The following issues were found
drivers/ptp/ptp_qoriq_debugfs.c
4 issues
Line: 14
Column: 20
CWE codes:
120
20
struct ptp_qoriq_registers *regs = &ptp_qoriq->regs;
u32 ctrl;
ctrl = ptp_qoriq->read(®s->ctrl_regs->tmr_ctrl);
*val = ctrl & PP1L ? 1 : 0;
return 0;
}
Reported by FlawFinder.
Line: 26
Column: 20
CWE codes:
120
20
struct ptp_qoriq_registers *regs = &ptp_qoriq->regs;
u32 ctrl;
ctrl = ptp_qoriq->read(®s->ctrl_regs->tmr_ctrl);
if (val == 0)
ctrl &= ~PP1L;
else
ctrl |= PP1L;
Reported by FlawFinder.
Line: 45
Column: 20
CWE codes:
120
20
struct ptp_qoriq_registers *regs = &ptp_qoriq->regs;
u32 ctrl;
ctrl = ptp_qoriq->read(®s->ctrl_regs->tmr_ctrl);
*val = ctrl & PP2L ? 1 : 0;
return 0;
}
Reported by FlawFinder.
Line: 57
Column: 20
CWE codes:
120
20
struct ptp_qoriq_registers *regs = &ptp_qoriq->regs;
u32 ctrl;
ctrl = ptp_qoriq->read(®s->ctrl_regs->tmr_ctrl);
if (val == 0)
ctrl &= ~PP2L;
else
ctrl |= PP2L;
Reported by FlawFinder.
drivers/pci/hotplug/cpqphp_ctrl.c
4 issues
Line: 2464
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 1;
}
memcpy(hold_bus_node, bus_node, sizeof(struct pci_resource));
bus_node->base += 1;
bus_node->length -= 1;
bus_node->next = NULL;
Reported by FlawFinder.
Line: 2472
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* If we have IO resources copy them and fill in the bridge's
* IO range registers */
memcpy(hold_IO_node, io_node, sizeof(struct pci_resource));
io_node->next = NULL;
/* set IO base and Limit registers */
temp_byte = io_node->base >> 8;
rc = pci_bus_write_config_byte(pci_bus, devfn, PCI_IO_BASE, temp_byte);
Reported by FlawFinder.
Line: 2485
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the memory resources and fill in the bridge's memory
* range registers.
*/
memcpy(hold_mem_node, mem_node, sizeof(struct pci_resource));
mem_node->next = NULL;
/* set Mem base and Limit registers */
temp_word = mem_node->base >> 16;
rc = pci_bus_write_config_word(pci_bus, devfn, PCI_MEMORY_BASE, temp_word);
Reported by FlawFinder.
Line: 2495
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
temp_word = (mem_node->base + mem_node->length - 1) >> 16;
rc = pci_bus_write_config_word(pci_bus, devfn, PCI_MEMORY_LIMIT, temp_word);
memcpy(hold_p_mem_node, p_mem_node, sizeof(struct pci_resource));
p_mem_node->next = NULL;
/* set Pre Mem base and Limit registers */
temp_word = p_mem_node->base >> 16;
rc = pci_bus_write_config_word(pci_bus, devfn, PCI_PREF_MEMORY_BASE, temp_word);
Reported by FlawFinder.
drivers/s390/block/dasd_eer.c
4 issues
Line: 143
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
headindex = eerb->head / PAGE_SIZE;
localhead = eerb->head % PAGE_SIZE;
len = min(rest, PAGE_SIZE - localhead);
memcpy(eerb->buffer[headindex]+localhead, nextdata, len);
nextdata += len;
rest -= len;
eerb->head += len;
if (eerb->head == eerb->buffersize)
eerb->head = 0; /* wrap around */
Reported by FlawFinder.
Line: 170
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tailindex = eerb->tail / PAGE_SIZE;
localtail = eerb->tail % PAGE_SIZE;
len = min(rest, PAGE_SIZE - localtail);
memcpy(nextdata, eerb->buffer[tailindex] + localtail, len);
nextdata += len;
rest -= len;
eerb->tail += len;
if (eerb->tail == eerb->buffersize)
eerb->tail = 0; /* wrap around */
Reported by FlawFinder.
Line: 283
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 trigger;
__u64 tv_sec;
__u64 tv_usec;
char busid[DASD_EER_BUSID_SIZE];
} __attribute__ ((packed));
/*
* The following function can be used for those triggers that have
* all necessary data available when the function is called.
Reported by FlawFinder.
Line: 544
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* other side a copy_to_user can sleep. So we need to copy the data we have
* to transfer in a readbuffer, which is protected by the readbuffer_mutex.
*/
static char readbuffer[PAGE_SIZE];
static DEFINE_MUTEX(readbuffer_mutex);
static int dasd_eer_open(struct inode *inp, struct file *filp)
{
struct eerbuffer *eerb;
Reported by FlawFinder.
drivers/net/wireless/marvell/libertas_tf/if_usb.c
4 issues
Line: 292
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
extra __le32 field in between the header and the data,
which is not in the struct fwheader in the actual
firmware binary. Insert the seqnum in the middle... */
memcpy(&fwdata->hdr, &firmware[cardp->totalbytes],
sizeof(struct fwheader));
cardp->fwlastblksent = cardp->totalbytes;
cardp->totalbytes += sizeof(struct fwheader);
Reported by FlawFinder.
Line: 298
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cardp->fwlastblksent = cardp->totalbytes;
cardp->totalbytes += sizeof(struct fwheader);
memcpy(fwdata->data, &firmware[cardp->totalbytes],
le32_to_cpu(fwdata->hdr.datalength));
lbtf_deb_usb2(&cardp->udev->dev, "Data length = %d\n",
le32_to_cpu(fwdata->hdr.datalength));
Reported by FlawFinder.
Line: 612
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
spin_lock_irqsave(&priv->driver_lock, flags);
memcpy(priv->cmd_resp_buff, recvbuff + MESSAGE_HEADER_LEN,
recvlength - MESSAGE_HEADER_LEN);
kfree_skb(skb);
lbtf_cmd_response_rx(priv);
spin_unlock_irqrestore(&priv->driver_lock, flags);
}
Reported by FlawFinder.
Line: 728
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = 1;
}
memcpy((cardp->ep_out_buf + MESSAGE_HEADER_LEN), payload, nb);
return usb_tx_block(cardp, cardp->ep_out_buf, nb + MESSAGE_HEADER_LEN,
data);
}
Reported by FlawFinder.
drivers/rtc/rtc-pm8xxx.c
4 issues
Line: 40
Column: 15
CWE codes:
120
20
struct pm8xxx_rtc_regs {
unsigned int ctrl;
unsigned int write;
unsigned int read;
unsigned int alarm_ctrl;
unsigned int alarm_ctrl2;
unsigned int alarm_rw;
unsigned int alarm_en;
};
Reported by FlawFinder.
Line: 184
Column: 46
CWE codes:
120
20
struct pm8xxx_rtc *rtc_dd = dev_get_drvdata(dev);
const struct pm8xxx_rtc_regs *regs = rtc_dd->regs;
rc = regmap_bulk_read(rtc_dd->regmap, regs->read, value, sizeof(value));
if (rc) {
dev_err(dev, "RTC read data register failed\n");
return rc;
}
Reported by FlawFinder.
Line: 194
Column: 41
CWE codes:
120
20
* Read the LSB again and check if there has been a carry over.
* If there is, redo the read operation.
*/
rc = regmap_read(rtc_dd->regmap, regs->read, ®);
if (rc < 0) {
dev_err(dev, "RTC read data register failed\n");
return rc;
}
Reported by FlawFinder.
Line: 201
Column: 47
CWE codes:
120
20
}
if (unlikely(reg < value[0])) {
rc = regmap_bulk_read(rtc_dd->regmap, regs->read,
value, sizeof(value));
if (rc) {
dev_err(dev, "RTC read data register failed\n");
return rc;
}
Reported by FlawFinder.
drivers/net/wireless/ti/wlcore/init.c
4 issues
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* nullfunc->addr1 is filled by FW */
memcpy(nullfunc->addr2, vif->addr, ETH_ALEN);
memcpy(nullfunc->addr3, vif->addr, ETH_ALEN);
rate = wl1271_tx_min_rate_get(wl, wlvif->basic_rate_set);
ret = wl1271_cmd_template_set(wl, wlvif->role_id,
CMD_TEMPL_NULL_DATA, nullfunc,
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* nullfunc->addr1 is filled by FW */
memcpy(nullfunc->addr2, vif->addr, ETH_ALEN);
memcpy(nullfunc->addr3, vif->addr, ETH_ALEN);
rate = wl1271_tx_min_rate_get(wl, wlvif->basic_rate_set);
ret = wl1271_cmd_template_set(wl, wlvif->role_id,
CMD_TEMPL_NULL_DATA, nullfunc,
sizeof(*nullfunc), 0, rate);
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* qosnull->addr1 is filled by FW */
memcpy(qosnull->addr2, vif->addr, ETH_ALEN);
memcpy(qosnull->addr3, vif->addr, ETH_ALEN);
rate = wl1271_tx_min_rate_get(wl, wlvif->basic_rate_set);
ret = wl1271_cmd_template_set(wl, wlvif->role_id,
CMD_TEMPL_QOS_NULL_DATA, qosnull,
Reported by FlawFinder.
Line: 224
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* qosnull->addr1 is filled by FW */
memcpy(qosnull->addr2, vif->addr, ETH_ALEN);
memcpy(qosnull->addr3, vif->addr, ETH_ALEN);
rate = wl1271_tx_min_rate_get(wl, wlvif->basic_rate_set);
ret = wl1271_cmd_template_set(wl, wlvif->role_id,
CMD_TEMPL_QOS_NULL_DATA, qosnull,
sizeof(*qosnull), 0, rate);
Reported by FlawFinder.
drivers/net/wireless/quantenna/qtnfmac/event.c
4 issues
Line: 211
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ie[0] = WLAN_EID_SSID;
ie[1] = vif->wdev.ssid_len;
memcpy(ie + 2, vif->wdev.ssid, vif->wdev.ssid_len);
bss = cfg80211_inform_bss(wiphy, chandef.chan,
CFG80211_BSS_FTYPE_UNKNOWN,
join_info->bssid, 0,
WLAN_CAPABILITY_ESS, 100,
Reported by FlawFinder.
Line: 575
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ev->ssid_len) {
int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN);
memcpy(auth.ssid.ssid, ev->ssid, len);
auth.ssid.ssid_len = len;
}
auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);
ether_addr_copy(auth.bssid, ev->bssid);
Reported by FlawFinder.
Line: 660
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ie)
return -ENOMEM;
memcpy(owe_info.peer, owe_ev->peer, ETH_ALEN);
memcpy(ie, owe_ev->ies, ie_len);
owe_info.ie_len = ie_len;
owe_info.ie = ie;
pr_info("%s: external OWE processing: peer=%pM\n",
Reported by FlawFinder.
Line: 661
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
memcpy(owe_info.peer, owe_ev->peer, ETH_ALEN);
memcpy(ie, owe_ev->ies, ie_len);
owe_info.ie_len = ie_len;
owe_info.ie = ie;
pr_info("%s: external OWE processing: peer=%pM\n",
vif->netdev->name, owe_ev->peer);
Reported by FlawFinder.
drivers/ptp/ptp_clockmatrix.c
4 issues
Line: 204
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
msg[0] = regaddr;
memcpy(&msg[1], buf, count);
cnt = i2c_master_send(client, msg, count + 1);
if (cnt < 0) {
dev_err(&client->dev,
Reported by FlawFinder.
Line: 741
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum scsr_tod_write_type_sel wr_type)
{
struct idtcm *idtcm = channel->idtcm;
unsigned char buf[TOD_BYTE_COUNT], cmd;
struct timespec64 local_ts = *ts;
int err, count = 0;
timespec64_add_ns(&local_ts, SETTIME_CORRECTION);
Reported by FlawFinder.
Line: 962
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ktime_t stop;
ktime_t diff;
char buf[TOD_BYTE_COUNT] = {0};
/* Set page offset */
idtcm_write(idtcm, channel->hw_dpll_n, HW_DPLL_TOD_OVR__0,
buf, sizeof(buf));
Reported by FlawFinder.
Line: 1217
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int idtcm_load_firmware(struct idtcm *idtcm,
struct device *dev)
{
char fname[128] = FW_FILENAME;
const struct firmware *fw;
struct idtcm_fwrc *rec;
u32 regaddr;
int err;
s32 len;
Reported by FlawFinder.
drivers/s390/char/sclp_vt220.c
4 issues
Line: 332
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Perform conversion */
if (c == 0x0a) {
if (to + 1 < sclp_vt220_space_left(request)) {
((unsigned char *) buffer)[to++] = c;
((unsigned char *) buffer)[to++] = 0x0d;
} else
break;
} else
Reported by FlawFinder.
Line: 333
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (c == 0x0a) {
if (to + 1 < sclp_vt220_space_left(request)) {
((unsigned char *) buffer)[to++] = c;
((unsigned char *) buffer)[to++] = 0x0d;
} else
break;
} else
((unsigned char *) buffer)[to++] = c;
Reported by FlawFinder.
Line: 338
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
break;
} else
((unsigned char *) buffer)[to++] = c;
}
sccb->header.length += to;
sccb->evbuf.length += to;
return from;
} else {
Reported by FlawFinder.
Line: 344
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sccb->evbuf.length += to;
return from;
} else {
memcpy(buffer, (const void *) msg, count);
sccb->header.length += count;
sccb->evbuf.length += count;
return count;
}
}
Reported by FlawFinder.
drivers/net/wireless/ti/wlcore/debugfs.c
4 issues
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
loff_t *ppos, char *fmt, ...)
{
va_list args;
char buf[DEBUGFS_FORMAT_BUFFER_SIZE];
int res;
va_start(args, fmt);
res = vscnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct wl1271 *wl = file->private_data;
u32 queue_len;
char buf[20];
int res;
queue_len = wl1271_tx_total_queue_count(wl);
res = scnprintf(buf, sizeof(buf), "%u\n", queue_len);
Reported by FlawFinder.
Line: 187
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool state = test_bit(WL1271_FLAG_GPIO_POWER, &wl->flags);
int res;
char buf[10];
res = scnprintf(buf, sizeof(buf), "%d\n", state);
return simple_read_from_buffer(user_buf, count, ppos, buf, res);
}
Reported by FlawFinder.
Line: 533
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret, res = 0;
const int buf_size = 4096;
char *buf;
char tmp_buf[64];
buf = kzalloc(buf_size, GFP_KERNEL);
if (!buf)
return -ENOMEM;
Reported by FlawFinder.