The following issues were found
drivers/scsi/hptiop.c
4 issues
Line: 446
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
}
memcpy(config, req, sizeof(struct hpt_iop_request_get_config));
return 0;
}
static int iop_get_config_mvfrey(struct hptiop_hba *hba,
struct hpt_iop_request_get_config *config)
Reported by FlawFinder.
Line: 509
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct hpt_iop_request_set_config *req = hba->u.mv.internal_req;
memcpy(req, config, sizeof(struct hpt_iop_request_set_config));
req->header.flags = cpu_to_le32(IOP_REQUEST_FLAG_OUTPUT_CONTEXT);
req->header.type = cpu_to_le32(IOP_REQUEST_TYPE_SET_CONFIG);
req->header.size =
cpu_to_le32(sizeof(struct hpt_iop_request_set_config));
req->header.result = cpu_to_le32(IOP_RESULT_PENDING);
Reported by FlawFinder.
Line: 532
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct hpt_iop_request_set_config *req =
hba->u.mvfrey.internal_req.req_virt;
memcpy(req, config, sizeof(struct hpt_iop_request_set_config));
req->header.flags = cpu_to_le32(IOP_REQUEST_FLAG_OUTPUT_CONTEXT);
req->header.type = cpu_to_le32(IOP_REQUEST_TYPE_SET_CONFIG);
req->header.size =
cpu_to_le32(sizeof(struct hpt_iop_request_set_config));
req->header.result = cpu_to_le32(IOP_RESULT_PENDING);
Reported by FlawFinder.
Line: 759
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scsi_set_resid(scp,
scsi_bufflen(scp) - le32_to_cpu(req->dataxfer_length));
scp->result = SAM_STAT_CHECK_CONDITION;
memcpy(scp->sense_buffer, &req->sg_list, SCSI_SENSE_BUFFERSIZE);
goto skip_resid;
default:
scp->result = DID_ABORT << 16;
break;
Reported by FlawFinder.
drivers/net/wireless/ralink/rt2x00/rt2800lib.c
4 issues
Line: 1603
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&wcid_entry, 0xff, sizeof(wcid_entry));
if (address)
memcpy(wcid_entry.mac, address, ETH_ALEN);
rt2800_register_multiwrite(rt2x00dev, offset,
&wcid_entry, sizeof(wcid_entry));
}
Reported by FlawFinder.
Line: 1974
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* The BSSID register has to be set to our own mac
* address in AP mode.
*/
memcpy(conf->bssid, conf->mac, sizeof(conf->mac));
update_bssid = true;
}
if (!is_zero_ether_addr((const u8 *)conf->mac)) {
reg = le32_to_cpu(conf->mac[1]);
Reported by FlawFinder.
Line: 10354
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rt2800_register_multiread(rt2x00dev, offset,
&iveiv_entry, sizeof(iveiv_entry));
memcpy(&seq->tkip.iv16, &iveiv_entry.iv[0], 2);
memcpy(&seq->tkip.iv32, &iveiv_entry.iv[4], 4);
}
EXPORT_SYMBOL_GPL(rt2800_get_key_seq);
int rt2800_set_rts_threshold(struct ieee80211_hw *hw, u32 value)
Reported by FlawFinder.
Line: 10355
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&iveiv_entry, sizeof(iveiv_entry));
memcpy(&seq->tkip.iv16, &iveiv_entry.iv[0], 2);
memcpy(&seq->tkip.iv32, &iveiv_entry.iv[4], 4);
}
EXPORT_SYMBOL_GPL(rt2800_get_key_seq);
int rt2800_set_rts_threshold(struct ieee80211_hw *hw, u32 value)
{
Reported by FlawFinder.
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
4 issues
Line: 150
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dr->wIndex = 0;
dr->wLength = cpu_to_le16(len);
memcpy(buf, data, len);
usb_fill_control_urb(urb, priv->udev, usb_sndctrlpipe(priv->udev, 0),
(unsigned char *)dr, buf, len,
rtl8187_iowrite_async_cb, buf);
usb_anchor_urb(urb, &priv->anchored);
Reported by FlawFinder.
Line: 390
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rx_status.enc_flags |= RX_ENC_FLAG_SHORTPRE;
if (flags & RTL818X_RX_DESC_FLAG_CRC32_ERR)
rx_status.flag |= RX_FLAG_FAILED_FCS_CRC;
memcpy(IEEE80211_SKB_RXCB(skb), &rx_status, sizeof(rx_status));
ieee80211_rx_irqsafe(dev, skb);
skb = dev_alloc_skb(RTL8187_MAX_RX);
if (unlikely(!skb)) {
/* TODO check rx queue length and refill *somewhere* */
Reported by FlawFinder.
Line: 1467
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUILD_BUG_ON(sizeof(priv->channels) != sizeof(rtl818x_channels));
BUILD_BUG_ON(sizeof(priv->rates) != sizeof(rtl818x_rates));
memcpy(priv->channels, rtl818x_channels, sizeof(rtl818x_channels));
memcpy(priv->rates, rtl818x_rates, sizeof(rtl818x_rates));
priv->map = (struct rtl818x_csr *)0xFF00;
priv->band.band = NL80211_BAND_2GHZ;
priv->band.channels = priv->channels;
Reported by FlawFinder.
Line: 1468
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUILD_BUG_ON(sizeof(priv->rates) != sizeof(rtl818x_rates));
memcpy(priv->channels, rtl818x_channels, sizeof(rtl818x_channels));
memcpy(priv->rates, rtl818x_rates, sizeof(rtl818x_rates));
priv->map = (struct rtl818x_csr *)0xFF00;
priv->band.band = NL80211_BAND_2GHZ;
priv->band.channels = priv->channels;
priv->band.n_channels = ARRAY_SIZE(rtl818x_channels);
Reported by FlawFinder.
drivers/rpmsg/rpmsg_char.c
4 issues
Line: 302
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct rpmsg_eptdev *eptdev = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", eptdev->chinfo.name);
}
static DEVICE_ATTR_RO(name);
static ssize_t src_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 311
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct rpmsg_eptdev *eptdev = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", eptdev->chinfo.src);
}
static DEVICE_ATTR_RO(src);
static ssize_t dst_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 320
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct rpmsg_eptdev *eptdev = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", eptdev->chinfo.dst);
}
static DEVICE_ATTR_RO(dst);
static struct attribute *rpmsg_eptdev_attrs[] = {
&dev_attr_name.attr,
Reported by FlawFinder.
Line: 442
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (copy_from_user(&eptinfo, argp, sizeof(eptinfo)))
return -EFAULT;
memcpy(chinfo.name, eptinfo.name, RPMSG_NAME_SIZE);
chinfo.name[RPMSG_NAME_SIZE-1] = '\0';
chinfo.src = eptinfo.src;
chinfo.dst = eptinfo.dst;
return rpmsg_eptdev_create(ctrldev, chinfo);
Reported by FlawFinder.
drivers/power/supply/abx500_chargalg.c
4 issues
Line: 1750
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t abx500_chargalg_curr_step_show(struct abx500_chargalg *di,
char *buf)
{
return sprintf(buf, "%d\n", di->curr_status.curr_step);
}
static ssize_t abx500_chargalg_curr_step_store(struct abx500_chargalg *di,
const char *buf, size_t length)
{
Reported by FlawFinder.
Line: 1781
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t abx500_chargalg_en_show(struct abx500_chargalg *di,
char *buf)
{
return sprintf(buf, "%d\n",
di->susp_status.ac_suspended &&
di->susp_status.usb_suspended);
}
static ssize_t abx500_chargalg_en_store(struct abx500_chargalg *di,
Reported by FlawFinder.
Line: 1774
Column: 9
CWE codes:
126
"1--100. Set AC/USB charging current step\n"
"100. Enable AC/USB Charging\n");
return strlen(buf);
}
static ssize_t abx500_chargalg_en_show(struct abx500_chargalg *di,
char *buf)
Reported by FlawFinder.
Line: 1830
Column: 9
CWE codes:
126
"1. Enable AC charging\n"
"2. Enable USB Charging\n");
}
return strlen(buf);
}
static struct abx500_chargalg_sysfs_entry abx500_chargalg_en_charger =
__ATTR(chargalg, 0644, abx500_chargalg_en_show,
abx500_chargalg_en_store);
Reported by FlawFinder.
drivers/parisc/eisa_enumerator.c
4 issues
Line: 72
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
vendor[0] = '@' + (id & 0x1f);
id >>= 5;
sprintf(s, "%s%02X%02X", vendor, device, rev);
}
static int configure_memory(const unsigned char *buf,
struct resource *mem_parent,
char *name)
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_eisa_id(char *s, u_int32_t id)
{
char vendor[4];
int rev;
int device;
rev = id & 0xff;
id >>= 8;
Reported by FlawFinder.
Line: 429
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned int id;
char id_string[8];
if (!(es->slot_info&HPEE_SLOT_INFO_NO_READID)) {
/* try to read the id of the board in the slot */
id = le32_to_cpu(inl(SLOT2PORT(slot)+EPI));
Reported by FlawFinder.
Line: 485
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
struct eeprom_header *eh;
static char eeprom_buf[HPEE_MAX_LENGTH];
for (i=0; i < HPEE_MAX_LENGTH; i++) {
eeprom_buf[i] = gsc_readb(eeprom_addr+i);
}
Reported by FlawFinder.
drivers/s390/cio/vfio_ccw_ops.c
4 issues
Line: 84
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t device_api_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
{
return sprintf(buf, "%s\n", VFIO_DEVICE_API_CCW_STRING);
}
static MDEV_TYPE_ATTR_RO(device_api);
static ssize_t available_instances_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr,
Reported by FlawFinder.
Line: 77
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t name_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
{
return sprintf(buf, "I/O subchannel (Non-QDIO)\n");
}
static MDEV_TYPE_ATTR_RO(name);
static ssize_t device_api_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 95
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct vfio_ccw_private *private =
dev_get_drvdata(mtype_get_parent_dev(mtype));
return sprintf(buf, "%d\n", atomic_read(&private->avail));
}
static MDEV_TYPE_ATTR_RO(available_instances);
static struct attribute *mdev_types_attrs[] = {
&mdev_type_attr_name.attr,
Reported by FlawFinder.
Line: 254
Column: 38
CWE codes:
120
20
return vfio_ccw_mdev_read_io_region(private, buf, count, ppos);
default:
index -= VFIO_CCW_NUM_REGIONS;
return private->region[index].ops->read(private, buf, count,
ppos);
}
return -EINVAL;
}
Reported by FlawFinder.
drivers/rtc/rtc-m41t80.c
4 issues
Line: 199
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int m41t80_rtc_read_time(struct device *dev, struct rtc_time *tm)
{
struct i2c_client *client = to_i2c_client(dev);
unsigned char buf[8];
int err, flags;
flags = i2c_smbus_read_byte_data(client, M41T80_REG_FLAGS);
if (flags < 0)
return flags;
Reported by FlawFinder.
Line: 234
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct i2c_client *client = to_i2c_client(dev);
struct m41t80_data *clientdata = i2c_get_clientdata(client);
unsigned char buf[8];
int err, flags;
buf[M41T80_REG_SSEC] = 0;
buf[M41T80_REG_SEC] = bin2bcd(tm->tm_sec);
buf[M41T80_REG_MIN] = bin2bcd(tm->tm_min);
Reported by FlawFinder.
Line: 619
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void wdt_ping(void)
{
unsigned char i2c_data[2];
struct i2c_msg msgs1[1] = {
{
.addr = save_client->addr,
.flags = 0,
.len = 2,
Reported by FlawFinder.
Line: 655
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void wdt_disable(void)
{
unsigned char i2c_data[2], i2c_buf[0x10];
struct i2c_msg msgs0[2] = {
{
.addr = save_client->addr,
.flags = 0,
.len = 1,
Reported by FlawFinder.
drivers/rtc/rtc-pcf85363.c
4 issues
Line: 123
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf85363_rtc_read_time(struct device *dev, struct rtc_time *tm)
{
struct pcf85363 *pcf85363 = dev_get_drvdata(dev);
unsigned char buf[DT_YEARS + 1];
int ret, len = sizeof(buf);
/* read the RTC date and time registers all at once */
ret = regmap_bulk_read(pcf85363->regmap, DT_100THS, buf, len);
if (ret) {
Reported by FlawFinder.
Line: 152
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf85363_rtc_set_time(struct device *dev, struct rtc_time *tm)
{
struct pcf85363 *pcf85363 = dev_get_drvdata(dev);
unsigned char tmp[11];
unsigned char *buf = &tmp[2];
int ret;
tmp[0] = STOP_EN_STOP;
tmp[1] = RESET_CPR;
Reported by FlawFinder.
Line: 184
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf85363_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
{
struct pcf85363 *pcf85363 = dev_get_drvdata(dev);
unsigned char buf[DT_MONTH_ALM1 - DT_SECOND_ALM1 + 1];
unsigned int val;
int ret;
ret = regmap_bulk_read(pcf85363->regmap, DT_SECOND_ALM1, buf,
sizeof(buf));
Reported by FlawFinder.
Line: 241
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf85363_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alrm)
{
struct pcf85363 *pcf85363 = dev_get_drvdata(dev);
unsigned char buf[DT_MONTH_ALM1 - DT_SECOND_ALM1 + 1];
int ret;
buf[0] = bin2bcd(alrm->time.tm_sec);
buf[1] = bin2bcd(alrm->time.tm_min);
buf[2] = bin2bcd(alrm->time.tm_hour);
Reported by FlawFinder.
drivers/net/wireless/mediatek/mt76/mt76x0/initvals.h
4 issues
Line: 47
CWE codes:
190
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(RXO, 28), 0x0000008A } },
{ RF_G_BAND | RF_BW_20 | RF_BW_40, { MT_BBP(AGC, 31), 0x00000E23 } },
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(AGC, 31), 0x00000E13 } },
{ RF_G_BAND | RF_BW_20 | RF_BW_40, { MT_BBP(AGC, 32), 0x00003218 } },
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(AGC, 32), 0x0000181C } },
Reported by Cppcheck.
Line: 47
CWE codes:
190
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(RXO, 28), 0x0000008A } },
{ RF_G_BAND | RF_BW_20 | RF_BW_40, { MT_BBP(AGC, 31), 0x00000E23 } },
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(AGC, 31), 0x00000E13 } },
{ RF_G_BAND | RF_BW_20 | RF_BW_40, { MT_BBP(AGC, 32), 0x00003218 } },
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(AGC, 32), 0x0000181C } },
Reported by Cppcheck.
Line: 47
CWE codes:
190
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(RXO, 28), 0x0000008A } },
{ RF_G_BAND | RF_BW_20 | RF_BW_40, { MT_BBP(AGC, 31), 0x00000E23 } },
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(AGC, 31), 0x00000E13 } },
{ RF_G_BAND | RF_BW_20 | RF_BW_40, { MT_BBP(AGC, 32), 0x00003218 } },
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(AGC, 32), 0x0000181C } },
Reported by Cppcheck.
Line: 47
CWE codes:
190
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(RXO, 28), 0x0000008A } },
{ RF_G_BAND | RF_BW_20 | RF_BW_40, { MT_BBP(AGC, 31), 0x00000E23 } },
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(AGC, 31), 0x00000E13 } },
{ RF_G_BAND | RF_BW_20 | RF_BW_40, { MT_BBP(AGC, 32), 0x00003218 } },
{ RF_A_BAND | RF_BW_20 | RF_BW_40 | RF_BW_80, { MT_BBP(AGC, 32), 0x0000181C } },
Reported by Cppcheck.