The following issues were found
drivers/scsi/aha152x.c
4 issues
Line: 462
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int target;
/* reconnecting target */
unsigned char syncrate[8];
/* current synchronous transfer agreements */
unsigned char syncneg[8];
/* 0: no negotiation;
* 1: negotiation in progress;
Reported by FlawFinder.
Line: 465
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char syncrate[8];
/* current synchronous transfer agreements */
unsigned char syncneg[8];
/* 0: no negotiation;
* 1: negotiation in progress;
* 2: negotiation completed
*/
Reported by FlawFinder.
Line: 476
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int msgi_len;
/* number of received message bytes */
unsigned char msgi[256];
/* received message bytes */
int msgo_i, msgo_len;
/* number of sent bytes and length of current messages */
unsigned char msgo[256];
Reported by FlawFinder.
Line: 481
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int msgo_i, msgo_len;
/* number of sent bytes and length of current messages */
unsigned char msgo[256];
/* pending messages */
int data_len;
/* number of sent/received bytes in dataphase */
Reported by FlawFinder.
drivers/rpmsg/virtio_rpmsg_bus.c
4 issues
Line: 617
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->src = cpu_to_rpmsg32(rpdev, src);
msg->dst = cpu_to_rpmsg32(rpdev, dst);
msg->reserved = 0;
memcpy(msg->data, data, len);
dev_dbg(dev, "TX From 0x%x, To 0x%x, Len %d, Flags %d, Reserved %d\n",
src, dst, len, msg->flags, msg->reserved);
#if defined(CONFIG_DYNAMIC_DEBUG)
dynamic_hex_dump("rpmsg_virtio TX: ", DUMP_PREFIX_NONE, 16, 1,
Reported by FlawFinder.
Line: 331
Column: 3
CWE codes:
120
virtio_has_feature(vrp->vdev, VIRTIO_RPMSG_F_NS)) {
struct rpmsg_ns_msg nsm;
strncpy(nsm.name, rpdev->id.name, RPMSG_NAME_SIZE);
nsm.addr = cpu_to_rpmsg32(rpdev, rpdev->ept->addr);
nsm.flags = cpu_to_rpmsg32(rpdev, RPMSG_NS_CREATE);
err = rpmsg_sendto(rpdev->ept, &nsm, sizeof(nsm), RPMSG_NS_ADDR);
if (err)
Reported by FlawFinder.
Line: 355
Column: 3
CWE codes:
120
virtio_has_feature(vrp->vdev, VIRTIO_RPMSG_F_NS)) {
struct rpmsg_ns_msg nsm;
strncpy(nsm.name, rpdev->id.name, RPMSG_NAME_SIZE);
nsm.addr = cpu_to_rpmsg32(rpdev, rpdev->ept->addr);
nsm.flags = cpu_to_rpmsg32(rpdev, RPMSG_NS_DESTROY);
err = rpmsg_sendto(rpdev->ept, &nsm, sizeof(nsm), RPMSG_NS_ADDR);
if (err)
Reported by FlawFinder.
Line: 426
Column: 2
CWE codes:
120
*/
rpdev->announce = rpdev->src != RPMSG_ADDR_ANY;
strncpy(rpdev->id.name, chinfo->name, RPMSG_NAME_SIZE);
rpdev->dev.parent = &vrp->vdev->dev;
rpdev->dev.release = virtio_rpmsg_release_device;
ret = rpmsg_register_device(rpdev);
if (ret)
Reported by FlawFinder.
drivers/regulator/max77650-regulator.c
4 issues
Line: 358
CWE codes:
758
return rv;
rdescs[MAX77650_REGULATOR_ID_LDO] = &max77650_LDO_desc;
rdescs[MAX77650_REGULATOR_ID_SBB0] = &max77650_SBB0_desc;
switch (MAX77650_CID_BITS(val)) {
case MAX77650_CID_77650A:
case MAX77650_CID_77650C:
rdescs[MAX77650_REGULATOR_ID_SBB1] = &max77650_SBB1_desc;
Reported by Cppcheck.
Line: 364
CWE codes:
758
case MAX77650_CID_77650A:
case MAX77650_CID_77650C:
rdescs[MAX77650_REGULATOR_ID_SBB1] = &max77650_SBB1_desc;
rdescs[MAX77650_REGULATOR_ID_SBB2] = &max77650_SBB2_desc;
break;
case MAX77650_CID_77651A:
case MAX77650_CID_77651B:
rdescs[MAX77650_REGULATOR_ID_SBB1] = &max77651_SBB1_desc;
rdescs[MAX77650_REGULATOR_ID_SBB2] = &max77651_SBB2_desc;
Reported by Cppcheck.
Line: 369
CWE codes:
758
case MAX77650_CID_77651A:
case MAX77650_CID_77651B:
rdescs[MAX77650_REGULATOR_ID_SBB1] = &max77651_SBB1_desc;
rdescs[MAX77650_REGULATOR_ID_SBB2] = &max77651_SBB2_desc;
break;
default:
return -ENODEV;
}
Reported by Cppcheck.
Line: 378
CWE codes:
758
config.dev = parent;
for (i = 0; i < MAX77650_REGULATOR_NUM_REGULATORS; i++) {
rdesc = rdescs[i];
config.driver_data = rdesc;
rdev = devm_regulator_register(dev, &rdesc->desc, &config);
if (IS_ERR(rdev))
return PTR_ERR(rdev);
Reported by Cppcheck.
drivers/s390/char/zcore.c
4 issues
Line: 53
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct dentry *zcore_hsa_file;
static struct ipl_parameter_block *zcore_ipl_block;
static char hsa_buf[PAGE_SIZE] __aligned(PAGE_SIZE);
/*
* Copy memory from HSA to user memory (not reentrant):
*
* @dest: User buffer where memory should be copied to
Reported by FlawFinder.
Line: 106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
offset = src % PAGE_SIZE;
bytes = min(PAGE_SIZE - offset, count);
memcpy(dest, hsa_buf + offset, bytes);
src += bytes;
dest += bytes;
count -= bytes;
}
return 0;
Reported by FlawFinder.
Line: 170
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t zcore_hsa_read(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
static char str[18];
if (hsa_available)
snprintf(str, sizeof(str), "%lx\n", sclp.hsa_size);
else
snprintf(str, sizeof(str), "0\n");
Reported by FlawFinder.
Line: 176
Column: 56
CWE codes:
126
snprintf(str, sizeof(str), "%lx\n", sclp.hsa_size);
else
snprintf(str, sizeof(str), "0\n");
return simple_read_from_buffer(buf, count, ppos, str, strlen(str));
}
static ssize_t zcore_hsa_write(struct file *filp, const char __user *buf,
size_t count, loff_t *ppos)
{
Reported by FlawFinder.
drivers/rtc/rtc-palmas.c
4 issues
Line: 37
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int palmas_rtc_read_time(struct device *dev, struct rtc_time *tm)
{
unsigned char rtc_data[PALMAS_NUM_TIME_REGS];
struct palmas *palmas = dev_get_drvdata(dev->parent);
int ret;
/* Copy RTC counting registers to static registers or latches */
ret = palmas_update_bits(palmas, PALMAS_RTC_BASE, PALMAS_RTC_CTRL_REG,
Reported by FlawFinder.
Line: 68
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int palmas_rtc_set_time(struct device *dev, struct rtc_time *tm)
{
unsigned char rtc_data[PALMAS_NUM_TIME_REGS];
struct palmas *palmas = dev_get_drvdata(dev->parent);
int ret;
rtc_data[0] = bin2bcd(tm->tm_sec);
rtc_data[1] = bin2bcd(tm->tm_min);
Reported by FlawFinder.
Line: 114
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int palmas_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alm)
{
unsigned char alarm_data[PALMAS_NUM_TIME_REGS];
u32 int_val;
struct palmas *palmas = dev_get_drvdata(dev->parent);
int ret;
ret = palmas_bulk_read(palmas, PALMAS_RTC_BASE,
Reported by FlawFinder.
Line: 148
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int palmas_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alm)
{
unsigned char alarm_data[PALMAS_NUM_TIME_REGS];
struct palmas *palmas = dev_get_drvdata(dev->parent);
int ret;
ret = palmas_rtc_alarm_irq_enable(dev, 0);
if (ret < 0) {
Reported by FlawFinder.
drivers/power/supply/ds2780_battery.c
4 issues
Line: 457
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%d\n",
!!(control_reg & DS2780_CONTROL_REG_PMOD));
}
static ssize_t ds2780_set_pmod_enabled(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 510
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
ret = sprintf(buf, "%d\n", sense_resistor);
return ret;
}
static ssize_t ds2780_set_sense_resistor_value(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 548
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", rsgain);
}
static ssize_t ds2780_set_rsgain_setting(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
Line: 591
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
ret = sprintf(buf, "%d\n", sfr & DS2780_SFR_REG_PIOSC);
return ret;
}
static ssize_t ds2780_set_pio_pin(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
drivers/power/supply/ds2760_battery.c
4 issues
Line: 94
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* DS2760 data, valid after calling ds2760_battery_read_status() */
unsigned long update_time; /* jiffies when data read */
char raw[DS2760_DATA_SIZE]; /* raw DS2760 data */
int voltage_raw; /* units of 4.88 mV */
int voltage_uV; /* units of µV */
int current_raw; /* units of 0.625 mA */
int current_uA; /* units of µA */
int accum_current_raw; /* units of 0.25 mAh */
Reported by FlawFinder.
Line: 376
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void ds2760_battery_set_current_accum(struct ds2760_device_info *di,
unsigned int acr_val)
{
unsigned char acr[2];
/* acr is in units of 0.25 mAh */
acr_val *= 4L;
acr_val /= 1000;
Reported by FlawFinder.
Line: 459
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void ds2760_battery_write_active_full(struct ds2760_device_info *di,
int active_full)
{
unsigned char tmp[2] = {
active_full >> 8,
active_full & 0xff
};
if (tmp[0] == di->raw[DS2760_ACTIVE_FULL] &&
Reported by FlawFinder.
Line: 683
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ds2760_device_info *di;
struct device *dev = &sl->dev;
int retval = 0;
char name[32];
char status;
di = devm_kzalloc(dev, sizeof(*di), GFP_KERNEL);
if (!di) {
retval = -ENOMEM;
Reported by FlawFinder.
drivers/nvmem/rockchip-efuse.c
4 issues
Line: 137
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
out_value = readl(efuse->base + RK3328_DOUT);
writel(RK3328_INT_FINISH, efuse->base + RK3328_INT_STATUS);
memcpy(&buf[i], &out_value, RK3399_NBYTES);
i += RK3399_NBYTES;
}
memcpy(val, buf + addr_offset, bytes);
err:
Reported by FlawFinder.
Line: 141
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i += RK3399_NBYTES;
}
memcpy(val, buf + addr_offset, bytes);
err:
kfree(buf);
nomem:
clk_disable_unprepare(efuse->clk);
Reported by FlawFinder.
Line: 190
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
efuse->base + REG_EFUSE_CTRL);
udelay(1);
memcpy(&buf[i], &out_value, RK3399_NBYTES);
i += RK3399_NBYTES;
}
/* Switch to standby mode */
writel(RK3399_PD | RK3399_CSB, efuse->base + REG_EFUSE_CTRL);
Reported by FlawFinder.
Line: 197
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Switch to standby mode */
writel(RK3399_PD | RK3399_CSB, efuse->base + REG_EFUSE_CTRL);
memcpy(val, buf + addr_offset, bytes);
kfree(buf);
clk_disable_unprepare(efuse->clk);
Reported by FlawFinder.
drivers/scsi/elx/efct/efct_hw.c
4 issues
Line: 1406
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bmbx = hw->sli.bmbx.virt;
memset(bmbx, 0, SLI4_BMBX_SIZE);
memcpy(bmbx, cmd, SLI4_BMBX_SIZE);
if (sli_bmbx_command(&hw->sli) == 0) {
rc = 0;
memcpy(cmd, bmbx, SLI4_BMBX_SIZE);
}
Reported by FlawFinder.
Line: 1410
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sli_bmbx_command(&hw->sli) == 0) {
rc = 0;
memcpy(cmd, bmbx, SLI4_BMBX_SIZE);
}
mutex_unlock(&hw->bmbx_lock);
} else if (opts == EFCT_CMD_NOWAIT) {
struct efct_command_ctx *ctx = NULL;
Reported by FlawFinder.
Line: 1433
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->arg = arg;
}
memcpy(ctx->buf, cmd, SLI4_BMBX_SIZE);
ctx->ctx = hw;
spin_lock_irqsave(&hw->cmd_lock, flags);
/* Add to pending list */
Reported by FlawFinder.
Line: 1478
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_unlock_irqrestore(&hw->cmd_lock, flags);
if (ctx->cb) {
memcpy(ctx->buf, mqe, size);
ctx->cb(hw, status, ctx->buf, ctx->arg);
}
mempool_free(ctx, hw->cmd_ctx_pool);
Reported by FlawFinder.
drivers/nfc/st95hf/core.c
4 issues
Line: 92
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cmd_len;
unsigned char cmd_id;
unsigned char no_cmd_params;
unsigned char cmd_params[MAX_CMD_PARAMS];
enum req_type req;
};
struct param_list {
int param_offset;
Reported by FlawFinder.
Line: 250
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct param_list *list_array,
bool recv_res)
{
unsigned char spi_cmd_buffer[MAX_CMD_LEN];
int i, ret;
struct device *dev = &st95context->spicontext.spidev->dev;
if (cmd_array[cmd].cmd_len > MAX_CMD_LEN)
return -EINVAL;
Reported by FlawFinder.
Line: 265
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spi_cmd_buffer[1] = cmd_array[cmd].cmd_id;
spi_cmd_buffer[2] = cmd_array[cmd].no_cmd_params;
memcpy(&spi_cmd_buffer[3], cmd_array[cmd].cmd_params,
spi_cmd_buffer[2]);
for (i = 0; i < no_modif; i++) {
if (list_array[i].param_offset >= cmd_array[cmd].no_cmd_params)
return -EINVAL;
Reported by FlawFinder.
Line: 285
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
if (cmd_array[cmd].req == SYNC && recv_res) {
unsigned char st95hf_response_arr[2];
ret = st95hf_spi_recv_response(&st95context->spicontext,
st95hf_response_arr);
if (ret < 0) {
dev_err(dev, "spi error from st95hf_spi_recv_response(), err = 0x%x\n",
Reported by FlawFinder.