The following issues were found
drivers/staging/greybus/fw-download.c
3 issues
Line: 182
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
fw_req->firmware_id = ret;
snprintf(fw_req->name, sizeof(fw_req->name),
FW_NAME_PREFIX "%08x_%08x_%08x_%08x_%s.tftf",
intf->ddbl1_manufacturer_id, intf->ddbl1_product_id,
intf->vendor_id, intf->product_id, tag);
dev_info(fw_download->parent, "Requested firmware package '%s'\n",
Reported by FlawFinder.
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 firmware_id;
bool disabled;
bool timedout;
char name[FW_NAME_SIZE];
const struct firmware *fw;
struct list_head node;
struct delayed_work dwork;
/* Timeout, in jiffies, within which the firmware shall download */
Reported by FlawFinder.
Line: 337
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
response = op->response->payload;
memcpy(response->data, fw->data + offset, size);
dev_dbg(fw_download->parent,
"responding with firmware (offs = %u, size = %u)\n", offset,
size);
Reported by FlawFinder.
drivers/staging/rts5208/xd.c
3 issues
Line: 98
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (id_buf && buf_len) {
if (buf_len > 4)
buf_len = 4;
memcpy(id_buf, ptr, buf_len);
}
return STATUS_SUCCESS;
}
Reported by FlawFinder.
Line: 169
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf_len > 11)
buf_len = 11;
memcpy(buf, ptr, buf_len);
}
return STATUS_SUCCESS;
}
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return STATUS_FAIL;
}
memcpy(buf, rtsx_get_cmd_data(chip), buf_len);
return STATUS_SUCCESS;
}
static int xd_read_cis(struct rtsx_chip *chip, u32 page_addr, u8 *buf,
Reported by FlawFinder.
drivers/usb/dwc2/gadget.c
3 issues
Line: 1287
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hs_req->saved_req_buf = req_buf;
if (hs_ep->dir_in)
memcpy(hs_req->req.buf, req_buf, hs_req->req.length);
return 0;
}
static void
dwc2_hsotg_handle_unaligned_buf_complete(struct dwc2_hsotg *hsotg,
Reported by FlawFinder.
Line: 1305
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy data from bounce buffer on successful out transfer */
if (!hs_ep->dir_in && !hs_req->req.status)
memcpy(hs_req->saved_req_buf, hs_req->req.buf,
hs_req->req.actual);
/* Free bounce buffer */
kfree(hs_req->req.buf);
Reported by FlawFinder.
Line: 1622
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->complete = dwc2_hsotg_complete_oursetup;
if (length)
memcpy(req->buf, buff, length);
ret = dwc2_hsotg_ep_queue(&ep->ep, req, GFP_ATOMIC);
if (ret) {
dev_warn(hsotg->dev, "%s: cannot queue req\n", __func__);
return ret;
Reported by FlawFinder.
drivers/staging/fieldbus/anybuss/arcx-anybus.c
3 issues
Line: 169
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct controller_priv *cd = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", cd->version);
}
static DEVICE_ATTR_RO(version);
static ssize_t design_number_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 46
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __iomem *cpld_base;
struct mutex ctrl_lock; /* protects CONTROL register */
u8 control_reg;
char version[3];
u16 design_no;
};
static void do_reset(struct controller_priv *cd, u8 rst_bit, bool reset)
{
Reported by FlawFinder.
Line: 178
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct controller_priv *cd = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", cd->design_no);
}
static DEVICE_ATTR_RO(design_number);
static struct attribute *controller_attributes[] = {
&dev_attr_version.attr,
Reported by FlawFinder.
drivers/staging/qlge/qlge.h
3 issues
Line: 1487
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 irq; /* Which vector this ring is assigned. */
u32 cpu; /* Which CPU this should run on. */
struct delayed_work refill_work;
char name[IFNAMSIZ + 5];
struct napi_struct napi;
u8 reserved;
struct qlge_adapter *qdev;
u64 rx_packets;
u64 rx_multicast;
Reported by FlawFinder.
Line: 2001
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 intr_en_mask; /* value/mask used to enable this intr */
u32 intr_dis_mask; /* value/mask used to disable this intr */
u32 intr_read_mask; /* value/mask used to read this intr */
char name[IFNAMSIZ * 2];
irq_handler_t handler;
};
/* adapter flags definitions. */
enum {
Reported by FlawFinder.
Line: 2174
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct timer_list timer;
atomic_t lb_count;
/* Keep local copy of current mac address. */
char current_mac_addr[ETH_ALEN];
};
/*
* Typical Register accessor for memory mapped device.
*/
Reported by FlawFinder.
drivers/staging/qlge/qlge_dbg.c
3 issues
Line: 702
Column: 2
CWE codes:
120
seg_hdr->cookie = MPI_COREDUMP_COOKIE;
seg_hdr->seg_num = seg_number;
seg_hdr->seg_size = seg_size;
strncpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
}
/*
* This function should be called when a coredump / probedump
* is to be extracted from the HBA. It is assumed there is a
Reported by FlawFinder.
Line: 743
Column: 2
CWE codes:
120
sizeof(struct mpi_coredump_global_header);
mpi_coredump->mpi_global_header.image_size =
sizeof(struct qlge_mpi_coredump);
strncpy(mpi_coredump->mpi_global_header.id_string, "MPI Coredump",
sizeof(mpi_coredump->mpi_global_header.id_string));
/* Get generic NIC reg dump */
qlge_build_coredump_seg_header(&mpi_coredump->nic_regs_seg_hdr,
NIC1_CONTROL_SEG_NUM,
Reported by FlawFinder.
Line: 1231
Column: 2
CWE codes:
120
sizeof(struct mpi_coredump_global_header);
mpi_coredump->mpi_global_header.image_size =
sizeof(struct qlge_reg_dump);
strncpy(mpi_coredump->mpi_global_header.id_string, "MPI Coredump",
sizeof(mpi_coredump->mpi_global_header.id_string));
/* segment 16 */
qlge_build_coredump_seg_header(&mpi_coredump->misc_nic_seg_hdr,
MISC_NIC_INFO_SEG_NUM,
Reported by FlawFinder.
drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
3 issues
Line: 1415
/* tpf: {*, 0} resets timing; clip to [min, max]*/
tpf = tpf.denominator ? tpf : tpf_default;
tpf = V4L2_FRACT_COMPARE(tpf, <, tpf_min) ? tpf_min : tpf;
tpf = V4L2_FRACT_COMPARE(tpf, >, tpf_max) ? tpf_max : tpf;
dev->capture.timeperframe = tpf;
parm->parm.capture.timeperframe = tpf;
parm->parm.capture.readbuffers = 1;
Reported by Cppcheck.
Line: 859
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -EINVAL;
inp->type = V4L2_INPUT_TYPE_CAMERA;
sprintf((char *)inp->name, "Camera %u", inp->index);
return 0;
}
static int vidioc_g_input(struct file *file, void *priv, unsigned int *i)
{
Reported by FlawFinder.
Line: 887
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
vchiq_mmal_version(dev->instance, &major, &minor);
strcpy((char *)cap->driver, "bm2835 mmal");
snprintf((char *)cap->card, sizeof(cap->card), "mmal service %d.%d",
major, minor);
snprintf((char *)cap->bus_info, sizeof(cap->bus_info),
"platform:%s", dev->v4l2_dev.name);
Reported by FlawFinder.
drivers/scsi/ufs/ufshcd-crypto.c
3 issues
Line: 84
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ccap_array[cap_idx].algorithm_id == UFS_CRYPTO_ALG_AES_XTS) {
/* In XTS mode, the blk_crypto_key's size is already doubled */
memcpy(cfg.crypto_key, key->raw, key->size/2);
memcpy(cfg.crypto_key + UFS_CRYPTO_KEY_MAX_SIZE/2,
key->raw + key->size/2, key->size/2);
} else {
memcpy(cfg.crypto_key, key->raw, key->size);
}
Reported by FlawFinder.
Line: 85
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ccap_array[cap_idx].algorithm_id == UFS_CRYPTO_ALG_AES_XTS) {
/* In XTS mode, the blk_crypto_key's size is already doubled */
memcpy(cfg.crypto_key, key->raw, key->size/2);
memcpy(cfg.crypto_key + UFS_CRYPTO_KEY_MAX_SIZE/2,
key->raw + key->size/2, key->size/2);
} else {
memcpy(cfg.crypto_key, key->raw, key->size);
}
Reported by FlawFinder.
Line: 88
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cfg.crypto_key + UFS_CRYPTO_KEY_MAX_SIZE/2,
key->raw + key->size/2, key->size/2);
} else {
memcpy(cfg.crypto_key, key->raw, key->size);
}
err = ufshcd_program_key(hba, &cfg, slot);
memzero_explicit(&cfg, sizeof(cfg));
Reported by FlawFinder.
drivers/usb/gadget/function/f_acm.c
3 issues
Line: 376
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
value = min_t(unsigned, w_length,
sizeof(struct usb_cdc_line_coding));
memcpy(req->buf, &acm->port_line_coding, value);
break;
/* SET_CONTROL_LINE_STATE ... save what the host sent */
case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
| USB_CDC_REQ_SET_CONTROL_LINE_STATE:
Reported by FlawFinder.
Line: 516
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
notify->wValue = cpu_to_le16(value);
notify->wIndex = cpu_to_le16(acm->ctrl_id);
notify->wLength = cpu_to_le16(length);
memcpy(buf, data, length);
/* ep_queue() can complete immediately if it fills the fifo... */
spin_unlock(&acm->lock);
status = usb_ep_queue(ep, req, GFP_ATOMIC);
spin_lock(&acm->lock);
Reported by FlawFinder.
Line: 812
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t f_acm_port_num_show(struct config_item *item, char *page)
{
return sprintf(page, "%u\n", to_f_serial_opts(item)->port_num);
}
CONFIGFS_ATTR_RO(f_acm_, port_num);
static struct configfs_attribute *acm_attrs[] = {
Reported by FlawFinder.
drivers/staging/qlge/qlge_ethtool.c
3 issues
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "qlge.h"
struct qlge_stats {
char stat_string[ETH_GSTRING_LEN];
int sizeof_stat;
int stat_offset;
};
#define QL_SIZEOF(m) sizeof_field(struct qlge_adapter, m)
Reported by FlawFinder.
Line: 339
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_TEST:
memcpy(buf, *qlge_gstrings_test, QLGE_TEST_LEN * ETH_GSTRING_LEN);
break;
case ETH_SS_STATS:
for (index = 0; index < QLGE_STATS_LEN; index++) {
memcpy(buf + index * ETH_GSTRING_LEN,
qlge_gstrings_stats[index].stat_string,
Reported by FlawFinder.
Line: 343
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case ETH_SS_STATS:
for (index = 0; index < QLGE_STATS_LEN; index++) {
memcpy(buf + index * ETH_GSTRING_LEN,
qlge_gstrings_stats[index].stat_string,
ETH_GSTRING_LEN);
}
break;
}
Reported by FlawFinder.