The following issues were found
drivers/usb/gadget/udc/pxa25x_udc.c
3 issues
Line: 895
Column: 16
CWE codes:
120
20
break;
case EP0_OUT_DATA_PHASE:
dev->stats.read.ops++;
/* messy ... */
if (dev->req_config) {
DBG(DBG_VERBOSE, "ep0 config ack%s\n",
dev->has_cfr ? "" : " raced");
if (dev->has_cfr)
Reported by FlawFinder.
Line: 1296
Column: 14
CWE codes:
120
20
seq_printf(m, "ep0 IN %lu/%lu, OUT %lu/%lu\nirqs %lu\n\n",
dev->stats.write.bytes, dev->stats.write.ops,
dev->stats.read.bytes, dev->stats.read.ops,
dev->stats.irqs);
/* dump endpoint queues */
for (i = 0; i < PXA_UDC_NUM_ENDPOINTS; i++) {
struct pxa25x_ep *ep = &dev->ep [i];
Reported by FlawFinder.
Line: 1296
Column: 37
CWE codes:
120
20
seq_printf(m, "ep0 IN %lu/%lu, OUT %lu/%lu\nirqs %lu\n\n",
dev->stats.write.bytes, dev->stats.write.ops,
dev->stats.read.bytes, dev->stats.read.ops,
dev->stats.irqs);
/* dump endpoint queues */
for (i = 0; i < PXA_UDC_NUM_ENDPOINTS; i++) {
struct pxa25x_ep *ep = &dev->ep [i];
Reported by FlawFinder.
drivers/usb/gadget/udc/pxa25x_udc.h
3 issues
Line: 81
Column: 4
CWE codes:
120
20
struct ep0stats {
unsigned long ops;
unsigned long bytes;
} read, write;
unsigned long irqs;
};
#ifdef CONFIG_USB_PXA25X_SMALL
/* when memory's tight, SMALL config saves code+data. */
Reported by FlawFinder.
Line: 220
Column: 37
CWE codes:
120
20
dump_udccs0 ("udccs0");
DMSG("ep0 IN %lu/%lu, OUT %lu/%lu\n",
dev->stats.write.bytes, dev->stats.write.ops,
dev->stats.read.bytes, dev->stats.read.ops);
for (i = 1; i < PXA_UDC_NUM_ENDPOINTS; i++) {
if (dev->ep[i].ep.desc == NULL)
continue;
DMSG ("udccs%d = %02x\n", i, udc_ep_get_UDCCS(&dev->ep[i]));
Reported by FlawFinder.
Line: 220
Column: 14
CWE codes:
120
20
dump_udccs0 ("udccs0");
DMSG("ep0 IN %lu/%lu, OUT %lu/%lu\n",
dev->stats.write.bytes, dev->stats.write.ops,
dev->stats.read.bytes, dev->stats.read.ops);
for (i = 1; i < PXA_UDC_NUM_ENDPOINTS; i++) {
if (dev->ep[i].ep.desc == NULL)
continue;
DMSG ("udccs%d = %02x\n", i, udc_ep_get_UDCCS(&dev->ep[i]));
Reported by FlawFinder.
drivers/target/iscsi/cxgbit/cxgbit_cm.c
3 issues
Line: 444
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INIT_LIST_HEAD(&cnp->np_accept_list);
spin_lock_init(&cnp->np_accept_lock);
kref_init(&cnp->kref);
memcpy(&np->np_sockaddr, ksockaddr,
sizeof(struct sockaddr_storage));
memcpy(&cnp->com.local_addr, &np->np_sockaddr,
sizeof(cnp->com.local_addr));
cnp->np = np;
Reported by FlawFinder.
Line: 1344
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sin6->sin6_family = PF_INET6;
sin6->sin6_port = local_port;
memcpy(sin6->sin6_addr.s6_addr, local_ip, 16);
cxgb4_clip_get(cdev->lldi.ports[0],
(const u32 *)&sin6->sin6_addr.s6_addr,
1);
sin6 = (struct sockaddr_in6 *)&csk->com.remote_addr;
Reported by FlawFinder.
Line: 1352
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sin6 = (struct sockaddr_in6 *)&csk->com.remote_addr;
sin6->sin6_family = PF_INET6;
sin6->sin6_port = peer_port;
memcpy(sin6->sin6_addr.s6_addr, peer_ip, 16);
}
skb_queue_head_init(&csk->rxq);
skb_queue_head_init(&csk->txq);
skb_queue_head_init(&csk->ppodq);
Reported by FlawFinder.
drivers/video/fbdev/hyperv_fb.c
3 issues
Line: 1230
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
info->var.width = -1;
info->var.vmode = FB_VMODE_NONINTERLACED;
strcpy(info->fix.id, KBUILD_MODNAME);
info->fix.type = FB_TYPE_PACKED_PIXELS;
info->fix.visual = FB_VISUAL_TRUECOLOR;
info->fix.line_length = screen_width * screen_depth / 8;
info->fix.accel = FB_ACCEL_NONE;
Reported by FlawFinder.
Line: 421
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (offset + size > dio_fb_size)
size = dio_fb_size - offset;
memcpy(par->mmio_vp + offset, par->dio_vp + offset, size);
}
/* Deferred IO callback */
static void synthvid_deferred_io(struct fb_info *p,
struct list_head *pagelist)
Reported by FlawFinder.
Line: 485
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (msg->vid_hdr.type == SYNTHVID_VERSION_RESPONSE ||
msg->vid_hdr.type == SYNTHVID_RESOLUTION_RESPONSE ||
msg->vid_hdr.type == SYNTHVID_VRAM_LOCATION_ACK) {
memcpy(par->init_buf, msg, MAX_VMBUS_PKT_SIZE);
complete(&par->wait);
return;
}
/* Reply with screen and cursor info */
Reported by FlawFinder.
drivers/soc/xilinx/zynqmp_power.c
3 issues
Line: 140
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (md = PM_SUSPEND_MODE_FIRST; md < ARRAY_SIZE(suspend_modes); md++)
if (suspend_modes[md]) {
if (md == suspend_mode)
s += sprintf(s, "[%s] ", suspend_modes[md]);
else
s += sprintf(s, "%s ", suspend_modes[md]);
}
/* Convert last space to newline */
Reported by FlawFinder.
Line: 142
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (md == suspend_mode)
s += sprintf(s, "[%s] ", suspend_modes[md]);
else
s += sprintf(s, "%s ", suspend_modes[md]);
}
/* Convert last space to newline */
if (s != buf)
*(s - 1) = '\n';
Reported by FlawFinder.
Line: 90
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 payload[CB_PAYLOAD_SIZE];
int ret;
memcpy(payload, msg->data, sizeof(msg->len));
/* First element is callback API ID, others are callback arguments */
if (payload[0] == PM_INIT_SUSPEND_CB) {
if (work_pending(&zynqmp_pm_init_suspend_work->callback_work))
return;
Reported by FlawFinder.
drivers/usb/host/r8a66597.h
3 issues
Line: 79
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short ep_in_toggle;
unsigned short ep_out_toggle;
unsigned char pipe_cnt[R8A66597_MAX_NUM_PIPE];
unsigned char dma_map;
enum usb_device_state state;
struct usb_device *udev;
Reported by FlawFinder.
Line: 120
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short address_map;
unsigned short timeout_map;
unsigned short interval_map;
unsigned char pipe_cnt[R8A66597_MAX_NUM_PIPE];
unsigned char dma_map;
unsigned int max_root_hub;
struct list_head child_device;
unsigned long child_connect_map[4];
Reported by FlawFinder.
Line: 178
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len & 0x00000003) {
unsigned long tmp = ioread32(fifoaddr);
memcpy((unsigned char *)buf + count * 4, &tmp,
len & 0x03);
}
} else {
len = (len + 1) / 2;
ioread16_rep(fifoaddr, buf, len);
Reported by FlawFinder.
drivers/scsi/snic/snic_res.h
3 issues
Line: 38
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->u.icmnd.flags = cpu_to_le16(flags);
req->u.icmnd.tgt_id = cpu_to_le64(tgt_id);
memcpy(&req->u.icmnd.lun_id, lun, LUN_ADDR_LEN);
req->u.icmnd.cdb_len = cdb_len;
memset(req->u.icmnd.cdb, 0, SNIC_CDB_LEN);
memcpy(req->u.icmnd.cdb, scsi_cdb, cdb_len);
req->u.icmnd.data_len = cpu_to_le32(data_len);
req->u.icmnd.sg_addr = cpu_to_le64(sgl_addr);
Reported by FlawFinder.
Line: 41
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&req->u.icmnd.lun_id, lun, LUN_ADDR_LEN);
req->u.icmnd.cdb_len = cdb_len;
memset(req->u.icmnd.cdb, 0, SNIC_CDB_LEN);
memcpy(req->u.icmnd.cdb, scsi_cdb, cdb_len);
req->u.icmnd.data_len = cpu_to_le32(data_len);
req->u.icmnd.sg_addr = cpu_to_le64(sgl_addr);
req->u.icmnd.sense_len = cpu_to_le32(sense_len);
req->u.icmnd.sense_addr = cpu_to_le64(sns_addr_pa);
}
Reported by FlawFinder.
Line: 59
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* req_id valid only in abort, clear task */
req->u.itmf.req_id = cpu_to_le32(req_id);
req->u.itmf.tgt_id = cpu_to_le64(tgt_id);
memcpy(&req->u.itmf.lun_id, lun, LUN_ADDR_LEN);
}
static inline void
snic_queue_wq_eth_desc(struct vnic_wq *wq,
void *os_buf,
Reported by FlawFinder.
drivers/scsi/snic/snic_isr.c
3 issues
Line: 118
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* from queue ptr.
* Except for err_notify, which is always one.
*/
sprintf(snic->msix[SNIC_MSIX_WQ].devname,
"%.11s-scsi-wq",
snic->name);
snic->msix[SNIC_MSIX_WQ].isr = snic_isr_msix_wq;
snic->msix[SNIC_MSIX_WQ].devid = snic;
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
snic->msix[SNIC_MSIX_WQ].isr = snic_isr_msix_wq;
snic->msix[SNIC_MSIX_WQ].devid = snic;
sprintf(snic->msix[SNIC_MSIX_IO_CMPL].devname,
"%.11s-io-cmpl",
snic->name);
snic->msix[SNIC_MSIX_IO_CMPL].isr = snic_isr_msix_io_cmpl;
snic->msix[SNIC_MSIX_IO_CMPL].devid = snic;
Reported by FlawFinder.
Line: 130
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
snic->msix[SNIC_MSIX_IO_CMPL].isr = snic_isr_msix_io_cmpl;
snic->msix[SNIC_MSIX_IO_CMPL].devid = snic;
sprintf(snic->msix[SNIC_MSIX_ERR_NOTIFY].devname,
"%.11s-err-notify",
snic->name);
snic->msix[SNIC_MSIX_ERR_NOTIFY].isr = snic_isr_msix_err_notify;
snic->msix[SNIC_MSIX_ERR_NOTIFY].devid = snic;
Reported by FlawFinder.
drivers/usb/host/xhci-debugfs.c
3 issues
Line: 129
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return;
va_start(args, fmt);
vsnprintf(rgs->name, sizeof(rgs->name), fmt, args);
va_end(args);
regset = &rgs->regset;
regset->regs = regs;
regset->nregs = nregs;
Reported by FlawFinder.
Line: 362
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *s = file->private_data;
struct xhci_port *port = s->private;
struct xhci_hcd *xhci = hcd_to_xhci(port->rhub->hcd);
char buf[32];
u32 portsc;
unsigned long flags;
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
Reported by FlawFinder.
Line: 629
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dentry *parent)
{
unsigned int num_ports;
char port_name[8];
struct xhci_port *port;
struct dentry *dir;
num_ports = HCS_MAX_PORTS(xhci->hcs_params1);
Reported by FlawFinder.
drivers/usb/host/xhci-debugfs.h
3 issues
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
struct xhci_regset {
char name[DEBUGFS_NAMELEN];
struct debugfs_regset32 regset;
size_t nregs;
struct list_head list;
};
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xhci_ep_priv {
char name[DEBUGFS_NAMELEN];
struct dentry *root;
struct xhci_stream_info *stream_info;
struct xhci_ring *show_ring;
unsigned int stream_id;
};
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xhci_slot_priv {
char name[DEBUGFS_NAMELEN];
struct dentry *root;
struct xhci_ep_priv *eps[31];
struct xhci_virt_device *dev;
};
Reported by FlawFinder.