The following issues were found
drivers/usb/host/xhci-tegra.c
3 issues
Line: 878
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
header = (struct tegra_xusb_fw_header *)tegra->fw.virt;
memcpy(tegra->fw.virt, fw->data, tegra->fw.size);
release_firmware(fw);
return 0;
}
Reported by FlawFinder.
Line: 1581
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
for (i = 0, k = 0; i < tegra->soc->num_types; i++) {
char prop[8];
for (j = 0; j < tegra->soc->phy_types[i].num; j++) {
snprintf(prop, sizeof(prop), "%s-%d",
tegra->soc->phy_types[i].name, j);
Reported by FlawFinder.
Line: 1197
Column: 12
CWE codes:
126
for (i = 0; i < tegra->soc->num_types; i++) {
if (!strncmp(tegra->soc->phy_types[i].name, name,
strlen(name)))
return tegra->phys[phy_count+port];
phy_count += tegra->soc->phy_types[i].num;
}
Reported by FlawFinder.
drivers/video/fbdev/geode/gx1fb_core.c
3 issues
Line: 23
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "display_gx1.h"
#include "video_cs5530.h"
static char mode_option[32] = "640x480-16@60";
static int crt_option = 1;
static char panel_option[32] = "";
/* Modes relevant to the GX1 (taken from modedb.c) */
static const struct fb_videomode gx1_modedb[] = {
Reported by FlawFinder.
Line: 25
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char mode_option[32] = "640x480-16@60";
static int crt_option = 1;
static char panel_option[32] = "";
/* Modes relevant to the GX1 (taken from modedb.c) */
static const struct fb_videomode gx1_modedb[] = {
/* 640x480-60 VESA */
{ NULL, 60, 640, 480, 39682, 48, 16, 33, 10, 96, 2,
Reported by FlawFinder.
Line: 279
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
par = info->par;
strcpy(info->fix.id, "GX1");
info->fix.type = FB_TYPE_PACKED_PIXELS;
info->fix.type_aux = 0;
info->fix.xpanstep = 0;
info->fix.ypanstep = 0;
Reported by FlawFinder.
drivers/usb/misc/isight_firmware.c
3 issues
Line: 41
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int llen, len, req, ret = 0;
const struct firmware *firmware;
unsigned char *buf = kmalloc(50, GFP_KERNEL);
unsigned char data[4];
const u8 *ptr;
if (!buf)
return -ENOMEM;
Reported by FlawFinder.
Line: 66
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
while (ptr+4 <= firmware->data+firmware->size) {
memcpy(data, ptr, 4);
len = (data[0] << 8 | data[1]);
req = (data[2] << 8 | data[3]);
ptr += 4;
if (len == 0x8001)
Reported by FlawFinder.
Line: 85
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -ENODEV;
goto out;
}
memcpy(buf, ptr, llen);
ptr += llen;
if (usb_control_msg
(dev, usb_sndctrlpipe(dev, 0), 0xa0, 0x40, req, 0,
Reported by FlawFinder.
drivers/staging/rtl8192u/ieee80211/rtl819x_TSProc.c
3 issues
Line: 274
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pTsCommonInfo == NULL)
return;
memcpy(pTsCommonInfo->addr, Addr, 6);
if (pTSPEC != NULL)
memcpy((u8 *)(&(pTsCommonInfo->t_spec)), (u8 *)pTSPEC, sizeof(struct tspec_body));
for (count = 0; count < TCLAS_Num; count++)
Reported by FlawFinder.
Line: 277
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pTsCommonInfo->addr, Addr, 6);
if (pTSPEC != NULL)
memcpy((u8 *)(&(pTsCommonInfo->t_spec)), (u8 *)pTSPEC, sizeof(struct tspec_body));
for (count = 0; count < TCLAS_Num; count++)
memcpy((u8 *)(&(pTsCommonInfo->t_class[count])), (u8 *)pTCLAS, sizeof(union qos_tclas));
pTsCommonInfo->t_clas_proc = TCLAS_Proc;
Reported by FlawFinder.
Line: 280
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy((u8 *)(&(pTsCommonInfo->t_spec)), (u8 *)pTSPEC, sizeof(struct tspec_body));
for (count = 0; count < TCLAS_Num; count++)
memcpy((u8 *)(&(pTsCommonInfo->t_class[count])), (u8 *)pTCLAS, sizeof(union qos_tclas));
pTsCommonInfo->t_clas_proc = TCLAS_Proc;
pTsCommonInfo->t_clas_num = TCLAS_Num;
}
Reported by FlawFinder.
drivers/target/target_core_file.c
3 issues
Line: 799
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t bl = 0;
bl = sprintf(b + bl, "TCM FILEIO ID: %u", fd_dev->fd_dev_id);
bl += sprintf(b + bl, " File: %s Size: %llu Mode: %s Async: %d\n",
fd_dev->fd_dev_name, fd_dev->fd_dev_size,
(fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) ?
"Buffered-WCE" : "O_DSYNC",
!!(fd_dev->fbd_flags & FDBD_HAS_ASYNC_IO));
return bl;
Reported by FlawFinder.
Line: 798
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct fd_dev *fd_dev = FD_DEV(dev);
ssize_t bl = 0;
bl = sprintf(b + bl, "TCM FILEIO ID: %u", fd_dev->fd_dev_id);
bl += sprintf(b + bl, " File: %s Size: %llu Mode: %s Async: %d\n",
fd_dev->fd_dev_name, fd_dev->fd_dev_size,
(fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) ?
"Buffered-WCE" : "O_DSYNC",
!!(fd_dev->fbd_flags & FDBD_HAS_ASYNC_IO));
Reported by FlawFinder.
Line: 833
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct file *prot_file, *file = fd_dev->fd_file;
struct inode *inode;
int ret, flags = O_RDWR | O_CREAT | O_LARGEFILE | O_DSYNC;
char buf[FD_MAX_DEV_PROT_NAME];
if (!file) {
pr_err("Unable to locate fd_dev->fd_file\n");
return -ENODEV;
}
Reported by FlawFinder.
drivers/staging/rtl8192u/r819xU_cmdpkt.c
3 issues
Line: 42
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb = dev_alloc_skb(USB_HWDESC_HEADER_LEN + DataLen + 4);
if (!skb)
return RT_STATUS_FAILURE;
memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
tcb_desc = (struct cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
tcb_desc->queue_index = TXCMD_QUEUE;
tcb_desc->bCmdOrInit = DESC_PACKET_TYPE_NORMAL;
tcb_desc->bLastIniPkt = 0;
skb_reserve(skb, USB_HWDESC_HEADER_LEN);
Reported by FlawFinder.
Line: 158
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* endian type before copy the message copy.
*/
/* Use pointer to transfer structure memory. */
memcpy((u8 *)&rx_tx_fb, pmsg, sizeof(struct cmd_pkt_tx_feedback));
/* 2. Use tx feedback info to count TX statistics. */
cmpk_count_txstatistic(dev, &rx_tx_fb);
/* Comment previous method for TX statistic function. */
/* Collect info TX feedback packet to fill TCB. */
/* We can not know the packet length and transmit type: broadcast or uni
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
cmpk_tx_status_t rx_tx_sts;
memcpy((void *)&rx_tx_sts, (void *)pmsg, sizeof(cmpk_tx_status_t));
/* 2. Use tx feedback info to count TX statistics. */
cmpk_count_tx_status(dev, &rx_tx_sts);
}
/*-----------------------------------------------------------------------------
Reported by FlawFinder.
drivers/soc/ti/knav_dma.c
3 issues
Line: 694
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
dma->max_rx_flow = max_rx_flow;
dma->max_tx_chan = min(max_tx_chan, max_tx_sched);
atomic_set(&dma->ref_count, 0);
strcpy(dma->name, node->name);
spin_lock_init(&dma->lock);
for (i = 0; i < dma->max_tx_chan; i++) {
if (pktdma_init_chan(dma, DMA_MEM_TO_DEV, i) >= 0)
num_chan++;
Reported by FlawFinder.
Line: 108
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct reg_tx_sched __iomem *reg_tx_sched;
unsigned max_rx_chan, max_tx_chan;
unsigned max_rx_flow;
char name[32];
atomic_t ref_count;
struct list_head list;
struct list_head chan_list;
spinlock_t lock;
};
Reported by FlawFinder.
Line: 204
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Keep a copy of the cfg */
memcpy(&chan->cfg, cfg, sizeof(*cfg));
spin_unlock(&chan->lock);
return 0;
}
Reported by FlawFinder.
drivers/scsi/scsi_error.c
3 issues
Line: 1012
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scmd->sc_data_direction = DMA_NONE;
if (cmnd) {
BUG_ON(cmnd_size > BLK_MAX_CDB);
memcpy(scmd->cmnd, cmnd, cmnd_size);
scmd->cmd_len = COMMAND_SIZE(scmd->cmnd[0]);
}
}
scmd->underflow = 0;
Reported by FlawFinder.
Line: 1313
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int scsi_eh_tur(struct scsi_cmnd *scmd)
{
static unsigned char tur_command[6] = {TEST_UNIT_READY, 0, 0, 0, 0, 0};
int retry_cnt = 1;
enum scsi_disposition rtn;
retry_tur:
rtn = scsi_send_eh_cmnd(scmd, tur_command, 6,
Reported by FlawFinder.
Line: 1400
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int scsi_eh_try_stu(struct scsi_cmnd *scmd)
{
static unsigned char stu_command[6] = {START_STOP, 0, 0, 0, 1, 0};
if (scmd->device->allow_restart) {
int i;
enum scsi_disposition rtn = NEEDS_RETRY;
Reported by FlawFinder.
drivers/usb/musb/musb_dsps.c
3 issues
Line: 413
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct dentry *root;
char buf[128];
sprintf(buf, "%s.dsps", dev_name(musb->controller));
root = debugfs_create_dir(buf, usb_debug_root);
glue->dbgfs_root = root;
glue->regset.regs = dsps_musb_regs;
glue->regset.nregs = ARRAY_SIZE(dsps_musb_regs);
Reported by FlawFinder.
Line: 411
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int dsps_musb_dbg_init(struct musb *musb, struct dsps_glue *glue)
{
struct dentry *root;
char buf[128];
sprintf(buf, "%s.dsps", dev_name(musb->controller));
root = debugfs_create_dir(buf, usb_debug_root);
glue->dbgfs_root = root;
Reported by FlawFinder.
Line: 636
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Read any remaining 1 to 3 bytes */
if (len > 0) {
u32 val = musb_readl(fifo, 0);
memcpy(dst, &val, len);
}
}
#ifdef CONFIG_USB_TI_CPPI41_DMA
static void dsps_dma_controller_callback(struct dma_controller *c)
Reported by FlawFinder.
drivers/target/target_core_stat.c
3 issues
Line: 1310
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct se_session *se_sess;
struct se_portal_group *tpg;
ssize_t ret;
unsigned char buf[64];
spin_lock_irq(&nacl->nacl_sess_lock);
se_sess = nacl->nacl_sess;
if (!se_sess) {
spin_unlock_irq(&nacl->nacl_sess_lock);
Reported by FlawFinder.
Line: 226
Column: 5
CWE codes:
126
/* scsiLuWwnName */
return snprintf(page, PAGE_SIZE, "%s\n",
(strlen(dev->t10_wwn.unit_serial)) ?
dev->t10_wwn.unit_serial : "None");
}
static ssize_t target_stat_lu_vend_show(struct config_item *item, char *page)
{
Reported by FlawFinder.
Line: 775
Column: 6
CWE codes:
126
/* scsiTransportDevName */
ret = snprintf(page, PAGE_SIZE, "%s+%s\n",
tpg->se_tpg_tfo->tpg_get_wwn(tpg),
(strlen(wwn->unit_serial)) ? wwn->unit_serial :
wwn->vendor);
}
rcu_read_unlock();
return ret;
}
Reported by FlawFinder.