The following issues were found
drivers/staging/rtl8712/hal_init.c
3 issues
Line: 203
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
txdesc->txdw0 |= cpu_to_le32(dump_imem_sz &
0x0000ffff);
memcpy(payload, ptr, dump_imem_sz);
r8712_write_mem(adapter, RTL8712_DMA_VOQ,
dump_imem_sz + TXDESC_SIZE,
(u8 *)txdesc);
ptr += dump_imem_sz;
imem_sz -= dump_imem_sz;
Reported by FlawFinder.
Line: 232
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
txdesc->txdw0 |= cpu_to_le32(dump_emem_sz &
0x0000ffff);
memcpy(payload, ptr, dump_emem_sz);
r8712_write_mem(adapter, RTL8712_DMA_VOQ,
dump_emem_sz + TXDESC_SIZE,
(u8 *)txdesc);
ptr += dump_emem_sz;
emem_sz -= dump_emem_sz;
Reported by FlawFinder.
Line: 285
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(txdesc, 0, TXDESC_SIZE);
txdesc->txdw0 |= cpu_to_le32(fwhdr.fw_priv_sz & 0x0000ffff);
txdesc->txdw0 |= cpu_to_le32(BIT(28));
memcpy(payload, &fwhdr.fwpriv, fwhdr.fw_priv_sz);
r8712_write_mem(adapter, RTL8712_DMA_VOQ,
fwhdr.fw_priv_sz + TXDESC_SIZE, (u8 *)txdesc);
/* polling dmem code done */
i = 100;
Reported by FlawFinder.
drivers/spmi/hisi-spmi-controller.c
3 issues
Line: 166
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i * SPMI_PER_DATAREG_BYTE);
data = be32_to_cpu((__be32 __force)data);
if ((bc - i * SPMI_PER_DATAREG_BYTE) >> 2) {
memcpy(buf, &data, sizeof(data));
buf += sizeof(data);
} else {
memcpy(buf, &data, bc % SPMI_PER_DATAREG_BYTE);
buf += (bc % SPMI_PER_DATAREG_BYTE);
}
Reported by FlawFinder.
Line: 169
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf, &data, sizeof(data));
buf += sizeof(data);
} else {
memcpy(buf, &data, bc % SPMI_PER_DATAREG_BYTE);
buf += (bc % SPMI_PER_DATAREG_BYTE);
}
}
done:
Reported by FlawFinder.
Line: 235
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&data, buf, sizeof(data));
buf += sizeof(data);
} else {
memcpy(&data, buf, bc % SPMI_PER_DATAREG_BYTE);
buf += (bc % SPMI_PER_DATAREG_BYTE);
}
writel((u32 __force)cpu_to_be32(data),
spmi_controller->base + chnl_ofst +
Reported by FlawFinder.
drivers/usb/musb/ux500.c
3 issues
Line: 193
Column: 6
CWE codes:
126
{
struct musb_hdrc_platform_data *pdata;
const char *mode;
int strlen;
pdata = devm_kzalloc(&pdev->dev, sizeof(*pdata), GFP_KERNEL);
if (!pdata)
return NULL;
Reported by FlawFinder.
Line: 199
Column: 41
CWE codes:
126
if (!pdata)
return NULL;
mode = of_get_property(np, "dr_mode", &strlen);
if (!mode) {
dev_err(&pdev->dev, "No 'dr_mode' property found\n");
return NULL;
}
Reported by FlawFinder.
Line: 205
Column: 6
CWE codes:
126
return NULL;
}
if (strlen > 0) {
if (!strcmp(mode, "host"))
pdata->mode = MUSB_HOST;
if (!strcmp(mode, "otg"))
pdata->mode = MUSB_OTG;
if (!strcmp(mode, "peripheral"))
Reported by FlawFinder.
drivers/target/target_core_xcopy.h
3 issues
Line: 26
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct se_cmd *xop_se_cmd;
struct se_device *src_dev;
unsigned char src_tid_wwn[XCOPY_NAA_IEEE_REGEX_LEN];
struct se_device *dst_dev;
unsigned char dst_tid_wwn[XCOPY_NAA_IEEE_REGEX_LEN];
unsigned char local_dev_wwn[XCOPY_NAA_IEEE_REGEX_LEN];
struct percpu_ref *remote_lun_ref;
Reported by FlawFinder.
Line: 28
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct se_device *src_dev;
unsigned char src_tid_wwn[XCOPY_NAA_IEEE_REGEX_LEN];
struct se_device *dst_dev;
unsigned char dst_tid_wwn[XCOPY_NAA_IEEE_REGEX_LEN];
unsigned char local_dev_wwn[XCOPY_NAA_IEEE_REGEX_LEN];
struct percpu_ref *remote_lun_ref;
sector_t src_lba;
sector_t dst_lba;
Reported by FlawFinder.
Line: 29
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char src_tid_wwn[XCOPY_NAA_IEEE_REGEX_LEN];
struct se_device *dst_dev;
unsigned char dst_tid_wwn[XCOPY_NAA_IEEE_REGEX_LEN];
unsigned char local_dev_wwn[XCOPY_NAA_IEEE_REGEX_LEN];
struct percpu_ref *remote_lun_ref;
sector_t src_lba;
sector_t dst_lba;
unsigned short stdi;
Reported by FlawFinder.
drivers/target/tcm_fc/tcm_fc.h
3 issues
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ft_lun {
u32 index;
char name[FT_LUN_NAMELEN];
};
/*
* Target portal group (local port).
*/
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ft_lport_wwn {
u64 wwpn;
char name[FT_NAMELEN];
struct list_head ft_wwn_node;
struct ft_tpg *tpg;
struct se_wwn se_wwn;
};
Reported by FlawFinder.
Line: 114
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 write_data_len; /* data received on writes */
struct work_struct work;
/* Local sense buffer */
unsigned char ft_sense_buffer[TRANSPORT_SENSE_BUFFER];
u32 was_ddp_setup:1; /* Set only if ddp is setup */
u32 aborted:1; /* Set if aborted by reset or timeout */
struct scatterlist *sg; /* Set only if DDP is setup */
u32 sg_cnt; /* No. of item in scatterlist */
};
Reported by FlawFinder.
drivers/staging/rtl8712/rtl8712_cmd.c
3 issues
Line: 176
CWE codes:
908
struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
if (pcmd->rsp && pcmd->rspsz > 0)
memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
if (!pcmd_callback)
r8712_free_cmd_obj(pcmd);
else
pcmd_callback(padapter, pcmd);
Reported by Cppcheck.
Line: 176
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
if (pcmd->rsp && pcmd->rspsz > 0)
memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
if (!pcmd_callback)
r8712_free_cmd_obj(pcmd);
else
pcmd_callback(padapter, pcmd);
Reported by FlawFinder.
Line: 356
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(pcmd->cmdcode << 16) |
(pcmdpriv->cmd_seq << 24));
pcmdbuf += 2; /* 8 bytes alignment */
memcpy((u8 *)pcmdbuf, pcmd->parmbuf, pcmd->cmdsz);
if (blnPending)
wr_sz += 8; /* Append 8 bytes */
r8712_write_mem(padapter, RTL8712_DMA_H2CCMD, wr_sz,
(u8 *)pdesc);
pcmdpriv->cmd_seq++;
Reported by FlawFinder.
drivers/spi/spi-zynqmp-gqspi.c
3 issues
Line: 347
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void zynqmp_qspi_copy_read_data(struct zynqmp_qspi *xqspi,
ulong data, u8 size)
{
memcpy(xqspi->rxbuf, &data, size);
xqspi->rxbuf += size;
xqspi->bytes_to_receive -= size;
}
/**
Reported by FlawFinder.
Line: 513
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while ((xqspi->bytes_to_transfer > 0) && (count < size) && (xqspi->txbuf)) {
if (xqspi->bytes_to_transfer >= 4) {
memcpy(&intermediate, xqspi->txbuf, 4);
xqspi->txbuf += 4;
xqspi->bytes_to_transfer -= 4;
count += 4;
} else {
memcpy(&intermediate, xqspi->txbuf,
Reported by FlawFinder.
Line: 518
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xqspi->bytes_to_transfer -= 4;
count += 4;
} else {
memcpy(&intermediate, xqspi->txbuf,
xqspi->bytes_to_transfer);
xqspi->txbuf += xqspi->bytes_to_transfer;
xqspi->bytes_to_transfer = 0;
count += xqspi->bytes_to_transfer;
}
Reported by FlawFinder.
drivers/usb/serial/io_ti.c
3 issues
Line: 838
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Pointer to fw_down memory image */
img_header = (struct ti_i2c_image_header *)&fw->data[4];
memcpy(buffer + sizeof(struct ti_i2c_firmware_rec),
&fw->data[4 + sizeof(struct ti_i2c_image_header)],
le16_to_cpu(img_header->Length));
for (i=0; i < buffer_size; i++) {
cs = (u8)(cs + buffer[i]);
Reported by FlawFinder.
Line: 1462
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Initialize the buffer to 0xff (pad the buffer) */
memset(buffer, 0xff, buffer_size);
memcpy(buffer, &fw->data[4], fw->size - 4);
for (i = sizeof(struct ti_i2c_image_header);
i < buffer_size; i++) {
cs = (u8)(cs + buffer[i]);
}
Reported by FlawFinder.
Line: 2610
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct usb_serial_port *port = to_usb_serial_port(dev);
struct edgeport_port *edge_port = usb_get_serial_port_data(port);
return sprintf(buf, "%d\n", edge_port->bUartMode);
}
static ssize_t uart_mode_store(struct device *dev,
struct device_attribute *attr, const char *valbuf, size_t count)
{
Reported by FlawFinder.
drivers/staging/most/i2c/i2c.c
3 issues
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool int_disabled;
unsigned int delay;
} rx;
char name[64];
};
#define to_hdm(iface) container_of(iface, struct hdm_i2c, most_iface)
static irqreturn_t most_irq_handler(int, void *);
Reported by FlawFinder.
Line: 193
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void do_rx_work(struct hdm_i2c *dev)
{
struct mbo *mbo;
unsigned char msg[MAX_BUF_SIZE_CONTROL];
int ret;
u16 pml, data_size;
/* Read PML (2 bytes) */
ret = i2c_master_recv(dev->client, msg, 2);
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list_del(&mbo->list);
mbo->processed_length = min(data_size, mbo->buffer_length);
memcpy(mbo->virt_address, msg, mbo->processed_length);
mbo->status = MBO_SUCCESS;
mbo->complete(mbo);
}
/**
Reported by FlawFinder.
drivers/usb/serial/iuu_phoenix.c
3 issues
Line: 611
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*buf_ptr++ = IUU_UART_TX;
*buf_ptr++ = priv->writelen;
memcpy(buf_ptr, priv->writebuf, priv->writelen);
buf_len = priv->writelen;
priv->writelen = 0;
spin_unlock_irqrestore(&priv->lock, flags);
dev_dbg(&port->dev, "%s - writing %i chars : %*ph\n", __func__,
buf_len, buf_len, buf_ptr);
Reported by FlawFinder.
Line: 711
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
/* fill the buffer */
memcpy(priv->writebuf + priv->writelen, buf, count);
priv->writelen += count;
out:
spin_unlock_irqrestore(&priv->lock, flags);
return count;
Reported by FlawFinder.
Line: 1113
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct usb_serial_port *port = to_usb_serial_port(dev);
struct iuu_private *priv = usb_get_serial_port_data(port);
return sprintf(buf, "%d\n", priv->vcc);
}
static ssize_t vcc_mode_store(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.