The following issues were found
drivers/usb/serial/kobil_sct.c
3 issues
Line: 106
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct kobil_private {
unsigned char buf[KOBIL_BUF_LENGTH]; /* buffer for the APDU to send */
int filled; /* index of the last char in buf */
int cur_pos; /* index of the next char to send in buf */
__u16 device_type;
};
Reported by FlawFinder.
Line: 313
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy data to buffer */
memcpy(priv->buf + priv->filled, buf, count);
usb_serial_debug_data(&port->dev, __func__, count, priv->buf + priv->filled);
priv->filled = priv->filled + count;
/* only send complete block. TWIN, KAAN SIM and adapter K
use the same protocol. */
Reported by FlawFinder.
Line: 332
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* max 8 byte in one urb (endpoint size) */
length = min(todo, port->interrupt_out_size);
/* copy data to transfer buffer */
memcpy(port->interrupt_out_buffer,
priv->buf + priv->cur_pos, length);
port->interrupt_out_urb->transfer_buffer_length = length;
priv->cur_pos = priv->cur_pos + length;
result = usb_submit_urb(port->interrupt_out_urb,
Reported by FlawFinder.
drivers/usb/serial/mos7840.c
3 issues
Line: 918
CWE codes:
788
status = usb_submit_urb(urb, GFP_ATOMIC);
if (status) {
mos7840_port->busy[i] = 0;
dev_err_console(port, "%s - usb_submit_urb(write bulk) failed "
"with status = %d\n", __func__, status);
bytes_sent = status;
goto exit;
}
Reported by Cppcheck.
Line: 210
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
spinlock_t pool_lock;
struct urb *write_urb_pool[NUM_URBS];
char busy[NUM_URBS];
bool read_urb_busy;
/* For device(s) with LED indicator */
bool has_led;
struct timer_list led_timer1; /* Timer for LED on */
Reported by FlawFinder.
Line: 888
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
transfer_size = min(count, URB_TRANSFER_BUFFER_SIZE);
memcpy(urb->transfer_buffer, current_position, transfer_size);
/* fill urb with data and submit */
if ((serial->num_ports == 2) && (((__u16)port->port_number % 2) != 0)) {
usb_fill_bulk_urb(urb,
serial->dev,
Reported by FlawFinder.
drivers/thermal/armada_thermal.c
3 issues
Line: 71
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct armada_thermal_priv {
struct device *dev;
struct regmap *syscon;
char zone_name[THERMAL_NAME_LENGTH];
/* serialize temperature reads/updates */
struct mutex update_lock;
struct armada_thermal_data *data;
struct thermal_zone_device *overheat_sensor;
int interrupt_source;
Reported by FlawFinder.
Line: 750
Column: 6
CWE codes:
126
const char *name = dev_name(&pdev->dev);
char *insane_char;
if (strlen(name) > THERMAL_NAME_LENGTH) {
/*
* When inside a system controller, the device name has the
* form: f06f8000.system-controller:ap-thermal so stripping
* after the ':' should give us a shorter but meaningful name.
*/
Reported by FlawFinder.
Line: 764
Column: 2
CWE codes:
120
}
/* Save the name locally */
strncpy(priv->zone_name, name, THERMAL_NAME_LENGTH - 1);
priv->zone_name[THERMAL_NAME_LENGTH - 1] = '\0';
/* Then check there are no '-' or hwmon core will complain */
do {
insane_char = strpbrk(priv->zone_name, "-");
Reported by FlawFinder.
drivers/video/fbdev/imsttfb.c
3 issues
Line: 1425
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return;
}
sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? "IBM" : "TVP");
info->fix.mmio_len = 0x1000;
info->fix.accel = FB_ACCEL_IMS_TWINTURBO;
info->fix.type = FB_TYPE_PACKED_PIXELS;
info->fix.visual = info->var.bits_per_pixel == 8 ? FB_VISUAL_PSEUDOCOLOR
: FB_VISUAL_DIRECTCOLOR;
Reported by FlawFinder.
Line: 334
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define INIT_YRES 480
static int inverse = 0;
static char fontname[40] __initdata = { 0 };
#if defined(CONFIG_PPC_PMAC)
static signed char init_vmode = -1, init_cmode = -1;
#endif
static struct imstt_regvals tvp_reg_init_2 = {
Reported by FlawFinder.
Line: 1573
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < sizeof(fontname) - 1; i++)
if (!*p || *p == ' ' || *p == ',')
break;
memcpy(fontname, this_opt + 5, i);
fontname[i] = 0;
} else if (!strncmp(this_opt, "inverse", 7)) {
inverse = 1;
fb_invert_cmaps();
}
Reported by FlawFinder.
drivers/usb/serial/whiteheat.c
3 issues
Line: 514
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
} else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
(urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
memcpy(command_info->result_buffer, &data[1],
urb->actual_length - 1);
command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
wake_up(&command_info->wait_command);
} else
dev_dbg(&urb->dev->dev, "%s - bad reply from firmware\n", __func__);
Reported by FlawFinder.
Line: 556
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
transfer_buffer = (__u8 *)command_port->write_urb->transfer_buffer;
transfer_buffer[0] = command;
memcpy(&transfer_buffer[1], data, datasize);
command_port->write_urb->transfer_buffer_length = datasize + 1;
retval = usb_submit_urb(command_port->write_urb, GFP_NOIO);
if (retval) {
dev_dbg(dev, "%s - submit urb failed\n", __func__);
goto exit;
Reported by FlawFinder.
Line: 587
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (command) {
case WHITEHEAT_GET_DTR_RTS:
info = usb_get_serial_port_data(port);
memcpy(&info->mcr, command_info->result_buffer,
sizeof(struct whiteheat_dr_info));
break;
}
}
exit:
Reported by FlawFinder.
drivers/thermal/intel/int340x_thermal/processor_thermal_rfim.c
3 issues
Line: 92
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ret;\
reg_val = readl((void __iomem *) (proc_priv->mmio_base + mmio_regs[ret].offset));\
ret = (reg_val >> mmio_regs[ret].shift) & mmio_regs[ret].mask;\
return sprintf(buf, "%u\n", ret);\
}
#define RFIM_STORE(suffix, table)\
static ssize_t suffix##_store(struct device *dev,\
struct device_attribute *attr,\
Reported by FlawFinder.
Line: 225
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%u\n", cmd_resp);
}
static ssize_t ddr_data_rate_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 240
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%u\n", cmd_resp);
}
static DEVICE_ATTR_RW(rfi_restriction);
static DEVICE_ATTR_RO(ddr_data_rate);
Reported by FlawFinder.
drivers/scsi/qla2xxx/tcm_qla2xxx.h
3 issues
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Binary World Wide unique Node Name for remote FC Initiator Nport */
u64 nport_wwnn;
/* ASCII formatted WWPN for FC Initiator Nport */
char nport_name[TCM_QLA2XXX_NAMELEN];
/* Pointer to fc_port */
struct fc_port *fc_port;
/* Pointer to TCM FC nexus */
struct se_session *nport_nexus;
};
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Binary World Wide unique Node Name for FC NPIV Target Lport */
u64 lport_npiv_wwnn;
/* ASCII formatted WWPN for FC Target Lport */
char lport_name[TCM_QLA2XXX_NAMELEN];
/* ASCII formatted naa WWPN for VPD page 83 etc */
char lport_naa_name[TCM_QLA2XXX_NAMELEN];
/* map for fc_port pointers in 24-bit FC Port ID space */
struct btree_head32 lport_fcport_map;
/* vmalloc-ed memory for fc_port pointers for 16-bit FC loop ID */
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* ASCII formatted WWPN for FC Target Lport */
char lport_name[TCM_QLA2XXX_NAMELEN];
/* ASCII formatted naa WWPN for VPD page 83 etc */
char lport_naa_name[TCM_QLA2XXX_NAMELEN];
/* map for fc_port pointers in 24-bit FC Port ID space */
struct btree_head32 lport_fcport_map;
/* vmalloc-ed memory for fc_port pointers for 16-bit FC loop ID */
struct tcm_qla2xxx_fc_loopid *lport_loopid_map;
/* Pointer to struct scsi_qla_host from qla2xxx LLD */
Reported by FlawFinder.
drivers/scsi/qla2xxx/qla_tmpl.c
3 issues
Line: 824
{
typeof(*qla27xx_fwdt_entry_call) *list = qla27xx_fwdt_entry_call;
while (list->type < type)
list++;
if (list->type == type)
return list->call;
return qla27xx_fwdt_entry_other;
Reported by Cppcheck.
Line: 39
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (buf && mem && size) {
buf += *len;
memcpy(buf, mem, size);
}
*len += size;
}
static inline void
Reported by FlawFinder.
Line: 949
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (qla27xx_fwdt_template_valid(tmp)) {
len = le32_to_cpu(tmp->template_size);
tmp = memcpy(buf, tmp, len);
ql27xx_edit_template(vha, tmp);
qla27xx_walk_template(vha, tmp, buf, &len);
}
return len;
Reported by FlawFinder.
drivers/usb/storage/onetouch.c
3 issues
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void onetouch_release_input(void *onetouch_);
struct usb_onetouch {
char name[128];
char phys[64];
struct input_dev *dev; /* input device interface */
struct usb_device *udev; /* usb device */
struct urb *irq; /* urb for interrupt in report */
Reported by FlawFinder.
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_onetouch {
char name[128];
char phys[64];
struct input_dev *dev; /* input device interface */
struct usb_device *udev; /* usb device */
struct urb *irq; /* urb for interrupt in report */
unsigned char *data; /* input data */
Reported by FlawFinder.
Line: 212
Column: 7
CWE codes:
126
strlcat(onetouch->name, udev->product, sizeof(onetouch->name));
}
if (!strlen(onetouch->name))
snprintf(onetouch->name, sizeof(onetouch->name),
"Maxtor Onetouch %04x:%04x",
le16_to_cpu(udev->descriptor.idVendor),
le16_to_cpu(udev->descriptor.idProduct));
Reported by FlawFinder.
drivers/usb/storage/scsiglue.c
3 issues
Line: 388
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((us->fflags & US_FL_NO_ATA_1X) &&
(srb->cmnd[0] == ATA_12 || srb->cmnd[0] == ATA_16)) {
memcpy(srb->sense_buffer, usb_stor_sense_invalidCDB,
sizeof(usb_stor_sense_invalidCDB));
srb->result = SAM_STAT_CHECK_CONDITION;
done(srb);
return 0;
}
Reported by FlawFinder.
Line: 573
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scsi_device *sdev = to_scsi_device(dev);
return sprintf(buf, "%u\n", queue_max_hw_sectors(sdev->request_queue));
}
/* Input routine for the sysfs max_sectors file */
static ssize_t max_sectors_store(struct device *dev, struct device_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 673
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
EXPORT_SYMBOL_GPL(usb_stor_host_template_init);
/* To Report "Illegal Request: Invalid Field in CDB */
unsigned char usb_stor_sense_invalidCDB[18] = {
[0] = 0x70, /* current error */
[2] = ILLEGAL_REQUEST, /* Illegal Request = 0x05 */
[7] = 0x0a, /* additional length */
[12] = 0x24 /* Invalid Field in CDB */
};
Reported by FlawFinder.