The following issues were found
drivers/spi/spi-tle62x0.c
3 issues
Line: 122
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
for (ptr = 0; ptr < st->nr_gpio; ptr++) {
bp += sprintf(bp, "%s ", decode_fault(fault >> (ptr * 2)));
}
*bp++ = '\n';
mutex_unlock(&st->lock);
Reported by FlawFinder.
Line: 32
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int nr_gpio;
unsigned int gpio_state;
unsigned char tx_buff[4];
unsigned char rx_buff[4];
};
static int to_gpio_num(struct device_attribute *attr);
Reported by FlawFinder.
Line: 33
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int gpio_state;
unsigned char tx_buff[4];
unsigned char rx_buff[4];
};
static int to_gpio_num(struct device_attribute *attr);
static inline int tle62x0_write(struct tle62x0_state *st)
Reported by FlawFinder.
drivers/usb/storage/uas.c
3 issues
Line: 194
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
urb->actual_length, len, newlen);
len = newlen;
}
memcpy(cmnd->sense_buffer, sense_iu->sense, len);
}
cmnd->result = sense_iu->status;
}
Reported by FlawFinder.
Line: 520
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iu->prio_attr = UAS_SIMPLE_TAG;
iu->len = len;
int_to_scsilun(sdev->lun, &iu->lun);
memcpy(iu->cdb, cmnd->cmnd, cmnd->cmd_len);
usb_fill_bulk_urb(urb, udev, devinfo->cmd_pipe, iu, sizeof(*iu) + len,
uas_cmd_cmplt, NULL);
urb->transfer_flags |= URB_FREE_BUFFER;
out:
Reported by FlawFinder.
Line: 653
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((devinfo->flags & US_FL_NO_ATA_1X) &&
(cmnd->cmnd[0] == ATA_12 || cmnd->cmnd[0] == ATA_16)) {
memcpy(cmnd->sense_buffer, usb_stor_sense_invalidCDB,
sizeof(usb_stor_sense_invalidCDB));
cmnd->result = SAM_STAT_CHECK_CONDITION;
cmnd->scsi_done(cmnd);
return 0;
}
Reported by FlawFinder.
drivers/staging/rtl8712/rtl871x_mp_ioctl.c
3 issues
Line: 163
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
/* 3 1. initialize a new struct wlan_bssid_ex */
memcpy(bssid->MacAddress, pmppriv->network_macaddr, ETH_ALEN);
bssid->Ssid.SsidLength = 16;
memcpy(bssid->Ssid.Ssid, (unsigned char *)"mp_pseudo_adhoc",
bssid->Ssid.SsidLength);
bssid->InfrastructureMode = Ndis802_11IBSS;
bssid->NetworkTypeInUse = Ndis802_11DS;
Reported by FlawFinder.
Line: 165
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* 3 1. initialize a new struct wlan_bssid_ex */
memcpy(bssid->MacAddress, pmppriv->network_macaddr, ETH_ALEN);
bssid->Ssid.SsidLength = 16;
memcpy(bssid->Ssid.Ssid, (unsigned char *)"mp_pseudo_adhoc",
bssid->Ssid.SsidLength);
bssid->InfrastructureMode = Ndis802_11IBSS;
bssid->NetworkTypeInUse = Ndis802_11DS;
bssid->IELength = 0;
length = r8712_get_wlan_bssid_ex_sz(bssid);
Reported by FlawFinder.
Line: 200
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* 3 3. join pseudo AdHoc */
tgt_network->join_res = 1;
tgt_network->aid = psta->aid = 1;
memcpy(&tgt_network->network, bssid, length);
_clr_fwstate_(pmlmepriv, _FW_UNDER_LINKING);
r8712_os_indicate_connect(padapter);
/* Set to LINKED STATE for MP TRX Testing */
set_fwstate(pmlmepriv, _FW_LINKED);
end_of_mp_start_test:
Reported by FlawFinder.
drivers/scsi/qla2xxx/qla_def.h
3 issues
Line: 2595
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define FCS_DEVICE_LOST 3
#define FCS_ONLINE 4
extern const char *const port_state_str[5];
static const char * const port_dstate_str[] = {
"DELETED",
"GNN_ID",
"GNL",
Reported by FlawFinder.
Line: 3354
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int in_use;
uint32_t vector;
uint16_t entry;
char name[30];
void *handle;
int cpuid;
};
#define WATCH_INTERVAL 1 /* number of seconds */
Reported by FlawFinder.
Line: 4433
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint16_t product_id[4];
uint8_t model_number[16+1];
char model_desc[80];
uint8_t adapter_id[16+1];
/* Option ROM information. */
char *optrom_buffer;
uint32_t optrom_size;
Reported by FlawFinder.
drivers/scsi/qedi/qedi_sysfs.c
3 issues
Line: 26
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct qedi_ctx *qedi = qedi_dev_to_hba(dev);
if (atomic_read(&qedi->link_state) == QEDI_LINK_UP)
return sprintf(buf, "Online\n");
else
return sprintf(buf, "Linkdown\n");
}
static ssize_t speed_show(struct device *dev,
Reported by FlawFinder.
Line: 28
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (atomic_read(&qedi->link_state) == QEDI_LINK_UP)
return sprintf(buf, "Online\n");
else
return sprintf(buf, "Linkdown\n");
}
static ssize_t speed_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 39
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
qedi_ops->common->get_link(qedi->cdev, &if_link);
return sprintf(buf, "%d Gbit\n", if_link.speed / 1000);
}
static DEVICE_ATTR_RO(port_state);
static DEVICE_ATTR_RO(speed);
Reported by FlawFinder.
drivers/usb/typec/tipd/core.c
3 issues
Line: 133
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data[0] < len)
return -EIO;
memcpy(val, &data[1], len);
return 0;
}
static int tps6598x_block_write(struct tps6598x *tps, u8 reg,
const void *val, size_t len)
Reported by FlawFinder.
Line: 146
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return regmap_raw_write(tps->regmap, reg, val, len);
data[0] = len;
memcpy(&data[1], val, len);
return regmap_raw_write(tps->regmap, reg, data, sizeof(data));
}
static inline int tps6598x_read16(struct tps6598x *tps, u8 reg, u16 *val)
Reported by FlawFinder.
Line: 472
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tps6598x_check_mode(struct tps6598x *tps)
{
char mode[5] = { };
int ret;
ret = tps6598x_read32(tps, TPS_REG_MODE, (void *)mode);
if (ret)
return ret;
Reported by FlawFinder.
drivers/usb/usbip/stub_main.c
3 issues
Line: 158
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < MAX_BUSID; i++) {
spin_lock(&busid_table[i].busid_lock);
if (busid_table[i].name[0])
out += sprintf(out, "%s ", busid_table[i].name);
spin_unlock(&busid_table[i].busid_lock);
}
spin_unlock(&busid_table_lock);
out += sprintf(out, "\n");
Reported by FlawFinder.
Line: 171
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count)
{
int len;
char busid[BUSID_SIZE];
if (count < 5)
return -EINVAL;
/* busid needs to include \0 termination */
Reported by FlawFinder.
Line: 162
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spin_unlock(&busid_table[i].busid_lock);
}
spin_unlock(&busid_table_lock);
out += sprintf(out, "\n");
return out - buf;
}
static ssize_t match_busid_store(struct device_driver *dev, const char *buf,
Reported by FlawFinder.
drivers/thunderbolt/dma_port.c
3 issues
Line: 84
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static bool dma_port_copy(struct tb_cfg_request *req, const struct ctl_pkg *pkg)
{
memcpy(req->response, pkg->buffer, req->response_size);
return true;
}
static int dma_port_read(struct tb_ctl *ctl, void *buffer, u64 route,
u32 port, u32 offset, u32 length, int timeout_msec)
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (res.err)
return res.err;
memcpy(buffer, &reply.data, 4 * length);
return 0;
}
static int dma_port_write(struct tb_ctl *ctl, const void *buffer, u64 route,
u32 port, u32 offset, u32 length, int timeout_msec)
Reported by FlawFinder.
Line: 146
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct cfg_read_pkg reply;
struct tb_cfg_result res;
memcpy(&request.data, buffer, length * 4);
req = tb_cfg_request_alloc();
if (!req)
return -ENOMEM;
Reported by FlawFinder.
drivers/staging/rtl8712/rtl871x_sta_mgt.c
3 issues
Line: 107
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (psta) {
list_del_init(&psta->list);
_init_stainfo(psta);
memcpy(psta->hwaddr, hwaddr, ETH_ALEN);
index = wifi_mac_hash(hwaddr);
if (index >= NUM_STA) {
psta = NULL;
goto exit;
}
Reported by FlawFinder.
Line: 123
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* initialize the tid_rxseq variable as the 0xffff.
*/
for (i = 0; i < 16; i++)
memcpy(&psta->sta_recvpriv.rxcache.tid_rxseq[i],
&wRxSeqInitialValue, 2);
/* for A-MPDU Rx reordering buffer control */
for (i = 0; i < 16; i++) {
preorder_ctrl = &psta->recvreorder_ctrl[i];
preorder_ctrl->padapter = pstapriv->padapter;
Reported by FlawFinder.
Line: 246
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void r8712_init_bcmc_stainfo(struct _adapter *padapter)
{
unsigned char bcast_addr[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
struct sta_priv *pstapriv = &padapter->stapriv;
r8712_alloc_stainfo(pstapriv, bcast_addr);
}
Reported by FlawFinder.
drivers/thunderbolt/nvm.c
3 issues
Line: 105
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nvm->flushed = false;
nvm->buf_data_size = offset + bytes;
memcpy(nvm->buf + offset, val, bytes);
return 0;
}
/**
* tb_nvm_add_non_active() - Adds non-active NVMem device to NVM
Reported by FlawFinder.
Line: 205
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
nbytes -= offset;
memcpy(buf, data + offset, nbytes);
size -= nbytes;
address += nbytes;
buf += nbytes;
} while (size > 0);
Reported by FlawFinder.
Line: 241
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset = address & 3;
nbytes = min_t(u32, size + offset, NVM_DATA_DWORDS * 4);
memcpy(data + offset, buf, nbytes);
dwaddress = address / 4;
ret = write_block(write_block_data, dwaddress, data, nbytes / 4);
if (ret) {
if (ret == -ETIMEDOUT) {
Reported by FlawFinder.