The following issues were found
drivers/scsi/wd719x.c
3 issues
Line: 221
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scb->lun = cmd->device->lun;
/* copy the command */
memcpy(scb->CDB, cmd->cmnd, cmd->cmd_len);
/* map SCB */
scb->phys = dma_map_single(&wd->pdev->dev, scb, sizeof(*scb),
DMA_BIDIRECTIONAL);
Reported by FlawFinder.
Line: 338
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* make a fresh copy of WCS and RISC code */
memcpy(wd->fw_virt, fw_wcs->data, fw_wcs->size);
memcpy(wd->fw_virt + ALIGN(fw_wcs->size, 4), fw_risc->data,
fw_risc->size);
/* Reset the Spider Chip and adapter itself */
wd719x_writeb(wd, WD719X_PCI_PORT_RESET, WD719X_PCI_RESET);
Reported by FlawFinder.
Line: 339
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* make a fresh copy of WCS and RISC code */
memcpy(wd->fw_virt, fw_wcs->data, fw_wcs->size);
memcpy(wd->fw_virt + ALIGN(fw_wcs->size, 4), fw_risc->data,
fw_risc->size);
/* Reset the Spider Chip and adapter itself */
wd719x_writeb(wd, WD719X_PCI_PORT_RESET, WD719X_PCI_RESET);
udelay(WD719X_WAIT_FOR_RISC);
Reported by FlawFinder.
drivers/staging/pi433/pi433_if.c
3 issues
Line: 86
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct task_struct *tx_task_struct;
wait_queue_head_t tx_wait_queue;
u8 free_in_fifo;
char buffer[MAX_MSG_SIZE];
/* rx related values */
struct pi433_rx_cfg rx_cfg;
u8 *rx_buffer;
unsigned int rx_buffer_size;
Reported by FlawFinder.
Line: 899
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (copy_from_user(&tx_cfg, argp, sizeof(struct pi433_tx_cfg)))
return -EFAULT;
mutex_lock(&device->tx_fifo_lock);
memcpy(&instance->tx_cfg, &tx_cfg, sizeof(struct pi433_tx_cfg));
mutex_unlock(&device->tx_fifo_lock);
break;
case PI433_IOC_RD_RX_CFG:
if (copy_to_user(argp, &device->rx_cfg,
sizeof(struct pi433_rx_cfg)))
Reported by FlawFinder.
Line: 977
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int setup_gpio(struct pi433_device *device)
{
char name[5];
int retval;
int i;
const irq_handler_t DIO_irq_handler[NUM_DIO] = {
DIO0_irq_handler,
DIO1_irq_handler
Reported by FlawFinder.
drivers/staging/rts5208/rtsx_chip.h
3 issues
Line: 233
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char seg_no; /* segment No. */
unsigned char sense_key; /* byte5 : ILI */
/* bit3-0 : sense key */
unsigned char info[4]; /* information */
unsigned char ad_sense_len; /* additional sense data length */
unsigned char cmd_info[4]; /* command specific information */
unsigned char asc; /* ASC */
unsigned char ascq; /* ASCQ */
unsigned char rfu; /* FRU */
Reported by FlawFinder.
Line: 235
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* bit3-0 : sense key */
unsigned char info[4]; /* information */
unsigned char ad_sense_len; /* additional sense data length */
unsigned char cmd_info[4]; /* command specific information */
unsigned char asc; /* ASC */
unsigned char ascq; /* ASCQ */
unsigned char rfu; /* FRU */
unsigned char sns_key_info[3];/* sense key specific information */
};
Reported by FlawFinder.
Line: 239
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char asc; /* ASC */
unsigned char ascq; /* ASCQ */
unsigned char rfu; /* FRU */
unsigned char sns_key_info[3];/* sense key specific information */
};
/* PCI Operation Register Address */
#define RTSX_HCBAR 0x00
#define RTSX_HCBCTLR 0x04
Reported by FlawFinder.
drivers/staging/pi433/rf69.c
3 issues
Line: 51
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int rf69_write_reg(struct spi_device *spi, u8 addr, u8 value)
{
int retval;
char buffer[2];
buffer[0] = addr | WRITE_BIT;
buffer[1] = value;
retval = spi_write(spi, &buffer, 2);
Reported by FlawFinder.
Line: 867
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_dbg(&spi->dev, "%d - 0x%x\n", i, local_buffer[i + 1]);
#endif
memcpy(buffer, &local_buffer[1], size);
return retval;
}
int rf69_write_fifo(struct spi_device *spi, u8 *buffer, unsigned int size)
Reported by FlawFinder.
Line: 886
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
local_buffer[0] = REG_FIFO | WRITE_BIT;
memcpy(&local_buffer[1], buffer, size);
#ifdef DEBUG_FIFO_ACCESS
for (i = 0; i < size; i++)
dev_dbg(&spi->dev, "0x%x\n", buffer[i]);
#endif
Reported by FlawFinder.
drivers/mailbox/bcm-pdc-mailbox.c
3 issues
Line: 492
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void pdc_setup_debugfs(struct pdc_state *pdcs)
{
char spu_stats_name[16];
if (!debugfs_initialized())
return;
snprintf(spu_stats_name, 16, "pdc%d_stats", pdcs->pdc_idx);
Reported by FlawFinder.
Line: 1012
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_dbg(dev, " - base DMA addr of rx ring %pad", &rx.dmabase);
dev_dbg(dev, " - base virtual addr of rx ring %p", rx.vbase);
memcpy(&pdcs->tx_ring_alloc, &tx, sizeof(tx));
memcpy(&pdcs->rx_ring_alloc, &rx, sizeof(rx));
pdcs->rxin = 0;
pdcs->rx_msg_start = 0;
pdcs->last_rx_curr = 0;
Reported by FlawFinder.
Line: 1013
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_dbg(dev, " - base virtual addr of rx ring %p", rx.vbase);
memcpy(&pdcs->tx_ring_alloc, &tx, sizeof(tx));
memcpy(&pdcs->rx_ring_alloc, &rx, sizeof(rx));
pdcs->rxin = 0;
pdcs->rx_msg_start = 0;
pdcs->last_rx_curr = 0;
pdcs->rxout = 0;
Reported by FlawFinder.
drivers/iio/position/hid-sensor-custom-intel-hinge.c
3 issues
Line: 179
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hinge_state *st = iio_priv(indio_dev);
return sprintf(label, "%s\n", st->labels[chan->channel]);
}
static const struct iio_info hinge_info = {
.read_raw = hinge_read_raw,
.write_raw = hinge_write_raw,
Reported by FlawFinder.
Line: 30
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
HID_USAGE_SENSOR_DATA_FIELD_CUSTOM_VALUE(3)
};
static const char *const hinge_labels[CHANNEL_SCAN_INDEX_MAX] = { "hinge",
"screen",
"keyboard" };
struct hinge_state {
struct iio_dev *indio_dev;
Reported by FlawFinder.
Line: 39
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hid_sensor_hub_attribute_info hinge[CHANNEL_SCAN_INDEX_MAX];
struct hid_sensor_hub_callbacks callbacks;
struct hid_sensor_common common_attributes;
const char *labels[CHANNEL_SCAN_INDEX_MAX];
struct {
u32 hinge_val[3];
u64 timestamp __aligned(8);
} scan;
Reported by FlawFinder.
drivers/infiniband/core/rw.c
3 issues
Line: 115
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
reg->reg_wr.mr = reg->mr;
reg->reg_wr.access = IB_ACCESS_LOCAL_WRITE;
if (rdma_protocol_iwarp(qp->device, port_num))
reg->reg_wr.access |= IB_ACCESS_REMOTE_WRITE;
count++;
reg->sge.addr = reg->mr->iova;
reg->sge.length = reg->mr->length;
return count;
Reported by FlawFinder.
Line: 442
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
ctx->reg->reg_wr.wr.send_flags = 0;
ctx->reg->reg_wr.access = IB_ACCESS_LOCAL_WRITE;
if (rdma_protocol_iwarp(qp->device, port_num))
ctx->reg->reg_wr.access |= IB_ACCESS_REMOTE_WRITE;
ctx->reg->reg_wr.mr = ctx->reg->mr;
ctx->reg->reg_wr.key = ctx->reg->mr->lkey;
count++;
ctx->reg->sge.addr = ctx->reg->mr->iova;
Reported by FlawFinder.
Line: 427
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count += rdma_rw_inv_key(ctx->reg);
memcpy(ctx->reg->mr->sig_attrs, sig_attrs, sizeof(struct ib_sig_attrs));
ret = ib_map_mr_sg_pi(ctx->reg->mr, sg, sg_cnt, NULL, prot_sg,
prot_sg_cnt, NULL, SZ_4K);
if (unlikely(ret)) {
pr_err("failed to map PI sg (%u)\n", sg_cnt + prot_sg_cnt);
Reported by FlawFinder.
drivers/hid/hid-rmi.c
3 issues
Line: 239
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
read_input_count = data->readReport[1];
memcpy(buf + bytes_read, &data->readReport[2],
read_input_count < bytes_needed ?
read_input_count : bytes_needed);
bytes_read += read_input_count;
bytes_needed -= read_input_count;
Reported by FlawFinder.
Line: 279
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data->writeReport[1] = len;
data->writeReport[2] = addr & 0xFF;
data->writeReport[3] = (addr >> 8) & 0xFF;
memcpy(&data->writeReport[4], buf, len);
ret = rmi_write_report(hdev, data->writeReport,
data->output_report_size);
if (ret < 0) {
dev_err(&hdev->dev,
Reported by FlawFinder.
Line: 350
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
}
memcpy(hdata->readReport, data, size < hdata->input_report_size ?
size : hdata->input_report_size);
set_bit(RMI_READ_DATA_PENDING, &hdata->flags);
wake_up(&hdata->wait);
return 1;
Reported by FlawFinder.
drivers/input/touchscreen/ilitek_ts_i2c.c
3 issues
Line: 57
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct ilitek_protocol_map *ptl_cb_func;
struct ilitek_protocol_info ptl;
char product_id[30];
u16 mcu_ver;
u8 ic_mode;
u8 firmware_ver[8];
s32 reset_time;
Reported by FlawFinder.
Line: 260
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ts->mcu_ver = get_unaligned_le16(outbuf);
memset(ts->product_id, 0, sizeof(ts->product_id));
memcpy(ts->product_id, outbuf + 6, 26);
return 0;
}
static int api_protocol_get_fw_ver(struct ilitek_ts_data *ts,
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (error)
return error;
memcpy(ts->firmware_ver, outbuf, 8);
return 0;
}
static int api_protocol_get_scrn_res(struct ilitek_ts_data *ts,
Reported by FlawFinder.
drivers/gpu/drm/i915/gvt/display.c
3 issues
Line: 87
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static unsigned char virtual_dp_monitor_edid[GVT_EDID_NUM][EDID_SIZE] = {
{
/* EDID with 1024x768 as its resolution */
/*Header*/
0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
/* Vendor & Product Identification */
Reported by FlawFinder.
Line: 554
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(port->edid->edid_block, virtual_dp_monitor_edid[resolution],
EDID_SIZE);
port->edid->data_valid = true;
memcpy(port->dpcd->data, dpcd_fix_data, DPCD_HEADER_SIZE);
port->dpcd->data_valid = true;
Reported by FlawFinder.
Line: 558
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
EDID_SIZE);
port->edid->data_valid = true;
memcpy(port->dpcd->data, dpcd_fix_data, DPCD_HEADER_SIZE);
port->dpcd->data_valid = true;
port->dpcd->data[DPCD_SINK_COUNT] = 0x1;
port->type = type;
port->id = resolution;
port->vrefresh_k = GVT_DEFAULT_REFRESH_RATE * MSEC_PER_SEC;
Reported by FlawFinder.