The following issues were found
drivers/hid/intel-ish-hid/ishtp/client.c
3 issues
Line: 588
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
--cl->tx_ring_free_size;
spin_unlock_irqrestore(&cl->tx_free_list_spinlock, tx_free_flags);
memcpy(cl_msg->send_buf.data, buf, length);
cl_msg->send_buf.size = length;
spin_lock_irqsave(&cl->tx_list_spinlock, tx_flags);
have_msg_to_send = !list_empty(&cl->tx_list.list);
list_add_tail(&cl_msg->list, &cl->tx_list.list);
spin_unlock_irqrestore(&cl->tx_list_spinlock, tx_flags);
Reported by FlawFinder.
Line: 774
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cl->last_tx_path = CL_TX_PATH_DMA;
/* write msg to dma buf */
memcpy(msg_addr, cl_msg->send_buf.data, cl_msg->send_buf.size);
/*
* if current fw don't support cache snooping, driver have to
* flush the cache manually.
*/
Reported by FlawFinder.
Line: 1017
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->ops->dma_no_cache_snooping(dev))
clflush_cache_range(msg, hbm->msg_length);
memcpy(buffer, msg, hbm->msg_length);
rb->buf_idx = hbm->msg_length;
/* Last fragment in message - it's complete */
cl->status = 0;
list_del(&rb->list);
Reported by FlawFinder.
drivers/hwmon/lm77.c
3 issues
Line: 137
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct lm77_data *data = lm77_update_device(dev);
return sprintf(buf, "%d\n", data->temp[attr->index]);
}
static ssize_t temp_hyst_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 151
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
temp = nr == t_min ? data->temp[nr] + data->temp[t_hyst] :
data->temp[nr] - data->temp[t_hyst];
return sprintf(buf, "%d\n", temp);
}
static ssize_t temp_store(struct device *dev,
struct device_attribute *devattr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 208
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int bitnr = to_sensor_dev_attr(attr)->index;
struct lm77_data *data = lm77_update_device(dev);
return sprintf(buf, "%u\n", (data->alarms >> bitnr) & 1);
}
static SENSOR_DEVICE_ATTR_RO(temp1_input, temp, t_input);
static SENSOR_DEVICE_ATTR_RW(temp1_crit, temp, t_crit);
static SENSOR_DEVICE_ATTR_RW(temp1_min, temp, t_min);
Reported by FlawFinder.
drivers/gpu/drm/i915/gvt/gvt.h
3 issues
Line: 111
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct intel_vgpu_cfg_space {
unsigned char virtual_cfg_space[PCI_CFG_SPACE_EXP_SIZE];
struct intel_vgpu_pci_bar bar[INTEL_GVT_MAX_BAR_NUM];
u32 pmcsr_off;
};
#define vgpu_cfg_space(vgpu) ((vgpu)->cfg_space.virtual_cfg_space)
Reported by FlawFinder.
Line: 290
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NR_MAX_INTEL_VGPU_TYPES 20
struct intel_vgpu_type {
char name[16];
unsigned int avail_instance;
unsigned int low_gm_size;
unsigned int high_gm_size;
unsigned int fence;
unsigned int weight;
Reported by FlawFinder.
drivers/infiniband/core/iwpm_util.c
3 issues
Line: 154
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!map_info)
return -ENOMEM;
memcpy(&map_info->local_sockaddr, local_sockaddr,
sizeof(struct sockaddr_storage));
memcpy(&map_info->mapped_sockaddr, mapped_sockaddr,
sizeof(struct sockaddr_storage));
map_info->nl_client = nl_client;
map_info->map_flags = map_flags;
Reported by FlawFinder.
Line: 156
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&map_info->local_sockaddr, local_sockaddr,
sizeof(struct sockaddr_storage));
memcpy(&map_info->mapped_sockaddr, mapped_sockaddr,
sizeof(struct sockaddr_storage));
map_info->nl_client = nl_client;
map_info->map_flags = map_flags;
spin_lock_irqsave(&iwpm_mapinfo_lock, flags);
Reported by FlawFinder.
Line: 328
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
!iwpm_compare_sockaddr(&rem_info->mapped_rem_sockaddr,
mapped_rem_addr)) {
memcpy(remote_addr, &rem_info->remote_sockaddr,
sizeof(struct sockaddr_storage));
iwpm_print_sockaddr(remote_addr,
"get_remote_info: Remote sockaddr:");
hlist_del_init(&rem_info->hlist_node);
Reported by FlawFinder.
drivers/iio/magnetometer/yamaha-yas530.c
3 issues
Line: 133
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device *dev;
unsigned int devid;
unsigned int version;
char name[16];
struct yas5xx_calibration calibration;
u8 hard_offsets[3];
struct iio_mount_matrix orientation;
struct regmap *map;
struct regulator_bulk_data regs[2];
Reported by FlawFinder.
Line: 880
Column: 3
CWE codes:
120
goto assert_reset;
dev_info(dev, "detected YAS530 MS-3E %s",
yas5xx->version ? "B" : "A");
strncpy(yas5xx->name, "yas530", sizeof(yas5xx->name));
break;
case YAS532_DEVICE_ID:
ret = yas532_get_calibration_data(yas5xx);
if (ret)
goto assert_reset;
Reported by FlawFinder.
Line: 888
Column: 3
CWE codes:
120
goto assert_reset;
dev_info(dev, "detected YAS532/YAS533 MS-3R/F %s",
yas5xx->version ? "AC" : "AB");
strncpy(yas5xx->name, "yas532", sizeof(yas5xx->name));
break;
default:
ret = -ENODEV;
dev_err(dev, "unhandled device ID %02x\n", yas5xx->devid);
goto assert_reset;
Reported by FlawFinder.
drivers/i2c/busses/i2c-viperboard.c
3 issues
Line: 204
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret < 0)
return ret;
/* copy the received data */
memcpy(msg->buf + start, rmsg, len1);
/* second read transfer if neccessary */
if (len2 > 0) {
ret = vprbrd_i2c_receive(vb->usb_dev, rmsg, len2);
if (ret < 0)
Reported by FlawFinder.
Line: 212
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret < 0)
return ret;
/* copy the received data */
memcpy(msg->buf + start + 512, rmsg, len2);
}
}
return 0;
}
Reported by FlawFinder.
Line: 252
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct vprbrd_i2c_write_hdr);
remain_len = 0;
}
memcpy(wmsg->data, msg->buf + start,
bytes_xfer - sizeof(struct vprbrd_i2c_write_hdr));
ret = usb_bulk_msg(vb->usb_dev,
usb_sndbulkpipe(vb->usb_dev,
VPRBRD_EP_OUT), wmsg,
Reported by FlawFinder.
drivers/hid/usbhid/usbmouse.c
3 issues
Line: 39
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_LICENSE("GPL");
struct usb_mouse {
char name[128];
char phys[64];
struct usb_device *usbdev;
struct input_dev *dev;
struct urb *irq;
Reported by FlawFinder.
Line: 40
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_mouse {
char name[128];
char phys[64];
struct usb_device *usbdev;
struct input_dev *dev;
struct urb *irq;
signed char *data;
Reported by FlawFinder.
Line: 153
Column: 7
CWE codes:
126
strlcat(mouse->name, dev->product, sizeof(mouse->name));
}
if (!strlen(mouse->name))
snprintf(mouse->name, sizeof(mouse->name),
"USB HIDBP Mouse %04x:%04x",
le16_to_cpu(dev->descriptor.idVendor),
le16_to_cpu(dev->descriptor.idProduct));
Reported by FlawFinder.
drivers/hid/wacom_wac.c
3 issues
Line: 1184
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void wacom_intuos_bt_process_data(struct wacom_wac *wacom,
unsigned char *data)
{
memcpy(wacom->data, data, 10);
wacom_intuos_irq(wacom);
input_sync(wacom->pen_input);
if (wacom->pad_input)
input_sync(wacom->pad_input);
Reported by FlawFinder.
Line: 1194
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int wacom_intuos_bt_irq(struct wacom_wac *wacom, size_t len)
{
unsigned char data[WACOM_PKGLEN_MAX];
int i = 1;
unsigned power_raw, battery_capacity, bat_charging, ps_connected;
memcpy(data, wacom->data, len);
Reported by FlawFinder.
Line: 1198
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int i = 1;
unsigned power_raw, battery_capacity, bat_charging, ps_connected;
memcpy(data, wacom->data, len);
switch (data[0]) {
case 0x04:
wacom_intuos_bt_process_data(wacom, data + i);
i += 10;
Reported by FlawFinder.
drivers/hwmon/max197.c
3 issues
Line: 212
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *buf)
{
struct platform_device *pdev = to_platform_device(dev);
return sprintf(buf, "%s\n", pdev->name);
}
#define MAX197_SENSOR_DEVICE_ATTR_CH(chan) \
static SENSOR_DEVICE_ATTR(in##chan##_input, S_IRUGO, \
max197_show_input, NULL, chan); \
Reported by FlawFinder.
Line: 111
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_unlock(&data->lock);
return sprintf(buf, "%d\n", range);
}
/* Function called on write access on in{0,1,2,3,4,5,6,7}_{min,max} */
static ssize_t max197_store_range(struct device *dev,
struct device_attribute *devattr,
Reported by FlawFinder.
Line: 201
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value /= 10000;
}
ret = sprintf(buf, "%d\n", value);
unlock:
mutex_unlock(&data->lock);
return ret;
}
Reported by FlawFinder.
drivers/infiniband/core/device.c
3 issues
Line: 465
Column: 7
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
xa_for_each (&devices, index, device) {
char buf[IB_DEVICE_NAME_MAX];
if (sscanf(dev_name(&device->dev), name, &i) != 1)
continue;
if (i < 0 || i >= INT_MAX)
continue;
snprintf(buf, sizeof buf, name, i);
if (strcmp(buf, dev_name(&device->dev)) != 0)
Reported by FlawFinder.
Line: 469
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
continue;
if (i < 0 || i >= INT_MAX)
continue;
snprintf(buf, sizeof buf, name, i);
if (strcmp(buf, dev_name(&device->dev)) != 0)
continue;
rc = ida_alloc_range(&inuse, i, i, GFP_KERNEL);
if (rc < 0)
Reported by FlawFinder.
Line: 463
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
lockdep_assert_held_write(&devices_rwsem);
ida_init(&inuse);
xa_for_each (&devices, index, device) {
char buf[IB_DEVICE_NAME_MAX];
if (sscanf(dev_name(&device->dev), name, &i) != 1)
continue;
if (i < 0 || i >= INT_MAX)
continue;
Reported by FlawFinder.