The following issues were found
drivers/infiniband/hw/irdma/utils.c
3 issues
Line: 596
Column: 14
CWE codes:
119
120
Suggestion:
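Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declaration below is a read-only table of string literals (static const char *const), so the declaration itself cannot be overrun; the thing to check is each lookup site, which must use an index below IRDMA_MAX_CQP_OPS and must cope with any slot that has no designated initializer, since such slots are NULL.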
return err_code;
}
static const char *const irdma_cqp_cmd_names[IRDMA_MAX_CQP_OPS] = {
[IRDMA_OP_CEQ_DESTROY] = "Destroy CEQ Cmd",
[IRDMA_OP_AEQ_DESTROY] = "Destroy AEQ Cmd",
[IRDMA_OP_DELETE_ARP_CACHE_ENTRY] = "Delete ARP Cache Cmd",
[IRDMA_OP_MANAGE_APBVT_ENTRY] = "Manage APBV Table Entry Cmd",
[IRDMA_OP_CEQ_CREATE] = "CEQ Create Cmd",
Reported by FlawFinder.
Line: 1217
Column: 2
CWE codes:
120
Suggestion:
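Make sure destination can always hold the source data. In the excerpt below the copy length is sizeof(*m_info), the size of the destination object itself, so the destination cannot be overrun; what remains to confirm is that info points to an object at least that large, which the excerpt does not show. The finding at line 1251 is the same pattern.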
}
cqp_info = &cqp_request->info;
m_info = &cqp_info->in.u.qp_modify.info;
memcpy(m_info, info, sizeof(*m_info));
cqp_info->cqp_cmd = IRDMA_OP_QP_MODIFY;
cqp_info->post_sq = 1;
cqp_info->in.u.qp_modify.qp = &iwqp->sc_qp;
cqp_info->in.u.qp_modify.scratch = (uintptr_t)cqp_request;
status = irdma_handle_cqp_op(rf, cqp_request);
Reported by FlawFinder.
Line: 1251
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cqp_info = &cqp_request->info;
m_info = &cqp_info->in.u.qp_modify.info;
memcpy(m_info, info, sizeof(*m_info));
cqp_info->cqp_cmd = IRDMA_OP_QP_MODIFY;
cqp_info->post_sq = 1;
cqp_info->in.u.qp_modify.qp = &iwqp->sc_qp;
cqp_info->in.u.qp_modify.scratch = (uintptr_t)cqp_request;
m_info->next_iwarp_state = IRDMA_QP_STATE_ERROR;
Reported by FlawFinder.
drivers/input/keyboard/newtonkbd.c
3 issues
Line: 27
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NKBD_KEY 0x7f
#define NKBD_PRESS 0x80
static unsigned char nkbd_keycode[128] = {
KEY_A, KEY_S, KEY_D, KEY_F, KEY_H, KEY_G, KEY_Z, KEY_X,
KEY_C, KEY_V, 0, KEY_B, KEY_Q, KEY_W, KEY_E, KEY_R,
KEY_Y, KEY_T, KEY_1, KEY_2, KEY_3, KEY_4, KEY_6, KEY_5,
KEY_EQUAL, KEY_9, KEY_7, KEY_MINUS, KEY_8, KEY_0, KEY_RIGHTBRACE, KEY_O,
KEY_U, KEY_LEFTBRACE, KEY_I, KEY_P, KEY_ENTER, KEY_L, KEY_J, KEY_APOSTROPHE,
Reported by FlawFinder.
Line: 44
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/*
 * Driver state: a keycode table, the input and serio device pointers, and a
 * 32-byte phys buffer. The report flags the two fixed-size arrays
 * (CWE-119/120); a declaration alone is not an overflow, so triage means
 * checking every site that indexes or writes them.
 */
struct nkbd {
/*
 * 128 entries, the same size as the nkbd_keycode[128] table in this file.
 * NOTE(review): presumably indexed with a scancode masked by NKBD_KEY (0x7f),
 * which would keep the index in 0..127 -- confirm in nkbd_interrupt().
 */
unsigned char keycode[128];
struct input_dev *dev;
struct serio *serio;
/*
 * NOTE(review): the code that fills this buffer is not shown; confirm it is
 * written with a length-bounded call sized by sizeof(phys).
 */
char phys[32];
};
Reported by FlawFinder.
Line: 47
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char keycode[128];
struct input_dev *dev;
struct serio *serio;
char phys[32];
};
static irqreturn_t nkbd_interrupt(struct serio *serio,
unsigned char data, unsigned int flags)
{
Reported by FlawFinder.
drivers/gpu/drm/sun4i/sun4i_hdmi_i2c.c
3 issues
Line: 25
Column: 74
CWE codes:
120
20
/* FIFO request bit is set when FIFO level is above RX_THRESHOLD during read */
#define RX_THRESHOLD SUN4I_HDMI_DDC_FIFO_CTRL_RX_THRES_MAX
static int fifo_transfer(struct sun4i_hdmi *hdmi, u8 *buf, int len, bool read)
{
/*
* 1 byte takes 9 clock cycles (8 bits + 1 ACK) = 90 us for 100 kHz
* clock. As clock rate is fixed, just round it up to 100 us.
*/
Reported by FlawFinder.
Line: 47
Column: 24
CWE codes:
120
20
* Limit transfer length by FIFO threshold or FIFO size.
* For TX the threshold is for an empty FIFO.
*/
len = min_t(int, len, read ? read_len : SUN4I_HDMI_DDC_FIFO_SIZE);
/* Wait until error, FIFO request bit set or transfer complete */
if (regmap_field_read_poll_timeout(hdmi->field_ddc_int_status, reg,
reg & mask, len * byte_time_ns,
100000))
Reported by FlawFinder.
Line: 58
Column: 6
CWE codes:
120
20
if (reg & SUN4I_HDMI_DDC_INT_STATUS_ERROR_MASK)
return -EIO;
if (read)
readsb(hdmi->base + hdmi->variant->ddc_fifo_reg, buf, len);
else
writesb(hdmi->base + hdmi->variant->ddc_fifo_reg, buf, len);
/* Clear FIFO request bit by forcing a write to that bit */
Reported by FlawFinder.
drivers/infiniband/hw/irdma/hw.c
3 issues
Line: 2566
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!wait)
cqp_request->callback_fcn = irdma_hw_flush_wqes_callback;
hw_info = &cqp_request->info.in.u.qp_flush_wqes.info;
memcpy(hw_info, info, sizeof(*hw_info));
cqp_info->cqp_cmd = IRDMA_OP_QP_FLUSH_WQES;
cqp_info->post_sq = 1;
cqp_info->in.u.qp_flush_wqes.qp = qp;
cqp_info->in.u.qp_flush_wqes.scratch = (uintptr_t)cqp_request;
status = irdma_handle_cqp_op(rf, cqp_request);
Reported by FlawFinder.
Line: 2613
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
cqp_info = &new_req->info;
hw_info = &new_req->info.in.u.qp_flush_wqes.info;
memcpy(hw_info, info, sizeof(*hw_info));
cqp_info->cqp_cmd = IRDMA_OP_QP_FLUSH_WQES;
cqp_info->post_sq = 1;
cqp_info->in.u.qp_flush_wqes.qp = qp;
cqp_info->in.u.qp_flush_wqes.scratch = (uintptr_t)new_req;
Reported by FlawFinder.
Line: 2671
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cqp_info = &cqp_request->info;
ae_info = &cqp_request->info.in.u.gen_ae.info;
memcpy(ae_info, info, sizeof(*ae_info));
cqp_info->cqp_cmd = IRDMA_OP_GEN_AE;
cqp_info->post_sq = 1;
cqp_info->in.u.gen_ae.qp = qp;
cqp_info->in.u.gen_ae.scratch = (uintptr_t)cqp_request;
Reported by FlawFinder.
drivers/input/keyboard/omap-keypad.c
3 issues
Line: 33
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Forward declarations; the definitions are not part of this excerpt. */
static void omap_kp_tasklet(unsigned long);
static void omap_kp_timer(struct timer_list *);
/*
 * Flagged (CWE-119/120) because it is a fixed-size array. It has the same
 * size as the tasklet's local new_state[8] reported at line 96 of this file.
 * NOTE(review): the scan routine that fills these arrays is not shown;
 * confirm it never writes more than 8 entries.
 */
static unsigned char keypad_state[8];
/* Mutex named for kp_enable; its lock sites are not part of this excerpt. */
static DEFINE_MUTEX(kp_enable_mutex);
/* Value reported by omap_kp_enable_show(); initialised to 1. */
static int kp_enable = 1;
static int kp_cur_group = -1;
struct omap_kp {
Reported by FlawFinder.
Line: 96
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct omap_kp *omap_kp_data = (struct omap_kp *) data;
unsigned short *keycodes = omap_kp_data->input->keycode;
unsigned int row_shift = get_count_order(omap_kp_data->cols);
unsigned char new_state[8], changed, key_down = 0;
int col, row;
/* check for any changes */
omap_kp_scan_keypad(omap_kp_data, new_state);
Reported by FlawFinder.
Line: 147
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Device-attribute show callback (by its signature): formats kp_enable into
 * buf as "%u\n" and returns sprintf()'s result, the number of bytes written.
 *
 * Flagged for the unbounded sprintf() (CWE-120). The output of "%u\n" for a
 * 32-bit value is at most 10 digits plus the newline and the terminating NUL,
 * which is far below the PAGE_SIZE buffer sysfs hands to show callbacks, so
 * this is an idiom issue rather than a reachable overflow. sysfs_emit() is
 * the bounded helper the kernel provides for show callbacks.
 * NOTE(review): kp_enable is declared as a signed int but printed with %u.
 */
static ssize_t omap_kp_enable_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%u\n", kp_enable);
}
static ssize_t omap_kp_enable_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
drivers/input/keyboard/pmic8xxx-keypad.c
3 issues
Line: 290
Column: 3
CWE codes:
120
Suggestion:
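Make sure destination can always hold the source data. Here the length is sizeof(new_state), the size of the source, so the copy is safe only if kp->keystate is at least as large as new_state; neither declaration appears in the excerpt, so compare the two array sizes (and confirm new_state is an array rather than a pointer) when triaging. The findings at lines 299 and 308 are the same pattern.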
if (pmic8xxx_detect_ghost_keys(kp, new_state))
return 0;
__pmic8xxx_kp_scan_matrix(kp, new_state, kp->keystate);
memcpy(kp->keystate, new_state, sizeof(new_state));
break;
case 0x3: /* two events - eventcounter is gray-coded */
rc = pmic8xxx_kp_read_matrix(kp, new_state, old_state);
if (rc < 0)
return rc;
Reported by FlawFinder.
Line: 299
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__pmic8xxx_kp_scan_matrix(kp, old_state, kp->keystate);
__pmic8xxx_kp_scan_matrix(kp, new_state, old_state);
memcpy(kp->keystate, new_state, sizeof(new_state));
break;
case 0x2:
dev_dbg(kp->dev, "Some key events were lost\n");
rc = pmic8xxx_kp_read_matrix(kp, new_state, old_state);
if (rc < 0)
Reported by FlawFinder.
Line: 308
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return rc;
__pmic8xxx_kp_scan_matrix(kp, old_state, kp->keystate);
__pmic8xxx_kp_scan_matrix(kp, new_state, old_state);
memcpy(kp->keystate, new_state, sizeof(new_state));
break;
default:
rc = -EINVAL;
}
return rc;
Reported by FlawFinder.
drivers/infiniband/hw/hns/hns_roce_device.h
3 issues
Line: 344
Column: 8
CWE codes:
362/367!
Suggestion:
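Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Note that the flagged token in the excerpt below is a struct member named access (u32 access; /* Access permission of MR */), not a call to access(); no file check or open appears here for a race to occur between, so this finding looks like a name-match false positive.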
u64 size; /* Address range of MR */
u32 key; /* Key of MR */
u32 pd; /* PD num of MR */
u32 access; /* Access permission of MR */
int enabled; /* MR's active status */
int type; /* MR's register type */
u32 pbl_hop_num; /* multi-hop number */
struct hns_roce_mtr pbl_mtr;
u32 npages;
Reported by FlawFinder.
Line: 934
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pci_dev *pci_dev;
struct device *dev;
struct hns_roce_uar priv_uar;
const char *irq_names[HNS_ROCE_MAX_IRQ_NUM];
spinlock_t sm_lock;
spinlock_t bt_cmd_lock;
bool active;
bool is_reset;
bool dis_db;
Reported by FlawFinder.
Line: 956
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hns_roce_caps caps;
struct xarray qp_table_xa;
unsigned char dev_addr[HNS_ROCE_MAX_PORTS][ETH_ALEN];
u64 sys_image_guid;
u32 vendor_id;
u32 vendor_part_id;
u32 hw_rev;
void __iomem *priv_addr;
Reported by FlawFinder.
drivers/input/keyboard/stowaway.c
3 issues
Line: 30
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define SKBD_KEY_MASK 0x7f
#define SKBD_RELEASE 0x80
static unsigned char skbd_keycode[128] = {
KEY_1, KEY_2, KEY_3, KEY_Z, KEY_4, KEY_5, KEY_6, KEY_7,
0, KEY_Q, KEY_W, KEY_E, KEY_R, KEY_T, KEY_Y, KEY_GRAVE,
KEY_X, KEY_A, KEY_S, KEY_D, KEY_F, KEY_G, KEY_H, KEY_SPACE,
KEY_CAPSLOCK, KEY_TAB, KEY_LEFTCTRL, 0, 0, 0, 0, 0,
0, 0, 0, KEY_LEFTALT, 0, 0, 0, 0,
Reported by FlawFinder.
Line: 50
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/*
 * Driver state: a keycode table, the input and serio device pointers, and a
 * 32-byte phys buffer. The report flags the two fixed-size arrays
 * (CWE-119/120); a declaration alone is not an overflow, so triage means
 * checking every site that indexes or writes them.
 */
struct skbd {
/*
 * 128 entries, the same size as the skbd_keycode[128] table in this file.
 * NOTE(review): presumably indexed with a scancode masked by SKBD_KEY_MASK
 * (0x7f), which would keep the index in 0..127 -- confirm in
 * skbd_interrupt().
 */
unsigned char keycode[128];
struct input_dev *dev;
struct serio *serio;
/*
 * NOTE(review): the code that fills this buffer is not shown; confirm it is
 * written with a length-bounded call sized by sizeof(phys).
 */
char phys[32];
};
Reported by FlawFinder.
Line: 53
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char keycode[128];
struct input_dev *dev;
struct serio *serio;
char phys[32];
};
static irqreturn_t skbd_interrupt(struct serio *serio, unsigned char data,
unsigned int flags)
{
Reported by FlawFinder.
drivers/gpu/drm/tiny/simpledrm.c
3 issues
Line: 400
Column: 3
CWE codes:
119
120
Suggestion:
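Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The only write to name shown on this page is the strscpy() call in the next finding's excerpt, whose size argument is min(sizeof(name), len); that bounds the copy to the 32-byte buffer, so an over-long property name would be truncated rather than overflow it.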
return -ENOMEM;
for_each_property_of_node(of_node, prop) {
char name[32]; /* 32 is max size of property name */
size_t len;
p = strstr(prop->name, SUPPLY_SUFFIX);
if (!p || p == prop->name)
continue;
Reported by FlawFinder.
Line: 406
Column: 30
CWE codes:
126
p = strstr(prop->name, SUPPLY_SUFFIX);
if (!p || p == prop->name)
continue;
len = strlen(prop->name) - strlen(SUPPLY_SUFFIX) + 1;
strscpy(name, prop->name, min(sizeof(name), len));
regulator = regulator_get_optional(&pdev->dev, name);
if (IS_ERR(regulator)) {
ret = PTR_ERR(regulator);
Reported by FlawFinder.
Line: 406
Column: 9
CWE codes:
126
p = strstr(prop->name, SUPPLY_SUFFIX);
if (!p || p == prop->name)
continue;
len = strlen(prop->name) - strlen(SUPPLY_SUFFIX) + 1;
strscpy(name, prop->name, min(sizeof(name), len));
regulator = regulator_get_optional(&pdev->dev, name);
if (IS_ERR(regulator)) {
ret = PTR_ERR(regulator);
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/verbs.c
3 issues
Line: 1463
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (device_modify_mask & IB_DEVICE_MODIFY_NODE_DESC) {
memcpy(device->node_desc, device_modify->node_desc,
IB_DEVICE_NODE_DESC_MAX);
for (i = 0; i < dd->num_pports; i++) {
struct hfi1_ibport *ibp = &dd->pport[i].ibport_data;
hfi1_node_desc_chg(ibp);
Reported by FlawFinder.
Line: 1682
Column: 2
CWE codes:
120
Suggestion:
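Make sure destination can always hold the source data. In the excerpt below the destination is names_out offset past (n + num_extra_names) pointer slots and the length is names_len, so the copy fits only if names_out was allocated with at least (n + num_extra_names) * sizeof(char *) + names_len bytes; the allocation is not in the excerpt and is the thing to verify.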
}
p = names_out + (n + num_extra_names) * sizeof(char *);
memcpy(p, names_in, names_len);
q = (char **)names_out;
for (i = 0; i < n; i++) {
q[i] = p;
p = strchr(p, '\n');
Reported by FlawFinder.
Line: 1781
Column: 2
CWE codes:
120
Suggestion:
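Make sure destination can always hold the source data. The length below is count * sizeof(u64), so the copy is safe only if count never exceeds the number of u64 slots behind stats->value; the excerpt shows one assignment of count (from num_port_cntrs) but not the allocation, so that bound needs to be confirmed in the full function.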
count = num_port_cntrs;
}
memcpy(stats->value, values, count * sizeof(u64));
return count;
}
static const struct ib_device_ops hfi1_dev_ops = {
.owner = THIS_MODULE,
Reported by FlawFinder.