The following issues were found
drivers/nvmem/rave-sp-eeprom.c
3 issues
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* a read data_size should be zero and memcpy would become a
* no-op
*/
memcpy(&cmd[offset], page->data, data_size);
ret = rave_sp_exec(eeprom->sp, cmd, cmd_size, page, rsp_size);
if (ret)
return ret;
Reported by FlawFinder.
Line: 187
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
}
memcpy(&page.data[page_offset], data, data_len);
}
ret = rave_sp_eeprom_io(eeprom, type, page_nr, &page);
if (ret)
return ret;
Reported by FlawFinder.
Line: 199
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* buffer we need to copy that to 'data'
*/
if (type == RAVE_SP_EEPROM_READ)
memcpy(data, &page.data[page_offset], data_len);
return 0;
}
/**
Reported by FlawFinder.
drivers/scsi/csiostor/csio_mb.c
3 issues
Line: 933
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmdp->gen_wwn_to_vnpi |= htonl(FW_FCOE_VNP_CMD_GEN_WWN);
if (vnport_wwnn)
memcpy(cmdp->vnport_wwnn, vnport_wwnn, 8);
if (vnport_wwpn)
memcpy(cmdp->vnport_wwpn, vnport_wwpn, 8);
} /* csio_fcoe_vnp_alloc_init_mb */
Reported by FlawFinder.
Line: 935
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (vnport_wwnn)
memcpy(cmdp->vnport_wwnn, vnport_wwnn, 8);
if (vnport_wwpn)
memcpy(cmdp->vnport_wwpn, vnport_wwpn, 8);
} /* csio_fcoe_vnp_alloc_init_mb */
/*
* csio_fcoe_vnp_read_init_mb - Prepares VNP read cmd.
Reported by FlawFinder.
Line: 1069
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (*retval == FW_SUCCESS) {
dst = (uint8_t *)(&stats) + ((portparams->idx - 1) * 8);
src = (uint8_t *)rsp + (CSIO_STATS_OFFSET * 8);
memcpy(dst, src, (portparams->nstats * 8));
if (portparams->idx == 1) {
/* Get the first 6 flits from the Mailbox */
portstats->tx_bcast_bytes = stats.tx_bcast_bytes;
portstats->tx_bcast_frames = stats.tx_bcast_frames;
portstats->tx_mcast_bytes = stats.tx_mcast_bytes;
Reported by FlawFinder.
drivers/pnp/isapnp/proc.c
3 issues
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int isapnp_proc_attach_device(struct pnp_dev *dev)
{
struct pnp_card *bus = dev->card;
char name[16];
if (!bus->procdir) {
sprintf(name, "%02x", bus->number);
bus->procdir = proc_mkdir(name, isapnp_proc_bus_dir);
if (!bus->procdir)
Reported by FlawFinder.
Line: 63
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char name[16];
if (!bus->procdir) {
sprintf(name, "%02x", bus->number);
bus->procdir = proc_mkdir(name, isapnp_proc_bus_dir);
if (!bus->procdir)
return -ENOMEM;
}
sprintf(name, "%02x", dev->number);
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!bus->procdir)
return -ENOMEM;
}
sprintf(name, "%02x", dev->number);
dev->procent = proc_create_data(name, S_IFREG | S_IRUGO, bus->procdir,
&isapnp_proc_bus_proc_ops, dev);
if (!dev->procent)
return -ENOMEM;
proc_set_size(dev->procent, 256);
Reported by FlawFinder.
drivers/pnp/pnpacpi/core.c
3 issues
Line: 252
Column: 6
CWE codes:
126
if (acpi_has_method(device->handle, "_DIS"))
dev->capabilities |= PNP_DISABLE;
if (strlen(acpi_device_name(device)))
strncpy(dev->name, acpi_device_name(device), sizeof(dev->name));
else
strncpy(dev->name, acpi_device_bid(device), sizeof(dev->name));
if (dev->active)
Reported by FlawFinder.
Line: 253
Column: 3
CWE codes:
120
dev->capabilities |= PNP_DISABLE;
if (strlen(acpi_device_name(device)))
strncpy(dev->name, acpi_device_name(device), sizeof(dev->name));
else
strncpy(dev->name, acpi_device_bid(device), sizeof(dev->name));
if (dev->active)
pnpacpi_parse_allocated_resource(dev);
Reported by FlawFinder.
Line: 255
Column: 3
CWE codes:
120
if (strlen(acpi_device_name(device)))
strncpy(dev->name, acpi_device_name(device), sizeof(dev->name));
else
strncpy(dev->name, acpi_device_bid(device), sizeof(dev->name));
if (dev->active)
pnpacpi_parse_allocated_resource(dev);
if (dev->capabilities & PNP_CONFIGURABLE)
Reported by FlawFinder.
drivers/of/property.c
3 issues
Line: 559
Column: 10
CWE codes:
126
if (!cur)
return prop->value;
curv += strlen(cur) + 1;
if (curv >= prop->value + prop->length)
return NULL;
return curv;
}
Reported by FlawFinder.
Line: 1192
Column: 8
CWE codes:
126
{
unsigned int len, suffix_len;
len = strlen(str);
suffix_len = strlen(suffix);
if (len <= suffix_len)
return -1;
return strcmp(str + len - suffix_len, suffix);
}
Reported by FlawFinder.
Line: 1193
Column: 15
CWE codes:
126
unsigned int len, suffix_len;
len = strlen(str);
suffix_len = strlen(suffix);
if (len <= suffix_len)
return -1;
return strcmp(str + len - suffix_len, suffix);
}
Reported by FlawFinder.
drivers/opp/of.c
3 issues
Line: 589
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 *microvolt, *microamp = NULL;
int supplies = opp_table->regulator_count, vcount, icount, ret, i, j;
struct property *prop = NULL;
char name[NAME_MAX];
/* Search for "opp-microvolt-<name>" */
if (opp_table->prop_name) {
snprintf(name, sizeof(name), "opp-microvolt-%s",
opp_table->prop_name);
Reported by FlawFinder.
Line: 600
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!prop) {
/* Search for "opp-microvolt" */
sprintf(name, "opp-microvolt");
prop = of_find_property(opp->np, name, NULL);
/* Missing property isn't a problem, but an invalid entry is */
if (!prop) {
if (unlikely(supplies == -1)) {
Reported by FlawFinder.
Line: 663
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!prop) {
/* Search for "opp-microamp" */
sprintf(name, "opp-microamp");
prop = of_find_property(opp->np, name, NULL);
}
if (prop) {
icount = of_property_count_u32_elems(opp->np, name);
Reported by FlawFinder.
drivers/scsi/isci/phy.c
3 issues
Line: 456
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct sas_identify_frame *iaf;
iaf = &iphy->frame_rcvd.iaf;
memcpy(sas, iaf->sas_addr, SAS_ADDR_SIZE);
}
void sci_phy_get_protocols(struct isci_phy *iphy, struct sci_phy_proto *proto)
{
proto->all = readl(&iphy->link_layer_registers->transmit_identification);
Reported by FlawFinder.
Line: 990
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 state;
spin_lock_irqsave(&iphy->sas_phy.frame_rcvd_lock, flags);
memcpy(&iphy->frame_rcvd.iaf, &iaf, sizeof(iaf));
spin_unlock_irqrestore(&iphy->sas_phy.frame_rcvd_lock, flags);
if (iaf.smp_tport) {
/* We got the IAF for an expander PHY go to the final
* state since there are no power requirements for
* expander phys.
Reported by FlawFinder.
Line: 1398
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sci_sas_addr <<= 32;
sci_sas_addr |= oem->phys[index].sas_address.low;
sas_addr = cpu_to_be64(sci_sas_addr);
memcpy(iphy->sas_addr, &sas_addr, sizeof(sas_addr));
iphy->sas_phy.enabled = 0;
iphy->sas_phy.id = index;
iphy->sas_phy.sas_addr = &iphy->sas_addr[0];
iphy->sas_phy.frame_rcvd = (u8 *)&iphy->frame_rcvd;
Reported by FlawFinder.
drivers/parisc/ccio-dma.c
3 issues
Line: 1167
CWE codes:
476
struct ioc *ioc = ccio_get_iommu(dev);
u8 *res_ptr;
ioc->cujo20_bug = 1;
res_ptr = ioc->res_map;
idx = PDIR_INDEX(iovp) >> 3;
while (idx < ioc->res_size) {
res_ptr[idx] |= 0xff;
Reported by Cppcheck.
Line: 1168
CWE codes:
476
u8 *res_ptr;
ioc->cujo20_bug = 1;
res_ptr = ioc->res_map;
idx = PDIR_INDEX(iovp) >> 3;
while (idx < ioc->res_size) {
res_ptr[idx] |= 0xff;
idx += PDIR_INDEX(CUJO_20_STEP) >> 3;
Reported by Cppcheck.
Line: 1171
CWE codes:
476
res_ptr = ioc->res_map;
idx = PDIR_INDEX(iovp) >> 3;
while (idx < ioc->res_size) {
res_ptr[idx] |= 0xff;
idx += PDIR_INDEX(CUJO_20_STEP) >> 3;
}
}
Reported by Cppcheck.
drivers/parisc/dino.c
3 issues
Line: 494
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
dev_name(bus->bridge));
res->name = kmalloc(size+1, GFP_KERNEL);
if(res->name)
strcpy((char *)res->name, name);
else
res->name = dino_dev->hba.lmmio_space.name;
if (ccio_allocate_resource(dino_dev->hba.dev, res, _8MB,
Reported by FlawFinder.
Line: 485
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i;
struct dino_device *dino_dev = DINO_DEV(parisc_walk_tree(bus->bridge));
struct resource *res;
char name[128];
int size;
res = &dino_dev->hba.lmmio_space;
res->flags = IORESOURCE_MEM;
size = scnprintf(name, sizeof(name), "Dino LMMIO (%s)",
Reported by FlawFinder.
Line: 272
Column: 6
CWE codes:
120
20
/* tell HW which IO Port address */ \
__raw_writel((u32) addr, d->base_addr + DINO_PCI_ADDR); \
/* generate I/O PORT read cycle */ \
v = read##type(d->base_addr+DINO_IO_DATA+(addr&mask)); \
spin_unlock_irqrestore(&(DINO_DEV(d)->dinosaur_pen), flags); \
return v; \
}
DINO_PORT_IN(b, 8, 3)
Reported by FlawFinder.
drivers/scsi/isci/probe_roms.c
3 issues
Line: 47
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct isci_orom *rom = NULL;
size_t len, i;
int j;
char oem_sig[4];
struct isci_oem_hdr oem_hdr;
u8 *tmp, sum;
if (!oprom)
return NULL;
Reported by FlawFinder.
Line: 136
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!orom)
goto out;
memcpy(orom, fw->data, fw->size);
if (is_c0(pdev) || is_c1(pdev))
goto out;
/*
Reported by FlawFinder.
Line: 129
Column: 7
CWE codes:
126
data = (struct isci_orom *)fw->data;
if (strncmp(ISCI_ROM_SIG, data->hdr.signature,
strlen(ISCI_ROM_SIG)) != 0)
goto out;
orom = devm_kzalloc(&pdev->dev, fw->size, GFP_KERNEL);
if (!orom)
goto out;
Reported by FlawFinder.