The following issues were found
drivers/pinctrl/bcm/pinctrl-bcm2835.c
3 issues
Line: 424
CWE codes:
908 (Use of Uninitialized Resource)
chained_irq_enter(host_chip, desc);
switch (group) {
case 0: /* IRQ0 covers GPIOs 0-27 */
bcm2835_gpio_irq_handle_bank(pc, 0, 0x0fffffff);
break;
case 1: /* IRQ1 covers GPIOs 28-45 */
bcm2835_gpio_irq_handle_bank(pc, 0, 0xf0000000);
Reported by Cppcheck.
Line: 224
Column: 14
CWE codes:
119
120
Suggestion:
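Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Note that the array declared in this excerpt, bcm2835_functions, is a const table of pointers to string literals; the excerpt shows nothing being copied into it.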
BCM2835_FSEL_MASK = 0x7,
};
static const char * const bcm2835_functions[BCM2835_FSEL_COUNT] = {
[BCM2835_FSEL_GPIO_IN] = "gpio_in",
[BCM2835_FSEL_GPIO_OUT] = "gpio_out",
[BCM2835_FSEL_ALT0] = "alt0",
[BCM2835_FSEL_ALT1] = "alt1",
[BCM2835_FSEL_ALT2] = "alt2",
Reported by FlawFinder.
Line: 1288
Column: 9
CWE codes:
126 (Buffer Over-read: strlen relies on its argument being NUL-terminated)
pc->wake_irq[i] = irq_of_parse_and_map(np, i +
BCM2835_NUM_IRQS + 1);
len = strlen(dev_name(pc->dev)) + 16;
name = devm_kzalloc(pc->dev, len, GFP_KERNEL);
if (!name)
return -ENOMEM;
snprintf(name, len, "%s:bank%d", dev_name(pc->dev), i);
Reported by FlawFinder.
drivers/scsi/53c700.c
3 issues
Line: 504
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
ret[0]='\0';
for(i=0; i<8; i++) {
if((1<<i) & sbcl)
strcat(ret, NCR_700_SBCL_bits[i]);
}
strcat(ret, NCR_700_SBCL_to_phase[sbcl & 0x07]);
return ret;
}
Reported by FlawFinder.
Line: 506
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if((1<<i) & sbcl)
strcat(ret, NCR_700_SBCL_bits[i]);
}
strcat(ret, NCR_700_SBCL_to_phase[sbcl & 0x07]);
return ret;
}
static inline __u8
bitmap_to_number(__u8 bitmap)
Reported by FlawFinder.
Line: 499
Column: 9
CWE codes:
119
120
Suggestion:
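Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Here the 256-byte buffer is static and is returned to the caller, and it is filled with unbounded strcat calls, so whether it can overflow depends on the combined length of the NCR_700_SBCL_bits and NCR_700_SBCL_to_phase strings, which the excerpt does not show.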
sbcl_to_string(__u8 sbcl)
{
int i;
static char ret[256];
ret[0]='\0';
for(i=0; i<8; i++) {
if((1<<i) & sbcl)
strcat(ret, NCR_700_SBCL_bits[i]);
Reported by FlawFinder.
drivers/scsi/elx/libefc/efc_domain.c
3 issues
Line: 376
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sp = (struct fc_els_flogi *)nport->service_params;
/* Save the domain service parameters */
memcpy(domain->service_params + 4, domain->dma.virt,
sizeof(struct fc_els_flogi) - 4);
memcpy(nport->service_params + 4, domain->dma.virt,
sizeof(struct fc_els_flogi) - 4);
/*
Reported by FlawFinder.
Line: 378
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Save the domain service parameters */
memcpy(domain->service_params + 4, domain->dma.virt,
sizeof(struct fc_els_flogi) - 4);
memcpy(nport->service_params + 4, domain->dma.virt,
sizeof(struct fc_els_flogi) - 4);
/*
* Update the nport's service parameters,
* user might have specified non-default names
Reported by FlawFinder.
Line: 826
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy domain->flogi_service_params, skipping its first 4 bytes, into the
 * buffer at domain->dma.virt, then post EFC_EVT_DOMAIN_REQ_ATTACH on
 * domain->drvsm with a pointer to s_id as the event argument.
 */
void
__efc_domain_attach_internal(struct efc_domain *domain, u32 s_id)
{
/*
 * Copies sizeof(struct fc_els_flogi) - 4 bytes.
 * NOTE(review): nothing here checks that domain->dma.virt is non-NULL or
 * that the buffer behind it holds at least that many bytes; confirm both
 * at the site that allocates domain->dma.
 */
memcpy(domain->dma.virt,
((uint8_t *)domain->flogi_service_params) + 4,
sizeof(struct fc_els_flogi) - 4);
/*
 * The return value is explicitly discarded by the (void) cast.
 * NOTE(review): &s_id is the address of this function's by-value
 * parameter, so it is only valid if the event is consumed before this
 * function returns; confirm against efc_sm_post_event.
 */
(void)efc_sm_post_event(&domain->drvsm, EFC_EVT_DOMAIN_REQ_ATTACH,
&s_id);
}
Reported by FlawFinder.
drivers/net/wireless/mediatek/mt7601u/mcu.c
3 issues
Line: 274
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le16 build_ver;
__le16 fw_ver;
u8 pad[4];
char build_time[16];
};
struct mt76_fw {
struct mt76_fw_header hdr;
u8 ivb[MT_MCU_IVB_SIZE];
Reported by FlawFinder.
Line: 296
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
reg = cpu_to_le32(FIELD_PREP(MT_TXD_INFO_TYPE, DMA_PACKET) |
FIELD_PREP(MT_TXD_INFO_D_PORT, CPU_TX_PORT) |
FIELD_PREP(MT_TXD_INFO_LEN, len));
memcpy(buf.buf, &reg, sizeof(reg));
memcpy(buf.buf + sizeof(reg), data, len);
memset(buf.buf + sizeof(reg) + len, 0, 8);
ret = mt7601u_vendor_single_wr(dev, MT_VEND_WRITE_FCE,
MT_FCE_DMA_ADDR, dst_addr);
Reported by FlawFinder.
Line: 297
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
FIELD_PREP(MT_TXD_INFO_D_PORT, CPU_TX_PORT) |
FIELD_PREP(MT_TXD_INFO_LEN, len));
memcpy(buf.buf, &reg, sizeof(reg));
memcpy(buf.buf + sizeof(reg), data, len);
memset(buf.buf + sizeof(reg) + len, 0, 8);
ret = mt7601u_vendor_single_wr(dev, MT_VEND_WRITE_FCE,
MT_FCE_DMA_ADDR, dst_addr);
if (ret)
Reported by FlawFinder.
drivers/s390/char/con3215.c
3 issues
Line: 690
CWE codes:
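788 (Access of Memory Location After End of Buffer): if no entry of raw3215 equals raw, the loop ends with line == NR_3215 and the store raw3215[line] = NULL lands one element past the end of the array. Whether that case can occur depends on callers not shown here.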
for (line = 0; line < NR_3215; line++)
if (raw3215[line] == raw)
break;
raw3215[line] = NULL;
spin_unlock(&raw3215_device_lock);
dev_set_drvdata(&cdev->dev, NULL);
raw3215_free_info(raw);
}
}
Reported by Cppcheck.
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
wait_queue_head_t empty_wait; /* wait queue for flushing */
struct timer_list timer; /* timer for delayed output */
int line_pos; /* position on the line (for tabs) */
char ubuffer[80]; /* copy_from_user buffer */
};
/* array of 3215 devices structures */
static struct raw3215_info *raw3215[NR_3215];
/* spinlock to protect the raw3215 array */
Reported by FlawFinder.
Line: 499
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
RAW3215_BUFFER_SIZE - raw->head));
if (c <= 0)
break;
memcpy(raw->buffer + raw->head, str, c);
ASCEBC(raw->buffer + raw->head, c);
raw->head = (raw->head + c) & (RAW3215_BUFFER_SIZE - 1);
raw->count += c;
raw->line_pos += c;
str += c;
Reported by FlawFinder.
drivers/rapidio/devices/rio_mport_cdev.c
3 issues
Line: 1526
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int handled;
event.header = RIO_PORTWRITE;
memcpy(event.u.portwrite.payload, msg->raw, RIO_PW_MSG_SIZE);
handled = 0;
spin_lock(&md->pw_lock);
list_for_each_entry(pw_filter, &md->portwrites, md_node) {
if (rio_mport_match_pw(msg, &pw_filter->filter)) {
Reported by FlawFinder.
Line: 1788
Column: 6
CWE codes:
126
rswitch->route_table = NULL;
}
if (strlen(dev_info.name))
dev_set_name(&rdev->dev, "%s", dev_info.name);
else if (rdev->pef & RIO_PEF_SWITCH)
dev_set_name(&rdev->dev, "%02x:s:%04x", mport->id,
rdev->comp_tag & RIO_CTAG_UDEVID);
else
Reported by FlawFinder.
Line: 1831
Column: 6
CWE codes:
126
mport = priv->md->mport;
/* If device name is specified, removal by name has priority */
if (strlen(dev_info.name)) {
dev = bus_find_device_by_name(&rio_bus_type, NULL,
dev_info.name);
if (dev)
rdev = to_rio_dev(dev);
} else {
Reported by FlawFinder.
drivers/sbus/char/oradax.c
3 issues
Line: 255
Column: 28
CWE codes:
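126 (Buffer Over-read). The flagged strlen takes the string literal "dax", so that call is bounded; the read of prop by strncmp is limited to the same three bytes, and the len value returned by mdesc_get_property is not consulted in the lines shown.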
prop = (char *)mdesc_get_property(hp, pn, "name", &len);
if (prop == NULL)
continue;
if (strncmp(prop, "dax", strlen("dax")))
continue;
dax_dbg("Found node 0x%llx = %s", pn, prop);
prop = (char *)mdesc_get_property(hp, pn, "compatible", &len);
if (prop == NULL)
Reported by FlawFinder.
Line: 273
Column: 30
CWE codes:
126
goto done;
}
if (strncmp(prop, DAX2_STR, strlen(DAX2_STR)) == 0) {
dax_name = DAX_NAME "2";
major = DAX2_MAJOR;
minor_requested = DAX2_MINOR;
max_ccb_version = 1;
dax_dbg("MD indicates DAX2 coprocessor");
Reported by FlawFinder.
Line: 279
Column: 37
CWE codes:
126
minor_requested = DAX2_MINOR;
max_ccb_version = 1;
dax_dbg("MD indicates DAX2 coprocessor");
} else if (strncmp(prop, DAX1_STR, strlen(DAX1_STR)) == 0) {
dax_name = DAX_NAME "1";
major = DAX1_MAJOR;
minor_requested = DAX1_MINOR;
max_ccb_version = 0;
dax_dbg("MD indicates DAX1 coprocessor");
Reported by FlawFinder.
drivers/scsi/elx/libefc/efc_node.h
3 issues
Line: 29
Column: 3
CWE codes:
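120 (Buffer Copy without Checking Size of Input): strncpy is called with the full size of the destination, so the destination is left without a NUL terminator whenever the source is at least that long. A copy that always terminates, such as the kernel's strscpy(), avoids this.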
struct efc_node *node = ctx->app;
if (evt == EFC_EVT_ENTER) {
strncpy(node->current_state_name, handler,
sizeof(node->current_state_name));
} else if (evt == EFC_EVT_EXIT) {
strncpy(node->prev_state_name, node->current_state_name,
sizeof(node->prev_state_name));
strncpy(node->current_state_name, "invalid",
Reported by FlawFinder.
Line: 32
Column: 3
CWE codes:
120
strncpy(node->current_state_name, handler,
sizeof(node->current_state_name));
} else if (evt == EFC_EVT_EXIT) {
strncpy(node->prev_state_name, node->current_state_name,
sizeof(node->prev_state_name));
strncpy(node->current_state_name, "invalid",
sizeof(node->current_state_name));
}
node->prev_evt = node->current_evt;
Reported by FlawFinder.
Line: 34
Column: 3
CWE codes:
120
} else if (evt == EFC_EVT_EXIT) {
strncpy(node->prev_state_name, node->current_state_name,
sizeof(node->prev_state_name));
strncpy(node->current_state_name, "invalid",
sizeof(node->current_state_name));
}
node->prev_evt = node->current_evt;
node->current_evt = evt;
}
Reported by FlawFinder.
drivers/net/wireless/ti/wl1251/acx.c
3 issues
Line: 396
Column: 2
CWE codes:
120
Suggestion:
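Make sure destination can always hold the source data. In this excerpt mc_list_len sets the copy size (mc_list_len * ETH_ALEN) with no visible check against the capacity of acx->mac_table, so the bound has to be enforced by the caller or earlier in the function.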
/* MAC filtering */
acx->enabled = enable;
acx->num_groups = mc_list_len;
memcpy(acx->mac_table, mc_list, mc_list_len * ETH_ALEN);
ret = wl1251_cmd_configure(wl, DOT11_GROUP_ADDRESS_TBL,
acx, sizeof(*acx));
if (ret < 0) {
wl1251_warning("failed to set group addr table: %d", ret);
Reported by FlawFinder.
Line: 982
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
acx->enable = enable;
if (enable)
memcpy(acx->address, &address, ACX_IPV4_ADDR_SIZE);
ret = wl1251_cmd_configure(wl, ACX_ARP_IP_FILTER,
acx, sizeof(*acx));
if (ret < 0)
wl1251_warning("failed to set arp ip filter: %d", ret);
Reported by FlawFinder.
Line: 153
Column: 2
CWE codes:
120
}
/* be careful with the buffer sizes */
strncpy(buf, rev->fw_version, min(len, sizeof(rev->fw_version)));
/*
* if the firmware version string is exactly
* sizeof(rev->fw_version) long or fw_len is less than
* sizeof(rev->fw_version) it won't be null terminated
Reported by FlawFinder.
drivers/s390/char/hmcdrv_cache.c
3 issues
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct hmcdrv_cache_entry {
enum hmcdrv_ftp_cmdid id;
char fname[HMCDRV_FTP_FIDENT_MAX];
size_t fsize;
loff_t ofs;
unsigned long timeout;
void *content;
size_t len;
Reported by FlawFinder.
Line: 94
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((pos >= 0) &&
((pos + len) <= hmcdrv_cache_file.len)) {
memcpy(ftp->buf,
hmcdrv_cache_file.content + pos,
len);
pr_debug("using cached content of '%s', returning %zd/%zd bytes\n",
hmcdrv_cache_file.fname, len,
hmcdrv_cache_file.fsize);
Reported by FlawFinder.
Line: 146
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hmcdrv_cache_file.ofs = ftp->ofs;
hmcdrv_cache_file.timeout = jiffies +
HMCDRV_CACHE_TIMEOUT * HZ;
memcpy(ftp->buf, hmcdrv_cache_file.content, len);
}
} else {
len = func(ftp, &hmcdrv_cache_file.fsize);
hmcdrv_cache_file.ofs = -1; /* invalidate content */
}
Reported by FlawFinder.