The following issues were found
drivers/platform/chrome/chromeos_laptop.c
3 issues
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Groups a fixed-size ID buffer, a software node and an i2c_client pointer. */
struct acpi_peripheral {
/*
 * Fixed-size buffer of ACPI_ID_LEN bytes. This declaration does not guarantee
 * NUL termination, so any copy into or out of it must be bounded by
 * ACPI_ID_LEN (or sizeof(hid)) rather than by a string length.
 */
char hid[ACPI_ID_LEN];
struct software_node swnode;
struct i2c_client *client;
};
struct chromeos_laptop {
Reported by FlawFinder.
Line: 178
Column: 3
CWE codes:
120
Suggestion:
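Make sure destination can always hold the source data. Here the copy length is ACPI_ID_LEN, which matches the declared size of the source field hid; the size of acpi_ids[0].id is not shown in this excerpt and is the part to confirm.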
for (i = 0; i < cros_laptop->num_acpi_peripherals; i++) {
acpi_dev = &cros_laptop->acpi_peripherals[i];
memcpy(acpi_ids[0].id, acpi_dev->hid, ACPI_ID_LEN);
if (acpi_match_device(acpi_ids, &client->dev)) {
error = device_add_software_node(&client->dev, &acpi_dev->swnode);
if (error) {
dev_err(&client->dev,
Reported by FlawFinder.
Line: 149
Column: 8
CWE codes:
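126 (buffer over-read: strlen() relies on its argument being NUL-terminated; here the argument is an entry of i2c_adapter_names, whose definition is not shown)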
continue;
if (strncmp(adapter->name, i2c_adapter_names[i2c_dev->type],
strlen(i2c_adapter_names[i2c_dev->type])))
continue;
if (i2c_dev->pci_devid &&
!chromeos_laptop_match_adapter_devid(adapter->dev.parent,
i2c_dev->pci_devid)) {
Reported by FlawFinder.
drivers/platform/chrome/cros_ec_chardev.c
3 issues
Line: 113
Column: 2
CWE codes:
120
Suggestion:
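Make sure destination can always hold the source data. The copy length is ec_dev->event_size; the excerpt does not show how event was allocated, so confirm that the allocation covers event_size bytes of data.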
event->size = ec_dev->event_size;
event->event_type = ec_dev->event_data.event_type;
memcpy(event->data, &ec_dev->event_data.data, ec_dev->event_size);
spin_lock(&priv->wait_event.lock);
list_add_tail(&event->node, &priv->events);
priv->event_len += total_size;
wake_up_locked(&priv->wait_event);
Reported by FlawFinder.
Line: 203
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t cros_ec_chardev_read(struct file *filp, char __user *buffer,
size_t length, loff_t *offset)
{
char msg[sizeof(struct ec_response_get_version) +
sizeof(CROS_EC_DEV_VERSION)];
struct chardev_priv *priv = filp->private_data;
struct cros_ec_dev *ec_dev = priv->ec_dev;
size_t count;
int ret;
Reported by FlawFinder.
Line: 244
Column: 22
CWE codes:
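126 (buffer over-read: strlen(msg) relies on msg being NUL-terminated, which depends on how msg was filled; that code is not shown in this excerpt)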
if (ret)
return ret;
count = min(length, strlen(msg));
if (copy_to_user(buffer, msg, count))
return -EFAULT;
*offset = count;
Reported by FlawFinder.
drivers/ptp/ptp_idt82p33.c
3 issues
Line: 126
Column: 2
CWE codes:
120
Suggestion:
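Make sure destination can always hold the source data. The excerpt opens with a return -EINVAL, which suggests an earlier validation, but neither that check nor the size of msg is visible; the copy is safe only if count + 1 does not exceed the size of msg.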
return -EINVAL;
msg[0] = regaddr;
memcpy(&msg[1], buf, count);
err = i2c_master_send(client, msg, count + 1);
if (err < 0) {
dev_err(&client->dev, "i2c_master_send returned %d\n", err);
return err;
Reported by FlawFinder.
Line: 256
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct idt82p33 *idt82p33 = channel->idt82p33;
struct timespec64 local_ts = *ts;
char buf[TOD_BYTE_COUNT];
s64 dynamic_overhead_ns;
unsigned char trigger;
int err;
u8 i;
Reported by FlawFinder.
Line: 322
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int _idt82p33_adjfine(struct idt82p33_channel *channel, long scaled_ppm)
{
struct idt82p33 *idt82p33 = channel->idt82p33;
unsigned char buf[5] = {0};
int err, i;
s64 fcw;
if (scaled_ppm == channel->current_freq_ppb)
return 0;
Reported by FlawFinder.
drivers/s390/net/ism_drv.c
3 issues
Line: 402
Column: 2
CWE codes:
119
120
Suggestion:
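Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt tmp is written only through snprintf(tmp, 5, ...), which limits each write to the five bytes declared, so an over-wide value would be truncated rather than overflow the buffer.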
{
struct cpuid id;
u16 ident_tail;
char tmp[5];
get_cpu_id(&id);
ident_tail = (u16)(id.ident & ISM_IDENT_MASK);
snprintf(tmp, 5, "%04X", ident_tail);
memcpy(&SYSTEM_EID.serial_number, tmp, 4);
Reported by FlawFinder.
Line: 407
Column: 2
CWE codes:
120
Suggestion:
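Make sure destination can always hold the source data. The copy length is a constant 4 and tmp holds 5 bytes, so the read is in bounds; the size of SYSTEM_EID.serial_number is not shown here. The same applies to the copy into SYSTEM_EID.type reported next.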
get_cpu_id(&id);
ident_tail = (u16)(id.ident & ISM_IDENT_MASK);
snprintf(tmp, 5, "%04X", ident_tail);
memcpy(&SYSTEM_EID.serial_number, tmp, 4);
snprintf(tmp, 5, "%04X", id.machine);
memcpy(&SYSTEM_EID.type, tmp, 4);
}
static void ism_get_system_eid(struct smcd_dev *smcd, u8 **eid)
Reported by FlawFinder.
Line: 409
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
snprintf(tmp, 5, "%04X", ident_tail);
memcpy(&SYSTEM_EID.serial_number, tmp, 4);
snprintf(tmp, 5, "%04X", id.machine);
memcpy(&SYSTEM_EID.type, tmp, 4);
}
static void ism_get_system_eid(struct smcd_dev *smcd, u8 **eid)
{
*eid = &SYSTEM_EID.seid_string[0];
Reported by FlawFinder.
drivers/rtc/rtc-max6916.c
3 issues
Line: 45
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char data)
{
struct spi_device *spi = to_spi_device(dev);
unsigned char buf[2];
buf[0] = address & 0x7F;
buf[1] = data;
return spi_write_then_read(spi, buf, 2, NULL, 0);
Reported by FlawFinder.
Line: 57
Column: 11
CWE codes:
119
120
Suggestion:
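Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt buf is declared with 8 bytes and the call shown passes 8 as the receive length, so the read fills the buffer exactly.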
{
struct spi_device *spi = to_spi_device(dev);
int err;
unsigned char buf[8];
buf[0] = MAX6916_CLOCK_BURST | 0x80;
err = spi_write_then_read(spi, buf, 1, buf, 8);
Reported by FlawFinder.
Line: 80
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int max6916_set_time(struct device *dev, struct rtc_time *dt)
{
struct spi_device *spi = to_spi_device(dev);
unsigned char buf[9];
if (dt->tm_year < 100 || dt->tm_year > 199) {
dev_err(&spi->dev, "Year must be between 2000 and 2099. It's %d.\n",
dt->tm_year + 1900);
return -EINVAL;
Reported by FlawFinder.
drivers/net/wireless/intersil/p54/p54.h
3 issues
Line: 75
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} __packed;
/* Packed record holding a single 24-byte firmware version field. */
struct bootrec_comp_ver {
/*
 * Fixed 24-byte field. NOTE(review): nothing in this declaration guarantees
 * NUL termination, so readers should bound accesses by sizeof(fw_version)
 * rather than rely on strlen(); confirm against the code that parses it.
 */
char fw_version[24];
} __packed;
struct bootrec_end {
__le16 crc;
u8 padding[2];
Reported by FlawFinder.
Line: 149
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Per-LED state: owning hw pointer, the LED class device, a name buffer and three flags/counters. */
struct p54_led_dev {
struct ieee80211_hw *hw_dev;
struct led_classdev led_dev;
/*
 * Name buffer of P54_LED_MAX_NAME_LEN + 1 bytes; the +1 presumably reserves
 * room for the terminating NUL (confirm against the code that fills it).
 * Writers should bound by sizeof(name).
 */
char name[P54_LED_MAX_NAME_LEN + 1];
unsigned int toggled;
unsigned int index;
unsigned int registered;
};
Reported by FlawFinder.
Line: 168
Column: 8
CWE codes:
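362 (race condition on file open; the match at column 8 is the identifier open in "int (*open)(struct ieee80211_hw *dev);", a function-pointer member of a struct, not a call that opens a file, so this looks like a name-based false positive)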
struct ieee80211_hw *hw;
struct ieee80211_vif *vif;
void (*tx)(struct ieee80211_hw *dev, struct sk_buff *skb);
int (*open)(struct ieee80211_hw *dev);
void (*stop)(struct ieee80211_hw *dev);
struct sk_buff_head tx_pending;
struct sk_buff_head tx_queue;
struct mutex conf_mutex;
bool registered;
Reported by FlawFinder.
drivers/scsi/esas2r/esas2r_disc.c
3 issues
Line: 651
Column: 4
CWE codes:
120
Suggestion:
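Make sure destination can always hold the source data. Here the copy length is sizeof(grpinfo->grp_name), the size of the source field, so dc->raid_grp_name must be at least that large; its declaration is not shown in this excerpt.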
dc->raid_grp_ix++;
} else {
memcpy(&dc->raid_grp_name[0],
&grpinfo->grp_name[0],
sizeof(grpinfo->grp_name));
dc->interleave = le32_to_cpu(grpinfo->interleave);
dc->block_size = le32_to_cpu(grpinfo->block_size);
Reported by FlawFinder.
Line: 724
Column: 2
CWE codes:
120
Suggestion:
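Make sure destination can always hold the source data. Here the copy length is sizeof(partinfo->grp_name), the size of the destination field, so the write is bounded; the source dc->raid_grp_name must be at least that long to avoid reading past it.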
partinfo->part_no = dc->part_num;
memcpy(&partinfo->grp_name[0],
&dc->raid_grp_name[0],
sizeof(partinfo->grp_name));
rq->comp_cb = esas2r_disc_part_info_cb;
Reported by FlawFinder.
Line: 961
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dc->dev_addr_type == ATTO_GDA_AT_PORT) {
if (addrlen == sizeof(u64))
memcpy(&dc->sas_addr,
&hi->data.get_dev_addr.address[0],
addrlen);
else
memset(&dc->sas_addr, 0, sizeof(dc->sas_addr));
Reported by FlawFinder.
drivers/ps3/ps3av.c
3 issues
Line: 276
Column: 2
CWE codes:
120
Suggestion:
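Make sure destination can always hold the source data. return_len is capped at user_buf_size before the copy, so the write into cmd_buf is bounded provided user_buf_size is its real size; the number of bytes read from recv_buf still depends on recv_buf->size being trustworthy.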
return_len = recv_buf->size + PS3AV_HDR_SIZE;
if (return_len > user_buf_size)
return_len = user_buf_size;
memcpy(cmd_buf, recv_buf, return_len);
return 0; /* success */
}
void ps3av_set_hdr(u32 cid, u16 size, struct ps3av_send_hdr *hdr)
{
Reported by FlawFinder.
Line: 661
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct ps3av_info_monitor *info = &monitor_info->info;
const struct ps3av_info_audio *audio = info->audio;
char id[sizeof(info->monitor_id)*3+1];
int i;
pr_debug("Monitor Info: size %u\n", monitor_info->send_hdr.size);
pr_debug("avport: %02x\n", info->avport);
Reported by FlawFinder.
Line: 668
Column: 3
CWE codes:
120
Suggestion:
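Use sprintf_s, snprintf, or vsnprintf. id is declared (in the excerpt for line 661 above) with sizeof(info->monitor_id)*3+1 bytes and each loop iteration writes at offset i*3, so the buffer is sufficient only if every element formats as exactly two hex digits, i.e. is an unsigned 8-bit value; the element type is not shown.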
pr_debug("avport: %02x\n", info->avport);
for (i = 0; i < sizeof(info->monitor_id); i++)
sprintf(&id[i*3], " %02x", info->monitor_id[i]);
pr_debug("monitor_id: %s\n", id);
pr_debug("monitor_type: %02x\n", info->monitor_type);
pr_debug("monitor_name: %.*s\n", (int)sizeof(info->monitor_name),
info->monitor_name);
Reported by FlawFinder.
drivers/net/wireless/mediatek/mt76/usb.c
3 issues
Line: 206
Column: 3
CWE codes:
120
Suggestion:
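Make sure destination can always hold the source data. current_batch_size is the minimum of usb->data_len and the remaining length, so the copy into usb->data is bounded provided data_len is the real size of that buffer.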
mutex_lock(&usb->usb_ctrl_mtx);
while (i < len) {
current_batch_size = min_t(int, usb->data_len, len - i);
memcpy(usb->data, val + i, current_batch_size);
ret = __mt76u_vendor_request(dev, MT_VEND_MULTI_WRITE,
USB_DIR_OUT | USB_TYPE_VENDOR,
0, offset + i, usb->data,
current_batch_size);
if (ret < 0)
Reported by FlawFinder.
Line: 230
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&usb->usb_ctrl_mtx);
while (i < len) {
batch_len = min_t(int, usb->data_len, len - i);
memcpy(usb->data, val + i, batch_len);
ret = __mt76u_vendor_request(dev, MT_VEND_WRITE_EXT,
USB_DIR_OUT | USB_TYPE_VENDOR,
(offset + i) >> 16, offset + i,
usb->data, batch_len);
if (ret < 0)
Reported by FlawFinder.
Line: 262
Column: 3
CWE codes:
120
Suggestion:
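Make sure destination can always hold the source data. Here the destination is the caller's buffer val at offset i; the excerpt does not show how batch_len is computed or how large val is, so both need checking against len.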
if (ret < 0)
break;
memcpy(val + i, usb->data, batch_len);
i += batch_len;
}
mutex_unlock(&usb->usb_ctrl_mtx);
}
Reported by FlawFinder.
drivers/scsi/iscsi_tcp.c
3 issues
Line: 839
Column: 2
CWE codes:
120
Suggestion:
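Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The sources in this excerpt are string literals of fixed length (the longest are 20 characters plus the terminating NUL), so the risk depends only on the size of stats->custom[].desc, which is not shown; in kernel code the bounded copy helper is strscpy.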
struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data;
stats->custom_length = 3;
strcpy(stats->custom[0].desc, "tx_sendpage_failures");
stats->custom[0].value = tcp_sw_conn->sendpage_failures_cnt;
strcpy(stats->custom[1].desc, "rx_discontiguous_hdr");
stats->custom[1].value = tcp_sw_conn->discontiguous_hdr_cnt;
strcpy(stats->custom[2].desc, "eh_abort_cnt");
stats->custom[2].value = conn->eh_abort_cnt;
Reported by FlawFinder.
Line: 841
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
stats->custom_length = 3;
strcpy(stats->custom[0].desc, "tx_sendpage_failures");
stats->custom[0].value = tcp_sw_conn->sendpage_failures_cnt;
strcpy(stats->custom[1].desc, "rx_discontiguous_hdr");
stats->custom[1].value = tcp_sw_conn->discontiguous_hdr_cnt;
strcpy(stats->custom[2].desc, "eh_abort_cnt");
stats->custom[2].value = conn->eh_abort_cnt;
iscsi_tcp_conn_get_stats(cls_conn, stats);
Reported by FlawFinder.
Line: 843
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
stats->custom[0].value = tcp_sw_conn->sendpage_failures_cnt;
strcpy(stats->custom[1].desc, "rx_discontiguous_hdr");
stats->custom[1].value = tcp_sw_conn->discontiguous_hdr_cnt;
strcpy(stats->custom[2].desc, "eh_abort_cnt");
stats->custom[2].value = conn->eh_abort_cnt;
iscsi_tcp_conn_get_stats(cls_conn, stats);
}
Reported by FlawFinder.