The following issues were found
drivers/platform/chrome/wilco_ec/properties.c
3 issues
Line: 51
CWE codes:
908
ret = wilco_ec_mailbox(ec, &ec_msg);
if (ret < 0)
return ret;
if (rs->op != rq->op)
return -EBADMSG;
if (memcmp(rq->property_id, rs->property_id, sizeof(rs->property_id)))
return -EBADMSG;
return 0;
Reported by Cppcheck.
Line: 75
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
prop_msg->length = rs.length;
memcpy(prop_msg->data, rs.data, rs.length);
return 0;
}
EXPORT_SYMBOL_GPL(wilco_ec_get_property);
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rq.op = EC_OP_SET;
put_unaligned_le32(prop_msg->property_id, rq.property_id);
rq.length = prop_msg->length;
memcpy(rq.data, prop_msg->data, prop_msg->length);
ret = send_property_msg(ec, &rq, &rs);
if (ret < 0)
return ret;
if (rs.length != prop_msg->length)
Reported by FlawFinder.
drivers/platform/chrome/wilco_ec/sysfs.c
3 issues
Line: 174
CWE codes:
908
ret = wilco_ec_mailbox(ec, &msg);
if (ret < 0)
return ret;
if (rs->status)
return -EIO;
return 0;
}
Reported by Cppcheck.
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct get_ec_info_resp {
u8 reserved[2];
char value[9]; /* __nonstring: might not be null terminated */
} __packed;
static ssize_t boot_on_ac_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 196
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", rs.val);
}
static ssize_t usb_charge_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/platform/mellanox/mlxreg-hotplug.c
3 issues
Line: 82
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
mlxreg_hotplug_udev_event_send(struct kobject *kobj,
struct mlxreg_core_data *data, bool action)
{
char event_str[MLXREG_CORE_LABEL_MAX_SIZE + 2];
char label[MLXREG_CORE_LABEL_MAX_SIZE] = { 0 };
mlxreg_hotplug_udev_envp[0] = event_str;
string_upper(label, data->label);
snprintf(event_str, MLXREG_CORE_LABEL_MAX_SIZE, "%s=%d", label, !!action);
Reported by FlawFinder.
Line: 83
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxreg_core_data *data, bool action)
{
char event_str[MLXREG_CORE_LABEL_MAX_SIZE + 2];
char label[MLXREG_CORE_LABEL_MAX_SIZE] = { 0 };
mlxreg_hotplug_udev_envp[0] = event_str;
string_upper(label, data->label);
snprintf(event_str, MLXREG_CORE_LABEL_MAX_SIZE, "%s=%d", label, !!action);
Reported by FlawFinder.
Line: 183
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
regval = !!(regval & data->mask);
}
return sprintf(buf, "%u\n", regval);
}
#define PRIV_ATTR(i) priv->mlxreg_hotplug_attr[i]
#define PRIV_DEV_ATTR(i) priv->mlxreg_hotplug_dev_attr[i]
Reported by FlawFinder.
drivers/net/wireless/quantenna/qtnfmac/pcie/pearl_pcie.c
3 issues
Line: 928
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb->dev = NULL;
hdr = (struct qtnf_pearl_fw_hdr *)skb->data;
memcpy(hdr->boardflg, QTN_PCIE_BOARDFLG, strlen(QTN_PCIE_BOARDFLG));
hdr->fwsize = cpu_to_le32(size);
hdr->seqnum = cpu_to_le32(blk);
if (blk)
hdr->type = cpu_to_le32(QTN_FW_DSUB);
Reported by FlawFinder.
Line: 946
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
hdr->pktlen = cpu_to_le32(len);
memcpy(pdata, pblk, len);
hdr->crc = cpu_to_le32(~crc32(0, pdata, len));
ret = qtnf_pcie_skb_send(bus, skb);
return (ret == NETDEV_TX_OK) ? len : 0;
Reported by FlawFinder.
Line: 928
Column: 43
CWE codes:
126
skb->dev = NULL;
hdr = (struct qtnf_pearl_fw_hdr *)skb->data;
memcpy(hdr->boardflg, QTN_PCIE_BOARDFLG, strlen(QTN_PCIE_BOARDFLG));
hdr->fwsize = cpu_to_le32(size);
hdr->seqnum = cpu_to_le32(blk);
if (blk)
hdr->type = cpu_to_le32(QTN_FW_DSUB);
Reported by FlawFinder.
drivers/net/wireless/realtek/rtlwifi/usb.c
3 issues
Line: 77
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dr->wIndex = cpu_to_le16(index);
dr->wLength = cpu_to_le16(len);
/* data are already in little-endian order */
memcpy(databuf, pdata, len);
usb_fill_control_urb(urb, udev, pipe,
(unsigned char *)dr, databuf, len,
usbctrl_async_callback, NULL);
rc = usb_submit_urb(urb, GFP_ATOMIC);
if (rc < 0) {
Reported by FlawFinder.
Line: 439
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr = (struct ieee80211_hdr *)(skb->data);
fc = hdr->frame_control;
if (!stats.crc) {
memcpy(IEEE80211_SKB_RXCB(skb), &rx_status, sizeof(rx_status));
if (is_broadcast_ether_addr(hdr->addr1)) {
/*TODO*/;
} else if (is_multicast_ether_addr(hdr->addr1)) {
/*TODO*/
Reported by FlawFinder.
Line: 481
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr = (struct ieee80211_hdr *)(skb->data);
fc = hdr->frame_control;
if (!stats.crc) {
memcpy(IEEE80211_SKB_RXCB(skb), &rx_status, sizeof(rx_status));
if (is_broadcast_ether_addr(hdr->addr1)) {
/*TODO*/;
} else if (is_multicast_ether_addr(hdr->addr1)) {
/*TODO*/
Reported by FlawFinder.
drivers/pps/pps.c
3 issues
Line: 268
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
return -EFAULT;
memcpy(&fdata.timeout, &compat.timeout,
sizeof(struct pps_ktime_compat));
err = pps_cdev_pps_fetch(pps, &fdata);
if (err)
return err;
Reported by FlawFinder.
Line: 282
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
compat.info.clear_sequence = pps->clear_sequence;
compat.info.current_mode = pps->current_mode;
memcpy(&compat.info.assert_tu, &pps->assert_tu,
sizeof(struct pps_ktime_compat));
memcpy(&compat.info.clear_tu, &pps->clear_tu,
sizeof(struct pps_ktime_compat));
spin_unlock_irq(&pps->lock);
Reported by FlawFinder.
Line: 284
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&compat.info.assert_tu, &pps->assert_tu,
sizeof(struct pps_ktime_compat));
memcpy(&compat.info.clear_tu, &pps->clear_tu,
sizeof(struct pps_ktime_compat));
spin_unlock_irq(&pps->lock);
return copy_to_user(uarg, &compat,
Reported by FlawFinder.
drivers/scsi/ibmvscsi/ibmvfc.h
3 issues
Line: 806
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long hw_irq;
unsigned long irq;
unsigned long hwq_id;
char name[32];
};
struct ibmvfc_scsi_channels {
struct ibmvfc_queue *scrqs;
unsigned int active_queues;
Reported by FlawFinder.
Line: 841
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct ibmvfc_host {
char name[8];
struct list_head queue;
struct Scsi_Host *host;
enum ibmvfc_host_state state;
enum ibmvfc_host_action action;
#define IBMVFC_NUM_TRACE_INDEX_BITS 8
Reported by FlawFinder.
Line: 891
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define IBMVFC_AE_RSCN 0x0004
dma_addr_t disc_buf_dma;
unsigned int partition_number;
char partition_name[97];
void (*job_step) (struct ibmvfc_host *);
struct task_struct *work_thread;
struct tasklet_struct tasklet;
struct work_struct rport_add_work_q;
wait_queue_head_t init_wait_q;
Reported by FlawFinder.
drivers/power/supply/wm831x_power.c
3 issues
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct power_supply_desc wall_desc;
struct power_supply_desc usb_desc;
struct power_supply_desc battery_desc;
char wall_name[20];
char usb_name[20];
char battery_name[20];
bool have_battery;
struct usb_phy *usb_phy;
struct notifier_block usb_notify;
Reported by FlawFinder.
Line: 29
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct power_supply_desc usb_desc;
struct power_supply_desc battery_desc;
char wall_name[20];
char usb_name[20];
char battery_name[20];
bool have_battery;
struct usb_phy *usb_phy;
struct notifier_block usb_notify;
};
Reported by FlawFinder.
Line: 30
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct power_supply_desc battery_desc;
char wall_name[20];
char usb_name[20];
char battery_name[20];
bool have_battery;
struct usb_phy *usb_phy;
struct notifier_block usb_notify;
};
Reported by FlawFinder.
drivers/platform/surface/surface_acpi_notify.c
3 issues
Line: 526
CWE codes:
476
gsb->data.out.len = len;
if (len)
memcpy(&gsb->data.out.pld[0], ptr, len);
}
static acpi_status san_rqst_fixup_suspended(struct san_data *d,
struct ssam_request *rqst,
struct gsb_buffer *gsb)
Reported by Cppcheck.
Line: 357
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INIT_DELAYED_WORK(&work->work, san_evt_bat_workfn);
work->dev = d->dev;
memcpy(&work->event, event, sizeof(struct ssam_event) + event->length);
schedule_delayed_work(&work->work, delay);
return SSAM_NOTIF_HANDLED;
}
Reported by FlawFinder.
Line: 526
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gsb->data.out.len = len;
if (len)
memcpy(&gsb->data.out.pld[0], ptr, len);
}
static acpi_status san_rqst_fixup_suspended(struct san_data *d,
struct ssam_request *rqst,
struct gsb_buffer *gsb)
Reported by FlawFinder.
drivers/platform/surface/surfacepro3_button.c
3 issues
Line: 214
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
name = acpi_device_name(device);
strcpy(name, SURFACE_BUTTON_DEVICE_NAME);
snprintf(button->phys, sizeof(button->phys), "%s/buttons", hid);
input->name = name;
input->phys = button->phys;
input->id.bustype = BUS_HOST;
Reported by FlawFinder.
Line: 69
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct surface_button {
unsigned int type;
struct input_dev *input;
char phys[32]; /* for input device */
unsigned long pushed;
bool suspended;
};
static void surface_button_notify(struct acpi_device *device, u32 event)
Reported by FlawFinder.
Line: 196
Column: 6
CWE codes:
126
int error;
if (strncmp(acpi_device_bid(device), SURFACE_BUTTON_OBJ_NAME,
strlen(SURFACE_BUTTON_OBJ_NAME)))
return -ENODEV;
if (!surface_button_check_MSHW0040(device))
return -ENODEV;
Reported by FlawFinder.