The following issues were found
drivers/platform/x86/intel-hid.c
3 issues
Line: 145
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
INTEL_HID_DSM_FN_MAX
};
static const char *intel_hid_dsm_fn_to_method[INTEL_HID_DSM_FN_MAX] = {
NULL,
"BTNL",
"HDMM",
"HDSM",
"HDEM",
Reported by FlawFinder.
Line: 173
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
fn_index >= INTEL_HID_DSM_FN_MAX)
return false;
method_name = (char *)intel_hid_dsm_fn_to_method[fn_index];
if (!(intel_hid_dsm_fn_mask & BIT(fn_index)))
goto skip_dsm_exec;
/* All methods expects a package with one integer element */
Reported by FlawFinder.
Line: 214
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
fn_index >= INTEL_HID_DSM_FN_MAX)
return false;
method_name = (char *)intel_hid_dsm_fn_to_method[fn_index];
if (!(intel_hid_dsm_fn_mask & fn_index))
goto skip_dsm_eval;
obj = acpi_evaluate_dsm_typed(handle, &intel_dsm_guid,
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/util.h
3 issues
Line: 47
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define adapter_item_addr(n) (offsetof(struct mwifiex_adapter, n))
struct mwifiex_debug_data {
char name[32]; /* variable/array name */
u32 size; /* size of the variable/array */
size_t addr; /* address of the variable/array */
int num; /* number of variables in an array */
};
Reported by FlawFinder.
Line: 73
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct mwifiex_cb *cb = (struct mwifiex_cb *)skb->cb;
memcpy(&cb->dma_mapping, mapping, sizeof(*mapping));
}
static inline void mwifiex_get_mapping(struct sk_buff *skb,
struct mwifiex_dma_mapping *mapping)
{
Reported by FlawFinder.
Line: 81
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct mwifiex_cb *cb = (struct mwifiex_cb *)skb->cb;
memcpy(mapping, &cb->dma_mapping, sizeof(*mapping));
}
static inline dma_addr_t MWIFIEX_SKB_DMA_ADDR(struct sk_buff *skb)
{
struct mwifiex_dma_mapping mapping;
Reported by FlawFinder.
drivers/platform/x86/intel_pmt_class.c
3 issues
Line: 105
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct intel_pmt_entry *entry = dev_get_drvdata(dev);
return sprintf(buf, "0x%x\n", entry->guid);
}
static DEVICE_ATTR_RO(guid);
static ssize_t size_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 114
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct intel_pmt_entry *entry = dev_get_drvdata(dev);
return sprintf(buf, "%zu\n", entry->size);
}
static DEVICE_ATTR_RO(size);
static ssize_t
offset_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 123
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct intel_pmt_entry *entry = dev_get_drvdata(dev);
return sprintf(buf, "%lu\n", offset_in_page(entry->base_addr));
}
static DEVICE_ATTR_RO(offset);
static struct attribute *intel_pmt_attrs[] = {
&dev_attr_guid.attr,
Reported by FlawFinder.
drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
3 issues
Line: 322
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flags & RTL818X_RX_DESC_FLAG_CRC32_ERR)
rx_status.flag |= RX_FLAG_FAILED_FCS_CRC;
memcpy(IEEE80211_SKB_RXCB(skb), &rx_status, sizeof(rx_status));
ieee80211_rx_irqsafe(dev, skb);
skb = new_skb;
priv->rx_buf[priv->rx_idx] = skb;
*((dma_addr_t *) skb->cb) = mapping;
Reported by FlawFinder.
Line: 1801
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUILD_BUG_ON(sizeof(priv->channels) != sizeof(rtl818x_channels));
BUILD_BUG_ON(sizeof(priv->rates) != sizeof(rtl818x_rates));
memcpy(priv->channels, rtl818x_channels, sizeof(rtl818x_channels));
memcpy(priv->rates, rtl818x_rates, sizeof(rtl818x_rates));
priv->band.band = NL80211_BAND_2GHZ;
priv->band.channels = priv->channels;
priv->band.n_channels = ARRAY_SIZE(rtl818x_channels);
Reported by FlawFinder.
Line: 1802
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUILD_BUG_ON(sizeof(priv->rates) != sizeof(rtl818x_rates));
memcpy(priv->channels, rtl818x_channels, sizeof(rtl818x_channels));
memcpy(priv->rates, rtl818x_rates, sizeof(rtl818x_rates));
priv->band.band = NL80211_BAND_2GHZ;
priv->band.channels = priv->channels;
priv->band.n_channels = ARRAY_SIZE(rtl818x_channels);
priv->band.bitrates = priv->rates;
Reported by FlawFinder.
drivers/net/wireless/mediatek/mt76/mac80211.c
3 issues
Line: 782
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wcid->rx_check_pn = true;
for (i = 0; i < IEEE80211_NUM_TIDS; i++) {
ieee80211_get_key_rx_seq(key, i, &seq);
memcpy(wcid->rx_key_pn[i], seq.ccmp.pn, sizeof(seq.ccmp.pn));
}
}
EXPORT_SYMBOL(mt76_wcid_key_setup);
static void
Reported by FlawFinder.
Line: 818
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUILD_BUG_ON(sizeof(mstat) > sizeof(skb->cb));
BUILD_BUG_ON(sizeof(status->chain_signal) !=
sizeof(mstat.chain_signal));
memcpy(status->chain_signal, mstat.chain_signal,
sizeof(mstat.chain_signal));
*sta = wcid_to_sta(mstat.wcid);
*hw = mt76_phy_hw(dev, mstat.ext_phy);
}
Reported by FlawFinder.
Line: 857
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret <= 0)
return -EINVAL; /* replay */
memcpy(wcid->rx_key_pn[tidno], status->iv, sizeof(status->iv));
if (status->flag & RX_FLAG_IV_STRIPPED)
status->flag |= RX_FLAG_PN_VALIDATED;
return 0;
Reported by FlawFinder.
drivers/s390/cio/vfio_ccw_cp.c
3 issues
Line: 222
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
m = min(l, m);
memcpy(to + (n - l), (void *)from, m);
l -= m;
if (l == 0)
break;
}
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
chain->ch_iova = cda;
/* Copy the actual CCWs into the new chain */
memcpy(chain->ch_ccw, cp->guest_cp, len * sizeof(struct ccw1));
/* Loop for tics on this new chain. */
ret = ccwchain_loop_tic(chain, cp);
if (ret)
Reported by FlawFinder.
Line: 656
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_warn(mdev, "Prefetching channel program even though prefetch not specified in ORB");
INIT_LIST_HEAD(&cp->ccwchain_list);
memcpy(&cp->orb, orb, sizeof(*orb));
cp->mdev = mdev;
/* Build a ccwchain for the first CCW segment */
ret = ccwchain_handle_ccw(orb->cmd.cpa, cp);
Reported by FlawFinder.
drivers/platform/x86/think-lmi.h
3 issues
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tlmi_pwd_setting {
struct kobject kobj;
bool valid;
char password[TLMI_PWD_BUFSIZE];
const char *pwd_type;
const char *role;
int minlen;
int maxlen;
enum encoding_option encoding;
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int minlen;
int maxlen;
enum encoding_option encoding;
char kbdlang[TLMI_LANG_MAXLEN];
};
/* Attribute setting details */
struct tlmi_attr_setting {
struct kobject kobj;
Reported by FlawFinder.
Line: 51
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tlmi_attr_setting {
struct kobject kobj;
int index;
char display_name[TLMI_SETTINGS_MAXLEN];
char *possible_values;
};
struct think_lmi {
struct wmi_device *wmi_device;
Reported by FlawFinder.
drivers/scsi/libfc/fc_exch.c
3 issues
Line: 1370
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
* seq_id, cs_ctl, df_ctl and param/offset are zero.
*/
memcpy(fh->fh_s_id, rx_fh->fh_d_id, 3);
memcpy(fh->fh_d_id, rx_fh->fh_s_id, 3);
fh->fh_ox_id = rx_fh->fh_ox_id;
fh->fh_rx_id = rx_fh->fh_rx_id;
fh->fh_seq_cnt = rx_fh->fh_seq_cnt;
fh->fh_r_ctl = FC_RCTL_BA_RJT;
Reported by FlawFinder.
Line: 1371
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* seq_id, cs_ctl, df_ctl and param/offset are zero.
*/
memcpy(fh->fh_s_id, rx_fh->fh_d_id, 3);
memcpy(fh->fh_d_id, rx_fh->fh_s_id, 3);
fh->fh_ox_id = rx_fh->fh_ox_id;
fh->fh_rx_id = rx_fh->fh_rx_id;
fh->fh_seq_cnt = rx_fh->fh_seq_cnt;
fh->fh_r_ctl = FC_RCTL_BA_RJT;
fh->fh_type = FC_TYPE_BLS;
Reported by FlawFinder.
Line: 2071
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(acc, 0, sizeof(*acc));
acc->reca_cmd = ELS_LS_ACC;
acc->reca_ox_id = rp->rec_ox_id;
memcpy(acc->reca_ofid, rp->rec_s_id, 3);
acc->reca_rx_id = htons(ep->rxid);
if (ep->sid == ep->oid)
hton24(acc->reca_rfid, ep->did);
else
hton24(acc->reca_rfid, ep->sid);
Reported by FlawFinder.
drivers/net/wireless/mediatek/mt76/mt7603/mcu.c
3 issues
Line: 11
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MCU_SKB_RESERVE 8
struct mt7603_fw_trailer {
char fw_ver[10];
char build_date[15];
__le32 dl_len;
} __packed;
static int
Reported by FlawFinder.
Line: 12
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mt7603_fw_trailer {
char fw_ver[10];
char build_date[15];
__le32 dl_len;
} __packed;
static int
mt7603_mcu_parse_response(struct mt76_dev *mdev, int cmd,
Reported by FlawFinder.
Line: 326
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!req)
return -ENOMEM;
memcpy(req, &req_hdr, sizeof(req_hdr));
data = (struct req_data *)(req + sizeof(req_hdr));
memset(data, 0, size);
for (i = 0; i < ARRAY_SIZE(req_fields); i++) {
data[i].addr = cpu_to_le16(req_fields[i]);
data[i].val = eep[req_fields[i]];
Reported by FlawFinder.
drivers/s390/cio/qdio_setup.c
3 issues
Line: 341
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = -EINVAL;
if (!rc)
memcpy(data, &ssqd->qdio_ssqd, sizeof(*data));
out:
if (!irq_ptr)
free_page((unsigned long)ssqd);
Reported by FlawFinder.
Line: 420
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (init_data->no_output_qs)
irq_ptr->qib.osliba =
(unsigned long)(irq_ptr->output_qs[0]->slib);
memcpy(irq_ptr->qib.ebcnam, dev_name(&irq_ptr->cdev->dev), 8);
ASCEBC(irq_ptr->qib.ebcnam, 8);
}
int qdio_setup_irq(struct qdio_irq *irq_ptr, struct qdio_initialize *init_data)
{
Reported by FlawFinder.
Line: 500
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void qdio_print_subchannel_info(struct qdio_irq *irq_ptr)
{
char s[80];
snprintf(s, 80, "qdio: %s %s on SC %x using "
"AI:%d QEBSM:%d PRI:%d TDD:%d SIGA:%s%s%s%s%s\n",
dev_name(&irq_ptr->cdev->dev),
(irq_ptr->qib.qfmt == QDIO_QETH_QFMT) ? "OSA" :
Reported by FlawFinder.