The following issues were found
drivers/gpu/drm/drm_hdcp.c
3 issues
Line: 69
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DRM_DEBUG("vrl: %d, Revoked KSVs: %d\n", vrl_idx++,
vrl_ksv_cnt);
/*
 * Triage note: the destination offset is ksv_count * DRM_HDCP_KSV_LEN and
 * the copy length is vrl_ksv_sz. This excerpt does not show how
 * *revoked_ksv_list was sized, nor whether vrl_ksv_cnt / vrl_ksv_sz were
 * checked against the bytes remaining in buf. Confirm both before
 * closing the CWE-120 finding.
 */
memcpy((*revoked_ksv_list) + (ksv_count * DRM_HDCP_KSV_LEN),
buf, vrl_ksv_sz);
/* Advance the running KSV total and the read cursor past the bytes just copied. */
ksv_count += vrl_ksv_cnt;
buf += vrl_ksv_sz;
Reported by FlawFinder.
Line: 203
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Move the read cursor forward by DRM_HDCP_2_NO_OF_DEV_PLUS_RESERVED_SZ bytes. */
buf += DRM_HDCP_2_NO_OF_DEV_PLUS_RESERVED_SZ;
DRM_DEBUG("Revoked KSVs: %d\n", ksv_count);
/*
 * Triage note: ksv_sz bytes are copied to the start of *revoked_ksv_list.
 * Neither the allocation of that list nor a check of ksv_sz against the
 * remaining input is visible in this excerpt -- verify in the full
 * function.
 */
memcpy(*revoked_ksv_list, buf, ksv_sz);
/* Report the number of revoked KSVs to the caller and signal success. */
*revoked_ksv_cnt = ksv_count;
return 0;
}
Reported by FlawFinder.
Line: 238
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Requests the firmware image named in fw_name for drm_dev->dev.
 * The rest of the body lies outside this excerpt.
 */
static int drm_hdcp_request_srm(struct drm_device *drm_dev,
u8 **revoked_ksv_list, u32 *revoked_ksv_cnt)
{
/*
 * Triage note: the array is 36 bytes and the initialiser is a
 * 20-character literal, so the initialisation itself fits with its NUL.
 * The finding is on the fixed-size declaration; no later write to
 * fw_name is visible in this excerpt.
 */
char fw_name[36] = "display_hdcp_srm.bin";
const struct firmware *fw;
int ret;
/*
 * NOTE(review): whatever is returned in fw is file content from outside
 * the driver; any lengths and counts parsed from it should be checked
 * against the blob size before they drive a copy.
 */
ret = request_firmware_direct(&fw, (const char *)fw_name,
drm_dev->dev);
Reported by FlawFinder.
drivers/firewire/nosy.c
3 issues
Line: 197
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Store the payload length in the packet header at the current tail. */
buffer->tail->length = length;
/* Contiguous case: the payload ends before 'end', so one copy suffices. */
if (&buffer->tail->data[length] < end) {
memcpy(buffer->tail->data, data, length);
buffer->tail = (struct packet *) &buffer->tail->data[length];
} else {
/*
 * Wrap case: 'split' is the room left between the tail's data and 'end';
 * that many bytes are copied here.
 * Triage note: neither branch checks free space itself. A capacity check
 * presumably precedes this code, but it is not visible in the excerpt --
 * confirm that 'length' cannot exceed the space still free in the ring.
 */
size_t split = end - buffer->tail->data;
memcpy(buffer->tail->data, data, split);
Reported by FlawFinder.
Line: 202
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
size_t split = end - buffer->tail->data;
memcpy(buffer->tail->data, data, split);
memcpy(buffer->data, data + split, length - split);
buffer->tail = (struct packet *) &buffer->data[length - split];
}
/* Finally, adjust buffer size and wake up userspace reader. */
Reported by FlawFinder.
Line: 203
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t split = end - buffer->tail->data;
memcpy(buffer->tail->data, data, split);
memcpy(buffer->data, data + split, length - split);
buffer->tail = (struct packet *) &buffer->data[length - split];
}
/* Finally, adjust buffer size and wake up userspace reader. */
Reported by FlawFinder.
drivers/crypto/cavium/nitrox/nitrox_dev.h
3 issues
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @zip_cores: number of zip cores
*/
struct nitrox_hw {
char partname[IFNAMSIZ * 2];
char fw_name[CNN55XX_MAX_UCD_BLOCKS][VERSION_LEN];
int freq;
u16 vendor_id;
u16 device_id;
Reported by FlawFinder.
Line: 81
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct nitrox_hw {
char partname[IFNAMSIZ * 2];
char fw_name[CNN55XX_MAX_UCD_BLOCKS][VERSION_LEN];
int freq;
u16 vendor_id;
u16 device_id;
u8 revision_id;
Reported by FlawFinder.
Line: 102
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define IRQ_NAMESZ 32
struct nitrox_q_vector {
char name[IRQ_NAMESZ];
bool valid;
int ring;
struct tasklet_struct resp_tasklet;
union {
struct nitrox_cmdq *cmdq;
Reported by FlawFinder.
crypto/cipher.c
3 issues
Line: 35
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
/* Round the allocation's address up to an (alignmask + 1) boundary. */
alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
/*
 * Triage note: the allocation size of 'buffer' is outside this excerpt.
 * The copy is in bounds only if it was sized for keylen plus the
 * alignment slack -- confirm at the allocation site.
 */
memcpy(alignbuffer, key, keylen);
ret = cia->cia_setkey(crypto_cipher_tfm(tfm), alignbuffer, keylen);
/*
 * Wipe the temporary key copy before the memory is released.
 * NOTE(review): a plain memset() immediately before a free is the pattern
 * memzero_explicit() / kfree_sensitive() were introduced for; consider
 * using them so the wipe cannot be optimised away.
 */
memset(alignbuffer, 0, keylen);
kfree(buffer);
return ret;
Reported by FlawFinder.
Line: 72
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Bounce buffer: one block plus MAX_CIPHER_ALIGNMASK bytes of slack so that
 * 'tmp' can be rounded up to an (alignmask + 1) boundary inside it.
 * Triage note: both copies stay in bounds provided
 * bs <= MAX_CIPHER_BLOCKSIZE and alignmask <= MAX_CIPHER_ALIGNMASK.
 * Those limits are not enforced in the visible lines -- confirm where
 * they are guaranteed.
 */
u8 buffer[MAX_CIPHER_BLOCKSIZE + MAX_CIPHER_ALIGNMASK];
u8 *tmp = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
/* Copy the input block in, transform it in place, copy the result out. */
memcpy(tmp, src, bs);
fn(crypto_cipher_tfm(tfm), tmp, tmp);
memcpy(dst, tmp, bs);
} else {
/* Other branch: call fn directly on the caller's buffers, no bounce copy. */
fn(crypto_cipher_tfm(tfm), dst, src);
}
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(tmp, src, bs);
fn(crypto_cipher_tfm(tfm), tmp, tmp);
memcpy(dst, tmp, bs);
} else {
fn(crypto_cipher_tfm(tfm), dst, src);
}
}
Reported by FlawFinder.
drivers/crypto/atmel-tdes.c
3 issues
Line: 583
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->cryptlen - ivsize, ivsize, 0);
} else {
if (req->src == req->dst)
memcpy(req->iv, rctx->lastc, ivsize);
else
scatterwalk_map_and_copy(req->iv, req->src,
req->cryptlen - ivsize,
ivsize, 0);
}
Reported by FlawFinder.
Line: 806
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Propagate the failure of the preceding step (not shown in this excerpt). */
if (err)
return err;
/*
 * Triage note: keylen comes from the caller and the size of ctx->key is
 * not visible here. Confirm that the step that produced 'err' (or the
 * algorithm's declared key-size limits) rejects any keylen larger than
 * ctx->key before this copy is reached.
 */
memcpy(ctx->key, key, keylen);
ctx->keylen = keylen;
return 0;
}
Reported by FlawFinder.
Line: 822
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
return err;
memcpy(ctx->key, key, keylen);
ctx->keylen = keylen;
return 0;
}
Reported by FlawFinder.
drivers/crypto/hisilicon/zip/zip_crypto.c
3 issues
Line: 171
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Copies up to sizeof(buf) bytes from the scatterlist into a stack buffer
 * and returns the header size that __get_gzip_head_size() computes from it.
 */
static size_t __maybe_unused get_gzip_head_size(struct scatterlist *sgl)
{
char buf[HZIP_GZIP_HEAD_BUF];
/*
 * The copy length is sizeof(buf), so the destination cannot be overrun.
 * NOTE(review): buf is not initialised and the byte count returned by
 * sg_copy_to_buffer() is ignored, so a scatterlist shorter than buf leaves
 * its tail as uninitialised stack. The parser called below works on that
 * buffer without a length argument -- confirm it cannot read past the
 * bytes actually copied.
 */
sg_copy_to_buffer(sgl, sg_nents(sgl), buf, sizeof(buf));
return __get_gzip_head_size(buf);
}
Reported by FlawFinder.
Line: 144
Column: 9
CWE codes:
126
/*
 * Returns the length of the NUL-terminated string at 'start', counting the
 * terminator.
 * NOTE(review): strlen() takes no bound. If 'start' points into a
 * fixed-size copy of request data that has no NUL before the end of that
 * copy, the scan runs past the buffer (CWE-126). The callers are not
 * visible in this excerpt -- confirm the remaining length is known and
 * checked, or switch to a bounded scan such as strnlen().
 */
static u32 get_name_field_size(const u8 *start)
{
return strlen(start) + 1;
}
static u32 get_comment_field_size(const u8 *start)
{
return strlen(start) + 1;
Reported by FlawFinder.
Line: 149
Column: 9
CWE codes:
126
/*
 * Returns the length of the NUL-terminated string at 'start', counting the
 * terminator.
 * NOTE(review): the scan is unbounded, so it relies on a NUL being present
 * inside the buffer that 'start' points into. That guarantee is not
 * visible in this excerpt -- verify it at the call site before treating
 * the CWE-126 finding as a false positive.
 */
static u32 get_comment_field_size(const u8 *start)
{
return strlen(start) + 1;
}
static u32 __get_gzip_head_size(const u8 *src)
{
u8 head_flg = *(src + GZIP_HEAD_FLG_SHIFT);
Reported by FlawFinder.
drivers/fsi/fsi-occ.c
3 issues
Line: 51
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Per-device state for the OCC driver, as declared in this excerpt. */
struct occ {
struct device *dev;
struct device *sbefifo;
/*
 * Fixed 32-byte name buffer. The finding is on the declaration only; the
 * code that fills it is not shown. Triage the writers: each should use a
 * bounded formatter such as snprintf(occ->name, sizeof(occ->name), ...).
 */
char name[32];
int idx;
enum versions version;
struct miscdevice mdev;
struct mutex occ_lock;
};
Reported by FlawFinder.
Line: 302
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data_len, resp_data_len);
rc = -EBADMSG;
} else {
memcpy(data, resp, len);
}
free:
/* Convert positive SBEI status */
if (rc > 0) {
Reported by FlawFinder.
Line: 359
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Store data_len, converted to big-endian, at word index 4 + idx. */
buf[4 + idx] = cpu_to_be32(data_len);
/*
 * Triage note: 'len' bytes are copied starting at word index 5 + idx. The
 * allocation size of buf and the relation between 'len' and 'data_len' are
 * outside this excerpt -- confirm buf was sized for the header words plus
 * 'len' bytes.
 */
memcpy(&buf[5 + idx], data, len);
/* buf is passed as both the command and the response buffer. */
rc = sbefifo_submit(occ->sbefifo, buf, cmd_len, buf, &resp_len);
if (rc)
goto free;
Reported by FlawFinder.
drivers/bus/omap_l3_noc.c
3 issues
Line: 71
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct l3_masters_data *master;
char *target_name, *master_name = "UN IDENTIFIED";
char *err_description;
char err_string[30] = { 0 };
char info_string[60] = { 0 };
/* We DONOT expect err_src to go out of bounds */
BUG_ON(err_src > MAX_CLKDM_TARGETS);
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *target_name, *master_name = "UN IDENTIFIED";
char *err_description;
/*
 * Zero-initialised fixed-size message buffers. The findings are on the
 * declarations; the code that fills them is not shown. Check that every
 * writer passes sizeof(err_string) / sizeof(info_string) as its limit.
 */
char err_string[30] = { 0 };
char info_string[60] = { 0 };
/* We DONOT expect err_src to go out of bounds */
/*
 * NOTE(review): the '>' comparison lets err_src == MAX_CLKDM_TARGETS pass.
 * The '<' test against flag_mux->num_targ_data on the next line is what
 * guards the branch that follows; confirm num_targ_data never exceeds the
 * size of the table indexed with err_src.
 */
BUG_ON(err_src > MAX_CLKDM_TARGETS);
if (err_src < flag_mux->num_targ_data) {
Reported by FlawFinder.
Line: 260
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Allocation failed. */
if (!l3)
return -ENOMEM;
/*
 * The copy is sized by the destination, sizeof(*l3), so l3 cannot be
 * overrun.
 * Triage note: the source side matters here -- of_id->data must point to
 * an object of at least that size, and no NULL check of of_id is visible
 * in this excerpt. Confirm both.
 */
memcpy(l3, of_id->data, sizeof(*l3));
l3->dev = &pdev->dev;
platform_set_drvdata(pdev, l3);
/* Get mem resources */
for (i = 0, res_idx = 0; i < l3->num_modules; i++) {
Reported by FlawFinder.
drivers/ata/libata-acpi.c
3 issues
Line: 152
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 event)
{
struct kobject *kobj = NULL;
char event_string[20];
char *envp[] = { event_string, NULL };
if (dev) {
if (dev->sdev)
kobj = &dev->sdev->sdev_gendev.kobj;
Reported by FlawFinder.
Line: 325
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_free;
}
/*
 * The copy is sized by the destination struct, so 'gtm' cannot be overrun.
 * Triage note: the source is a buffer object whose contents and length
 * come from outside the driver (presumably firmware-provided, given
 * out_obj->buffer). The error branch just above suggests a validation
 * step, but it is not visible in this excerpt -- confirm that
 * out_obj->buffer.length is checked against sizeof(struct ata_acpi_gtm)
 * so the read cannot run past the source.
 */
memcpy(gtm, out_obj->buffer.pointer, sizeof(struct ata_acpi_gtm));
rc = 0;
/* Shared exit path: release the output buffer on success and on failure. */
out_free:
kfree(output.pointer);
return rc;
}
Reported by FlawFinder.
Line: 655
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int err_mask;
const char *level;
const char *descr;
char msg[60];
int rc;
if ((gtf->tf[0] == 0) && (gtf->tf[1] == 0) && (gtf->tf[2] == 0)
&& (gtf->tf[3] == 0) && (gtf->tf[4] == 0) && (gtf->tf[5] == 0)
&& (gtf->tf[6] == 0))
Reported by FlawFinder.
drivers/gpu/drm/amd/amdgpu/mmsch_v1_0.h
3 issues
Line: 106
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
direct_wt->cmd_header.reg_offset = reg_offset;
direct_wt->reg_value = value;
memcpy((void *)init_table, direct_wt, sizeof(struct mmsch_v1_0_cmd_direct_write));
}
static inline void mmsch_v1_0_insert_direct_rd_mod_wt(struct mmsch_v1_0_cmd_direct_read_modify_write *direct_rd_mod_wt,
uint32_t *init_table,
uint32_t reg_offset,
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
direct_rd_mod_wt->cmd_header.reg_offset = reg_offset;
direct_rd_mod_wt->mask_value = mask;
direct_rd_mod_wt->write_data = data;
memcpy((void *)init_table, direct_rd_mod_wt,
sizeof(struct mmsch_v1_0_cmd_direct_read_modify_write));
}
static inline void mmsch_v1_0_insert_direct_poll(struct mmsch_v1_0_cmd_direct_polling *direct_poll,
uint32_t *init_table,
Reported by FlawFinder.
Line: 129
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
direct_poll->cmd_header.reg_offset = reg_offset;
direct_poll->mask_value = mask;
direct_poll->wait_value = wait;
memcpy((void *)init_table, direct_poll, sizeof(struct mmsch_v1_0_cmd_direct_polling));
}
#define MMSCH_V1_0_INSERT_DIRECT_RD_MOD_WT(reg, mask, data) { \
mmsch_v1_0_insert_direct_rd_mod_wt(&direct_rd_mod_wt, \
init_table, (reg), \
Reported by FlawFinder.