The following issues were found
drivers/ata/libata-sata.c
2 issues
Line: 1465
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* we've got the perpetrator, condemn it */
qc = __ata_qc_from_tag(ap, tag);
/*
 * The length is sizeof(tf), the size of the source object, so the copy
 * cannot read past tf. It stays inside the destination only if
 * qc->result_tf is at least that large.
 * NOTE(review): presumably both are the same struct type; confirm against
 * the declarations, which are not part of this excerpt.
 */
memcpy(&qc->result_tf, &tf, sizeof(tf));
/* The copied flags are replaced unconditionally right after the copy. */
qc->result_tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_LBA | ATA_TFLAG_LBA48;
qc->err_mask |= AC_ERR_DEV | AC_ERR_NCQ;
if (dev->class == ATA_DEV_ZAC &&
((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary)) {
char sense_key, asc, ascq;
Reported by FlawFinder.
Line: 797
Column: 26
CWE codes:
126
policy < ARRAY_SIZE(ata_lpm_policy_names); policy++) {
const char *name = ata_lpm_policy_names[policy];
/*
 * strlen() runs on name, an entry of ata_lpm_policy_names, not on the
 * caller's buf. The CWE-126 over-read concern therefore applies only if
 * a table entry lacks a terminator (the table is not in this excerpt).
 * This is a prefix match: only strlen(name) bytes of buf are compared,
 * so anything following the policy name in buf is ignored.
 * NOTE(review): confirm buf is NUL-terminated or at least strlen(name)
 * bytes long at every call site.
 */
if (strncmp(name, buf, strlen(name)) == 0)
break;
}
if (policy == ARRAY_SIZE(ata_lpm_policy_names))
return -EINVAL;
Reported by FlawFinder.
drivers/char/tpm/tpm2-cmd.c
2 issues
Line: 213
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Report the digest length to the caller only when it asked for it. */
if (digest_size_ptr)
*digest_size_ptr = digest_size;
/*
 * digest_size is the only bound on this copy; where it comes from and
 * how it was checked is outside this excerpt.
 * NOTE(review): confirm it was validated against both the capacity of
 * digest->digest and the length of the response that out points into.
 * out presumably points at data returned by the TPM; verify.
 */
memcpy(digest->digest, out->digest, digest_size);
out:
tpm_buf_destroy(&buf);
return rc;
}
Reported by FlawFinder.
Line: 329
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -EFAULT;
goto out;
}
/*
 * recd is the copy length and is also added to dest_ptr and total, so it
 * must never exceed the space left in the destination.
 * NOTE(review): the excerpt opens on the tail of an -EFAULT error branch,
 * which may be that check; confirm it bounds recd by num_bytes and by
 * the size of out->buffer before this line is reached.
 */
memcpy(dest_ptr, out->buffer, recd);
dest_ptr += recd;
total += recd;
num_bytes -= recd;
} while (retries-- && total < max);
Reported by FlawFinder.
drivers/acpi/acpica/nsrepair2.c
2 issues
Line: 16
#include "acnamesp.h"
#define _COMPONENT ACPI_NAMESPACE
ACPI_MODULE_NAME("nsrepair2")
/*
* Information structure and handler for ACPI predefined names that can
* be repaired on a per-name basis.
*/
Reported by Cppcheck.
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return_object_ptr);
/*
 * Table entry pairing a predefined ACPI name with its repair handler.
 * name is sized exactly ACPI_NAMESEG_SIZE with no extra byte.
 * NOTE(review): it presumably holds a fixed-width name segment without a
 * NUL terminator; confirm that every reader uses a length-limited
 * comparison or copy rather than str*() routines.
 */
typedef struct acpi_repair_info {
char name[ACPI_NAMESEG_SIZE];	/* fixed-width name, no room for a terminator */
acpi_repair_function repair_function;	/* handler invoked for this name */
} acpi_repair_info;
/* Local prototypes */
Reported by FlawFinder.
drivers/block/paride/bpck.c
2 issues
Line: 281
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int bpck_test_proto( PIA *pi, char * scratch, int verbose )
{ int i, e, l, h, om;
char buf[TEST_LEN];
bpck_force_spp(pi);
switch (pi->mode) {
Reported by FlawFinder.
Line: 420
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void bpck_log_adapter( PIA *pi, char * scratch, int verbose )
{ char *mode_string[5] = { "4-bit","8-bit","EPP-8",
"EPP-16","EPP-32" };
#ifdef DUMP_EEPROM
int i;
#endif
Reported by FlawFinder.
drivers/bus/mhi/core/boot.c
2 issues
Line: 378
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (remainder) {
/*
 * to_cpy is clamped to mhi_buf->len here, so the memcpy below can never
 * write more than mhi_buf->len bytes. The destination bound holds as long
 * as mhi_buf->len matches the real size of mhi_buf->buf, and the source
 * bound as long as remainder never exceeds what is left of buf; both are
 * set outside this excerpt.
 */
to_cpy = min(remainder, mhi_buf->len);
memcpy(mhi_buf->buf, buf, to_cpy);
bhi_vec->dma_addr = mhi_buf->dma_addr;
bhi_vec->size = to_cpy;
buf += to_cpy;
remainder -= to_cpy;
Reported by FlawFinder.
Line: 452
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Download image using BHI */
/*
 * size is used for the copy, the BHI load and the free of buf, so buf was
 * presumably allocated with the same size (allocation not in this excerpt).
 * NOTE(review): confirm size <= firmware->size so the read from
 * firmware->data stays inside the firmware image.
 */
memcpy(buf, firmware->data, size);
ret = mhi_fw_load_bhi(mhi_cntrl, dma_addr, size);
/* The staging buffer is released whether or not the load succeeded. */
mhi_free_coherent(mhi_cntrl, size, buf, dma_addr);
/* Error or in EDL mode, we're done */
if (ret) {
Reported by FlawFinder.
drivers/counter/ti-eqep.c
2 issues
Line: 217
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * The return value of regmap_read() is discarded.
 * NOTE(review): if qposmax is not initialised at its declaration (not
 * shown), a failed read would print an indeterminate value.
 */
regmap_read(priv->regmap32, QPOSMAX, &qposmax);
/*
 * The output length is bounded by the format: "%u\n" of an unsigned int
 * is at most 11 characters plus the terminator where unsigned int is
 * 32 bits. If buf is a sysfs page buffer, sysfs_emit() is the bounded
 * helper for this; confirm the callback's buffer contract first.
 */
return sprintf(buf, "%u\n", qposmax);
}
static ssize_t ti_eqep_position_ceiling_write(struct counter_device *counter,
struct counter_count *count,
void *ext_priv, const char *buf,
Reported by FlawFinder.
Line: 247
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * The return value of regmap_read() is discarded.
 * NOTE(review): if qepctl is not initialised at its declaration (not
 * shown), a failed read would report an indeterminate enable state.
 */
regmap_read(priv->regmap16, QEPCTL, &qepctl);
/*
 * !! collapses the masked bit to 0 or 1, so the output is always "0\n"
 * or "1\n": two characters plus the terminator.
 */
return sprintf(buf, "%u\n", !!(qepctl & QEPCTL_PHEN));
}
static ssize_t ti_eqep_position_enable_write(struct counter_device *counter,
struct counter_count *count,
void *ext_priv, const char *buf,
Reported by FlawFinder.
drivers/dma/dw-edma/dw-edma-v0-debugfs.c
2 issues
Line: 167
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct dentry *regs_dir, *ch_dir;
int nr_entries, i;
char name[16];
regs_dir = debugfs_create_dir(WRITE_STR, dir);
if (!regs_dir)
return;
Reported by FlawFinder.
Line: 236
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct dentry *regs_dir, *ch_dir;
int nr_entries, i;
char name[16];
regs_dir = debugfs_create_dir(READ_STR, dir);
if (!regs_dir)
return;
Reported by FlawFinder.
drivers/cpufreq/cppc_cpufreq.c
2 issues
Line: 47
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool boost_supported;
/*
 * OEM identification triple used to match platforms in wa_info[].
 * Both character arrays reserve one byte beyond the ACPI field width.
 * NOTE(review): the extra byte is presumably for a NUL terminator;
 * confirm that nothing copies a raw table field into them without
 * terminating it.
 */
struct cppc_workaround_oem_info {
char oem_id[ACPI_OEM_ID_SIZE + 1];	/* flagged field: fixed-size buffer */
char oem_table_id[ACPI_OEM_TABLE_ID_SIZE + 1];
u32 oem_revision;
};
static struct cppc_workaround_oem_info wa_info[] = {
Reported by FlawFinder.
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * OEM identification triple; instances are listed in the static wa_info[]
 * array that starts just below. The finding is raised on the declaration
 * alone: a fixed-size array becomes a risk only where something writes
 * to it.
 * NOTE(review): check whether any code path writes to these fields at
 * run time, or whether they are only ever set by the static initialiser.
 */
struct cppc_workaround_oem_info {
char oem_id[ACPI_OEM_ID_SIZE + 1];
char oem_table_id[ACPI_OEM_TABLE_ID_SIZE + 1];	/* flagged field: fixed-size buffer */
u32 oem_revision;
};
static struct cppc_workaround_oem_info wa_info[] = {
{
Reported by FlawFinder.
drivers/cpufreq/cpufreq_governor.h
2 issues
Line: 59
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{ \
struct dbs_data *dbs_data = to_dbs_data(attr_set); \
struct _gov##_dbs_tuners *tuners = dbs_data->tuners; \
return sprintf(buf, "%u\n", tuners->file_name); \
}
#define gov_show_one_common(file_name) \
static ssize_t show_##file_name \
(struct gov_attr_set *attr_set, char *buf) \
Reported by FlawFinder.
Line: 67
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
(struct gov_attr_set *attr_set, char *buf) \
{ \
struct dbs_data *dbs_data = to_dbs_data(attr_set); \
return sprintf(buf, "%u\n", dbs_data->file_name); \
}
/*
 * Declare a governor attribute named _name with mode 0444, wired to
 * show_<_name> and with no store handler (NULL).
 */
#define gov_attr_ro(_name) \
static struct governor_attr _name = \
__ATTR(_name, 0444, show_##_name, NULL)
Reported by FlawFinder.
drivers/bcma/scan.c
2 issues
Line: 451
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
chipinfo->rev = (tmp & BCMA_CC_ID_REV) >> BCMA_CC_ID_REV_SHIFT;
chipinfo->pkg = (tmp & BCMA_CC_ID_PKG) >> BCMA_CC_ID_PKG_SHIFT;
/*
 * Both arms of the ternary are string literals taking one integer
 * argument, so the format is chosen by the code, not by input. CWE-134
 * is raised because the format is not a single constant.
 * The write is bounded by ARRAY_SIZE(chip_id), so the worst case for a
 * large id is a truncated string, not an overflow.
 */
snprintf(chip_id, ARRAY_SIZE(chip_id),
(chipinfo->id > 0x9999) ? "%d" : "0x%04X", chipinfo->id);
bcma_info(bus, "Found chip with id %s, rev 0x%02X and package 0x%02X\n",
chip_id, chipinfo->rev, chipinfo->pkg);
}
Reported by FlawFinder.
Line: 442
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
s32 tmp;
struct bcma_chipinfo *chipinfo = &(bus->chipinfo);
char chip_id[8];
bcma_scan_switch_core(bus, BCMA_ADDR_BASE);
tmp = bcma_scan_read32(bus, 0, BCMA_CC_ID);
chipinfo->id = (tmp & BCMA_CC_ID_ID) >> BCMA_CC_ID_ID_SHIFT;
Reported by FlawFinder.