The following issues were found
drivers/atm/midway.h
2 issues
Line: 163
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define ENI155_MAGIC 0xa54b872d
struct midway_eprom {
unsigned char mac[MAC_LEN],inv_mac[MAC_LEN];
unsigned char pad[36];
u32 serial,inv_serial;
u32 magic,inv_magic;
};
Reported by FlawFinder.
Line: 164
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct midway_eprom {
unsigned char mac[MAC_LEN],inv_mac[MAC_LEN];
unsigned char pad[36];
u32 serial,inv_serial;
u32 magic,inv_magic;
};
Reported by FlawFinder.
drivers/gpu/drm/bridge/sil-sii8620.c
2 issues
Line: 209
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->error = -ENOMEM;
return;
}
memcpy(msg.buf + 1, buf, len);
} else {
msg.buf = data;
msg.buf[1] = *buf;
}
Reported by FlawFinder.
Line: 489
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[SINK_DVI] = "DVI"
};
char sink_name[20];
struct device *dev = ctx->dev;
if (!ctx->sink_detected || !ctx->devcap_read)
return;
Reported by FlawFinder.
drivers/cpufreq/longhaul.h
2 issues
Line: 328
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{1475, 17}, {1425, 15}, {1375, 13}, {1325, 11}
};
static const unsigned char mV_vrm85[32] = {
0x04, 0x14, 0x03, 0x13, 0x02, 0x12, 0x01, 0x11,
0x00, 0x10, 0x0f, 0x1f, 0x0e, 0x1e, 0x0d, 0x1d,
0x0c, 0x1c, 0x0b, 0x1b, 0x0a, 0x1a, 0x09, 0x19,
0x08, 0x18, 0x07, 0x17, 0x06, 0x16, 0x05, 0x15
};
Reported by FlawFinder.
Line: 346
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{675, 3}, {650, 2}, {625, 1}, {600, 0}
};
static const unsigned char mV_mobilevrm[32] = {
0x1f, 0x1e, 0x1d, 0x1c, 0x1b, 0x1a, 0x19, 0x18,
0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10,
0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
};
Reported by FlawFinder.
drivers/dma/imx-sdma.c
2 issues
Line: 735
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bd0->buffer_addr = buf_phys;
bd0->ext_buffer_addr = address;
memcpy(buf_virt, buf, size);
ret = sdma_run_channel0(sdma);
spin_unlock_irqrestore(&sdma->channel_0_lock, flags);
Reported by FlawFinder.
Line: 1655
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct sdma_channel *sdmac = to_sdma_chan(chan);
memcpy(&sdmac->slave_config, dmaengine_cfg, sizeof(*dmaengine_cfg));
/* Set ENBLn earlier to make sure dma request triggered after that */
if (sdmac->event_id0 >= sdmac->sdma->drvdata->num_events)
return -EINVAL;
sdma_event_enable(sdmac, sdmac->event_id0);
Reported by FlawFinder.
drivers/dma/ioat/init.c
2 issues
Line: 133
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param(ioat_pending_level, int, 0644);
MODULE_PARM_DESC(ioat_pending_level,
"high-water mark for pushing ioat descriptors (default: 7)");
static char ioat_interrupt_style[32] = "msix";
module_param_string(ioat_interrupt_style, ioat_interrupt_style,
sizeof(ioat_interrupt_style), 0644);
MODULE_PARM_DESC(ioat_interrupt_style,
"set ioat interrupt style: msix (default), msi, intx");
Reported by FlawFinder.
Line: 1155
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* starting with CB3.3 super extended descriptors are supported */
if (ioat_dma->cap & IOAT_CAP_RAID16SS) {
char pool_name[14];
int i;
for (i = 0; i < MAX_SED_POOLS; i++) {
snprintf(pool_name, 14, "ioat_hw%d_sed", i);
Reported by FlawFinder.
drivers/gpu/drm/amd/pm/powerplay/smumgr/smu10_smumgr.c
2 issues
Line: 144
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
amdgpu_asic_invalidate_hdp(adev, NULL);
memcpy(table, (uint8_t *)priv->smu_tables.entry[table_id].table,
priv->smu_tables.entry[table_id].size);
return 0;
}
Reported by FlawFinder.
Line: 164
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
PP_ASSERT_WITH_CODE(priv->smu_tables.entry[table_id].size != 0,
"Invalid SMU Table Length!", return -EINVAL;);
memcpy(priv->smu_tables.entry[table_id].table, table,
priv->smu_tables.entry[table_id].size);
amdgpu_asic_flush_hdp(adev, NULL);
smum_send_msg_to_smc_with_parameter(hwmgr,
Reported by FlawFinder.
drivers/base/dd.c
2 issues
Line: 62
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Save the async probe drivers' name from kernel cmdline */
#define ASYNC_DRV_NAMES_MAX_LEN 256
static char async_probe_drv_names[ASYNC_DRV_NAMES_MAX_LEN];
/*
* In some cases, like suspend to RAM or hibernation, It might be reasonable
* to prohibit probing of devices as it could be unsafe.
* Once defer_all_probes is true all drivers probes will be forcibly deferred.
Reported by FlawFinder.
Line: 801
Column: 6
CWE codes:
126
/* The option format is "driver_async_probe=drv_name1,drv_name2,..." */
static int __init save_async_options(char *buf)
{
if (strlen(buf) >= ASYNC_DRV_NAMES_MAX_LEN)
pr_warn("Too long list of driver names for 'driver_async_probe'!\n");
strlcpy(async_probe_drv_names, buf, ASYNC_DRV_NAMES_MAX_LEN);
return 0;
}
Reported by FlawFinder.
drivers/cpufreq/powernow-k8.c
2 issues
Line: 1159
Column: 59
CWE codes:
126
if (!cur_drv)
goto request;
if (strncmp(cur_drv, drv, min_t(size_t, strlen(cur_drv), strlen(drv))))
pr_warn("WTF driver: %s\n", cur_drv);
return;
request:
Reported by FlawFinder.
Line: 1159
Column: 42
CWE codes:
126
if (!cur_drv)
goto request;
if (strncmp(cur_drv, drv, min_t(size_t, strlen(cur_drv), strlen(drv))))
pr_warn("WTF driver: %s\n", cur_drv);
return;
request:
Reported by FlawFinder.
drivers/cpufreq/powernv-cpufreq.c
2 issues
Line: 380
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t cpuinfo_nominal_freq_show(struct cpufreq_policy *policy,
char *buf)
{
return sprintf(buf, "%u\n",
powernv_freqs[powernv_pstate_info.nominal].frequency);
}
static struct freq_attr cpufreq_freq_attr_cpuinfo_nominal_freq =
__ATTR_RO(cpuinfo_nominal_freq);
Reported by FlawFinder.
Line: 401
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{ \
struct chip *chip = per_cpu(chip_info, policy->cpu); \
\
return sprintf(buf, "%u\n", chip->member); \
} \
\
static struct freq_attr throttle_attr_##name = __ATTR_RO(name) \
throttle_attr(unthrottle, reason[NO_THROTTLE]);
Reported by FlawFinder.
drivers/bluetooth/bcm203x.c
2 issues
Line: 80
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (data->state) {
case BCM203X_LOAD_MINIDRV:
memcpy(data->buffer, "#", 1);
usb_fill_bulk_urb(urb, udev, usb_sndbulkpipe(udev, BCM203X_OUT_EP),
data->buffer, 1, bcm203x_complete, data);
data->state = BCM203X_SELECT_MEMORY;
Reported by FlawFinder.
Line: 194
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(data->buffer, firmware->data, firmware->size);
usb_fill_bulk_urb(data->urb, udev, usb_sndbulkpipe(udev, BCM203X_OUT_EP),
data->buffer, firmware->size, bcm203x_complete, data);
release_firmware(firmware);
Reported by FlawFinder.