The following issues were found
drivers/bluetooth/hci_ll.c
2 issues
Line: 318
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BT_DBG("hu %p skb %p", hu, skb);
/* Prepend skb with frame type */
memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
/* lock hcill state */
spin_lock_irqsave(&ll->hcill_lock, flags);
/* act according to current state */
Reported by FlawFinder.
Line: 522
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short chip, min_ver, maj_ver;
int version, err, len;
unsigned char *ptr, *action_ptr;
unsigned char bts_scr_name[40]; /* 40 char long bts scr name? */
const struct firmware *fw;
struct hci_command *cmd;
version = read_local_version(lldev->hu.hdev);
if (version < 0)
Reported by FlawFinder.
drivers/clk/at91/at91rm9200.c
2 issues
Line: 82
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *slowxtal_name, *mainxtal_name;
struct pmc_data *at91rm9200_pmc;
u32 usb_div[] = { 1, 2, 0, 0 };
const char *parent_names[6];
struct regmap *regmap;
struct clk_hw *hw;
int i;
bool bypass;
Reported by FlawFinder.
Line: 170
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
parent_names[2] = "pllack";
parent_names[3] = "pllbck";
for (i = 0; i < 4; i++) {
char name[6];
snprintf(name, sizeof(name), "prog%d", i);
hw = at91_clk_register_programmable(regmap, name,
parent_names, 4, i,
Reported by FlawFinder.
drivers/android/binder_alloc.c
2 issues
Line: 1263
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
base_ptr = kmap_atomic(page);
tmpptr = base_ptr + pgoff;
if (to_buffer)
memcpy(tmpptr, ptr, size);
else
memcpy(ptr, tmpptr, size);
/*
* kunmap_atomic() takes care of flushing the cache
* if this device has VIVT cache arch
Reported by FlawFinder.
Line: 1265
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (to_buffer)
memcpy(tmpptr, ptr, size);
else
memcpy(ptr, tmpptr, size);
/*
* kunmap_atomic() takes care of flushing the cache
* if this device has VIVT cache arch
*/
kunmap_atomic(base_ptr);
Reported by FlawFinder.
drivers/clk/at91/at91sam9260.c
2 issues
Line: 335
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *slowxtal_name, *mainxtal_name;
struct pmc_data *at91sam9260_pmc;
u32 usb_div[] = { 1, 2, 4, 0 };
const char *parent_names[6];
const char *slck_name;
struct regmap *regmap;
struct clk_hw *hw;
int i;
bool bypass;
Reported by FlawFinder.
Line: 447
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
parent_names[2] = "pllack";
parent_names[3] = "pllbck";
for (i = 0; i < data->num_progck; i++) {
char name[6];
snprintf(name, sizeof(name), "prog%d", i);
hw = at91_clk_register_programmable(regmap, name,
parent_names, 4, i,
Reported by FlawFinder.
drivers/android/binder.c
2 issues
Line: 5057
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
mutex_unlock(&binder_procs_lock);
if (binder_debugfs_dir_entry_proc && !existing_pid) {
char strbuf[11];
snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
/*
* proc debug entries are shared between contexts.
* Only create for the first PID to avoid debugfs log spamming
Reported by FlawFinder.
Line: 5073
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
if (binder_binderfs_dir_entry_proc && !existing_pid) {
char strbuf[11];
struct dentry *binderfs_entry;
snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
/*
* Similar to debugfs, the process specific log file is shared
Reported by FlawFinder.
drivers/dma/xilinx/xilinx_dma.c
2 issues
Line: 2187
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (chan->direction == DMA_MEM_TO_DEV) {
if (app_w)
memcpy(hw->app, app_w, sizeof(u32) *
XILINX_DMA_NUM_APP_WORDS);
}
sg_used += copy;
Reported by FlawFinder.
Line: 2392
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hw->control = copy;
if (chan->direction == DMA_MEM_TO_DEV && app_w) {
memcpy(hw->app, app_w, sizeof(u32) *
XILINX_DMA_NUM_APP_WORDS);
}
sg_used += copy;
/*
Reported by FlawFinder.
drivers/crypto/atmel-sha204a.c
2 issues
Line: 51
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rng->priv) {
work_data = (struct atmel_i2c_work_data *)rng->priv;
max = min(sizeof(work_data->cmd.data), max);
memcpy(data, &work_data->cmd.data, max);
rng->priv = 0;
} else {
work_data = kmalloc(sizeof(*work_data), GFP_ATOMIC);
if (!work_data)
return -ENOMEM;
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
max = min(sizeof(cmd.data), max);
memcpy(data, cmd.data, max);
return max;
}
static int atmel_sha204a_probe(struct i2c_client *client,
Reported by FlawFinder.
drivers/edac/al_mc_edac.c
2 issues
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
u32 eccerrcnt, ecccaddr0, ecccaddr1, ecccsyn0, ecccsyn1, ecccsyn2, row;
struct al_mc_edac *al_mc = mci->pvt_info;
char msg[AL_MC_EDAC_MSG_MAX];
u16 ce_count, column;
unsigned long flags;
u8 rank, bg, bank;
eccerrcnt = readl_relaxed(al_mc->mmio_base + AL_MC_ECC_ERR_COUNT);
Reported by FlawFinder.
Line: 123
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
u32 eccerrcnt, eccuaddr0, eccuaddr1, eccusyn0, eccusyn1, eccusyn2, row;
struct al_mc_edac *al_mc = mci->pvt_info;
char msg[AL_MC_EDAC_MSG_MAX];
u16 ue_count, column;
unsigned long flags;
u8 rank, bg, bank;
eccerrcnt = readl_relaxed(al_mc->mmio_base + AL_MC_ECC_ERR_COUNT);
Reported by FlawFinder.
drivers/acpi/x86/apple.c
2 issues
Line: 115
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
newprops[k].type = ACPI_TYPE_STRING;
newprops[k].string.length = key->string.length;
newprops[k].string.pointer = free_space;
memcpy(free_space, key->string.pointer, key->string.length);
free_space += key->string.length + 1;
newprops[v].type = val->type;
if (val->type == ACPI_TYPE_INTEGER) {
newprops[v].integer.value = val->integer.value;
Reported by FlawFinder.
Line: 124
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
newprops[v].buffer.length = val->buffer.length;
newprops[v].buffer.pointer = free_space;
memcpy(free_space, val->buffer.pointer,
val->buffer.length);
free_space += val->buffer.length;
}
j++; /* count valid properties */
}
Reported by FlawFinder.
drivers/edac/debugfs.c
2 issues
Line: 64
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
parent = debugfs_create_dir(mci->dev.kobj.name, edac_debugfs);
for (i = 0; i < mci->n_layers; i++) {
sprintf(name, "fake_inject_%s",
edac_layer_name[mci->layers[i].type]);
debugfs_create_u8(name, S_IRUGO | S_IWUSR, parent,
&mci->fake_inject_layer[i]);
}
Reported by FlawFinder.
Line: 58
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void edac_create_debugfs_nodes(struct mem_ctl_info *mci)
{
struct dentry *parent;
char name[80];
int i;
parent = debugfs_create_dir(mci->dev.kobj.name, edac_debugfs);
for (i = 0; i < mci->n_layers; i++) {
Reported by FlawFinder.