The following issues were found
drivers/hid/hid-gt683r.c
2 issues
Line: 256
Column: 13
CWE codes:
126
}
for (i = 0; i < GT683R_LED_COUNT; i++) {
name_sz = strlen(dev_name(&hdev->dev)) +
strlen(gt683r_panel_names[i]) + 3;
name = devm_kzalloc(&hdev->dev, name_sz, GFP_KERNEL);
if (!name) {
ret = -ENOMEM;
Reported by FlawFinder.
Line: 257
Column: 5
CWE codes:
126
for (i = 0; i < GT683R_LED_COUNT; i++) {
name_sz = strlen(dev_name(&hdev->dev)) +
strlen(gt683r_panel_names[i]) + 3;
name = devm_kzalloc(&hdev->dev, name_sz, GFP_KERNEL);
if (!name) {
ret = -ENOMEM;
goto fail;
Reported by FlawFinder.
drivers/hid/hid-picolcd_core.c
2 issues
Line: 354
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* report we got is one of the expected ones or not.
*/
if (data->pending) {
memcpy(data->pending->raw_data, raw_data+1, size-1);
data->pending->raw_size = size-1;
data->pending->in_report = report;
complete(&data->pending->ready);
}
spin_unlock_irqrestore(&data->lock, flags);
Reported by FlawFinder.
Line: 428
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
input_set_drvdata(idev, hdev);
memcpy(data->keycode, def_keymap, sizeof(def_keymap));
idev->name = hdev->name;
idev->phys = hdev->phys;
idev->uniq = hdev->uniq;
idev->id.bustype = hdev->bus;
idev->id.vendor = hdev->vendor;
Reported by FlawFinder.
drivers/hid/hid-quirks.c
2 issues
Line: 1009
Column: 16
CWE codes:
126
* other ELAN devices.
*/
if ((hdev->product == 0x0401 || hdev->product == 0x0400))
for (i = 0; strlen(elan_acpi_id[i].id); ++i)
if (!strncmp(hdev->name, elan_acpi_id[i].id,
strlen(elan_acpi_id[i].id)))
return true;
break;
}
Reported by FlawFinder.
Line: 1011
Column: 11
CWE codes:
126
if ((hdev->product == 0x0401 || hdev->product == 0x0400))
for (i = 0; strlen(elan_acpi_id[i].id); ++i)
if (!strncmp(hdev->name, elan_acpi_id[i].id,
strlen(elan_acpi_id[i].id)))
return true;
break;
}
if (hdev->type == HID_TYPE_USBMOUSE &&
Reported by FlawFinder.
drivers/hid/hid-sensor-hub.c
2 issues
Line: 222
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (remaining_bytes) {
value = 0;
memcpy(&value, (u8 *)buf32, remaining_bytes);
ret = hid_set_field(report->field[field_index], i,
(__force __s32)cpu_to_le32(value));
if (ret)
goto done_proc;
}
Reported by FlawFinder.
Line: 276
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buffer_index >= ret)
break;
memcpy(&((u8 *)buffer)[buffer_index], val_ptr,
report->field[field_index]->report_size / 8);
val_ptr += sizeof(__s32);
buffer_index += (report->field[field_index]->report_size / 8);
}
Reported by FlawFinder.
drivers/hid/hid-uclogic-core.c
2 issues
Line: 149
Column: 9
CWE codes:
126
}
if (suffix) {
len = strlen(hdev->name) + 2 + strlen(suffix);
name = devm_kzalloc(&hi->input->dev, len, GFP_KERNEL);
if (name) {
snprintf(name, len, "%s %s", hdev->name, suffix);
hi->input->name = name;
}
Reported by FlawFinder.
Line: 149
Column: 34
CWE codes:
126
}
if (suffix) {
len = strlen(hdev->name) + 2 + strlen(suffix);
name = devm_kzalloc(&hi->input->dev, len, GFP_KERNEL);
if (name) {
snprintf(name, len, "%s %s", hdev->name, suffix);
hi->input->name = name;
}
Reported by FlawFinder.
drivers/hid/hid-vivaldi.c
2 issues
Line: 37
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return 0;
for (i = 0; i < drvdata->max_function_row_key; i++)
size += sprintf(buf + size, "%02X ",
drvdata->function_row_physmap[i]);
size += sprintf(buf + size, "\n");
return size;
}
Reported by FlawFinder.
Line: 39
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < drvdata->max_function_row_key; i++)
size += sprintf(buf + size, "%02X ",
drvdata->function_row_physmap[i]);
size += sprintf(buf + size, "\n");
return size;
}
DEVICE_ATTR_RO(function_row_physmap);
static struct attribute *sysfs_attrs[] = {
Reported by FlawFinder.
drivers/hid/hid-wiimote-debug.c
2 issues
Line: 30
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wiimote_data *wdata = dbg->wdata;
unsigned long flags;
ssize_t ret;
char buf[16];
__u16 size = 0;
if (s == 0)
return -EINVAL;
if (*off > 0xffffff)
Reported by FlawFinder.
Line: 130
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *sf = f->private_data;
struct wiimote_debug *dbg = sf->private;
unsigned long flags;
char buf[16];
ssize_t len;
int i;
if (s == 0)
return -EINVAL;
Reported by FlawFinder.
drivers/hid/intel-ish-hid/ipc/pci-ish.c
2 issues
Line: 63
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
char tmp_buf[100];
va_start(args, format);
vsnprintf(tmp_buf, sizeof(tmp_buf), format, args);
va_end(args);
trace_ishtp_dump(tmp_buf);
}
}
Reported by FlawFinder.
Line: 60
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
if (trace_ishtp_dump_enabled()) {
va_list args;
char tmp_buf[100];
va_start(args, format);
vsnprintf(tmp_buf, sizeof(tmp_buf), format, args);
va_end(args);
Reported by FlawFinder.
drivers/hid/intel-ish-hid/ishtp-hid.h
2 issues
Line: 123
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int hid_dev_count;
struct device_info *hid_devices;
unsigned char *report_descr[MAX_HID_DEVICES];
int report_descr_size[MAX_HID_DEVICES];
struct hid_device *hid_sensor_hubs[MAX_HID_DEVICES];
unsigned char *hid_descr[MAX_HID_DEVICES];
int hid_descr_size[MAX_HID_DEVICES];
Reported by FlawFinder.
Line: 126
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *report_descr[MAX_HID_DEVICES];
int report_descr_size[MAX_HID_DEVICES];
struct hid_device *hid_sensor_hubs[MAX_HID_DEVICES];
unsigned char *hid_descr[MAX_HID_DEVICES];
int hid_descr_size[MAX_HID_DEVICES];
wait_queue_head_t init_wait;
wait_queue_head_t ishtp_resume_wait;
struct ishtp_cl *hid_ishtp_cl;
Reported by FlawFinder.
drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h
2 issues
Line: 102
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *ipc_send_compl_prm;
size_t length;
struct list_head link;
unsigned char inline_data[IPC_FULL_MSG_SIZE];
};
/*
* The ISHTP layer talks to hardware IPC message using the following
* callbacks
Reported by FlawFinder.
Line: 172
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
wait_queue_head_t wait_hbm_recvd_msg;
/* FIFO for input messages for BH processing */
unsigned char rd_msg_fifo[RD_INT_FIFO_SIZE * IPC_PAYLOAD_SIZE];
unsigned int rd_msg_fifo_head, rd_msg_fifo_tail;
spinlock_t rd_msg_spinlock;
struct work_struct bh_hbm_work;
/* IPC write queue */
Reported by FlawFinder.