The following issues were found
drivers/scsi/megaraid/megaraid_mm.c
2 issues
Line: 106
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
mraid_mm_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
{
uioc_t *kioc;
char signature[EXT_IOCTL_SIGN_SZ] = {0};
int rval;
mraid_mmadp_t *adp;
uint8_t old_ioctl;
int drvrcmd_rval;
void __user *argp = (void __user *)arg;
Reported by FlawFinder.
Line: 452
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
mbox64 = (mbox64_t *)((unsigned long)kioc->cmdbuf);
mbox = &mbox64->mbox32;
memcpy(mbox, mimd.mbox, 14);
if (mbox->cmd != MBOXCMD_PASSTHRU) { // regular DCMD
mbox->xferaddr = (uint32_t)kioc->buf_paddr;
Reported by FlawFinder.
drivers/usb/gadget/udc/bdc/bdc.h
2 issues
Line: 360
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct usb_ss_ep_comp_descriptor *comp_desc;
const struct usb_endpoint_descriptor *desc;
unsigned int flags;
char name[20];
/* endpoint bd list*/
struct bd_list bd_list;
/*
* HW generates extra event for multi bd tranfers, this flag helps in
* ignoring the extra event
Reported by FlawFinder.
Line: 448
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* ep0 callback handlers */
void (*sr_xsf_ep0[3])(struct bdc *, struct bdc_sr *);
/* ep0 response buffer for ch9 requests like GET_STATUS and SET_SEL */
unsigned char ep0_response_buff[EP0_RESPONSE_BUFF];
/*
* Timer to check if host resumed transfer after bdc sent Func wake
* notification packet after a remote wakeup. if not, then resend the
* Func Wake packet every 2.5 secs. Refer to USB3 spec section 8.5.6.4
*/
Reported by FlawFinder.
drivers/soc/renesas/r8a779a0-sysc.c
2 issues
Line: 419
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
goto out_put;
}
strcpy(pd->name, area->name);
pd->genpd.name = pd->name;
pd->pdr = area->pdr;
pd->flags = area->flags;
error = r8a779a0_sysc_pd_setup(pd);
Reported by FlawFinder.
Line: 413
Column: 30
CWE codes:
126
continue;
}
pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL);
if (!pd) {
error = -ENOMEM;
goto out_put;
}
Reported by FlawFinder.
drivers/staging/media/av7110/av7110_hw.h
2 issues
Line: 397
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline void mwdebi(struct av7110 *av7110, u32 config, int addr,
const u8 *val, int count)
{
memcpy(av7110->debi_virt, val, count);
av7110_debiwrite(av7110, config, addr, 0, count);
}
static inline u32 irdebi(struct av7110 *av7110, u32 config, int addr, u32 val, unsigned int count)
{
Reported by FlawFinder.
Line: 407
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
res=av7110_debiread(av7110, config, addr, count);
if (count<=4)
memcpy(av7110->debi_virt, (char *) &res, count);
return res;
}
/* DEBI outside interrupts, only for count <= 4! */
static inline void wdebi(struct av7110 *av7110, u32 config, int addr, u32 val, unsigned int count)
Reported by FlawFinder.
drivers/spi/spi-armada-3700.c
2 issues
Line: 523
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
val = spireg_read(a3700_spi, A3700_SPI_DATA_IN_REG);
if (a3700_spi->buf_len >= 4) {
memcpy(a3700_spi->rx_buf, &val, 4);
a3700_spi->buf_len -= 4;
a3700_spi->rx_buf += 4;
} else {
/*
Reported by FlawFinder.
Line: 772
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
val = spireg_read(a3700_spi, A3700_SPI_DATA_IN_REG);
memcpy(a3700_spi->rx_buf, &val, a3700_spi->byte_len);
a3700_spi->buf_len -= a3700_spi->byte_len;
a3700_spi->tx_buf += a3700_spi->byte_len;
a3700_spi->rx_buf += a3700_spi->byte_len;
Reported by FlawFinder.
drivers/usb/typec/tcpm/tcpci.c
2 issues
Line: 538
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[pos++] = cnt + 2;
if (msg)
memcpy(&buf[pos], &msg->header, sizeof(msg->header));
pos += sizeof(header);
if (cnt > 0)
memcpy(&buf[pos], msg->payload, cnt);
Reported by FlawFinder.
Line: 543
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos += sizeof(header);
if (cnt > 0)
memcpy(&buf[pos], msg->payload, cnt);
pos += cnt;
ret = regmap_raw_write(tcpci->regmap, TCPC_TX_BYTE_CNT, buf, pos);
if (ret < 0)
return ret;
Reported by FlawFinder.
drivers/usb/class/cdc-wdm.c
2 issues
Line: 960
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!skb)
return;
memcpy(skb_put(skb, length), desc->inbuf, length);
wwan_port_rx(port, skb);
/* inbuf has been copied, it is safe to check for outstanding data */
schedule_work(&desc->service_outs_intr);
}
Reported by FlawFinder.
drivers/staging/sm750fb/sm750_accel.c
2 issues
Line: 328
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int ul4BytesPerScan;
unsigned int ulBytesRemain;
unsigned int de_ctrl = 0;
unsigned char ajRemain[4];
int i, j;
startBit &= 7; /* Just make sure the start bit is within legal range */
ulBytesPerScan = (width + startBit + 7) / 8;
ul4BytesPerScan = ulBytesPerScan & ~3;
Reported by FlawFinder.
Line: 404
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
write_dpPort(accel, *(unsigned int *)(pSrcbuf + (j * 4)));
if (ulBytesRemain) {
memcpy(ajRemain, pSrcbuf + ul4BytesPerScan,
ulBytesRemain);
write_dpPort(accel, *(unsigned int *)ajRemain);
}
pSrcbuf += srcDelta;
Reported by FlawFinder.
drivers/scsi/qedi/qedi_iscsi.h
2 issues
Line: 227
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct qedi_boot_target {
char ip_addr[64];
char iscsi_name[255];
u32 ipv6_en;
};
#define qedi_set_itt(task_id, itt) ((u32)(((task_id) & 0xffff) | ((itt) << 16)))
Reported by FlawFinder.
Line: 228
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct qedi_boot_target {
char ip_addr[64];
char iscsi_name[255];
u32 ipv6_en;
};
#define qedi_set_itt(task_id, itt) ((u32)(((task_id) & 0xffff) | ((itt) << 16)))
#define qedi_get_itt(cqe) (cqe.iscsi_hdr.cmd.itt >> 16)
Reported by FlawFinder.
drivers/usb/gadget/udc/atmel_usba_udc.c
2 issues
Line: 90
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head *queue = file->private_data;
struct usba_request *req, *tmp_req;
size_t len, remaining, actual = 0;
char tmpbuf[38];
if (!access_ok(buf, nbytes))
return -EFAULT;
inode_lock(file_inode(file));
Reported by FlawFinder.
Line: 2215
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ep->can_dma = ep_cfg->can_dma;
ep->can_isoc = ep_cfg->can_isoc;
sprintf(ep->name, "ep%d", ep->index);
ep->ep.name = ep->name;
ep->ep_regs = udc->regs + USBA_EPT_BASE(i);
ep->dma_regs = udc->regs + USBA_DMA_BASE(i);
ep->fifo = udc->fifo + USBA_FIFO_BASE(i);
Reported by FlawFinder.