The following issues were found
drivers/usb/typec/ucsi/ucsi_acpi.c
2 issues
Line: 54
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(val, (const void __force *)(ua->base + offset), val_len);
return 0;
}
static int ucsi_acpi_async_write(struct ucsi *ucsi, unsigned int offset,
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct ucsi_acpi *ua = ucsi_get_drvdata(ucsi);
memcpy((void __force *)(ua->base + offset), val, val_len);
return ucsi_acpi_dsm(ua, UCSI_DSM_FUNC_WRITE);
}
static int ucsi_acpi_sync_write(struct ucsi *ucsi, unsigned int offset,
Reported by FlawFinder.
drivers/usb/gadget/udc/aspeed-vhub/epn.c
2 issues
Line: 70
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* For IN transfers, copy data over first */
if (ep->epn.is_in) {
memcpy(ep->buf, req->req.buf + act, chunk);
vhub_dma_workaround(ep->buf);
}
writel(ep->buf_dma, ep->epn.regs + AST_VHUB_EP_DESC_BASE);
} else {
if (ep->epn.is_in)
Reported by FlawFinder.
Line: 128
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* If not using DMA, copy data out if needed */
if (!req->req.dma && !ep->epn.is_in && len)
memcpy(req->req.buf + req->req.actual, ep->buf, len);
/* Adjust size */
req->req.actual += len;
/* Check for short packet */
Reported by FlawFinder.
drivers/staging/media/omap4iss/iss_csi2.c
2 issues
Line: 874
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pixelcode = fmt->code;
format = __csi2_get_format(csi2, sd_state, CSI2_PAD_SINK,
which);
memcpy(fmt, format, sizeof(*fmt));
/*
* Only Allow DPCM decompression, and check that the
* pattern is preserved
*/
Reported by FlawFinder.
Line: 1263
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct media_pad *pads = csi2->pads;
struct media_entity *me = &sd->entity;
int ret;
char name[V4L2_SUBDEV_NAME_SIZE];
v4l2_subdev_init(sd, &csi2_ops);
sd->internal_ops = &csi2_internal_ops;
snprintf(name, sizeof(name), "CSI2%s", subname);
snprintf(sd->name, sizeof(sd->name), "OMAP4 ISS %s", name);
Reported by FlawFinder.
drivers/staging/media/av7110/dvb_filter.c
2 issues
Line: 97
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[1]&=~0x40;
while (len>=184) {
buf[3]=0x10|((p2ts->cc++)&0x0f);
memcpy(buf+4, pes, 184);
if ((ret=p2ts->cb(p2ts->priv, buf)))
return ret;
len-=184; pes+=184;
buf[1]&=~0x40;
}
Reported by FlawFinder.
Line: 113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(buf+6, 0xff, rest-1);
}
buf[4]=rest;
memcpy(buf+5+rest, pes, len);
return p2ts->cb(p2ts->priv, buf);
}
Reported by FlawFinder.
drivers/spi/spi-nxp-fspi.c
2 issues
Line: 762
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
WARN_ON(ret);
for (j = 0; j < ALIGN(op->data.nbytes - i, 4); j += 4) {
memcpy(&data, buf + i + j, 4);
fspi_writel(f, data, base + FSPI_TFDR + j);
}
fspi_writel(f, FSPI_INTR_IPTXWE, base + FSPI_INTR);
}
}
Reported by FlawFinder.
Line: 809
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < op->data.nbytes - i; j += 4) {
tmp = fspi_readl(f, base + FSPI_RFDR + j);
size = min(len, 4);
memcpy(buf + j, &tmp, size);
len -= size;
}
}
/* invalid the RXFIFO */
Reported by FlawFinder.
drivers/usb/gadget/udc/aspeed-vhub/ep0.c
2 issues
Line: 222
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* in the EP buffer)
*/
if (chunk && req->req.buf)
memcpy(ep->buf, req->req.buf + req->req.actual, chunk);
vhub_dma_workaround(ep->buf);
/* Remember chunk size and trigger send */
reg = VHUB_EP0_SET_TX_LEN(chunk);
Reported by FlawFinder.
Line: 260
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = -EOVERFLOW;
}
if (len && req->req.buf)
memcpy(req->req.buf + req->req.actual, ep->buf, len);
req->req.actual += len;
/* Done ? */
if (len < ep->ep.maxpacket || len == remain) {
ep->ep0.state = ep0_state_status;
Reported by FlawFinder.
drivers/staging/media/av7110/sp8870.c
2 issues
Line: 115
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
// write register 0xCF0A
tx_buf[0] = 0xCF;
tx_buf[1] = 0x0A;
memcpy(&tx_buf[2], fw_buf + fw_pos, tx_len);
msg.addr = state->config->demod_address;
msg.flags = 0;
msg.buf = tx_buf;
msg.len = tx_len + 2;
if ((err = i2c_transfer (state->i2c, &msg, 1)) != 1) {
Reported by FlawFinder.
Line: 563
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sp8870_readreg(state, 0x0200) < 0) goto error;
/* create dvb_frontend */
memcpy(&state->frontend.ops, &sp8870_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
error:
kfree(state);
Reported by FlawFinder.
drivers/usb/gadget/u_os_desc.h
2 issues
Line: 100
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int data_len)
{
put_unaligned_le32(data_len, usb_ext_prop_data_len_ptr(buf, pnl));
memcpy(usb_ext_prop_data_ptr(buf, pnl), data, data_len);
}
static inline int usb_ext_prop_put_unicode(u8 *buf, int pnl, const char *string,
int data_len)
{
Reported by FlawFinder.
Line: 86
Column: 33
CWE codes:
126
int result;
put_unaligned_le16(pnl, usb_ext_prop_name_len_ptr(buf));
result = utf8s_to_utf16s(name, strlen(name), UTF16_LITTLE_ENDIAN,
(wchar_t *) usb_ext_prop_name_ptr(buf), pnl - 2);
if (result < 0)
return result;
put_unaligned_le16(0, &buf[USB_EXT_PROP_B_PROPERTY_NAME + pnl - 2]);
Reported by FlawFinder.
drivers/tty/tty_audit.c
2 issues
Line: 72
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_TTY);
if (ab) {
char name[sizeof(current->comm)];
audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u major=%d"
" minor=%d comm=", description, pid, uid,
loginuid, sessionid, MAJOR(dev), MINOR(dev));
get_task_comm(name, current);
Reported by FlawFinder.
Line: 240
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
run = N_TTY_BUF_SIZE - buf->valid;
if (run > size)
run = size;
memcpy(buf->data + buf->valid, data, run);
buf->valid += run;
data += run;
size -= run;
if (buf->valid == N_TTY_BUF_SIZE)
tty_audit_buf_push(buf);
Reported by FlawFinder.
drivers/staging/rtl8723bs/include/drv_types.h
2 issues
Line: 397
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void (*intf_stop)(struct adapter *adapter);
struct net_device *pnetdev;
char old_ifname[IFNAMSIZ];
/* used by rtw_rereg_nd_name related function */
struct rereg_nd_name_data {
struct net_device *old_pnetdev;
char old_ifname[IFNAMSIZ];
Reported by FlawFinder.
Line: 402
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* used by rtw_rereg_nd_name related function */
struct rereg_nd_name_data {
struct net_device *old_pnetdev;
char old_ifname[IFNAMSIZ];
u8 old_bRegUseLed;
} rereg_nd_name_priv;
int bup;
struct net_device_stats stats;
Reported by FlawFinder.