The following issues were found
drivers/usb/gadget/legacy/printer.c
2 issues
Line: 84
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* descriptors that are built on-demand */
static char product_desc [40] = DRIVER_DESC;
static char serial_num [40] = "1";
static char *pnp_string =
"MFG:linux;MDL:g_printer;CLS:PRINTER;SN:1;";
/* static strings, in UTF-8 */
Reported by FlawFinder.
Line: 85
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* descriptors that are built on-demand */
static char product_desc [40] = DRIVER_DESC;
static char serial_num [40] = "1";
static char *pnp_string =
"MFG:linux;MDL:g_printer;CLS:PRINTER;SN:1;";
/* static strings, in UTF-8 */
static struct usb_string strings [] = {
Reported by FlawFinder.
drivers/usb/usbip/vudc_sysfs.c
2 issues
Line: 55
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto giveback_req;
}
memcpy(ddesc, usb_req->req.buf, sizeof(*ddesc));
udc->desc_cached = 1;
ret = 0;
giveback_req:
usb_req->req.status = 0;
usb_req->req.actual = usb_req->req.length;
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto unlock;
}
memcpy(out, desc_ptr + off, count);
ret = count;
unlock:
spin_unlock_irqrestore(&udc->lock, flags);
return ret;
}
Reported by FlawFinder.
drivers/usb/usbip/vudc_transfer.c
2 issues
Line: 226
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rbuf_pos = req->req.buf + req->req.actual;
if (urb->pipe & USB_DIR_IN)
memcpy(ubuf_pos, rbuf_pos, len);
else
memcpy(rbuf_pos, ubuf_pos, len);
urb->actual_length += len;
req->req.actual += len;
Reported by FlawFinder.
Line: 228
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (urb->pipe & USB_DIR_IN)
memcpy(ubuf_pos, rbuf_pos, len);
else
memcpy(rbuf_pos, ubuf_pos, len);
urb->actual_length += len;
req->req.actual += len;
sent += len;
}
Reported by FlawFinder.
drivers/vdpa/ifcvf/ifcvf_base.h
2 issues
Line: 67
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
phys_addr_t notify_pa;
u32 irq;
struct vdpa_callback cb;
char msix_name[256];
};
struct ifcvf_hw {
u8 __iomem *isr;
/* Live migration */
Reported by FlawFinder.
Line: 88
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __iomem *net_cfg;
struct vring_info vring[IFCVF_MAX_QUEUE_PAIRS * 2];
void __iomem * const *base;
char config_msix_name[256];
struct vdpa_callback config_cb;
unsigned int config_irq;
};
struct ifcvf_adapter {
Reported by FlawFinder.
drivers/vdpa/mlx5/net/mlx5_vnet.c
2 issues
Line: 1267
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MLX5_SET(tirc, tirc, rx_hash_symmetric, 1);
MLX5_SET(tirc, tirc, rx_hash_fn, MLX5_RX_HASH_FN_TOEPLITZ);
rss_key = MLX5_ADDR_OF(tirc, tirc, rx_hash_toeplitz_key);
memcpy(rss_key, rx_hash_toeplitz_key, sizeof(rx_hash_toeplitz_key));
outer = MLX5_ADDR_OF(tirc, tirc, rx_hash_field_selector_outer);
MLX5_SET(rx_hash_field_select, outer, l3_prot_type, MLX5_L3_PROT_TYPE_IPV4);
MLX5_SET(rx_hash_field_select, outer, l4_prot_type, MLX5_L4_PROT_TYPE_TCP);
MLX5_SET(rx_hash_field_select, outer, selected_fields, HASH_IP_L4PORTS);
Reported by FlawFinder.
Line: 1832
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
if (offset + len <= sizeof(struct virtio_net_config))
memcpy(buf, (u8 *)&ndev->config + offset, len);
}
static void mlx5_vdpa_set_config(struct vdpa_device *vdev, unsigned int offset, const void *buf,
unsigned int len)
{
Reported by FlawFinder.
drivers/vdpa/vdpa_sim/vdpa_sim.c
2 issues
Line: 485
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (vdpasim->dev_attr.get_config)
vdpasim->dev_attr.get_config(vdpasim, vdpasim->config);
memcpy(buf, vdpasim->config + offset, len);
}
static void vdpasim_set_config(struct vdpa_device *vdpa, unsigned int offset,
const void *buf, unsigned int len)
{
Reported by FlawFinder.
Line: 496
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (offset + len > vdpasim->dev_attr.config_size)
return;
memcpy(vdpasim->config + offset, buf, len);
if (vdpasim->dev_attr.set_config)
vdpasim->dev_attr.set_config(vdpasim, vdpasim->config);
}
Reported by FlawFinder.
drivers/soc/qcom/smd-rpm.c
2 issues
Line: 130
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pkt->req.type = cpu_to_le32(type);
pkt->req.id = cpu_to_le32(id);
pkt->req.data_len = cpu_to_le32(count);
memcpy(pkt->payload, buf, count);
ret = rpmsg_send(rpm->rpm_channel, pkt, size);
if (ret)
goto out;
Reported by FlawFinder.
Line: 161
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct qcom_smd_rpm *rpm = dev_get_drvdata(&rpdev->dev);
const u8 *buf = data + sizeof(struct qcom_rpm_header);
const u8 *end = buf + hdr_length;
char msgbuf[32];
int status = 0;
u32 len, msg_length;
if (le32_to_cpu(hdr->service_type) != RPM_SERVICE_TYPE_REQUEST ||
hdr_length < sizeof(struct qcom_rpm_message)) {
Reported by FlawFinder.
drivers/staging/wfx/main.c
2 issues
Line: 298
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hw->wiphy->iface_combinations = wfx_iface_combinations;
hw->wiphy->bands[NL80211_BAND_2GHZ] = devm_kmalloc(dev, sizeof(wfx_band_2ghz), GFP_KERNEL);
// FIXME: also copy wfx_rates and wfx_2ghz_chantable
memcpy(hw->wiphy->bands[NL80211_BAND_2GHZ], &wfx_band_2ghz,
sizeof(wfx_band_2ghz));
wdev = hw->priv;
wdev->hw = hw;
wdev->dev = dev;
Reported by FlawFinder.
Line: 306
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wdev->dev = dev;
wdev->hwbus_ops = hwbus_ops;
wdev->hwbus_priv = hwbus_priv;
memcpy(&wdev->pdata, pdata, sizeof(*pdata));
of_property_read_string(dev->of_node, "config-file",
&wdev->pdata.file_pds);
wdev->pdata.gpio_wakeup = devm_gpiod_get_optional(dev, "wakeup",
GPIOD_OUT_LOW);
if (IS_ERR(wdev->pdata.gpio_wakeup))
Reported by FlawFinder.
drivers/vdpa/virtio_pci/vp_vdpa.c
2 issues
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vp_vring {
void __iomem *notify;
char msix_name[VP_VDPA_NAME_SIZE];
struct vdpa_callback cb;
resource_size_t notify_pa;
int irq;
};
Reported by FlawFinder.
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct virtio_pci_modern_device mdev;
struct vp_vring *vring;
struct vdpa_callback config_cb;
char msix_name[VP_VDPA_NAME_SIZE];
int config_irq;
int queues;
int vectors;
};
Reported by FlawFinder.
drivers/spi/spi-atmel.c
2 issues
Line: 569
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_vmalloc_addr(as->current_transfer->rx_buf) &&
IS_ENABLED(CONFIG_SOC_SAM_V4_V5)) {
memcpy(as->current_transfer->rx_buf, as->addr_rx_bbuf,
as->current_transfer->len);
}
complete(&as->xfer_completion);
}
Reported by FlawFinder.
Line: 741
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (atmel_spi_is_vmalloc_xfer(xfer) &&
IS_ENABLED(CONFIG_SOC_SAM_V4_V5)) {
memcpy(as->addr_tx_bbuf, xfer->tx_buf, xfer->len);
txdesc = dmaengine_prep_slave_single(txchan,
as->dma_addr_tx_bbuf,
xfer->len, DMA_MEM_TO_DEV,
DMA_PREP_INTERRUPT |
DMA_CTRL_ACK);
Reported by FlawFinder.