The following issues were found
drivers/thunderbolt/tb.h
2 issues
Line: 580
CWE codes:
476
static inline int tb_sw_read(struct tb_switch *sw, void *buffer,
enum tb_cfg_space space, u32 offset, u32 length)
{
if (sw->is_unplugged)
return -ENODEV;
return tb_cfg_read(sw->tb->ctl,
buffer,
tb_route(sw),
0,
Reported by Cppcheck.
Line: 580
CWE codes:
476
static inline int tb_sw_read(struct tb_switch *sw, void *buffer,
enum tb_cfg_space space, u32 offset, u32 length)
{
if (sw->is_unplugged)
return -ENODEV;
return tb_cfg_read(sw->tb->ctl,
buffer,
tb_route(sw),
0,
Reported by Cppcheck.
drivers/scsi/qedf/qedf_dbg.c
2 issues
Line: 136
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void
qedf_uevent_emit(struct Scsi_Host *shost, u32 code, char *msg)
{
char event_string[40];
char *envp[] = {event_string, NULL};
memset(event_string, 0, sizeof(event_string));
switch (code) {
case QEDF_UEVENT_CODE_GRCDUMP:
Reported by FlawFinder.
Line: 145
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (msg)
strscpy(event_string, msg, sizeof(event_string));
else
sprintf(event_string, "GRCDUMP=%u", shost->host_no);
break;
default:
/* do nothing */
break;
}
Reported by FlawFinder.
drivers/vfio/pci/vfio_pci_zdev.c
2 issues
Line: 80
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cap->header.id = VFIO_DEVICE_INFO_CAP_ZPCI_UTIL;
cap->header.version = 1;
cap->size = CLP_UTIL_STR_LEN;
memcpy(cap->util_str, zdev->util_str, cap->size);
ret = vfio_info_add_capability(caps, &cap->header, cap_size);
kfree(cap);
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cap->header.id = VFIO_DEVICE_INFO_CAP_ZPCI_PFIP;
cap->header.version = 1;
cap->size = CLP_PFIP_NR_SEGMENTS;
memcpy(cap->pfip, zdev->pfip, cap->size);
ret = vfio_info_add_capability(caps, &cap->header, cap_size);
kfree(cap);
Reported by FlawFinder.
drivers/spi/spi-tegra20-slink.c
2 issues
Line: 373
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tspi->is_packed) {
unsigned len = tspi->curr_dma_words * tspi->bytes_per_word;
memcpy(tspi->tx_dma_buf, t->tx_buf + tspi->cur_pos, len);
} else {
unsigned int i;
unsigned int count;
u8 *tx_buf = (u8 *)t->tx_buf + tspi->cur_tx_pos;
unsigned consume = tspi->curr_dma_words * tspi->bytes_per_word;
Reported by FlawFinder.
Line: 406
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tspi->is_packed) {
len = tspi->curr_dma_words * tspi->bytes_per_word;
memcpy(t->rx_buf + tspi->cur_rx_pos, tspi->rx_dma_buf, len);
} else {
unsigned int i;
unsigned int count;
unsigned char *rx_buf = t->rx_buf + tspi->cur_rx_pos;
u32 rx_mask = ((u32)1 << t->bits_per_word) - 1;
Reported by FlawFinder.
drivers/staging/rtl8712/rtl871x_xmit.h
2 issues
Line: 116
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
u8 iv_len;
u8 icv_len;
unsigned char iv[8];
unsigned char icv[8];
u8 dst[ETH_ALEN] __aligned(2); /* for ether_addr_copy */
u8 src[ETH_ALEN];
u8 ta[ETH_ALEN];
u8 ra[ETH_ALEN];
Reported by FlawFinder.
Line: 117
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 iv_len;
u8 icv_len;
unsigned char iv[8];
unsigned char icv[8];
u8 dst[ETH_ALEN] __aligned(2); /* for ether_addr_copy */
u8 src[ETH_ALEN];
u8 ta[ETH_ALEN];
u8 ra[ETH_ALEN];
struct sta_info *psta;
Reported by FlawFinder.
drivers/staging/media/zoran/zoran_device.c
2 issues
Line: 638
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* set JPEG app/com marker */
app.appn = zr->jpg_settings.jpg_comp.APPn;
app.len = zr->jpg_settings.jpg_comp.APP_len;
memcpy(app.data, zr->jpg_settings.jpg_comp.APP_data, 60);
zr->codec->control(zr->codec, CODEC_S_JPEG_APP_DATA,
sizeof(struct jpeg_app_marker), &app);
com.len = zr->jpg_settings.jpg_comp.COM_len;
memcpy(com.data, zr->jpg_settings.jpg_comp.COM_data, 60);
Reported by FlawFinder.
Line: 643
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct jpeg_app_marker), &app);
com.len = zr->jpg_settings.jpg_comp.COM_len;
memcpy(com.data, zr->jpg_settings.jpg_comp.COM_data, 60);
zr->codec->control(zr->codec, CODEC_S_JPEG_COM_DATA,
sizeof(struct jpeg_com_marker), &com);
/* Setup the JPEG codec */
zr->codec->control(zr->codec, CODEC_S_JPEG_TDS_BYTE,
Reported by FlawFinder.
drivers/scsi/qedf/drv_fcoe_fw_funcs.c
2 issues
Line: 46
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
y_st_ctx->data_2_trns_rem = cpu_to_le32(io_size);
y_st_ctx->task_rety_identifier = cpu_to_le32(task_retry_id);
y_st_ctx->task_type = (u8)task_params->task_type;
memcpy(&y_st_ctx->tx_info_union.fcp_cmd_payload,
fcp_cmd_payload, sizeof(struct fcoe_fcp_cmd_payload));
/* Tstorm ctx */
t_st_ctx = &ctx->tstorm_st_context;
t_st_ctx->read_only.dev_type = (u8)(task_params->is_tape_device == 1 ?
Reported by FlawFinder.
Line: 138
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
YSTORM_FCOE_TASK_ST_CTX_TX_SGL_MODE, SCSI_FAST_SGL);
y_st_ctx->data_2_trns_rem = cpu_to_le32(task_params->tx_io_size);
y_st_ctx->task_type = (u8)task_params->task_type;
memcpy(&y_st_ctx->tx_info_union.tx_params.mid_path,
mid_path_fc_header, sizeof(struct fcoe_tx_mid_path_params));
/* Init Mstorm */
m_st_ctx = &ctx->mstorm_st_context;
init_scsi_sgl_context(&m_st_ctx->sgl_params,
Reported by FlawFinder.
drivers/staging/media/ipu3/ipu3-css.c
2 issues
Line: 1697
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const u32 OUT_ALIGN_W = 8;
static const u32 OUT_ALIGN_H = 4;
static const u32 VF_ALIGN_W = 2;
static const char *qnames[IPU3_CSS_QUEUES] = {
[IPU3_CSS_QUEUE_IN] = "in",
[IPU3_CSS_QUEUE_PARAMS] = "params",
[IPU3_CSS_QUEUE_OUT] = "out",
[IPU3_CSS_QUEUE_VF] = "vf",
[IPU3_CSS_QUEUE_STAT_3A] = "3a",
Reported by FlawFinder.
Line: 1704
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[IPU3_CSS_QUEUE_VF] = "vf",
[IPU3_CSS_QUEUE_STAT_3A] = "3a",
};
static const char *rnames[IPU3_CSS_RECTS] = {
[IPU3_CSS_RECT_EFFECTIVE] = "effective resolution",
[IPU3_CSS_RECT_BDS] = "bayer-domain scaled resolution",
[IPU3_CSS_RECT_ENVELOPE] = "DVS envelope size",
[IPU3_CSS_RECT_GDC] = "GDC output res",
};
Reported by FlawFinder.
drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c
2 issues
Line: 193
Column: 8
CWE codes:
126
num_ovls = 0;
len = strlen(buf);
if (buf[len - 1] == '\n')
len = len - 1;
lock_fb_info(fbi);
omapfb_lock(fbdev);
Reported by FlawFinder.
Line: 352
Column: 8
CWE codes:
126
bool changed = false;
u8 rotation[OMAPFB_MAX_OVL_PER_FB];
len = strlen(buf);
if (buf[len - 1] == '\n')
len = len - 1;
lock_fb_info(fbi);
Reported by FlawFinder.
drivers/video/backlight/88pm860x_bl.c
2 issues
Line: 188
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct backlight_device *bl;
struct resource *res;
struct backlight_properties props;
char name[MFD_NAME_SIZE];
int ret = 0;
data = devm_kzalloc(&pdev->dev, sizeof(struct pm860x_backlight_data),
GFP_KERNEL);
if (data == NULL)
Reported by FlawFinder.
Line: 215
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data->reg_current = res->start;
memset(name, 0, MFD_NAME_SIZE);
sprintf(name, "backlight-%d", pdev->id);
data->port = pdev->id;
data->chip = chip;
data->i2c = (chip->id == CHIP_PM8606) ? chip->client : chip->companion;
data->current_brightness = MAX_BRIGHTNESS;
if (pm860x_backlight_dt_init(pdev, data, name)) {
Reported by FlawFinder.