The following issues were found
drivers/staging/wfx/hif_rx.c
2 issues
Line: 44
Column: 4
CWE codes:
120
Suggestion:
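Make sure destination can always hold the source data. In the excerpt the copy is already guarded by `wdev->hif_cmd.len_recv >= len && len > 0`, so what remains to confirm is that `len_recv` never exceeds the real size of `buf_recv` at the point where the caller sets both (outside the excerpt).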
if (wdev->hif_cmd.buf_recv) {
if (wdev->hif_cmd.len_recv >= len && len > 0)
memcpy(wdev->hif_cmd.buf_recv, buf, len);
else
status = -EIO;
}
wdev->hif_cmd.ret = status;
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
120
Suggestion:
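Make sure destination can always hold the source data. The copy length is the fixed `sizeof(struct hif_ind_startup)`; the excerpt shows neither the type of `wdev->hw_caps` nor the condition behind the "received invalid startup indication" rejection, so confirm that `hw_caps` is at least that large and that `body` has been validated to contain that many bytes.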
dev_err(wdev->dev, "received invalid startup indication");
return -EINVAL;
}
memcpy(&wdev->hw_caps, body, sizeof(struct hif_ind_startup));
le16_to_cpus((__le16 *)&wdev->hw_caps.hardware_id);
le16_to_cpus((__le16 *)&wdev->hw_caps.num_inp_ch_bufs);
le16_to_cpus((__le16 *)&wdev->hw_caps.size_inp_ch_buf);
le32_to_cpus((__le32 *)&wdev->hw_caps.supported_rate_mask);
Reported by FlawFinder.
drivers/tty/tty_ldisc.c
2 issues
Line: 446
Column: 15
CWE codes:
362
static int tty_ldisc_open(struct tty_struct *tty, struct tty_ldisc *ld)
{
WARN_ON(test_and_set_bit(TTY_LDISC_OPEN, &tty->flags));
if (ld->ops->open) {
int ret;
/* BTM here locks versus a hangup event */
ret = ld->ops->open(tty);
if (ret)
clear_bit(TTY_LDISC_OPEN, &tty->flags);
Reported by FlawFinder.
Line: 449
Column: 18
CWE codes:
362
if (ld->ops->open) {
int ret;
/* BTM here locks versus a hangup event */
ret = ld->ops->open(tty);
if (ret)
clear_bit(TTY_LDISC_OPEN, &tty->flags);
tty_ldisc_debug(tty, "%p: opened\n", ld);
return ret;
Reported by FlawFinder.
drivers/staging/octeon-usb/octeon-hcd.c
2 issues
Line: 444
Column: 3
CWE codes:
120
Suggestion:
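Make sure destination can always hold the source data. The length is `urb->transfer_buffer_length`, so the check to make is against the size `temp` was allocated with, which is outside the excerpt.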
temp->orig_buffer = urb->transfer_buffer;
if (usb_urb_dir_out(urb))
memcpy(temp->data, urb->transfer_buffer,
urb->transfer_buffer_length);
urb->transfer_buffer = temp->data;
urb->transfer_flags |= URB_ALIGNED_TEMP_BUFFER;
return 0;
Reported by FlawFinder.
Line: 474
Column: 3
CWE codes:
120
Suggestion:
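Make sure destination can always hold the source data. Here data is copied back into the original buffer saved in `temp->orig_buffer`; on the branch shown `length` is `urb->actual_length` (the other branch is outside the excerpt), so confirm it can never exceed the size of that original buffer.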
else
length = urb->actual_length;
memcpy(temp->orig_buffer, urb->transfer_buffer, length);
}
urb->transfer_buffer = temp->orig_buffer;
urb->transfer_flags &= ~URB_ALIGNED_TEMP_BUFFER;
kfree(temp);
}
Reported by FlawFinder.
drivers/video/fbdev/matrox/matroxfb_DAC1064.c
2 issues
Line: 737
Column: 48
CWE codes:
78
Suggestion:
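Try using a library call that implements the same functionality, if available. Triage caveat: the excerpt contains no call to system(); the only occurrence of that name is the struct member in `minfo->values.pll.system`, which is where column 48 appears to fall, so this CWE-78 finding looks like a name match on an identifier rather than a command execution. Confirm against the source before acting on it.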
outDAC1064(minfo, M1064_XPWRCTRL, pwr);
matroxfb_DAC_unlock_irqrestore(flags);
}
matroxfb_g450_setclk(minfo, minfo->values.pll.system, M_SYSTEM_PLL);
/* switch clocks to their real PLL source(s) */
pci_write_config_dword(minfo->pcidev, PCI_OPTION_REG, minfo->hw.MXoptionReg | 4);
pci_write_config_dword(minfo->pcidev, PCI_OPTION3_REG, minfo->values.reg.opt3);
pci_write_config_dword(minfo->pcidev, PCI_OPTION_REG, minfo->hw.MXoptionReg);
Reported by FlawFinder.
Line: 355
Column: 2
CWE codes:
120
Suggestion:
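Make sure destination can always hold the source data. The length is taken from `sizeof(MGA1064_DAC_regs)`, which is neither the destination `hw->DACreg` nor the source `MGA1064_DAC` named in the call, so check that all three objects have the same size; a compile-time size check would pin this down.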
DBG(__func__)
memcpy(hw->DACreg, MGA1064_DAC, sizeof(MGA1064_DAC_regs));
switch (minfo->fbcon.var.bits_per_pixel) {
/* case 4: not supported by MGA1064 DAC */
case 8:
hw->DACreg[POS1064_XMULCTRL] = M1064_XMULCTRL_DEPTH_8BPP | M1064_XMULCTRL_GRAPHICS_PALETIZED;
break;
Reported by FlawFinder.
drivers/scsi/pmcraid.h
2 issues
Line: 745
Column: 2
CWE codes:
119
120
Suggestion:
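Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. This finding and the next one (line 746) are raised on the declarations of the fixed-size arrays `cmd_pool_name[64]` and `ctl_pool_name[64]`; a declaration alone is not a defect, so the review target is the code that writes these names, which is not shown here, and whether it uses a length-bounded call sized to 64.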
/* structures related to command blocks */
struct kmem_cache *cmd_cachep; /* cache for cmd blocks */
struct dma_pool *control_pool; /* pool for control blocks */
char cmd_pool_name[64]; /* name of cmd cache */
char ctl_pool_name[64]; /* name of control cache */
struct pmcraid_cmd *cmd_list[PMCRAID_MAX_CMD];
struct list_head free_cmd_pool;
Reported by FlawFinder.
Line: 746
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct kmem_cache *cmd_cachep; /* cache for cmd blocks */
struct dma_pool *control_pool; /* pool for control blocks */
char cmd_pool_name[64]; /* name of cmd cache */
char ctl_pool_name[64]; /* name of control cache */
struct pmcraid_cmd *cmd_list[PMCRAID_MAX_CMD];
struct list_head free_cmd_pool;
struct list_head pending_cmd_pool;
Reported by FlawFinder.
drivers/tty/vt/conmakehash.c
2 issues
Line: 80
Column: 3
CWE codes:
119
120
Suggestion:
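Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The finding is on the declaration `char buffer[65536]`; the reads that fill it are outside the excerpt, so confirm that each of them passes the buffer size as its limit.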
{
FILE *ctbl;
char *tblname;
char buffer[65536];
int fontlen;
int i, nuni, nent;
int fp0, fp1, un0, un1;
char *p, *p1;
Reported by FlawFinder.
Line: 96
Column: 14
CWE codes:
362
}
else
{
ctbl = fopen(tblname = argv[1], "r");
if ( !ctbl )
{
perror(tblname);
exit(EX_NOINPUT);
}
Reported by FlawFinder.
drivers/scsi/pm8001/pm8001_sas.h
2 issues
Line: 471
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 irq_id;
};
struct pm8001_hba_info {
char name[PM8001_NAME_LENGTH];
struct list_head list;
unsigned long flags;
spinlock_t lock;/* host-wide lock */
spinlock_t bitmap_lock;
struct pci_dev *pdev;/* our device */
Reported by FlawFinder.
Line: 521
Column: 2
CWE codes:
119
120
Suggestion:
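Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The inner dimension of `intr_drvname` is the hand-computed `PM8001_NAME_LENGTH+1+3+1`, so the code that formats each name (not shown here) has to agree with that arithmetic; confirm it uses a size-limited formatting call bounded by the element size.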
struct pm8001_ccb_info *ccb_info;
#ifdef PM8001_USE_MSIX
int number_of_intr;/*will be used in remove()*/
char intr_drvname[PM8001_MAX_MSIX_VEC]
[PM8001_NAME_LENGTH+1+3+1];
#endif
#ifdef PM8001_USE_TASKLET
struct tasklet_struct tasklet[PM8001_MAX_MSIX_VEC];
#endif
Reported by FlawFinder.
drivers/staging/rtl8723bs/os_dep/xmit_linux.c
2 issues
Line: 131
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sk_buff *newskb;
struct sta_info *psta = NULL;
u8 chk_alive_num = 0;
char chk_alive_list[NUM_STA];
u8 bc_addr[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
u8 null_addr[6] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
int i;
s32 res;
Reported by FlawFinder.
Line: 167
Column: 4
CWE codes:
120
Suggestion:
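Make sure destination can always hold the source data. The length is the literal 6, so the open questions are whether `newskb->data` always holds at least 6 bytes and whether `psta->hwaddr` is at least 6 bytes long; neither size is visible in the excerpt.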
newskb = rtw_skb_copy(skb);
if (newskb) {
memcpy(newskb->data, psta->hwaddr, 6);
res = rtw_xmit(padapter, &newskb);
if (res < 0) {
pxmitpriv->tx_drop++;
dev_kfree_skb_any(newskb);
}
Reported by FlawFinder.
drivers/slimbus/qcom-ngd-ctrl.c
2 issues
Line: 878
Column: 3
CWE codes:
120
Suggestion:
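Make sure destination can always hold the source data. The length `txn->msg->num_bytes` comes from the message being sent, and the excerpt shows no comparison of it with the space available at `puc`; confirm that an earlier check bounds it. The same call appears in drivers/slimbus/qcom-ctrl.c at line 374.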
}
if (txn->msg && txn->msg->wbuf)
memcpy(puc, txn->msg->wbuf, txn->msg->num_bytes);
mutex_lock(&ctrl->tx_lock);
ret = qcom_slim_ngd_tx_msg_post(ctrl, pbuf, txn->rl);
if (ret) {
mutex_unlock(&ctrl->tx_lock);
Reported by FlawFinder.
Line: 1046
Column: 2
CWE codes:
120
Suggestion:
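Make sure destination can always hold the source data. The copy starts at `&wbuf[1]`, so `wbuf` must be at least `1 + sizeof(*ea)` bytes; its declaration is outside the excerpt.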
return ret;
wbuf[0] = (u8)txn.tid;
memcpy(&wbuf[1], ea, sizeof(*ea));
ret = qcom_slim_ngd_xfer_msg_sync(ctrl, &txn);
if (ret) {
slim_free_txn_tid(ctrl, &txn);
return ret;
Reported by FlawFinder.
drivers/slimbus/qcom-ctrl.c
2 issues
Line: 374
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (txn->msg && txn->msg->wbuf)
memcpy(puc, txn->msg->wbuf, txn->msg->num_bytes);
qcom_slim_queue_tx(ctrl, head, txn->rl, MGR_TX_MSG);
timeout = wait_for_completion_timeout(&done, msecs_to_jiffies(ms));
if (!timeout) {
Reported by FlawFinder.
Line: 430
Column: 2
CWE codes:
120
Suggestion:
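Make sure destination can always hold the source data. One slot of `ctrl->rx.sl_sz` bytes is copied, so the caller's `buf` must be at least that large (not visible here); on the source side, the modulo by `ctrl->rx.n` on the following line keeps `rx.head` within the ring.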
spin_unlock_irqrestore(&ctrl->rx.lock, flags);
return -ENODATA;
}
memcpy(buf, ctrl->rx.base + (ctrl->rx.head * ctrl->rx.sl_sz),
ctrl->rx.sl_sz);
ctrl->rx.head = (ctrl->rx.head + 1) % ctrl->rx.n;
spin_unlock_irqrestore(&ctrl->rx.lock, flags);
Reported by FlawFinder.