The following issues were found
drivers/usb/host/xhci.c
2 issues
Line: 2853
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
virt_dev->tt_info);
}
/* Revert the endpoint back to its old information */
memcpy(&virt_dev->eps[i].bw_info, &ep_bw_info[i],
sizeof(ep_bw_info[i]));
/* Add any changed or dropped endpoints back into the table */
if (EP_IS_DROPPED(ctrl_ctx, i))
xhci_add_ep_to_interval_table(xhci,
&virt_dev->eps[i].bw_info,
Reported by FlawFinder.
Line: 445
Column: 7
CWE codes:
126
}
legacy_irq:
if (!strlen(hcd->irq_descr))
snprintf(hcd->irq_descr, sizeof(hcd->irq_descr), "%s:usb%d",
hcd->driver->description, hcd->self.busnum);
/* fall back to legacy interrupt*/
ret = request_irq(pdev->irq, &usb_hcd_irq, IRQF_SHARED,
Reported by FlawFinder.
drivers/usb/host/xhci-trace.h
2 issues
Line: 35
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
TP_ARGS(vaf),
TP_STRUCT__entry(__dynamic_array(char, msg, XHCI_MSG_MAX)),
TP_fast_assign(
vsnprintf(__get_str(msg), XHCI_MSG_MAX, vaf->fmt, *vaf->va);
),
TP_printk("%s", __get_str(msg))
);
DEFINE_EVENT(xhci_log_msg, xhci_dbg_address,
Reported by FlawFinder.
Line: 100
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->ctx_va = ctx->bytes;
__entry->slot_id = udev->slot_id;
__entry->ctx_ep_num = ep_num;
memcpy(__get_dynamic_array(ctx_data), ctx->bytes,
((HCC_64BYTE_CONTEXT(xhci->hcc_params) + 1) * 32) *
((ctx->type == XHCI_CTX_TYPE_INPUT) + ep_num + 1));
),
TP_printk("ctx_64=%d, ctx_type=%u, ctx_dma=@%llx, ctx_va=@%p",
__entry->ctx_64, __entry->ctx_type,
Reported by FlawFinder.
drivers/usb/host/r8a66597-hcd.c
2 issues
Line: 2399
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int r8a66597_probe(struct platform_device *pdev)
{
char clk_name[8];
struct resource *res = NULL, *ires;
int irq = -1;
void __iomem *reg = NULL;
struct usb_hcd *hcd = NULL;
struct r8a66597 *r8a66597;
Reported by FlawFinder.
Line: 244
Column: 11
CWE codes:
126
static int is_hub_limit(char *devpath)
{
return ((strlen(devpath) >= 4) ? 1 : 0);
}
static void get_port_number(struct r8a66597 *r8a66597,
char *devpath, u16 *root_port, u16 *hub_port)
{
Reported by FlawFinder.
drivers/usb/host/ohci-pxa27x.c
2 issues
Line: 470
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
pxa_ohci->mmio_base = (void __iomem *)hcd->regs;
for (i = 0; i < 3; ++i) {
char name[6];
if (!(inf->flags & (ENABLE_PORT1 << i)))
continue;
sprintf(name, "vbus%u", i + 1);
Reported by FlawFinder.
Line: 475
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!(inf->flags & (ENABLE_PORT1 << i)))
continue;
sprintf(name, "vbus%u", i + 1);
pxa_ohci->vbus[i] = devm_regulator_get(&pdev->dev, name);
}
retval = pxa27x_start_hc(pxa_ohci, &pdev->dev);
if (retval < 0) {
Reported by FlawFinder.
drivers/usb/mtu3/mtu3_gadget_ep0.c
2 issues
Line: 115
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (len & 0x3) {
value = readl(fifo);
memcpy(&dst[index], &value, len & 0x3);
}
}
static void ep0_load_test_packet(struct mtu3 *mtu)
Reported by FlawFinder.
Line: 262
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* prepare a data stage for GET_STATUS */
dev_dbg(mtu->dev, "get_status=%x\n", *(u16 *)result);
memcpy(mtu->setup_buf, result, sizeof(result));
mtu->ep0_req.mep = mtu->ep0;
mtu->ep0_req.request.length = 2;
mtu->ep0_req.request.buf = &mtu->setup_buf;
mtu->ep0_req.request.complete = ep0_dummy_complete;
ret = ep0_queue(mtu->ep0, &mtu->ep0_req);
Reported by FlawFinder.
drivers/usb/host/max3421-hcd.c
2 issues
Line: 1161
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct max3421_hcd *max3421_hcd = hcd_to_max3421(hcd);
struct max3421_ep *max3421_ep;
struct usb_host_endpoint *ep;
char ubuf[512], *dp, *end;
unsigned long flags;
struct urb *urb;
int epnum, ret;
spin_lock_irqsave(&max3421_hcd->lock, flags);
Reported by FlawFinder.
Line: 1263
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef DEBUG
{
static unsigned long last_time;
char sbuf[16 * 16], *dp, *end;
int i;
if (time_after(jiffies, last_time + 5*HZ)) {
dp = sbuf;
end = sbuf + sizeof(sbuf);
Reported by FlawFinder.
drivers/soc/tegra/fuse/fuse.h
2 issues
Line: 21
Column: 8
CWE codes:
120
20
struct tegra_fuse;
struct tegra_fuse_info {
u32 (*read)(struct tegra_fuse *fuse, unsigned int offset);
unsigned int size;
unsigned int spare;
};
struct tegra_fuse_soc {
Reported by FlawFinder.
Line: 46
Column: 8
CWE codes:
120
20
struct clk *clk;
u32 (*read_early)(struct tegra_fuse *fuse, unsigned int offset);
u32 (*read)(struct tegra_fuse *fuse, unsigned int offset);
const struct tegra_fuse_soc *soc;
/* APBDMA on Tegra20 */
struct {
struct mutex lock;
Reported by FlawFinder.
drivers/usb/host/fsl-mph-dr-of.c
2 issues
Line: 20
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct fsl_usb2_dev_data {
char *dr_mode; /* controller mode */
char *drivers[3]; /* drivers to instantiate for this mode */
enum fsl_usb2_operating_modes op_mode; /* operating mode */
};
static struct fsl_usb2_dev_data dr_mode_data[] = {
{
Reported by FlawFinder.
Line: 194
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pdata = &data;
if (match->data)
memcpy(pdata, match->data, sizeof(data));
else
memset(pdata, 0, sizeof(data));
dev_data = get_dr_mode_data(np);
Reported by FlawFinder.
drivers/usb/musb/musb_debugfs.c
2 issues
Line: 169
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *s = file->private_data;
struct musb *musb = s->private;
u8 test;
char buf[24];
memset(buf, 0x00, sizeof(buf));
if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
Reported by FlawFinder.
Line: 268
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct seq_file *s = file->private_data;
struct musb *musb = s->private;
char buf[2];
u8 reg;
memset(buf, 0x00, sizeof(buf));
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
Reported by FlawFinder.
drivers/staging/rtl8192e/rtl8192e/r8192E_cmdpkt.c
2 issues
Line: 47
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto Failed;
}
memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
tcb_desc = (struct cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
tcb_desc->queue_index = TXCMD_QUEUE;
tcb_desc->bCmdOrInit = type;
tcb_desc->bLastIniPkt = bLastIniPkt;
Reported by FlawFinder.
Line: 65
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
seg_ptr = skb_put(skb, frag_length);
memcpy(seg_ptr, data, (u32)frag_length);
if (type == DESC_PACKET_TYPE_INIT &&
(!priv->rtllib->check_nic_enough_desc(dev, TXCMD_QUEUE) ||
(!skb_queue_empty(&priv->rtllib->skb_waitQ[TXCMD_QUEUE])) ||
(priv->rtllib->queue_stop))) {
Reported by FlawFinder.