The following issues were found
drivers/usb/dwc3/gadget.c
2 issues
Line: 3911
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dwc3_writel(dwc->regs, DWC3_GEVNTSIZ(0), reg);
amount = min(count, evt->length - evt->lpos);
memcpy(evt->cache + evt->lpos, evt->buf + evt->lpos, amount);
if (amount < count)
memcpy(evt->cache, evt->buf, count - amount);
dwc3_writel(dwc->regs, DWC3_GEVNTCOUNT(0), count);
Reported by FlawFinder.
Line: 3914
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(evt->cache + evt->lpos, evt->buf + evt->lpos, amount);
if (amount < count)
memcpy(evt->cache, evt->buf, count - amount);
dwc3_writel(dwc->regs, DWC3_GEVNTCOUNT(0), count);
return IRQ_WAKE_THREAD;
}
Reported by FlawFinder.
drivers/usb/serial/oti6858.c
2 issues
Line: 532
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
spin_lock_irqsave(&priv->lock, flags);
memcpy(&priv->status, buf, OTI6858_CTRL_PKT_SIZE);
priv->pending_setup.divisor = buf->divisor;
priv->pending_setup.frame_fmt = buf->frame_fmt;
priv->pending_setup.control = buf->control;
spin_unlock_irqrestore(&priv->lock, flags);
kfree(buf);
Reported by FlawFinder.
Line: 711
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wake_up_interruptible(&port->port.delta_msr_wait);
}
memcpy(&priv->status, xs, OTI6858_CTRL_PKT_SIZE);
}
if (!priv->transient && xs->rx_bytes_avail != 0) {
can_recv = xs->rx_bytes_avail;
priv->flags.read_urb_in_use = 1;
Reported by FlawFinder.
drivers/usb/chipidea/host.c
2 issues
Line: 384
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
length = urb->actual_length;
memcpy(temp->old_xfer_buffer, temp->data, length);
}
urb->transfer_buffer = temp->old_xfer_buffer;
kfree(temp->kmalloc_ptr);
urb->transfer_flags &= ~URB_ALIGNED_TEMP_BUFFER;
Reported by FlawFinder.
Line: 416
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
temp->kmalloc_ptr = kmalloc_ptr;
temp->old_xfer_buffer = urb->transfer_buffer;
if (usb_urb_dir_out(urb))
memcpy(temp->data, urb->transfer_buffer,
urb->transfer_buffer_length);
urb->transfer_buffer = temp->data;
urb->transfer_flags |= URB_ALIGNED_TEMP_BUFFER;
Reported by FlawFinder.
drivers/thermal/intel/int340x_thermal/acpi_thermal_rel.c
2 issues
Line: 224
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ACPI_FAILURE(acpi_get_name(handle, ACPI_SINGLE_NAME, &buffer)))
pr_warn("Failed to get device name from acpi handle\n");
else {
memcpy(name, buffer.pointer, ACPI_NAMESEG_SIZE);
kfree(buffer.pointer);
}
}
static int fill_art(char __user *ubuf)
Reported by FlawFinder.
Line: 253
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
get_single_name(arts[i].source, art_user[i].source_device);
get_single_name(arts[i].target, art_user[i].target_device);
/* copy the rest int data in addition to source and target */
memcpy(&art_user[i].weight, &arts[i].weight,
sizeof(u64) * (ACPI_NR_ART_ELEMENTS - 2));
}
if (copy_to_user(ubuf, art_user, art_len))
ret = -EFAULT;
Reported by FlawFinder.
drivers/usb/gadget/udc/omap_udc.c
2 issues
Line: 2145
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
u16 stat_flg;
struct omap_req *req;
char buf[20];
use_ep(ep, 0);
if (use_dma && ep->has_dma)
snprintf(buf, sizeof buf, "(%cxdma%d lch%d) ",
Reported by FlawFinder.
Line: 2555
Column: 9
CWE codes:
126
BUG_ON(buf > 2048);
/* set up driver data structures */
BUG_ON(strlen(name) >= sizeof ep->name);
strlcpy(ep->name, name, sizeof ep->name);
INIT_LIST_HEAD(&ep->queue);
INIT_LIST_HEAD(&ep->iso);
ep->bEndpointAddress = addr;
ep->bmAttributes = type;
Reported by FlawFinder.
drivers/staging/gdm724x/netlink_k.c
2 issues
Line: 55
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(&ifindex, ND_NLMSG_IFIDX(nlh), ND_IFINDEX_LEN);
msg = ND_NLMSG_DATA(nlh);
mlen = ND_NLMSG_R_LEN(nlh);
dev = dev_get_by_index(&init_net, ifindex);
if (dev) {
Reported by FlawFinder.
Line: 113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
seq++;
nlh = nlmsg_put(skb, 0, seq, type, len, 0);
memcpy(NLMSG_DATA(nlh), msg, len);
NETLINK_CB(skb).portid = 0;
NETLINK_CB(skb).dst_group = 0;
ret = netlink_broadcast(sock, skb, 0, group + 1, GFP_ATOMIC);
if (!ret)
Reported by FlawFinder.
drivers/scsi/qla4xxx/ql4_nx.c
2 issues
Line: 2115
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error_exit;
}
memcpy(data_ptr, rdmem_buffer, size);
data_ptr += size;
read_size += size;
}
DEBUG2(ql4_printk(KERN_INFO, ha, "Leaving fn: %s\n", __func__));
Reported by FlawFinder.
Line: 3210
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
**/
static void qla4_8xxx_uevent_emit(struct scsi_qla_host *ha, u32 code)
{
char event_string[40];
char *envp[] = { event_string, NULL };
switch (code) {
case QL4_UEVENT_CODE_FW_DUMP:
snprintf(event_string, sizeof(event_string), "FW_DUMP=%lu",
Reported by FlawFinder.
drivers/usb/gadget/udc/net2280.c
2 issues
Line: 1556
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_endpoint_descriptor *desc,
struct usb_ss_ep_comp_descriptor *ep_comp)
{
char name[8];
struct usb_ep *ep;
if (usb_endpoint_type(desc) == USB_ENDPOINT_XFER_INT) {
/* ep-e, ep-f are PIO with only 64 byte fifos */
ep = gadget_find_ep_by_name(_gadget, "ep-e");
Reported by FlawFinder.
Line: 1649
Column: 4
CWE codes:
126
struct net2280 *dev = dev_get_drvdata(_dev);
if (!dev->driver || !dev->driver->function ||
strlen(dev->driver->function) > PAGE_SIZE)
return 0;
return scnprintf(buf, PAGE_SIZE, "%s\n", dev->driver->function);
}
static DEVICE_ATTR_RO(function);
Reported by FlawFinder.
drivers/thermal/intel/int340x_thermal/int340x_thermal_zone.c
2 issues
Line: 113
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct int34x_thermal_zone *d = zone->devdata;
acpi_status status;
char name[10];
if (d->override_ops && d->override_ops->set_trip_temp)
return d->override_ops->set_trip_temp(zone, trip, temp);
snprintf(name, sizeof(name), "PAT%d", trip);
Reported by FlawFinder.
Line: 199
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int34x_zone->psv_trip_id = trip_cnt++;
for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) {
char name[5] = { '_', 'A', 'C', '0' + i, '\0' };
if (int340x_thermal_get_trip_config(int34x_zone->adev->handle,
name,
&int34x_zone->act_trips[i].temp))
break;
Reported by FlawFinder.
drivers/thermal/intel/int340x_thermal/processor_thermal_device.c
2 issues
Line: 24
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{ \
struct proc_thermal_device *proc_dev = dev_get_drvdata(dev); \
\
return sprintf(buf, "%lu\n",\
(unsigned long)proc_dev->power_limits[index].suffix * 1000); \
}
POWER_LIMIT_SHOW(0, min_uw)
POWER_LIMIT_SHOW(0, max_uw)
Reported by FlawFinder.
Line: 82
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return err;
val = (val >> 24) & 0x3f;
return sprintf(buf, "%d\n", (int)val);
}
static int tcc_offset_update(unsigned int tcc)
{
u64 val;
Reported by FlawFinder.