The following issues were found
drivers/spi/spi-imx.c
2 issues
Line: 396
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!n_bytes)
n_bytes = sizeof(val);
memcpy(spi_imx->rx_buf,
((u8 *)&val) + sizeof(val) - n_bytes, n_bytes);
spi_imx->rx_buf += n_bytes;
spi_imx->slave_burst -= n_bytes;
}
Reported by FlawFinder.
Line: 415
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
n_bytes = sizeof(val);
if (spi_imx->tx_buf) {
memcpy(((u8 *)&val) + sizeof(val) - n_bytes,
spi_imx->tx_buf, n_bytes);
val = cpu_to_be32(val);
spi_imx->tx_buf += n_bytes;
}
Reported by FlawFinder.
drivers/ssb/sprom.c
2 issues
Line: 39
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int hex2sprom(u16 *sprom, const char *dump, size_t len,
size_t sprom_size_words)
{
char c, tmp[5] = { 0 };
int err, cnt = 0;
unsigned long parsed;
/* Strip whitespace at the end. */
while (len) {
Reported by FlawFinder.
Line: 55
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
while (cnt < sprom_size_words) {
memcpy(tmp, dump, 4);
dump += 4;
err = kstrtoul(tmp, 16, &parsed);
if (err)
return err;
sprom[cnt++] = swab16((u16)parsed);
Reported by FlawFinder.
drivers/usb/gadget/udc/gr_udc.c
2 issues
Line: 829
CWE codes:
476
int i;
for (i = 0; i < length; i++)
reqbuf[i] = buf[i];
dev->ep0reqi->req.length = length;
dev->ep0reqi->req.complete = complete;
status = gr_queue_int(&dev->epi[0], dev->ep0reqi, GFP_ATOMIC);
if (status < 0)
Reported by Cppcheck.
Line: 311
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
char *buftail = ((char *)req->req.buf + req->evenlen);
memcpy(buftail, ep->tailbuf, req->oddlen);
if (req->req.actual > req->req.length) {
/* We got more data than was requested */
dev_dbg(ep->dev->dev, "Overflow for ep %s\n",
ep->ep.name);
Reported by FlawFinder.
drivers/staging/gdm724x/gdm_tty.c
2 issues
Line: 36
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct gdm *gdm_table[TTY_MAX_COUNT][GDM_TTY_MINOR];
static DEFINE_MUTEX(gdm_table_lock);
static const char *DRIVER_STRING[TTY_MAX_COUNT] = {"GCTATC", "GCTDM"};
static char *DEVICE_STRING[TTY_MAX_COUNT] = {"GCT-ATC", "GCT-DM"};
static void gdm_port_destruct(struct tty_port *port)
{
struct gdm *gdm = container_of(port, struct gdm, port);
Reported by FlawFinder.
Line: 37
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static DEFINE_MUTEX(gdm_table_lock);
static const char *DRIVER_STRING[TTY_MAX_COUNT] = {"GCTATC", "GCTDM"};
static char *DEVICE_STRING[TTY_MAX_COUNT] = {"GCT-ATC", "GCT-DM"};
static void gdm_port_destruct(struct tty_port *port)
{
struct gdm *gdm = container_of(port, struct gdm, port);
Reported by FlawFinder.
drivers/scsi/qla4xxx/ql4_def.h
2 issues
Line: 330
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ql4_tuple_ddb {
int port;
int tpgt;
char ip_addr[DDB_IPADDR_LEN];
char iscsi_name[ISCSI_NAME_SIZE];
uint16_t options;
#define DDB_OPT_IPV6 0x0e0e
#define DDB_OPT_IPV4 0x0f0f
uint8_t isid[6];
Reported by FlawFinder.
Line: 331
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int port;
int tpgt;
char ip_addr[DDB_IPADDR_LEN];
char iscsi_name[ISCSI_NAME_SIZE];
uint16_t options;
#define DDB_OPT_IPV6 0x0e0e
#define DDB_OPT_IPV4 0x0f0f
uint8_t isid[6];
};
Reported by FlawFinder.
drivers/video/fbdev/matrox/matroxfb_Ti3026.c
2 issues
Line: 376
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DBG(__func__)
memcpy(hw->DACreg, MGADACbpp32, sizeof(MGADACbpp32));
switch (minfo->fbcon.var.bits_per_pixel) {
case 4: hw->DACreg[POS3026_XLATCHCTRL] = TVP3026_XLATCHCTRL_16_1; /* or _8_1, they are same */
hw->DACreg[POS3026_XTRUECOLORCTRL] = TVP3026_XTRUECOLORCTRL_PSEUDOCOLOR;
hw->DACreg[POS3026_XMUXCTRL] = muxctrl | TVP3026_XMUXCTRL_PIXEL_4BIT;
hw->DACreg[POS3026_XCLKCTRL] = TVP3026_XCLKCTRL_SRC_PLL | TVP3026_XCLKCTRL_DIV8;
Reported by FlawFinder.
Line: 561
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void Ti3026_restore(struct matrox_fb_info *minfo)
{
int i;
unsigned char progdac[6];
struct matrox_hw_state *hw = &minfo->hw;
CRITFLAGS
DBG(__func__)
Reported by FlawFinder.
drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
2 issues
Line: 2124
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!pEEPROM->EepromOrEfuse) {
/* Read EFUSE real map to shadow. */
EFUSE_ShadowMapUpdate(padapter, EFUSE_WIFI, false);
memcpy((void *)PROMContent, (void *)pEEPROM->efuse_eeprom_data, HWSET_MAX_SIZE_8723B);
}
} else {/* autoload fail */
if (!pEEPROM->EepromOrEfuse)
EFUSE_ShadowMapUpdate(padapter, EFUSE_WIFI, false);
memcpy((void *)PROMContent, (void *)pEEPROM->efuse_eeprom_data, HWSET_MAX_SIZE_8723B);
Reported by FlawFinder.
Line: 2129
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {/* autoload fail */
if (!pEEPROM->EepromOrEfuse)
EFUSE_ShadowMapUpdate(padapter, EFUSE_WIFI, false);
memcpy((void *)PROMContent, (void *)pEEPROM->efuse_eeprom_data, HWSET_MAX_SIZE_8723B);
}
}
void Hal_EfuseParseIDCode(struct adapter *padapter, u8 *hwinfo)
{
Reported by FlawFinder.
drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
2 issues
Line: 169
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!tmp)
return;
memcpy(tmp, pbuf, length);
res = rtw_c2h_packet_wk_cmd(padapter, tmp, length);
if (!res)
kfree(tmp);
Reported by FlawFinder.
Line: 308
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
precvframe->u.hdr.pkt = pkt_copy;
skb_reserve(pkt_copy, 8 - ((SIZE_PTR)(pkt_copy->data) & 7));/* force pkt_copy->data at 8-byte alignment address */
skb_reserve(pkt_copy, shift_sz);/* force ip_hdr at 8-byte alignment address according to shift_sz. */
memcpy(pkt_copy->data, (ptr + rx_report_sz + pattrib->shift_sz), skb_len);
precvframe->u.hdr.rx_head = pkt_copy->head;
precvframe->u.hdr.rx_data = precvframe->u.hdr.rx_tail = pkt_copy->data;
precvframe->u.hdr.rx_end = skb_end_pointer(pkt_copy);
recvframe_put(precvframe, skb_len);
Reported by FlawFinder.
drivers/tty/serial/ucc_uart.c
2 issues
Line: 1206
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (qe_fw_info && strstr(qe_fw_info->id, "Soft-UART")) {
firmware_loaded = 1;
} else {
char filename[32];
unsigned int soc;
unsigned int rev_h;
unsigned int rev_l;
soc = soc_info(&rev_h, &rev_l);
Reported by FlawFinder.
Line: 1216
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_err(&ofdev->dev, "unknown CPU model\n");
return -ENXIO;
}
sprintf(filename, "fsl_qe_ucode_uart_%u_%u%u.bin",
soc, rev_h, rev_l);
dev_info(&ofdev->dev, "waiting for firmware %s\n",
filename);
Reported by FlawFinder.
drivers/spi/atmel-quadspi.c
2 issues
Line: 230
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 value = readl_relaxed(aq->regs + offset);
#ifdef VERBOSE_DEBUG
char tmp[8];
dev_vdbg(&aq->pdev->dev, "read 0x%08x from %s\n", value,
atmel_qspi_reg_name(offset, tmp, sizeof(tmp)));
#endif /* VERBOSE_DEBUG */
Reported by FlawFinder.
Line: 242
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void atmel_qspi_write(u32 value, struct atmel_qspi *aq, u32 offset)
{
#ifdef VERBOSE_DEBUG
char tmp[8];
dev_vdbg(&aq->pdev->dev, "write 0x%08x into %s\n", value,
atmel_qspi_reg_name(offset, tmp, sizeof(tmp)));
#endif /* VERBOSE_DEBUG */
Reported by FlawFinder.