The following issues were found
drivers/pinctrl/pinctrl-st.c
2 issues
Line: 125
* +----------------+
*/
#define ST_PINCONF_UNPACK(conf, param)\
((conf >> ST_PINCONF_ ##param ##_SHIFT) \
& ST_PINCONF_ ##param ##_MASK)
#define ST_PINCONF_PACK(conf, val, param) (conf |=\
((val & ST_PINCONF_ ##param ##_MASK) << \
Reported by Cppcheck.
Line: 1003
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long config;
unsigned int function;
int offset = st_gpio_pin(pin_id);
char f[16];
int oe;
mutex_unlock(&pctldev->mutex);
pc = st_get_pio_control(pctldev, pin_id);
st_pinconf_get(pctldev, pin_id, &config);
Reported by FlawFinder.
drivers/pinctrl/renesas/core.c
2 issues
Line: 131
CWE codes:
476
static int sh_pfc_enum_in_range(u16 enum_id, const struct pinmux_range *r)
{
if (enum_id < r->begin)
return 0;
if (enum_id > r->end)
return 0;
Reported by Cppcheck.
Line: 131
CWE codes:
476
static int sh_pfc_enum_in_range(u16 enum_id, const struct pinmux_range *r)
{
if (enum_id < r->begin)
return 0;
if (enum_id > r->end)
return 0;
Reported by Cppcheck.
drivers/platform/chrome/cros_ec_debugfs.c
2 issues
Line: 198
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count,
loff_t *ppos)
{
char read_buf[EC_USB_PD_MAX_PORTS * 40], *p = read_buf;
struct cros_ec_debugfs *debug_info = file->private_data;
struct cros_ec_device *ec_dev = debug_info->ec->ec_dev;
struct {
struct cros_ec_command msg;
union {
Reported by FlawFinder.
Line: 274
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ec_response_uptime_info resp;
} __packed msg = {};
struct ec_response_uptime_info *resp;
char read_buf[32];
int ret;
resp = (struct ec_response_uptime_info *)&msg.resp;
msg.cmd.command = EC_CMD_GET_UPTIME_INFO;
Reported by FlawFinder.
drivers/platform/chrome/cros_ec_rpmsg.c
2 issues
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* copy response packet payload and compute checksum */
memcpy(ec_msg->data, ec_dev->din + sizeof(*response),
response->data_len);
sum = 0;
for (i = 0; i < sizeof(*response) + response->data_len; i++)
sum += ec_dev->din[i];
Reported by FlawFinder.
Line: 178
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = ec_dev->din_size;
}
memcpy(ec_dev->din, resp->data, len);
complete(&ec_rpmsg->xfer_ack);
} else if (resp->type == HOST_EVENT_MARK) {
/*
* If the host event is sent before cros_ec_register is
* finished, queue the host event.
Reported by FlawFinder.
drivers/platform/chrome/cros_ec_sensorhub_ring.c
2 issues
Line: 777
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cros_ec_cmd_xfer_status(ec->ec_dev, sensorhub->msg) < 0)
goto error;
memcpy(fifo_info, &sensorhub->resp->fifo_info,
fifo_info_length);
/*
* Update collection time, will not be as precise as the
* non-error case.
Reported by FlawFinder.
Line: 920
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (queued_during_suspend)
return NOTIFY_OK;
memcpy(sensorhub->fifo_info, &ec_dev->event_data.data.sensor_fifo.info,
sizeof(*sensorhub->fifo_info));
sensorhub->fifo_timestamp[CROS_EC_SENSOR_NEW_TS] =
ec_dev->last_event_time;
cros_ec_sensorhub_ring_handler(sensorhub);
Reported by FlawFinder.
drivers/platform/chrome/cros_ec_typec.c
2 issues
Line: 403
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->insize = insize;
if (outsize)
memcpy(msg->data, outdata, outsize);
ret = cros_ec_cmd_xfer_status(typec->ec, msg);
if (ret >= 0 && insize)
memcpy(indata, msg->data, insize);
Reported by FlawFinder.
Line: 407
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = cros_ec_cmd_xfer_status(typec->ec, msg);
if (ret >= 0 && insize)
memcpy(indata, msg->data, insize);
kfree(msg);
return ret;
}
Reported by FlawFinder.
drivers/platform/chrome/cros_ec_vbc.c
2 issues
Line: 50
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
}
memcpy(buf, msg->data, resp_sz);
kfree(msg);
return resp_sz;
}
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
params = (struct ec_params_vbnvcontext *)msg->data;
params->op = EC_VBNV_CONTEXT_OP_WRITE;
memcpy(params->block, buf, data_sz);
msg->version = EC_VER_VBNV_CONTEXT;
msg->command = EC_CMD_VBNV_CONTEXT;
msg->outsize = para_sz;
msg->insize = 0;
Reported by FlawFinder.
drivers/platform/chrome/cros_usbpd_logger.c
2 issues
Line: 56
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
int i;
va_start(args, fmt);
i = vsnprintf(buf + pos, BUF_SIZE - pos, fmt, args);
va_end(args);
return i;
}
Reported by FlawFinder.
Line: 87
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_chg_measures *meas;
struct mcdp_info *minfo;
int role_idx, type_idx;
char buf[BUF_SIZE + 1];
struct rtc_time rt;
int len = 0;
s32 rem;
int i;
Reported by FlawFinder.
drivers/platform/chrome/wilco_ec/debugfs.c
2 issues
Line: 55
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int word_len;
/* Temp buffer for holding a "word" of chars that represents one byte */
#define MAX_WORD_SIZE 16
char tmp[MAX_WORD_SIZE + 1];
u8 byte;
while (word_start < isize && n_parsed < osize) {
/* Find the start of the next word */
while (word_start < isize && isspace(in[word_start]))
Reported by FlawFinder.
Line: 75
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
word_len = word_end - word_start;
if (word_len > MAX_WORD_SIZE)
return -EINVAL;
memcpy(tmp, in + word_start, word_len);
tmp[word_len] = '\0';
/*
* Convert from hex string, place in output. If fails to parse,
* just return -EINVAL because specific error code is only
Reported by FlawFinder.
drivers/platform/mellanox/mlxreg-io.c
2 issues
Line: 124
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
goto access_error;
return sprintf(buf, "%u\n", regval);
access_error:
return ret;
}
Reported by FlawFinder.
Line: 183
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < priv->pdata->counter; i++) {
priv->mlxreg_io_attr[i] =
&priv->mlxreg_io_dev_attr[i].dev_attr.attr;
memcpy(&priv->mlxreg_io_dev_attr[i].dev_attr,
&mlxreg_io_devattr_rw, sizeof(struct device_attribute));
/* Set attribute name as a label. */
priv->mlxreg_io_attr[i]->name =
devm_kasprintf(&priv->pdev->dev, GFP_KERNEL,
Reported by FlawFinder.