Line: 953 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	for (count = 0 ; count < nblocks; count++) {
		size = (remaining > blksize) ? blksize : remaining;

		memcpy(data, curr, size);
		qtnf_non_posted_write(paddr + offset, &bda->bda_img);
		qtnf_non_posted_write(size, &bda->bda_img_size);

		pr_debug("chunk[%u] VA[0x%p] PA[%pad] sz[%u]\n",
			 count, (void *)curr, &paddr, size);

            

Line: 134 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              int qtnf_pcie_fw_boot_done(struct qtnf_bus *bus)
{
	struct qtnf_pcie_bus_priv *priv = get_bus_priv(bus);
	char card_id[64];
	int ret;

	bus->fw_state = QTNF_FW_STATE_BOOT_DONE;
	ret = qtnf_core_attach(bus);
	if (ret) {

            

Line: 628 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	ch->ccw[2].flags = CCW_FLAG_SLI;
	ch->ccw[2].count = 0;
	ch->ccw[2].cda = 0;
	memcpy(&ch->ccw[3], &ch->ccw[0], sizeof(struct ccw1) * 3);
	ch->ccw[4].cda = 0;
	ch->ccw[4].flags &= ~CCW_FLAG_IDA;

	fsm_newstate(fi, CTC_STATE_STARTWAIT);
	fsm_addtimer(&ch->timer, 1000, CTC_EVENT_TIMER, ch);

            

Line: 78 Column: 7 CWE codes: 126

              
		for (i = 0; i < ARRAY_SIZE(words); i++) {
			if (!strncasecmp(words[i].str, buf+offset,
					 strlen(words[i].str))) {
				if (words[i].flags) {
					param->flags |= words[i].flags;
				} else {
					param->cmd = words[i].cmd;
					got_cmd = 1;

            

Line: 133 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

               */
struct channel {
	struct channel *next;
	char id[CTCM_ID_SIZE];
	struct ccw_device *cdev;
	/*
	 * Type of this channel.
	 * CTC/A or Escon for valid channels.
	 */

            

Line: 505 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              		sum += ptr[i];

	/* copy response packet payload and compute checksum */
	memcpy(ec_msg->data, ptr + sizeof(*response), len);
	for (i = 0; i < len; i++)
		sum += ec_msg->data[i];

	if (sum) {
		dev_err(ec_dev->dev,

            

Line: 119 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	u32 fw_ver;
	u8 total_tx_chain;
	u8 total_rx_chain;
	char fw_version[ETHTOOL_FWVERS_LEN];
	u32 hw_version;
	u8 hw_capab[QLINK_HW_CAPAB_NUM / BITS_PER_BYTE + 1];
};

struct qtnf_vif *qtnf_mac_get_free_vif(struct qtnf_wmac *mac);

            

Line: 79 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              		csum += out[i];

	/* Copy data and update checksum */
	memcpy(out + sizeof(*request), msg->data, msg->outsize);
	for (i = 0; i < msg->outsize; i++)
		csum += msg->data[i];

	request->checksum = -csum;


            

Line: 67 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              typedef struct fsm_instance_t {
	fsm *f;
	atomic_t state;
	char name[16];
	void *userdata;
	int userint;
	wait_queue_head_t wait_q;
#if FSM_DEBUG_HISTORY
	int         history_index;

            

Line: 461 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	param->cmd = LIGHTBAR_CMD_SET_PROGRAM;

	param->set_program.size = count;
	memcpy(param->set_program.data, buf, count);

	/*
	 * We need to set the message size manually or else it will use
	 * EC_LB_PROG_LEN. This might be too long, and the program
	 * is unlikely to use all of the space.