The following issues were found
drivers/misc/lkdtm/bugs.c
10 issues
Line: 93
CWE codes:
476
void lkdtm_EXCEPTION(void)
{
*((volatile int *) 0) = 0;
}
void lkdtm_LOOP(void)
{
for (;;)
Reported by Cppcheck.
Line: 265
CWE codes:
788
pr_info("Array access beyond bounds ...\n");
for (i = 0; i < sizeof(checked->data) + 1; i++)
checked->data[i] = 'B';
kfree(not_checked);
kfree(checked);
pr_err("FAIL: survived array bounds overflow!\n");
}
Reported by Cppcheck.
Line: 551
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
* compiler knows at build time that target.a < 20 bytes. Use strcpy()
* to force a runtime error.
*/
strcpy(target.a, src);
/* Use target.a to prevent the code from being eliminated */
pr_err("FAIL: fortify did not catch an sub-object overrun!\n"
"\"%s\" was copied.\n", target.a);
Reported by FlawFinder.
Line: 49
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* */
static int noinline recursive_loop(int remaining)
{
volatile char buf[REC_STACK_SIZE];
memset((void *)buf, remaining & 0xFF, sizeof(buf));
pr_info("loop %d/%d ...\n", (int)buf[remaining % sizeof(buf)],
recur_count);
if (!remaining)
Reported by FlawFinder.
Line: 119
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
noinline void lkdtm_CORRUPT_STACK(void)
{
/* Use default char array length that triggers stack protection. */
char data[8] __aligned(sizeof(void *));
pr_info("Corrupting stack containing char array ...\n");
__lkdtm_CORRUPT_STACK((void *)&data);
}
Reported by FlawFinder.
Line: 233
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct array_bounds_flex_array {
int one;
int two;
char data[1];
};
struct array_bounds {
int one;
int two;
Reported by FlawFinder.
Line: 239
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct array_bounds {
int one;
int two;
char data[8];
int three;
};
void lkdtm_ARRAY_BOUNDS(void)
{
Reported by FlawFinder.
Line: 513
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void lkdtm_FORTIFY_OBJECT(void)
{
struct target {
char a[10];
} target[2] = {};
int result;
/*
* Using volatile prevents the compiler from determining the value of
Reported by FlawFinder.
Line: 536
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void lkdtm_FORTIFY_SUBOBJECT(void)
{
struct target {
char a[10];
char b[10];
} target;
char *src;
src = kmalloc(20, GFP_KERNEL);
Reported by FlawFinder.
Line: 537
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct target {
char a[10];
char b[10];
} target;
char *src;
src = kmalloc(20, GFP_KERNEL);
strscpy(src, "over ten bytes", 20);
Reported by FlawFinder.
drivers/net/ethernet/brocade/bna/bfa_ioc.c
10 issues
Line: 2278
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tlen > ioc->dbg_fwsave_len)
tlen = ioc->dbg_fwsave_len;
memcpy(trcdata, ioc->dbg_fwsave, tlen);
*trclen = tlen;
return BFA_STATUS_OK;
}
static void
Reported by FlawFinder.
Line: 2762
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bfa_ioc_get_adapter_fw_ver(ioc, ad_attr->fw_ver);
bfa_ioc_get_adapter_optrom_ver(ioc, ad_attr->optrom_ver);
bfa_ioc_get_adapter_manufacturer(ioc, ad_attr->manufacturer);
memcpy(&ad_attr->vpd, &ioc_attr->vpd,
sizeof(struct bfa_mfg_vpd));
ad_attr->nports = bfa_ioc_get_nports(ioc);
ad_attr->max_speed = bfa_ioc_speed_sup(ioc);
Reported by FlawFinder.
Line: 2806
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void
bfa_ioc_get_adapter_serial_num(struct bfa_ioc *ioc, char *serial_num)
{
memcpy(serial_num,
(void *)ioc->attr->brcd_serialnum,
BFA_ADAPTER_SERIAL_NUM_LEN);
}
static void
Reported by FlawFinder.
Line: 2814
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void
bfa_ioc_get_adapter_fw_ver(struct bfa_ioc *ioc, char *fw_ver)
{
memcpy(fw_ver, ioc->attr->fw_version, BFA_VERSION_LEN);
}
static void
bfa_ioc_get_pci_chip_rev(struct bfa_ioc *ioc, char *chip_rev)
{
Reported by FlawFinder.
Line: 2835
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void
bfa_ioc_get_adapter_optrom_ver(struct bfa_ioc *ioc, char *optrom_ver)
{
memcpy(optrom_ver, ioc->attr->optrom_version,
BFA_VERSION_LEN);
}
static void
bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer)
Reported by FlawFinder.
Line: 3082
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bfi_h2i_set(msg->mh, BFI_MC_FLASH, BFI_FLASH_H2I_WRITE_REQ,
bfa_ioc_portid(flash->ioc));
bfa_alen_set(&msg->alen, len, flash->dbuf_pa);
memcpy(flash->dbuf_kva, flash->ubuf + flash->offset, len);
bfa_nw_ioc_mbox_queue(flash->ioc, &flash->mb, NULL, NULL);
flash->residue -= len;
flash->offset += len;
}
Reported by FlawFinder.
Line: 3183
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bfa_flash_cb(flash);
} else {
u32 len = be32_to_cpu(m.read->length);
memcpy(flash->ubuf + flash->offset,
flash->dbuf_kva, len);
flash->residue -= len;
flash->offset += len;
if (flash->residue == 0) {
flash->status = status;
Reported by FlawFinder.
Line: 171
Column: 31
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
bfa_fsm_state_decl(bfa_iocpf, reset, struct bfa_iocpf, enum iocpf_event);
bfa_fsm_state_decl(bfa_iocpf, fwcheck, struct bfa_iocpf, enum iocpf_event);
bfa_fsm_state_decl(bfa_iocpf, mismatch, struct bfa_iocpf, enum iocpf_event);
bfa_fsm_state_decl(bfa_iocpf, semwait, struct bfa_iocpf, enum iocpf_event);
bfa_fsm_state_decl(bfa_iocpf, hwinit, struct bfa_iocpf, enum iocpf_event);
bfa_fsm_state_decl(bfa_iocpf, enabling, struct bfa_iocpf, enum iocpf_event);
bfa_fsm_state_decl(bfa_iocpf, ready, struct bfa_iocpf, enum iocpf_event);
bfa_fsm_state_decl(bfa_iocpf, initfail_sync, struct bfa_iocpf,
Reported by FlawFinder.
Line: 2842
Column: 2
CWE codes:
120
static void
bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer)
{
strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
}
static void
bfa_ioc_get_adapter_model(struct bfa_ioc *ioc, char *model)
{
Reported by FlawFinder.
drivers/media/i2c/ov5647.c
10 issues
Line: 585
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ov5647_write16(struct v4l2_subdev *sd, u16 reg, u16 val)
{
unsigned char data[4] = { reg >> 8, reg & 0xff, val >> 8, val & 0xff};
struct i2c_client *client = v4l2_get_subdevdata(sd);
int ret;
ret = i2c_master_send(client, data, 4);
if (ret < 0) {
Reported by FlawFinder.
Line: 601
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ov5647_write(struct v4l2_subdev *sd, u16 reg, u8 val)
{
unsigned char data[3] = { reg >> 8, reg & 0xff, val};
struct i2c_client *client = v4l2_get_subdevdata(sd);
int ret;
ret = i2c_master_send(client, data, 3);
if (ret < 0) {
Reported by FlawFinder.
Line: 617
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ov5647_read(struct v4l2_subdev *sd, u16 reg, u8 *val)
{
unsigned char data_w[2] = { reg >> 8, reg & 0xff };
struct i2c_client *client = v4l2_get_subdevdata(sd);
int ret;
ret = i2c_master_send(client, data_w, 2);
if (ret < 0) {
Reported by FlawFinder.
Line: 1078
Column: 5
CWE codes:
120
20
static int ov5647_detect(struct v4l2_subdev *sd)
{
struct i2c_client *client = v4l2_get_subdevdata(sd);
u8 read;
int ret;
ret = ov5647_write(sd, OV5647_SW_RESET, 0x01);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 1085
Column: 46
CWE codes:
120
20
if (ret < 0)
return ret;
ret = ov5647_read(sd, OV5647_REG_CHIPID_H, &read);
if (ret < 0)
return ret;
if (read != 0x56) {
dev_err(&client->dev, "ID High expected 0x56 got %x", read);
Reported by FlawFinder.
Line: 1089
Column: 6
CWE codes:
120
20
if (ret < 0)
return ret;
if (read != 0x56) {
dev_err(&client->dev, "ID High expected 0x56 got %x", read);
return -ENODEV;
}
ret = ov5647_read(sd, OV5647_REG_CHIPID_L, &read);
Reported by FlawFinder.
Line: 1090
Column: 57
CWE codes:
120
20
return ret;
if (read != 0x56) {
dev_err(&client->dev, "ID High expected 0x56 got %x", read);
return -ENODEV;
}
ret = ov5647_read(sd, OV5647_REG_CHIPID_L, &read);
if (ret < 0)
Reported by FlawFinder.
Line: 1094
Column: 46
CWE codes:
120
20
return -ENODEV;
}
ret = ov5647_read(sd, OV5647_REG_CHIPID_L, &read);
if (ret < 0)
return ret;
if (read != 0x47) {
dev_err(&client->dev, "ID Low expected 0x47 got %x", read);
Reported by FlawFinder.
Line: 1098
Column: 6
CWE codes:
120
20
if (ret < 0)
return ret;
if (read != 0x47) {
dev_err(&client->dev, "ID Low expected 0x47 got %x", read);
return -ENODEV;
}
return ov5647_write(sd, OV5647_SW_RESET, 0x00);
Reported by FlawFinder.
Line: 1099
Column: 56
CWE codes:
120
20
return ret;
if (read != 0x47) {
dev_err(&client->dev, "ID Low expected 0x47 got %x", read);
return -ENODEV;
}
return ov5647_write(sd, OV5647_SW_RESET, 0x00);
}
Reported by FlawFinder.
drivers/media/tuners/mt20xx.c
10 issues
Line: 186
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct microtune_priv *priv = fe->tuner_priv;
int try,lock=0;
unsigned char buf[2];
for(try=0;try<10;try++) {
buf[0]=0x0e;
tuner_i2c_xfer_send(&priv->i2c_props,buf,1);
tuner_i2c_xfer_recv(&priv->i2c_props,buf,1);
Reported by FlawFinder.
Line: 207
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mt2032_optimize_vco(struct dvb_frontend *fe,int sel,int lock)
{
struct microtune_priv *priv = fe->tuner_priv;
unsigned char buf[2];
int tad1;
buf[0]=0x0f;
tuner_i2c_xfer_send(&priv->i2c_props,buf,1);
tuner_i2c_xfer_recv(&priv->i2c_props,buf,1);
Reported by FlawFinder.
Line: 245
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int if1, unsigned int if2,
unsigned int from, unsigned int to)
{
unsigned char buf[21];
int lint_try,ret,sel,lock=0;
struct microtune_priv *priv = fe->tuner_priv;
tuner_dbg("mt2032_set_if_freq rfin=%d if1=%d if2=%d from=%d to=%d\n",
rfin,if1,if2,from,to);
Reported by FlawFinder.
Line: 375
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mt2032_init(struct dvb_frontend *fe)
{
struct microtune_priv *priv = fe->tuner_priv;
unsigned char buf[21];
int ret,xogc,xok=0;
// Initialize Registers per spec.
buf[1]=2; // Index to register 2
buf[2]=0xff;
Reported by FlawFinder.
Line: 423
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} while (xok != 1 );
priv->xogc=xogc;
memcpy(&fe->ops.tuner_ops, &mt2032_tuner_ops, sizeof(struct dvb_tuner_ops));
return(1);
}
static void mt2050_set_antenna(struct dvb_frontend *fe, unsigned char antenna)
Reported by FlawFinder.
Line: 431
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void mt2050_set_antenna(struct dvb_frontend *fe, unsigned char antenna)
{
struct microtune_priv *priv = fe->tuner_priv;
unsigned char buf[2];
buf[0] = 6;
buf[1] = antenna ? 0x11 : 0x10;
tuner_i2c_xfer_send(&priv->i2c_props, buf, 2);
tuner_dbg("mt2050: enabled antenna connector %d\n", antenna);
Reported by FlawFinder.
Line: 445
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int if1=1218*1000*1000;
unsigned int f_lo1,f_lo2,lo1,lo2,f_lo1_modulo,f_lo2_modulo,num1,num2,div1a,div1b,div2a,div2b;
int ret;
unsigned char buf[6];
tuner_dbg("mt2050_set_if_freq freq=%d if1=%d if2=%d\n",
freq,if1,if2);
f_lo1=freq+if1;
Reported by FlawFinder.
Line: 569
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mt2050_init(struct dvb_frontend *fe)
{
struct microtune_priv *priv = fe->tuner_priv;
unsigned char buf[2];
buf[0] = 6;
buf[1] = 0x10;
tuner_i2c_xfer_send(&priv->i2c_props, buf, 2); /* power */
Reported by FlawFinder.
Line: 585
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tuner_dbg("mt2050: sro is %x\n", buf[0]);
memcpy(&fe->ops.tuner_ops, &mt2050_tuner_ops, sizeof(struct dvb_tuner_ops));
return 0;
}
struct dvb_frontend *microtune_attach(struct dvb_frontend *fe,
Reported by FlawFinder.
Line: 596
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct microtune_priv *priv = NULL;
char *name;
unsigned char buf[21];
int company_code;
priv = kzalloc(sizeof(struct microtune_priv), GFP_KERNEL);
if (priv == NULL)
return NULL;
Reported by FlawFinder.
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
10 issues
Line: 103
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
from_fp->napi = to_fp->napi;
/* Move bnx2x_fastpath contents */
memcpy(to_fp, from_fp, sizeof(*to_fp));
to_fp->index = to;
/* Retain the tpa_info of the original `to' version as we don't want
* 2 FPs to contain the same tpa_info pointer.
*/
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
to_fp->tpa_info = old_tpa_info;
/* move sp_objs contents as well, as their indices match fp ones */
memcpy(to_sp_objs, from_sp_objs, sizeof(*to_sp_objs));
/* move fp_stats contents as well, as their indices match fp ones */
memcpy(to_fp_stats, from_fp_stats, sizeof(*to_fp_stats));
/* Update txdata pointers in fp and move txdata content accordingly:
Reported by FlawFinder.
Line: 115
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(to_sp_objs, from_sp_objs, sizeof(*to_sp_objs));
/* move fp_stats contents as well, as their indices match fp ones */
memcpy(to_fp_stats, from_fp_stats, sizeof(*to_fp_stats));
/* Update txdata pointers in fp and move txdata content accordingly:
* Each fp consumes 'max_cos' txdata structures, so the index should be
* decremented by max_cos x delta.
*/
Reported by FlawFinder.
Line: 130
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_txdata_index = new_max_eth_txqs + FCOE_TXQ_IDX_OFFSET;
}
memcpy(&bp->bnx2x_txq[new_txdata_index],
&bp->bnx2x_txq[old_txdata_index],
sizeof(struct bnx2x_fp_txdata));
to_fp->txdata_ptr[0] = &bp->bnx2x_txq[new_txdata_index];
}
Reported by FlawFinder.
Line: 182
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct bnx2x_fastpath *fp = &bp->fp[i];
int new_idx = cos * (old_eth_num - delta) + i;
memcpy(&bp->bnx2x_txq[new_idx], fp->txdata_ptr[cos],
sizeof(struct bnx2x_fp_txdata));
fp->txdata_ptr[cos] = &bp->bnx2x_txq[new_idx];
}
}
}
Reported by FlawFinder.
Line: 1040
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bnx2x_fp_qstats(bp, fp)->rx_skb_alloc_failed++;
goto reuse_rx;
}
memcpy(skb->data, data + pad, len);
bnx2x_reuse_rx_data(fp, bd_cons, bd_prod);
} else {
if (likely(bnx2x_alloc_rx_data(bp, fp, bd_prod,
GFP_ATOMIC) == 0)) {
dma_unmap_single(&bp->pdev->dev,
Reported by FlawFinder.
Line: 1292
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* We are going to report a new link parameters now -
* remember the current data for the next time.
*/
memcpy(&bp->last_reported_link, &cur_data, sizeof(cur_data));
/* propagate status to VFs */
if (IS_PF(bp))
bnx2x_iov_link_update(bp);
Reported by FlawFinder.
Line: 4339
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return rc;
}
memcpy(dev->dev_addr, addr->sa_data, dev->addr_len);
if (netif_running(dev))
rc = bnx2x_set_eth_mac(bp, true);
if (IS_PF(bp) && SHMEM2_HAS(bp, curr_cfg))
Reported by FlawFinder.
Line: 153
Column: 18
CWE codes:
126
bnx2x_get_ext_phy_fw_version(&bp->link_params,
phy_fw_ver, PHY_FW_VER_LEN);
strlcpy(buf, bp->fw_ver, buf_len);
snprintf(buf + strlen(bp->fw_ver), 32 - strlen(bp->fw_ver),
"bc %d.%d.%d%s%s",
(bp->common.bc_ver & 0xff0000) >> 16,
(bp->common.bc_ver & 0xff00) >> 8,
(bp->common.bc_ver & 0xff),
((phy_fw_ver[0] != '\0') ? " phy " : ""), phy_fw_ver);
Reported by FlawFinder.
Line: 153
Column: 43
CWE codes:
126
bnx2x_get_ext_phy_fw_version(&bp->link_params,
phy_fw_ver, PHY_FW_VER_LEN);
strlcpy(buf, bp->fw_ver, buf_len);
snprintf(buf + strlen(bp->fw_ver), 32 - strlen(bp->fw_ver),
"bc %d.%d.%d%s%s",
(bp->common.bc_ver & 0xff0000) >> 16,
(bp->common.bc_ver & 0xff00) >> 8,
(bp->common.bc_ver & 0xff),
((phy_fw_ver[0] != '\0') ? " phy " : ""), phy_fw_ver);
Reported by FlawFinder.
drivers/media/tuners/tda8290.c
10 issues
Line: 54
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tda8290_priv *priv = fe->analog_demod_priv;
static unsigned char enable[2] = { 0x21, 0xC0 };
static unsigned char disable[2] = { 0x21, 0x00 };
unsigned char *msg;
if (close) {
msg = enable;
Reported by FlawFinder.
Line: 55
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tda8290_priv *priv = fe->analog_demod_priv;
static unsigned char enable[2] = { 0x21, 0xC0 };
static unsigned char disable[2] = { 0x21, 0x00 };
unsigned char *msg;
if (close) {
msg = enable;
tuner_i2c_xfer_send(&priv->i2c_props, msg, 2);
Reported by FlawFinder.
Line: 75
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tda8290_priv *priv = fe->analog_demod_priv;
static unsigned char enable[2] = { 0x45, 0xc1 };
static unsigned char disable[2] = { 0x46, 0x00 };
static unsigned char buf[3] = { 0x45, 0x01, 0x00 };
unsigned char *msg;
if (close) {
Reported by FlawFinder.
Line: 76
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tda8290_priv *priv = fe->analog_demod_priv;
static unsigned char enable[2] = { 0x45, 0xc1 };
static unsigned char disable[2] = { 0x46, 0x00 };
static unsigned char buf[3] = { 0x45, 0x01, 0x00 };
unsigned char *msg;
if (close) {
msg = enable;
Reported by FlawFinder.
Line: 77
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned char enable[2] = { 0x45, 0xc1 };
static unsigned char disable[2] = { 0x46, 0x00 };
static unsigned char buf[3] = { 0x45, 0x01, 0x00 };
unsigned char *msg;
if (close) {
msg = enable;
tuner_i2c_xfer_send(&priv->i2c_props, msg, 2);
Reported by FlawFinder.
Line: 145
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static struct {
unsigned char seq[2];
} fm_mode[] = {
{ { 0x01, 0x81} }, /* Put device into expert mode */
{ { 0x03, 0x48} }, /* Disable NOTCH and VIDEO filters */
{ { 0x04, 0x04} }, /* Disable color carrier filter (SSIF) */
{ { 0x05, 0x04} }, /* ADC headroom */
Reported by FlawFinder.
Line: 444
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tda8290_priv *priv = fe->analog_demod_priv;
unsigned char i2c_get_afc[1] = { 0x1B };
unsigned char afc = 0;
tuner_i2c_xfer_send_recv(&priv->i2c_props,
i2c_get_afc, ARRAY_SIZE(i2c_get_afc), &afc, 1);
*signal = (afc & 0x80) ? 65535 : 0;
Reported by FlawFinder.
Line: 752
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tda8290_probe(&priv->i2c_props) == 0) {
priv->ver = TDA8290;
memcpy(&fe->ops.analog_ops, &tda8290_ops,
sizeof(struct analog_demod_ops));
}
if (tda8295_probe(&priv->i2c_props) == 0) {
priv->ver = TDA8295;
Reported by FlawFinder.
Line: 758
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tda8295_probe(&priv->i2c_props) == 0) {
priv->ver = TDA8295;
memcpy(&fe->ops.analog_ops, &tda8295_ops,
sizeof(struct analog_demod_ops));
}
if (cfg && cfg->no_i2c_gate)
fe->ops.analog_ops.i2c_gate_ctrl = NULL;
Reported by FlawFinder.
Line: 834
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned char addr_dto_lsb = 0x07;
unsigned char data;
#define PROBE_BUFFER_SIZE 8
unsigned char buf[PROBE_BUFFER_SIZE];
int i;
/* rule out tda9887, which would return the same byte repeatedly */
tuner_i2c_xfer_send_recv(&i2c_props,
soft_reset, 1, buf, PROBE_BUFFER_SIZE);
Reported by FlawFinder.
drivers/media/tuners/tda9887.c
10 issues
Line: 35
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tuner_i2c_props i2c_props;
struct list_head hybrid_tuner_instance_list;
unsigned char data[4];
unsigned int config;
unsigned int mode;
unsigned int audmode;
v4l2_std_id std;
Reported by FlawFinder.
Line: 275
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tda9887_priv *priv = fe->analog_demod_priv;
static char *afc[16] = {
"- 12.5 kHz",
"- 37.5 kHz",
"- 62.5 kHz",
"- 87.5 kHz",
"-112.5 kHz",
Reported by FlawFinder.
Line: 305
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tda9887_priv *priv = fe->analog_demod_priv;
static char *sound[4] = {
"AM/TV",
"FM/radio",
"FM/TV",
"FM/radio"
};
Reported by FlawFinder.
Line: 311
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"FM/TV",
"FM/radio"
};
static char *adjust[32] = {
"-16", "-15", "-14", "-13", "-12", "-11", "-10", "-9",
"-8", "-7", "-6", "-5", "-4", "-3", "-2", "-1",
"0", "+1", "+2", "+3", "+4", "+5", "+6", "+7",
"+8", "+9", "+10", "+11", "+12", "+13", "+14", "+15"
};
Reported by FlawFinder.
Line: 317
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"0", "+1", "+2", "+3", "+4", "+5", "+6", "+7",
"+8", "+9", "+10", "+11", "+12", "+13", "+14", "+15"
};
static char *deemph[4] = {
"no", "no", "75", "50"
};
static char *carrier[4] = {
"4.5 MHz",
"5.5 MHz",
Reported by FlawFinder.
Line: 320
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *deemph[4] = {
"no", "no", "75", "50"
};
static char *carrier[4] = {
"4.5 MHz",
"5.5 MHz",
"6.0 MHz",
"6.5 MHz / AM"
};
Reported by FlawFinder.
Line: 326
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"6.0 MHz",
"6.5 MHz / AM"
};
static char *vif[8] = {
"58.75 MHz",
"45.75 MHz",
"38.9 MHz",
"38.0 MHz",
"33.9 MHz",
Reported by FlawFinder.
Line: 336
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"45.75 MHz + pin13",
"38.9 MHz + pin13",
};
static char *rif[4] = {
"44 MHz",
"52 MHz",
"52 MHz",
"44 MHz",
};
Reported by FlawFinder.
Line: 537
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tda9887_status(struct dvb_frontend *fe)
{
struct tda9887_priv *priv = fe->analog_demod_priv;
unsigned char buf[1];
int rc;
rc = tuner_i2c_xfer_recv(&priv->i2c_props, buf, 1);
if (rc != 1)
tuner_info("i2c i/o error: rc == %d (should be 1)\n", rc);
Reported by FlawFinder.
Line: 703
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&tda9887_list_mutex);
memcpy(&fe->ops.analog_ops, &tda9887_ops,
sizeof(struct analog_demod_ops));
return fe;
}
EXPORT_SYMBOL_GPL(tda9887_attach);
Reported by FlawFinder.
drivers/net/ethernet/atheros/alx/main.c
10 issues
Line: 869
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
vector++;
if (np->txq && np->rxq)
sprintf(np->irq_lbl, "%s-TxRx-%u", netdev->name,
np->txq->queue_idx);
else if (np->txq)
sprintf(np->irq_lbl, "%s-tx-%u", netdev->name,
np->txq->queue_idx);
else if (np->rxq)
Reported by FlawFinder.
Line: 872
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(np->irq_lbl, "%s-TxRx-%u", netdev->name,
np->txq->queue_idx);
else if (np->txq)
sprintf(np->irq_lbl, "%s-tx-%u", netdev->name,
np->txq->queue_idx);
else if (np->rxq)
sprintf(np->irq_lbl, "%s-rx-%u", netdev->name,
np->rxq->queue_idx);
else
Reported by FlawFinder.
Line: 875
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(np->irq_lbl, "%s-tx-%u", netdev->name,
np->txq->queue_idx);
else if (np->rxq)
sprintf(np->irq_lbl, "%s-rx-%u", netdev->name,
np->rxq->queue_idx);
else
sprintf(np->irq_lbl, "%s-unused", netdev->name);
np->vec_idx = vector;
Reported by FlawFinder.
Line: 878
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(np->irq_lbl, "%s-rx-%u", netdev->name,
np->rxq->queue_idx);
else
sprintf(np->irq_lbl, "%s-unused", netdev->name);
np->vec_idx = vector;
err = request_irq(pci_irq_vector(alx->hw.pdev, vector),
alx_intr_msix_ring, 0, np->irq_lbl, np);
if (err)
Reported by FlawFinder.
Line: 610
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (netdev->addr_assign_type & NET_ADDR_RANDOM)
netdev->addr_assign_type ^= NET_ADDR_RANDOM;
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
memcpy(hw->mac_addr, addr->sa_data, netdev->addr_len);
alx_set_macaddr(hw, hw->mac_addr);
return 0;
}
Reported by FlawFinder.
Line: 611
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netdev->addr_assign_type ^= NET_ADDR_RANDOM;
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
memcpy(hw->mac_addr, addr->sa_data, netdev->addr_len);
alx_set_macaddr(hw, hw->mac_addr);
return 0;
}
Reported by FlawFinder.
Line: 1831
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_warn(&pdev->dev,
"Invalid permanent address programmed, using random one\n");
eth_hw_addr_random(netdev);
memcpy(hw->perm_addr, netdev->dev_addr, netdev->addr_len);
}
memcpy(hw->mac_addr, hw->perm_addr, ETH_ALEN);
memcpy(netdev->dev_addr, hw->mac_addr, ETH_ALEN);
memcpy(netdev->perm_addr, hw->perm_addr, ETH_ALEN);
Reported by FlawFinder.
Line: 1834
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(hw->perm_addr, netdev->dev_addr, netdev->addr_len);
}
memcpy(hw->mac_addr, hw->perm_addr, ETH_ALEN);
memcpy(netdev->dev_addr, hw->mac_addr, ETH_ALEN);
memcpy(netdev->perm_addr, hw->perm_addr, ETH_ALEN);
hw->mdio.prtad = 0;
hw->mdio.mmds = 0;
Reported by FlawFinder.
Line: 1835
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(hw->mac_addr, hw->perm_addr, ETH_ALEN);
memcpy(netdev->dev_addr, hw->mac_addr, ETH_ALEN);
memcpy(netdev->perm_addr, hw->perm_addr, ETH_ALEN);
hw->mdio.prtad = 0;
hw->mdio.mmds = 0;
hw->mdio.dev = netdev;
Reported by FlawFinder.
Line: 1836
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(hw->mac_addr, hw->perm_addr, ETH_ALEN);
memcpy(netdev->dev_addr, hw->mac_addr, ETH_ALEN);
memcpy(netdev->perm_addr, hw->perm_addr, ETH_ALEN);
hw->mdio.prtad = 0;
hw->mdio.mmds = 0;
hw->mdio.dev = netdev;
hw->mdio.mode_support = MDIO_SUPPORTS_C45 |
Reported by FlawFinder.
drivers/media/rc/mceusb.c
10 issues
Line: 497
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 carrier;
unsigned char tx_mask;
char name[128];
char phys[64];
enum mceusb_model_type model;
bool need_reset; /* flag to issue a device resume cmd */
u8 emver; /* emulator interface version */
Reported by FlawFinder.
Line: 498
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char tx_mask;
char name[128];
char phys[64];
enum mceusb_model_type model;
bool need_reset; /* flag to issue a device resume cmd */
u8 emver; /* emulator interface version */
u8 num_txports; /* number of transmit ports */
Reported by FlawFinder.
Line: 845
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
usb_fill_bulk_urb(urb, ir->usbdev, ir->pipe_out,
buf_out, size, mce_write_callback, &tx_done);
memcpy(buf_out, data, size);
ret = usb_submit_urb(urb, GFP_KERNEL);
if (ret) {
dev_err(dev, "Error: mce write submit urb error = %d", ret);
kfree(buf_out);
Reported by FlawFinder.
Line: 1037
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mceusb_dev *ir = dev->priv;
int clk = 10000000;
int prescaler = 0, divisor = 0;
unsigned char cmdbuf[4] = { MCE_CMD_PORT_IR,
MCE_CMD_SETIRCFS, 0x00, 0x00 };
/* Carrier has changed */
if (ir->carrier != carrier) {
Reported by FlawFinder.
Line: 1101
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mceusb_set_rx_wideband(struct rc_dev *dev, int enable)
{
struct mceusb_dev *ir = dev->priv;
unsigned char cmdbuf[3] = { MCE_CMD_PORT_IR,
MCE_CMD_SETIRRXPORTEN, 0x00 };
dev_dbg(ir->dev, "select %s-range receive sensor",
enable ? "short" : "long");
if (enable) {
Reported by FlawFinder.
Line: 1127
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mceusb_set_rx_carrier_report(struct rc_dev *dev, int enable)
{
struct mceusb_dev *ir = dev->priv;
unsigned char cmdbuf[3] = { MCE_CMD_PORT_IR,
MCE_CMD_SETIRRXPORTEN, 0x00 };
dev_dbg(ir->dev, "%s short-range receiver carrier reporting",
enable ? "enable" : "disable");
if (enable) {
Reported by FlawFinder.
Line: 1480
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void mceusb_get_parameters(struct mceusb_dev *ir)
{
int i;
unsigned char cmdbuf[3] = { MCE_CMD_PORT_SYS,
MCE_CMD_GETPORTSTATUS, 0x00 };
/* defaults, if the hardware doesn't support querying */
ir->num_txports = 2;
ir->num_rxports = 2;
Reported by FlawFinder.
Line: 1674
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_endpoint_descriptor *ep_out = NULL;
struct mceusb_dev *ir = NULL;
int pipe, maxp, i, res;
char buf[63], name[128] = "";
enum mceusb_model_type model = id->driver_info;
bool is_gen3;
bool is_microsoft_gen1;
bool tx_mask_normal;
int ir_intfnum;
Reported by FlawFinder.
Line: 1770
Column: 19
CWE codes:
126
if (dev->descriptor.iProduct
&& usb_string(dev, dev->descriptor.iProduct,
buf, sizeof(buf)) > 0)
snprintf(name + strlen(name), sizeof(name) - strlen(name),
" %s", buf);
/*
* Initialize async USB error handler before registering
* or activating any mceusb RX and TX functions
Reported by FlawFinder.
Line: 1770
Column: 48
CWE codes:
126
if (dev->descriptor.iProduct
&& usb_string(dev, dev->descriptor.iProduct,
buf, sizeof(buf)) > 0)
snprintf(name + strlen(name), sizeof(name) - strlen(name),
" %s", buf);
/*
* Initialize async USB error handler before registering
* or activating any mceusb RX and TX functions
Reported by FlawFinder.
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
10 issues
Line: 1204
CWE codes:
758
netif_dbg(pdata, drv, pdata->netdev, "SFP detected:\n");
memcpy(sfp_data, &sfp_eeprom->base[XGBE_SFP_BASE_VENDOR_NAME],
XGBE_SFP_BASE_VENDOR_NAME_LEN);
sfp_data[XGBE_SFP_BASE_VENDOR_NAME_LEN] = '\0';
netif_dbg(pdata, drv, pdata->netdev, " vendor: %s\n",
sfp_data);
memcpy(sfp_data, &sfp_eeprom->base[XGBE_SFP_BASE_VENDOR_PN],
XGBE_SFP_BASE_VENDOR_PN_LEN);
Reported by Cppcheck.
Line: 289
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xgbe_sfp_ascii {
union {
char vendor[XGBE_SFP_BASE_VENDOR_NAME_LEN + 1];
char partno[XGBE_SFP_BASE_VENDOR_PN_LEN + 1];
char rev[XGBE_SFP_BASE_VENDOR_REV_LEN + 1];
char serno[XGBE_SFP_BASE_VENDOR_SN_LEN + 1];
} u;
};
Reported by FlawFinder.
Line: 290
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xgbe_sfp_ascii {
union {
char vendor[XGBE_SFP_BASE_VENDOR_NAME_LEN + 1];
char partno[XGBE_SFP_BASE_VENDOR_PN_LEN + 1];
char rev[XGBE_SFP_BASE_VENDOR_REV_LEN + 1];
char serno[XGBE_SFP_BASE_VENDOR_SN_LEN + 1];
} u;
};
Reported by FlawFinder.
Line: 291
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union {
char vendor[XGBE_SFP_BASE_VENDOR_NAME_LEN + 1];
char partno[XGBE_SFP_BASE_VENDOR_PN_LEN + 1];
char rev[XGBE_SFP_BASE_VENDOR_REV_LEN + 1];
char serno[XGBE_SFP_BASE_VENDOR_SN_LEN + 1];
} u;
};
/* MDIO PHY reset types */
Reported by FlawFinder.
Line: 292
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char vendor[XGBE_SFP_BASE_VENDOR_NAME_LEN + 1];
char partno[XGBE_SFP_BASE_VENDOR_PN_LEN + 1];
char rev[XGBE_SFP_BASE_VENDOR_REV_LEN + 1];
char serno[XGBE_SFP_BASE_VENDOR_SN_LEN + 1];
} u;
};
/* MDIO PHY reset types */
enum xgbe_mdio_reset {
Reported by FlawFinder.
Line: 1202
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *sfp_data = (char *)&sfp_ascii;
netif_dbg(pdata, drv, pdata->netdev, "SFP detected:\n");
memcpy(sfp_data, &sfp_eeprom->base[XGBE_SFP_BASE_VENDOR_NAME],
XGBE_SFP_BASE_VENDOR_NAME_LEN);
sfp_data[XGBE_SFP_BASE_VENDOR_NAME_LEN] = '\0';
netif_dbg(pdata, drv, pdata->netdev, " vendor: %s\n",
sfp_data);
Reported by FlawFinder.
Line: 1208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netif_dbg(pdata, drv, pdata->netdev, " vendor: %s\n",
sfp_data);
memcpy(sfp_data, &sfp_eeprom->base[XGBE_SFP_BASE_VENDOR_PN],
XGBE_SFP_BASE_VENDOR_PN_LEN);
sfp_data[XGBE_SFP_BASE_VENDOR_PN_LEN] = '\0';
netif_dbg(pdata, drv, pdata->netdev, " part number: %s\n",
sfp_data);
Reported by FlawFinder.
Line: 1214
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netif_dbg(pdata, drv, pdata->netdev, " part number: %s\n",
sfp_data);
memcpy(sfp_data, &sfp_eeprom->base[XGBE_SFP_BASE_VENDOR_REV],
XGBE_SFP_BASE_VENDOR_REV_LEN);
sfp_data[XGBE_SFP_BASE_VENDOR_REV_LEN] = '\0';
netif_dbg(pdata, drv, pdata->netdev, " revision level: %s\n",
sfp_data);
Reported by FlawFinder.
Line: 1220
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netif_dbg(pdata, drv, pdata->netdev, " revision level: %s\n",
sfp_data);
memcpy(sfp_data, &sfp_eeprom->extd[XGBE_SFP_BASE_VENDOR_SN],
XGBE_SFP_BASE_VENDOR_SN_LEN);
sfp_data[XGBE_SFP_BASE_VENDOR_SN_LEN] = '\0';
netif_dbg(pdata, drv, pdata->netdev, " serial number: %s\n",
sfp_data);
}
Reported by FlawFinder.
Line: 1284
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (netif_msg_drv(pdata))
xgbe_phy_sfp_eeprom_info(pdata, &sfp_eeprom);
memcpy(&phy_data->sfp_eeprom, &sfp_eeprom, sizeof(sfp_eeprom));
xgbe_phy_free_phy_device(pdata);
} else {
phy_data->sfp_changed = 0;
}
Reported by FlawFinder.