The following issues were found
drivers/media/platform/imx-jpeg/mxc-jpeg.c
9 issues
Line: 732
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct mxc_jpeg_sof *sof;
struct mxc_jpeg_sos *sos;
memcpy(cfg + offset, jpeg_soi, ARRAY_SIZE(jpeg_soi));
offset += ARRAY_SIZE(jpeg_soi);
if (fourcc == V4L2_PIX_FMT_RGB24 ||
fourcc == V4L2_PIX_FMT_ARGB32) {
memcpy(cfg + offset, jpeg_app14, sizeof(jpeg_app14));
Reported by FlawFinder.
Line: 737
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fourcc == V4L2_PIX_FMT_RGB24 ||
fourcc == V4L2_PIX_FMT_ARGB32) {
memcpy(cfg + offset, jpeg_app14, sizeof(jpeg_app14));
offset += sizeof(jpeg_app14);
} else {
memcpy(cfg + offset, jpeg_app0, sizeof(jpeg_app0));
offset += sizeof(jpeg_app0);
}
Reported by FlawFinder.
Line: 740
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cfg + offset, jpeg_app14, sizeof(jpeg_app14));
offset += sizeof(jpeg_app14);
} else {
memcpy(cfg + offset, jpeg_app0, sizeof(jpeg_app0));
offset += sizeof(jpeg_app0);
}
memcpy(cfg + offset, jpeg_dqt, sizeof(jpeg_dqt));
offset += sizeof(jpeg_dqt);
Reported by FlawFinder.
Line: 744
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset += sizeof(jpeg_app0);
}
memcpy(cfg + offset, jpeg_dqt, sizeof(jpeg_dqt));
offset += sizeof(jpeg_dqt);
memcpy(cfg + offset, jpeg_sof_maximal, sizeof(jpeg_sof_maximal));
offset += 2; /* skip marker ID */
sof = (struct mxc_jpeg_sof *)(cfg + offset);
Reported by FlawFinder.
Line: 747
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cfg + offset, jpeg_dqt, sizeof(jpeg_dqt));
offset += sizeof(jpeg_dqt);
memcpy(cfg + offset, jpeg_sof_maximal, sizeof(jpeg_sof_maximal));
offset += 2; /* skip marker ID */
sof = (struct mxc_jpeg_sof *)(cfg + offset);
offset += mxc_jpeg_fixup_sof(sof, fourcc, w, h);
memcpy(cfg + offset, jpeg_dht, sizeof(jpeg_dht));
Reported by FlawFinder.
Line: 752
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sof = (struct mxc_jpeg_sof *)(cfg + offset);
offset += mxc_jpeg_fixup_sof(sof, fourcc, w, h);
memcpy(cfg + offset, jpeg_dht, sizeof(jpeg_dht));
offset += sizeof(jpeg_dht);
memcpy(cfg + offset, jpeg_dri, sizeof(jpeg_dri));
offset += sizeof(jpeg_dri);
Reported by FlawFinder.
Line: 755
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cfg + offset, jpeg_dht, sizeof(jpeg_dht));
offset += sizeof(jpeg_dht);
memcpy(cfg + offset, jpeg_dri, sizeof(jpeg_dri));
offset += sizeof(jpeg_dri);
memcpy(cfg + offset, jpeg_sos_maximal, sizeof(jpeg_sos_maximal));
offset += 2; /* skip marker ID */
sos = (struct mxc_jpeg_sos *)(cfg + offset);
Reported by FlawFinder.
Line: 758
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cfg + offset, jpeg_dri, sizeof(jpeg_dri));
offset += sizeof(jpeg_dri);
memcpy(cfg + offset, jpeg_sos_maximal, sizeof(jpeg_sos_maximal));
offset += 2; /* skip marker ID */
sos = (struct mxc_jpeg_sos *)(cfg + offset);
offset += mxc_jpeg_fixup_sos(sos, fourcc);
memcpy(cfg + offset, jpeg_eoi, sizeof(jpeg_eoi));
Reported by FlawFinder.
Line: 763
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sos = (struct mxc_jpeg_sos *)(cfg + offset);
offset += mxc_jpeg_fixup_sos(sos, fourcc);
memcpy(cfg + offset, jpeg_eoi, sizeof(jpeg_eoi));
offset += sizeof(jpeg_eoi);
return offset;
}
Reported by FlawFinder.
drivers/media/usb/s2255/s2255drv.c
9 issues
Line: 523
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len < CHUNK_SIZE)
memset(data->pfw_data, 0, CHUNK_SIZE);
memcpy(data->pfw_data,
(char *) data->fw->data + data->fw_loaded, len);
usb_fill_bulk_urb(data->fw_urb, udev, usb_sndbulkpipe(udev, 2),
data->pfw_data, CHUNK_SIZE,
s2255_fwchunk_complete, data);
Reported by FlawFinder.
Line: 616
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vc->fmt->fourcc);
break;
case V4L2_PIX_FMT_GREY:
memcpy(vbuf, tmpbuf, vc->width * vc->height);
break;
case V4L2_PIX_FMT_JPEG:
case V4L2_PIX_FMT_MJPEG:
vb2_set_plane_payload(&buf->vb.vb2_buf, 0, jpgsize);
memcpy(vbuf, tmpbuf, jpgsize);
Reported by FlawFinder.
Line: 621
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case V4L2_PIX_FMT_JPEG:
case V4L2_PIX_FMT_MJPEG:
vb2_set_plane_payload(&buf->vb.vb2_buf, 0, jpgsize);
memcpy(vbuf, tmpbuf, jpgsize);
break;
case V4L2_PIX_FMT_YUV422P:
memcpy(vbuf, tmpbuf,
vc->width * vc->height * 2);
break;
Reported by FlawFinder.
Line: 624
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(vbuf, tmpbuf, jpgsize);
break;
case V4L2_PIX_FMT_YUV422P:
memcpy(vbuf, tmpbuf,
vc->width * vc->height * 2);
break;
default:
pr_info("s2255: unknown format?\n");
}
Reported by FlawFinder.
Line: 1822
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* sanity check on pdest */
if ((copy_size + frm->cur_size) < vc->req_image_size)
memcpy(pdest, psrc, copy_size);
frm->cur_size += copy_size;
dprintk(dev, 4, "cur_size: %lu, size: %lu\n", frm->cur_size, size);
if (frm->cur_size >= size) {
Reported by FlawFinder.
Line: 1888
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TransferBufferLength, HZ * 5);
if (r >= 0)
memcpy(TransferBuffer, buf, TransferBufferLength);
} else {
memcpy(buf, TransferBuffer, TransferBufferLength);
r = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
Request, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
Value, Index, buf,
Reported by FlawFinder.
Line: 1890
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (r >= 0)
memcpy(TransferBuffer, buf, TransferBufferLength);
} else {
memcpy(buf, TransferBuffer, TransferBufferLength);
r = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
Request, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
Value, Index, buf,
TransferBufferLength, HZ * 5);
}
Reported by FlawFinder.
Line: 1909
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int fw;
int ret;
unsigned char transBuffer[64];
ret = s2255_vendor_req(dev, S2255_VR_FW, 0, 0, transBuffer, 2,
S2255_VR_IN);
if (ret < 0)
dprintk(dev, 2, "get fw error: %x\n", ret);
fw = transBuffer[0] + (transBuffer[1] << 8);
Reported by FlawFinder.
Line: 2187
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s2255_reset_dsppower(dev);
dev->fw_data->fw_size = dev->fw_data->fw->size;
atomic_set(&dev->fw_data->fw_state, S2255_FW_NOTLOADED);
memcpy(dev->fw_data->pfw_data,
dev->fw_data->fw->data, CHUNK_SIZE);
dev->fw_data->fw_loaded = CHUNK_SIZE;
usb_fill_bulk_urb(dev->fw_data->fw_urb, dev->udev,
usb_sndbulkpipe(dev->udev, 2),
dev->fw_data->pfw_data,
Reported by FlawFinder.
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
9 issues
Line: 528
CWE codes:
758
wmb();
for (i = 0; i < sizeof(rx_prods)/4; i++)
REG_WR_RELAXED(bp, fp->ustorm_rx_prods_offset + i * 4,
((u32 *)&rx_prods)[i]);
DP(NETIF_MSG_RX_STATUS,
"queue[%d]: wrote bd_prod %u cqe_prod %u sge_prod %u\n",
fp->index, bd_prod, rx_comp_prod, rx_sge_prod);
Reported by Cppcheck.
Line: 528
CWE codes:
758
wmb();
for (i = 0; i < sizeof(rx_prods)/4; i++)
REG_WR_RELAXED(bp, fp->ustorm_rx_prods_offset + i * 4,
((u32 *)&rx_prods)[i]);
DP(NETIF_MSG_RX_STATUS,
"queue[%d]: wrote bd_prod %u cqe_prod %u sge_prod %u\n",
fp->index, bd_prod, rx_comp_prod, rx_sge_prod);
Reported by Cppcheck.
Line: 528
CWE codes:
758
wmb();
for (i = 0; i < sizeof(rx_prods)/4; i++)
REG_WR_RELAXED(bp, fp->ustorm_rx_prods_offset + i * 4,
((u32 *)&rx_prods)[i]);
DP(NETIF_MSG_RX_STATUS,
"queue[%d]: wrote bd_prod %u cqe_prod %u sge_prod %u\n",
fp->index, bd_prod, rx_comp_prod, rx_sge_prod);
Reported by Cppcheck.
Line: 528
CWE codes:
758
wmb();
for (i = 0; i < sizeof(rx_prods)/4; i++)
REG_WR_RELAXED(bp, fp->ustorm_rx_prods_offset + i * 4,
((u32 *)&rx_prods)[i]);
DP(NETIF_MSG_RX_STATUS,
"queue[%d]: wrote bd_prod %u cqe_prod %u sge_prod %u\n",
fp->index, bd_prod, rx_comp_prod, rx_sge_prod);
Reported by Cppcheck.
Line: 528
CWE codes:
758
wmb();
for (i = 0; i < sizeof(rx_prods)/4; i++)
REG_WR_RELAXED(bp, fp->ustorm_rx_prods_offset + i * 4,
((u32 *)&rx_prods)[i]);
DP(NETIF_MSG_RX_STATUS,
"queue[%d]: wrote bd_prod %u cqe_prod %u sge_prod %u\n",
fp->index, bd_prod, rx_comp_prod, rx_sge_prod);
Reported by Cppcheck.
Line: 528
CWE codes:
758
wmb();
for (i = 0; i < sizeof(rx_prods)/4; i++)
REG_WR_RELAXED(bp, fp->ustorm_rx_prods_offset + i * 4,
((u32 *)&rx_prods)[i]);
DP(NETIF_MSG_RX_STATUS,
"queue[%d]: wrote bd_prod %u cqe_prod %u sge_prod %u\n",
fp->index, bd_prod, rx_comp_prod, rx_sge_prod);
Reported by Cppcheck.
Line: 528
CWE codes:
758
wmb();
for (i = 0; i < sizeof(rx_prods)/4; i++)
REG_WR_RELAXED(bp, fp->ustorm_rx_prods_offset + i * 4,
((u32 *)&rx_prods)[i]);
DP(NETIF_MSG_RX_STATUS,
"queue[%d]: wrote bd_prod %u cqe_prod %u sge_prod %u\n",
fp->index, bd_prod, rx_comp_prod, rx_sge_prod);
Reported by Cppcheck.
Line: 528
CWE codes:
758
wmb();
for (i = 0; i < sizeof(rx_prods)/4; i++)
REG_WR_RELAXED(bp, fp->ustorm_rx_prods_offset + i * 4,
((u32 *)&rx_prods)[i]);
DP(NETIF_MSG_RX_STATUS,
"queue[%d]: wrote bd_prod %u cqe_prod %u sge_prod %u\n",
fp->index, bd_prod, rx_comp_prod, rx_sge_prod);
Reported by Cppcheck.
Line: 528
CWE codes:
758
wmb();
for (i = 0; i < sizeof(rx_prods)/4; i++)
REG_WR_RELAXED(bp, fp->ustorm_rx_prods_offset + i * 4,
((u32 *)&rx_prods)[i]);
DP(NETIF_MSG_RX_STATUS,
"queue[%d]: wrote bd_prod %u cqe_prod %u sge_prod %u\n",
fp->index, bd_prod, rx_comp_prod, rx_sge_prod);
Reported by Cppcheck.
drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c
9 issues
Line: 219
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (qidx = 0; qidx < nic->qs->rq_cnt; qidx++) {
for (stats = 0; stats < nicvf_n_queue_stats; stats++) {
sprintf(*data, "rxq%d: %s", qidx + start_qidx,
nicvf_queue_stats[stats].name);
*data += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 227
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (qidx = 0; qidx < nic->qs->sq_cnt; qidx++) {
for (stats = 0; stats < nicvf_n_queue_stats; stats++) {
sprintf(*data, "txq%d: %s", qidx + start_qidx,
nicvf_queue_stats[stats].name);
*data += ETH_GSTRING_LEN;
}
}
}
Reported by FlawFinder.
Line: 22
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define DRV_NAME "nicvf"
struct nicvf_stat {
char name[ETH_GSTRING_LEN];
unsigned int index;
};
#define NICVF_HW_STAT(stat) { \
.name = #stat, \
Reported by FlawFinder.
Line: 244
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
for (stats = 0; stats < nicvf_n_hw_stats; stats++) {
memcpy(data, nicvf_hw_stats[stats].name, ETH_GSTRING_LEN);
data += ETH_GSTRING_LEN;
}
for (stats = 0; stats < nicvf_n_drv_stats; stats++) {
memcpy(data, nicvf_drv_stats[stats].name, ETH_GSTRING_LEN);
Reported by FlawFinder.
Line: 249
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (stats = 0; stats < nicvf_n_drv_stats; stats++) {
memcpy(data, nicvf_drv_stats[stats].name, ETH_GSTRING_LEN);
data += ETH_GSTRING_LEN;
}
nicvf_get_qset_strings(nic, &data, 0);
Reported by FlawFinder.
Line: 262
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
for (stats = 0; stats < BGX_RX_STATS_COUNT; stats++) {
sprintf(data, "bgx_rxstat%d: ", stats);
data += ETH_GSTRING_LEN;
}
for (stats = 0; stats < BGX_TX_STATS_COUNT; stats++) {
sprintf(data, "bgx_txstat%d: ", stats);
Reported by FlawFinder.
Line: 267
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
for (stats = 0; stats < BGX_TX_STATS_COUNT; stats++) {
sprintf(data, "bgx_txstat%d: ", stats);
data += ETH_GSTRING_LEN;
}
}
static int nicvf_get_sset_count(struct net_device *netdev, int sset)
Reported by FlawFinder.
Line: 663
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (hkey)
memcpy(hkey, rss->key, RSS_HASH_KEY_SIZE * sizeof(u64));
if (hfunc)
*hfunc = ETH_RSS_HASH_TOP;
return 0;
Reported by FlawFinder.
Line: 693
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (hkey) {
memcpy(rss->key, hkey, RSS_HASH_KEY_SIZE * sizeof(u64));
nicvf_set_rss_key(nic);
}
nicvf_config_rss(nic);
return 0;
Reported by FlawFinder.
drivers/media/tuners/tuner-xc2028.c
9 issues
Line: 54
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"1 keep device energized and with tuner ready all the times.\n"
" Faster, but consumes more power and keeps the device hotter\n");
static char audio_std[8];
module_param_string(audio_std, audio_std, sizeof(audio_std), 0);
MODULE_PARM_DESC(audio_std,
"Audio standard. XC3028 audio decoder explicitly needs to know what audio\n"
"standard is needed for some video standards with audio A2 or NICAM.\n"
"The valid values are:\n"
Reported by FlawFinder.
Line: 67
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"NICAM/A\n"
"NICAM/B\n");
static char firmware_name[30];
module_param_string(firmware_name, firmware_name, sizeof(firmware_name), 0);
MODULE_PARM_DESC(firmware_name,
"Firmware file name. Allows overriding the default firmware name\n");
static LIST_HEAD(hybrid_tuner_instance_list);
Reported by FlawFinder.
Line: 160
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int xc2028_get_reg(struct xc2028_data *priv, u16 reg, u16 *val)
{
unsigned char buf[2];
unsigned char ibuf[2];
tuner_dbg("%s %04x called\n", __func__, reg);
buf[0] = reg >> 8;
Reported by FlawFinder.
Line: 161
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int xc2028_get_reg(struct xc2028_data *priv, u16 reg, u16 *val)
{
unsigned char buf[2];
unsigned char ibuf[2];
tuner_dbg("%s %04x called\n", __func__, reg);
buf[0] = reg >> 8;
buf[1] = (unsigned char) reg;
Reported by FlawFinder.
Line: 308
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *p, *endp;
int rc = 0;
int n, n_array;
char name[33];
tuner_dbg("%s called\n", __func__);
p = fw->data;
endp = p + fw->size;
Reported by FlawFinder.
Line: 547
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct xc2028_data *priv = fe->tuner_priv;
int pos, rc;
unsigned char *p, *endp, buf[MAX_XFER_SIZE];
if (priv->ctrl.max_len > sizeof(buf))
priv->ctrl.max_len = sizeof(buf);
tuner_dbg("%s called\n", __func__);
Reported by FlawFinder.
Line: 631
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int len = (size < priv->ctrl.max_len - 1) ?
size : priv->ctrl.max_len - 1;
memcpy(buf + 1, p, len);
rc = i2c_send(priv, buf, len + 1);
if (rc < 0) {
tuner_err("%d returned from send\n", rc);
return -EINVAL;
Reported by FlawFinder.
Line: 1016
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct xc2028_data *priv = fe->tuner_priv;
int rc = -EINVAL;
unsigned char buf[4];
u32 div, offset = 0;
tuner_dbg("%s called\n", __func__);
mutex_lock(&priv->lock);
Reported by FlawFinder.
Line: 1497
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(&fe->ops.tuner_ops, &xc2028_dvb_tuner_ops,
sizeof(xc2028_dvb_tuner_ops));
tuner_info("type set to %s\n", "XCeive xc2028/xc3028 tuner");
if (cfg->ctrl)
Reported by FlawFinder.
drivers/mtd/nand/raw/lpc32xx_slc.c
9 issues
Line: 519
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dma_buf = host->data_buf;
dma_mapped = false;
if (!read)
memcpy(host->data_buf, buf, mtd->writesize);
}
if (read) {
writel(readl(SLC_CFG(host->io_base)) |
SLCCFG_DMA_DIR | SLCCFG_ECC_EN | SLCCFG_DMA_ECC |
Reported by FlawFinder.
Line: 605
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
SLCCFG_DMA_BURST), SLC_CFG(host->io_base));
if (!dma_mapped && read)
memcpy(buf, host->data_buf, mtd->writesize);
return status;
}
/*
Reported by FlawFinder.
Line: 500
Column: 8
CWE codes:
120
20
* DMA read/write transfers with ECC support
*/
static int lpc32xx_xfer(struct mtd_info *mtd, uint8_t *buf, int eccsubpages,
int read)
{
struct nand_chip *chip = mtd_to_nand(mtd);
struct lpc32xx_nand_host *host = nand_get_controller_data(chip);
int i, status = 0;
unsigned long timeout;
Reported by FlawFinder.
Line: 508
Column: 3
CWE codes:
120
20
unsigned long timeout;
int res;
enum dma_transfer_direction dir =
read ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV;
uint8_t *dma_buf;
bool dma_mapped;
if ((void *)buf <= high_memory) {
dma_buf = buf;
Reported by FlawFinder.
Line: 518
Column: 8
CWE codes:
120
20
} else {
dma_buf = host->data_buf;
dma_mapped = false;
if (!read)
memcpy(host->data_buf, buf, mtd->writesize);
}
if (read) {
writel(readl(SLC_CFG(host->io_base)) |
Reported by FlawFinder.
Line: 522
Column: 6
CWE codes:
120
20
memcpy(host->data_buf, buf, mtd->writesize);
}
if (read) {
writel(readl(SLC_CFG(host->io_base)) |
SLCCFG_DMA_DIR | SLCCFG_ECC_EN | SLCCFG_DMA_ECC |
SLCCFG_DMA_BURST, SLC_CFG(host->io_base));
} else {
writel((readl(SLC_CFG(host->io_base)) |
Reported by FlawFinder.
Line: 554
Column: 8
CWE codes:
120
20
/* Always _read_ ECC */
if (i == chip->ecc.steps - 1)
break;
if (!read) /* ECC availability delayed on write */
udelay(10);
res = lpc32xx_xmit_dma(mtd, SLC_ECC(host->io_base_dma),
&host->ecc_buf[i], 4, DMA_DEV_TO_MEM);
if (res)
return res;
Reported by FlawFinder.
Line: 604
Column: 21
CWE codes:
120
20
~(SLCCFG_DMA_DIR | SLCCFG_ECC_EN | SLCCFG_DMA_ECC |
SLCCFG_DMA_BURST), SLC_CFG(host->io_base));
if (!dma_mapped && read)
memcpy(buf, host->data_buf, mtd->writesize);
return status;
}
Reported by FlawFinder.
drivers/media/rc/ir-rc5-decoder.c
9 issues
Line: 114
Column: 23
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (data->is_rc5x && data->count == RC5X_NBITS) {
/* RC5X */
u8 xdata, command, system;
if (!(dev->enabled_protocols & RC_PROTO_BIT_RC5X_20)) {
data->state = STATE_INACTIVE;
return 0;
}
xdata = (data->bits & 0x0003F) >> 0;
Reported by FlawFinder.
Line: 124
Column: 15
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
system = (data->bits & 0x1F000) >> 12;
toggle = (data->bits & 0x20000) ? 1 : 0;
command += (data->bits & 0x40000) ? 0 : 0x40;
scancode = system << 16 | command << 8 | xdata;
protocol = RC_PROTO_RC5X_20;
} else if (!data->is_rc5x && data->count == RC5_NBITS) {
/* RC5 */
u8 command, system;
Reported by FlawFinder.
Line: 129
Column: 16
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
} else if (!data->is_rc5x && data->count == RC5_NBITS) {
/* RC5 */
u8 command, system;
if (!(dev->enabled_protocols & RC_PROTO_BIT_RC5)) {
data->state = STATE_INACTIVE;
return 0;
}
command = (data->bits & 0x0003F) >> 0;
Reported by FlawFinder.
Line: 138
Column: 15
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
system = (data->bits & 0x007C0) >> 6;
toggle = (data->bits & 0x00800) ? 1 : 0;
command += (data->bits & 0x01000) ? 0 : 0x40;
scancode = system << 8 | command;
protocol = RC_PROTO_RC5;
} else if (!data->is_rc5x && data->count == RC5_SZ_NBITS) {
/* RC5 StreamZap */
u8 command, system;
Reported by FlawFinder.
Line: 143
Column: 16
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
} else if (!data->is_rc5x && data->count == RC5_SZ_NBITS) {
/* RC5 StreamZap */
u8 command, system;
if (!(dev->enabled_protocols & RC_PROTO_BIT_RC5_SZ)) {
data->state = STATE_INACTIVE;
return 0;
}
command = (data->bits & 0x0003F) >> 0;
Reported by FlawFinder.
Line: 151
Column: 15
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
command = (data->bits & 0x0003F) >> 0;
system = (data->bits & 0x02FC0) >> 6;
toggle = (data->bits & 0x01000) ? 1 : 0;
scancode = system << 6 | command;
protocol = RC_PROTO_RC5_SZ;
} else
break;
Reported by FlawFinder.
Line: 214
Column: 47
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
{
int ret;
struct ir_raw_event *e = events;
unsigned int data, xdata, command, commandx, system, pre_space_data;
/* Detect protocol and convert scancode to raw data */
if (protocol == RC_PROTO_RC5) {
/* decode scancode */
command = (scancode & 0x003f) >> 0;
Reported by FlawFinder.
Line: 223
Column: 28
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
commandx = (scancode & 0x0040) >> 6;
system = (scancode & 0x1f00) >> 8;
/* encode data */
data = !commandx << 12 | system << 6 | command;
/* First bit is encoded by leader_pulse */
ret = ir_raw_gen_manchester(&e, max, &ir_rc5_timings,
RC5_NBITS - 1, data);
if (ret < 0)
Reported by FlawFinder.
Line: 238
Column: 27
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
system = (scancode & 0x1f0000) >> 16;
/* encode data */
data = commandx << 18 | system << 12 | command << 6 | xdata;
/* First bit is encoded by leader_pulse */
pre_space_data = data >> (RC5X_NBITS - CHECK_RC5X_NBITS);
ret = ir_raw_gen_manchester(&e, max, &ir_rc5x_timings[0],
CHECK_RC5X_NBITS - 1,
Reported by FlawFinder.
drivers/mtd/nand/raw/arasan-nand-controller.c
9 issues
Line: 888
NAND_OP_PARSER_PAT_DATA_IN_ELEM(false, ANFC_MAX_CHUNK_SIZE)),
NAND_OP_PARSER_PATTERN(
anfc_wait_type_exec,
NAND_OP_PARSER_PAT_WAITRDY_ELEM(false)),
);
static int anfc_check_op(struct nand_chip *chip,
const struct nand_operation *op)
{
Reported by Cppcheck.
Line: 701
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nfc_op->read) {
remainder = readl_relaxed(nfc->base + DATA_PORT_REG);
memcpy(&buf[offset], &remainder, last_len);
} else {
memcpy(&remainder, &buf[offset], last_len);
writel_relaxed(remainder, nfc->base + DATA_PORT_REG);
}
}
Reported by FlawFinder.
Line: 703
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
remainder = readl_relaxed(nfc->base + DATA_PORT_REG);
memcpy(&buf[offset], &remainder, last_len);
} else {
memcpy(&remainder, &buf[offset], last_len);
writel_relaxed(remainder, nfc->base + DATA_PORT_REG);
}
}
return anfc_wait_for_event(nfc, XFER_COMPLETE);
Reported by FlawFinder.
Line: 816
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
tmp = readl_relaxed(nfc->base + FLASH_STS_REG);
memcpy(subop->instrs[1].ctx.data.buf.in, &tmp, 1);
return 0;
}
static int anfc_reset_type_exec(struct nand_chip *chip,
Reported by FlawFinder.
Line: 677
Column: 17
CWE codes:
120
20
int ret, i;
for (i = 0; i < nfc_op->steps; i++) {
dir = nfc_op->read ? READ_READY : WRITE_READY;
ret = anfc_wait_for_event(nfc, dir);
if (ret) {
dev_err(nfc->dev, "PIO %s ready signal not received\n",
nfc_op->read ? "Read" : "Write");
return ret;
Reported by FlawFinder.
Line: 681
Column: 13
CWE codes:
120
20
ret = anfc_wait_for_event(nfc, dir);
if (ret) {
dev_err(nfc->dev, "PIO %s ready signal not received\n",
nfc_op->read ? "Read" : "Write");
return ret;
}
offset = i * (dwords * 4);
if (nfc_op->read)
Reported by FlawFinder.
Line: 686
Column: 15
CWE codes:
120
20
}
offset = i * (dwords * 4);
if (nfc_op->read)
ioread32_rep(nfc->base + DATA_PORT_REG, &buf[offset],
dwords);
else
iowrite32_rep(nfc->base + DATA_PORT_REG, &buf[offset],
dwords);
Reported by FlawFinder.
Line: 699
Column: 15
CWE codes:
120
20
offset = nfc_op->len - last_len;
if (nfc_op->read) {
remainder = readl_relaxed(nfc->base + DATA_PORT_REG);
memcpy(&buf[offset], &remainder, last_len);
} else {
memcpy(&remainder, &buf[offset], last_len);
writel_relaxed(remainder, nfc->base + DATA_PORT_REG);
Reported by FlawFinder.
drivers/media/dvb-frontends/stb0899_drv.c
9 issues
Line: 504
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = reg >> 8;
buf[1] = reg & 0xff;
memcpy(&buf[2], data, count);
dprintk(state->verbose, FE_DEBUGREG, 1,
"%s [0x%04x]: %*ph", __func__, reg, count, data);
ret = i2c_transfer(state->i2c, &i2c_msg, 1);
Reported by FlawFinder.
Line: 1263
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 chip_id, release;
u16 id;
u32 demod_ver = 0, fec_ver = 0;
char demod_str[5] = { 0 };
char fec_str[5] = { 0 };
id = stb0899_read_reg(state, STB0899_DEV_ID);
dprintk(state->verbose, FE_DEBUG, 1, "ID reg=[0x%02x]", id);
chip_id = STB0899_GETFIELD(CHIP_ID, id);
Reported by FlawFinder.
Line: 1264
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 id;
u32 demod_ver = 0, fec_ver = 0;
char demod_str[5] = { 0 };
char fec_str[5] = { 0 };
id = stb0899_read_reg(state, STB0899_DEV_ID);
dprintk(state->verbose, FE_DEBUG, 1, "ID reg=[0x%02x]", id);
chip_id = STB0899_GETFIELD(CHIP_ID, id);
release = STB0899_GETFIELD(CHIP_REL, id);
Reported by FlawFinder.
Line: 927
Column: 21
CWE codes:
120
20
int res = 0;
int min = 0, med;
if (val < tab[min].read)
res = tab[min].real;
else if (val >= tab[max].read)
res = tab[max].real;
else {
while ((max - min) > 1) {
Reported by FlawFinder.
Line: 929
Column: 27
CWE codes:
120
20
if (val < tab[min].read)
res = tab[min].real;
else if (val >= tab[max].read)
res = tab[max].real;
else {
while ((max - min) > 1) {
med = (max + min) / 2;
if (val >= tab[min].read && val < tab[med].read)
Reported by FlawFinder.
Line: 934
Column: 47
CWE codes:
120
20
else {
while ((max - min) > 1) {
med = (max + min) / 2;
if (val >= tab[min].read && val < tab[med].read)
max = med;
else
min = med;
}
res = ((val - tab[min].read) *
Reported by FlawFinder.
Line: 934
Column: 24
CWE codes:
120
20
else {
while ((max - min) > 1) {
med = (max + min) / 2;
if (val >= tab[min].read && val < tab[med].read)
max = med;
else
min = med;
}
res = ((val - tab[min].read) *
Reported by FlawFinder.
drivers/net/ethernet/cavium/liquidio/octeon_console.c
9 issues
Line: 430
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
console->waiting = 0;
}
static char console_buffer[OCTEON_CONSOLE_MAX_READ_BYTES];
static void output_console_line(struct octeon_device *oct,
struct octeon_console *console,
size_t console_num,
char *console_buffer,
Reported by FlawFinder.
Line: 812
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t size)
{
struct octeon_firmware_file_header *h;
char boottime[MAX_BOOTTIME_SIZE];
struct timespec64 ts;
u32 crc32_result;
u64 load_addr;
u32 image_len;
int ret = 0;
Reported by FlawFinder.
Line: 250
Column: 3
CWE codes:
120
struct cvmx_bootmem_named_block_desc,
size));
strncpy(desc->name, name, sizeof(desc->name));
desc->name[sizeof(desc->name) - 1] = 0;
return &oct->bootmem_named_block_desc;
} else {
return NULL;
}
Reported by FlawFinder.
Line: 364
Column: 17
CWE codes:
126
int octeon_console_send_cmd(struct octeon_device *oct, char *cmd_str,
u32 wait_hundredths)
{
u32 len = (u32)strlen(cmd_str);
dev_dbg(&oct->pci_dev->dev, "sending \"%s\" to bootloader\n", cmd_str);
if (len > BOOTLOADER_PCI_WRITE_BUFFER_STR_LEN - 1) {
dev_err(&oct->pci_dev->dev, "Command string too long, max length is: %d\n",
Reported by FlawFinder.
Line: 473
Column: 9
CWE codes:
126
/* Save off any leftovers */
if (line != &console_buffer[bytes_read]) {
console_buffer[bytes_read] = '\0';
len = strlen(console->leftover);
strncpy(&console->leftover[len], line,
sizeof(console->leftover) - len);
}
}
Reported by FlawFinder.
Line: 474
Column: 3
CWE codes:
120
if (line != &console_buffer[bytes_read]) {
console_buffer[bytes_read] = '\0';
len = strlen(console->leftover);
strncpy(&console->leftover[len], line,
sizeof(console->leftover) - len);
}
}
static void check_console(struct work_struct *work)
Reported by FlawFinder.
Line: 522
Column: 9
CWE codes:
126
if (console->print && (total_read == 0) &&
(console->leftover[0])) {
/* append '\n' as terminator for 'output_console_line' */
len = strlen(console->leftover);
console->leftover[len] = '\n';
output_console_line(oct, console, console_num,
console->leftover, (s32)(len + 1));
console->leftover[0] = '\0';
}
Reported by FlawFinder.
Line: 844
Column: 6
CWE codes:
126
}
if (memcmp(LIQUIDIO_BASE_VERSION, h->version,
strlen(LIQUIDIO_BASE_VERSION))) {
dev_err(&oct->pci_dev->dev, "Unmatched firmware version. Expected %s.x, got %s.\n",
LIQUIDIO_BASE_VERSION,
h->version);
return -EINVAL;
}
Reported by FlawFinder.
Line: 908
Column: 2
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
dev_err(&oct->pci_dev->dev, "Boot command buffer too small\n");
return -EINVAL;
}
strncat(h->bootcmd, boottime,
sizeof(h->bootcmd) - strnlen(h->bootcmd, sizeof(h->bootcmd)));
dev_info(&oct->pci_dev->dev, "Writing boot command: %s\n",
h->bootcmd);
Reported by FlawFinder.