The following issues were found
include/linux/nfs4.h
8 issues
Line: 53
Column: 18
CWE codes:
119
120
Suggestion:
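Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Note: every finding listed for this header points at the declaration of a fixed-size array sized by a named constant. A declaration cannot overflow on its own, so the review belongs at the code that copies data into these fields.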
char *label;
};
typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier;
struct nfs4_stateid_struct {
union {
char data[NFS4_STATEID_SIZE];
struct {
Reported by FlawFinder.
Line: 57
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nfs4_stateid_struct {
union {
char data[NFS4_STATEID_SIZE];
struct {
__be32 seqid;
char other[NFS4_STATEID_OTHER_SIZE];
} __attribute__ ((packed));
};
Reported by FlawFinder.
Line: 60
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char data[NFS4_STATEID_SIZE];
struct {
__be32 seqid;
char other[NFS4_STATEID_OTHER_SIZE];
} __attribute__ ((packed));
};
enum {
NFS4_INVALID_STATEID_TYPE = 0,
Reported by FlawFinder.
Line: 558
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* nfs41 types */
struct nfs4_sessionid {
unsigned char data[NFS4_MAX_SESSIONID_LEN];
};
/* Create Session Flags */
#define SESSION4_PERSIST 0x001
#define SESSION4_BACK_CHAN 0x002
Reported by FlawFinder.
Line: 653
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NFS4_DEVICEID4_SIZE 16
struct nfs4_deviceid {
char data[NFS4_DEVICEID4_SIZE];
};
enum data_content4 {
NFS4_CONTENT_DATA = 0,
NFS4_CONTENT_HOLE = 1,
Reported by FlawFinder.
Line: 690
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct nfs42_netaddr {
char netid[RPCBIND_MAXNETIDLEN];
char addr[RPCBIND_MAXUADDRLEN + 1];
u32 netid_len;
u32 addr_len;
};
Reported by FlawFinder.
Line: 691
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nfs42_netaddr {
char netid[RPCBIND_MAXNETIDLEN];
char addr[RPCBIND_MAXUADDRLEN + 1];
u32 netid_len;
u32 addr_len;
};
enum netloc_type4 {
Reported by FlawFinder.
Line: 707
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union {
struct { /* NL4_NAME, NL4_URL */
int nl4_str_sz;
char nl4_str[NFS4_OPAQUE_LIMIT + 1];
};
struct nfs42_netaddr nl4_addr; /* NL4_NETADDR */
} u;
};
Reported by FlawFinder.
fs/xfs/libxfs/xfs_da_btree.c
8 issues
Line: 709
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* block specific identifiers are kept intact. We update the buffer
* directly for this.
*/
memcpy(node, oldroot, size);
if (oldroot->hdr.info.magic == cpu_to_be16(XFS_DA3_NODE_MAGIC) ||
oldroot->hdr.info.magic == cpu_to_be16(XFS_DIR3_LEAFN_MAGIC)) {
struct xfs_da3_intnode *node3 = (struct xfs_da3_intnode *)node;
node3->hdr.info.blkno = cpu_to_be64(bp->b_bn);
Reported by FlawFinder.
Line: 934
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmp = count * (uint)sizeof(xfs_da_node_entry_t);
btree_s = &btree1[nodehdr1.count - count];
btree_d = &btree2[0];
memcpy(btree_d, btree_s, tmp);
nodehdr1.count -= count;
} else {
/*
* Move the req'd B-tree elements from low in node2 to
* high in node1.
Reported by FlawFinder.
Line: 945
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmp = count * (uint)sizeof(xfs_da_node_entry_t);
btree_s = &btree2[0];
btree_d = &btree1[nodehdr1.count];
memcpy(btree_d, btree_s, tmp);
nodehdr1.count += count;
xfs_trans_log_buf(tp, blk1->bp,
XFS_DA_LOGRANGE(node1, btree_d, tmp));
Reported by FlawFinder.
Line: 1217
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* that could occur. For dir3 blocks we also need to update the block
* number in the buffer header.
*/
memcpy(root_blk->bp->b_addr, bp->b_addr, args->geo->blksize);
root_blk->bp->b_ops = bp->b_ops;
xfs_trans_buf_copy_type(root_blk->bp, bp);
if (oldroothdr.magic == XFS_DA3_NODE_MAGIC) {
struct xfs_da3_blkinfo *da3 = root_blk->bp->b_addr;
da3->blkno = cpu_to_be64(root_blk->bp->b_bn);
Reported by FlawFinder.
Line: 1285
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* path point to the block we want to drop (this one).
*/
forward = (info->forw != 0);
memcpy(&state->altpath, &state->path, sizeof(state->path));
error = xfs_da3_path_shift(state, &state->altpath, forward,
0, &retval);
if (error)
return error;
if (retval) {
Reported by FlawFinder.
Line: 1340
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Make altpath point to the block we want to keep (the lower
* numbered block) and path point to the block we want to drop.
*/
memcpy(&state->altpath, &state->path, sizeof(state->path));
if (blkno < blk->blkno) {
error = xfs_da3_path_shift(state, &state->altpath, forward,
0, &retval);
} else {
error = xfs_da3_path_shift(state, &state->path, forward,
Reported by FlawFinder.
Line: 1541
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Move all the B-tree elements from drop_blk to save_blk.
*/
tmp = drop_hdr.count * (uint)sizeof(xfs_da_node_entry_t);
memcpy(&save_btree[sindex], &drop_btree[0], tmp);
save_hdr.count += drop_hdr.count;
xfs_da3_node_hdr_to_disk(dp->i_mount, save_node, &save_hdr);
xfs_trans_log_buf(tp, save_blk->bp,
XFS_DA_LOGRANGE(save_node, &save_node->hdr,
Reported by FlawFinder.
Line: 2308
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
* Copy the last block into the dead buffer and log it.
*/
memcpy(dead_buf->b_addr, last_buf->b_addr, args->geo->blksize);
xfs_trans_log_buf(tp, dead_buf, 0, args->geo->blksize - 1);
dead_info = dead_buf->b_addr;
/*
* Get values from the moved block.
*/
Reported by FlawFinder.
security/integrity/evm/evm_secfs.c
8 issues
Line: 159
Column: 3
CWE codes:
120
Suggestion:
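Use sprintf_s, snprintf, or vsnprintf. Note: sprintf_s is not available in kernel code; snprintf or scnprintf are the bounded forms there. The write in this excerpt is unbounded, but the buffer is sized by an earlier loop that sums strlen(xattr->name) + 1 over the enabled entries (see the Line 146 finding), so it fits only if both loops see the same list. The mutex_unlock(&xattr_list_mutex) calls suggest both run under one lock, which should be confirmed in the full function.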
if (!xattr->enabled)
continue;
sprintf(temp + offset, "%s\n", xattr->name);
offset += strlen(xattr->name) + 1;
}
mutex_unlock(&xattr_list_mutex);
rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
Reported by FlawFinder.
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t evm_read_key(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
{
char temp[80];
ssize_t rc;
if (*ppos != 0)
return 0;
Reported by FlawFinder.
Line: 48
Column: 2
CWE codes:
120
Suggestion:
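Use sprintf_s, snprintf, or vsnprintf. Note: the destination is char temp[80] and the format is a single "%d", which produces at most 11 characters plus the terminator, so this call stays in bounds. sprintf_s is not available in kernel code; snprintf or scnprintf with sizeof(temp) would make the bound explicit.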
if (*ppos != 0)
return 0;
sprintf(temp, "%d", (evm_initialized & ~EVM_SETUP_COMPLETE));
rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
return rc;
}
Reported by FlawFinder.
Line: 49
Column: 55
CWE codes:
126
return 0;
sprintf(temp, "%d", (evm_initialized & ~EVM_SETUP_COMPLETE));
rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
return rc;
}
/**
Reported by FlawFinder.
Line: 146
Column: 11
CWE codes:
126
if (!xattr->enabled)
continue;
size += strlen(xattr->name) + 1;
}
temp = kmalloc(size + 1, GFP_KERNEL);
if (!temp) {
mutex_unlock(&xattr_list_mutex);
Reported by FlawFinder.
Line: 160
Column: 13
CWE codes:
126
continue;
sprintf(temp + offset, "%s\n", xattr->name);
offset += strlen(xattr->name) + 1;
}
mutex_unlock(&xattr_list_mutex);
rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
Reported by FlawFinder.
Line: 164
Column: 55
CWE codes:
126
}
mutex_unlock(&xattr_list_mutex);
rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
kfree(temp);
return rc;
}
Reported by FlawFinder.
Line: 218
Column: 8
CWE codes:
126
}
/* Remove any trailing newline */
len = strlen(xattr->name);
if (len && xattr->name[len-1] == '\n')
xattr->name[len-1] = '\0';
audit_log_format(ab, "xattr=");
audit_log_untrustedstring(ab, xattr->name);
Reported by FlawFinder.
sound/soc/sof/debug.c
8 issues
Line: 509
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
dev_info(sdev->dev,
"Copying cached debugfs data\n");
memcpy(buf, dfse->cache_buf + pos, size);
}
#else
/* if the DSP is in D3 */
if (!pm_runtime_active(sdev->dev) &&
dfse->access_type == SOF_DEBUGFS_ACCESS_D0_ONLY) {
Reported by FlawFinder.
Line: 524
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy_fromio(buf, dfse->io_mem + pos, size);
#endif
} else {
memcpy(buf, ((u8 *)(dfse->buf) + pos), size);
}
/* copy to userspace */
size_ret = copy_to_user(buffer, buf + skip, count);
Reported by FlawFinder.
Line: 325
Column: 29
CWE codes:
126
min_response_time);
/* format output string */
snprintf(dfse->cache_buf + strlen(dfse->cache_buf),
IPC_FLOOD_TEST_RESULT_LEN - strlen(dfse->cache_buf),
"IPC Flood count: %d\nAvg response time: %lluns\n",
i, avg_response_time);
snprintf(dfse->cache_buf + strlen(dfse->cache_buf),
Reported by FlawFinder.
Line: 326
Column: 32
CWE codes:
126
/* format output string */
snprintf(dfse->cache_buf + strlen(dfse->cache_buf),
IPC_FLOOD_TEST_RESULT_LEN - strlen(dfse->cache_buf),
"IPC Flood count: %d\nAvg response time: %lluns\n",
i, avg_response_time);
snprintf(dfse->cache_buf + strlen(dfse->cache_buf),
IPC_FLOOD_TEST_RESULT_LEN - strlen(dfse->cache_buf),
Reported by FlawFinder.
Line: 330
Column: 29
CWE codes:
126
"IPC Flood count: %d\nAvg response time: %lluns\n",
i, avg_response_time);
snprintf(dfse->cache_buf + strlen(dfse->cache_buf),
IPC_FLOOD_TEST_RESULT_LEN - strlen(dfse->cache_buf),
"Max response time: %lluns\nMin response time: %lluns\n",
max_response_time, min_response_time);
return ret;
Reported by FlawFinder.
Line: 331
Column: 32
CWE codes:
126
i, avg_response_time);
snprintf(dfse->cache_buf + strlen(dfse->cache_buf),
IPC_FLOOD_TEST_RESULT_LEN - strlen(dfse->cache_buf),
"Max response time: %lluns\nMin response time: %lluns\n",
max_response_time, min_response_time);
return ret;
}
Reported by FlawFinder.
Line: 458
Column: 11
CWE codes:
126
if (*ppos)
return 0;
count = strlen(dfse->cache_buf);
size_ret = copy_to_user(buffer, dfse->cache_buf, count);
if (size_ret)
return -EFAULT;
*ppos += count;
Reported by FlawFinder.
Line: 611
Column: 34
CWE codes:
126
dfse->sdev = sdev;
#if IS_ENABLED(CONFIG_SND_SOC_SOF_DEBUG_IPC_FLOOD_TEST)
if (!strncmp(name, "ipc_flood", strlen("ipc_flood"))) {
/*
* cache_buf is unused for SOF_DFSENTRY_TYPE_BUF debugfs entries.
* So, use it to save the results of the last IPC flood test.
*/
dfse->cache_buf = devm_kzalloc(sdev->dev, IPC_FLOOD_TEST_RESULT_LEN,
Reported by FlawFinder.
sound/soc/soc-topology-test.c
8 issues
Line: 407
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = kunit_kzalloc(kunit_comp->kunit, size, GFP_KERNEL);
KUNIT_EXPECT_NOT_ERR_OR_NULL(kunit_comp->kunit, data);
memcpy(data, &tplg_tmpl_empty, sizeof(tplg_tmpl_empty));
kunit_comp->fw.data = (u8 *)data;
kunit_comp->fw.size = size;
kunit_comp->card.dev = test_dev,
Reported by FlawFinder.
Line: 458
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = kunit_kzalloc(kunit_comp->kunit, size, GFP_KERNEL);
KUNIT_EXPECT_NOT_ERR_OR_NULL(kunit_comp->kunit, data);
memcpy(data, &tplg_tmpl_empty, sizeof(tplg_tmpl_empty));
/*
* override abi
* any value != magic number is wrong
*/
data->header.magic = cpu_to_le32(SND_SOC_TPLG_MAGIC + 1);
Reported by FlawFinder.
Line: 514
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = kunit_kzalloc(kunit_comp->kunit, size, GFP_KERNEL);
KUNIT_EXPECT_NOT_ERR_OR_NULL(kunit_comp->kunit, data);
memcpy(data, &tplg_tmpl_empty, sizeof(tplg_tmpl_empty));
/*
* override abi
* any value != accepted range is wrong
*/
data->header.abi = cpu_to_le32(SND_SOC_TPLG_ABI_VERSION + 1);
Reported by FlawFinder.
Line: 570
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = kunit_kzalloc(kunit_comp->kunit, size, GFP_KERNEL);
KUNIT_EXPECT_NOT_ERR_OR_NULL(kunit_comp->kunit, data);
memcpy(data, &tplg_tmpl_empty, sizeof(tplg_tmpl_empty));
/*
* override size
* any value != struct size is wrong
*/
data->header.size = cpu_to_le32(sizeof(struct snd_soc_tplg_hdr) + 1);
Reported by FlawFinder.
Line: 626
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = kunit_kzalloc(kunit_comp->kunit, size, GFP_KERNEL);
KUNIT_EXPECT_NOT_ERR_OR_NULL(kunit_comp->kunit, data);
memcpy(data, &tplg_tmpl_empty, sizeof(tplg_tmpl_empty));
/*
* override payload size
* there is only explicit check for 0, so check with it, other values
* are handled by just not reading behind EOF
*/
Reported by FlawFinder.
Line: 681
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = kunit_kzalloc(kunit_comp->kunit, size, GFP_KERNEL);
KUNIT_EXPECT_NOT_ERR_OR_NULL(kunit_comp->kunit, data);
memcpy(data, &tplg_tmpl_with_pcm, sizeof(tplg_tmpl_with_pcm));
kunit_comp->fw.data = data;
kunit_comp->fw.size = size;
kunit_comp->card.dev = test_dev,
Reported by FlawFinder.
Line: 732
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = kunit_kzalloc(kunit_comp->kunit, size, GFP_KERNEL);
KUNIT_EXPECT_NOT_ERR_OR_NULL(kunit_comp->kunit, data);
memcpy(data, &tplg_tmpl_with_pcm, sizeof(tplg_tmpl_with_pcm));
kunit_comp->fw.data = data;
kunit_comp->fw.size = size;
kunit_comp->card.dev = test_dev,
Reported by FlawFinder.
Line: 785
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = kunit_kzalloc(kunit_comp->kunit, size, GFP_KERNEL);
KUNIT_EXPECT_NOT_ERR_OR_NULL(kunit_comp->kunit, data);
memcpy(data, &tplg_tmpl_with_pcm, sizeof(tplg_tmpl_with_pcm));
kunit_comp->fw.data = data;
kunit_comp->fw.size = size;
kunit_comp->card.dev = test_dev,
Reported by FlawFinder.
sound/soc/soc-core.c
8 issues
Line: 75
Column: 9
CWE codes:
120
Suggestion:
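Use sprintf_s, snprintf, or vsnprintf. Note: the pmdown_time_store handler that follows suggests this is a sysfs show callback. For those, the kernel's sysfs_emit() bounds the write to the page-sized sysfs buffer and is the usual replacement for sprintf.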
{
struct snd_soc_pcm_runtime *rtd = dev_get_drvdata(dev);
return sprintf(buf, "%ld\n", rtd->pmdown_time);
}
static ssize_t pmdown_time_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 3057
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *prefix)
{
int ret, i;
char prop[128];
unsigned int format = 0;
int bit, frame;
const char *str;
struct {
char *name;
Reported by FlawFinder.
Line: 3143
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_node **bitclkmaster,
struct device_node **framemaster)
{
char prop[128];
unsigned int bit, frame;
if (!prefix)
prefix = "";
Reported by FlawFinder.
Line: 1680
Column: 8
CWE codes:
126
size_t dst_len = sizeof(card->dmi_longname);
size_t len;
len = strlen(dst);
snprintf(dst + len, dst_len - len, "-%s", str);
len++; /* skip the separator "-" */
if (len < dst_len)
cleanup_dmi_name(dst + len);
Reported by FlawFinder.
Line: 2386
Column: 21
CWE codes:
126
found = strstr(name, dev->driver->name);
if (found) {
/* get ID */
if (sscanf(&found[strlen(dev->driver->name)], ".%d", id) == 1) {
/* discard ID from name if ID == -1 */
if (*id == -1)
found[strlen(dev->driver->name)] = '\0';
}
Reported by FlawFinder.
Line: 2390
Column: 11
CWE codes:
126
/* discard ID from name if ID == -1 */
if (*id == -1)
found[strlen(dev->driver->name)] = '\0';
}
/* I2C component devices are named "bus-addr" */
} else if (sscanf(name, "%x-%x", &id1, &id2) == 2) {
Reported by FlawFinder.
Line: 2640
Column: 55
CWE codes:
120
20
goto err_cleanup;
}
if (!component->driver->write && !component->driver->read) {
if (!component->regmap)
component->regmap = dev_get_regmap(component->dev,
NULL);
if (component->regmap)
snd_soc_component_setup_regmap(component);
Reported by FlawFinder.
Line: 2818
Column: 10
CWE codes:
126
for (j = 0; j < ARRAY_SIZE(simple_widgets); j++) {
if (!strncmp(template, simple_widgets[j].name,
strlen(simple_widgets[j].name))) {
widgets[i] = simple_widgets[j];
break;
}
}
Reported by FlawFinder.
sound/soc/fsl/fsl_xcvr.c
8 issues
Line: 179
Column: 26
CWE codes:
362/367!
Suggestion:
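Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Note: this rule targets the access() system call, where the file can change between the check and the later open. The token flagged here is the struct member kctl->vd[0].access, a bit mask tested against SNDRV_CTL_ELEM_ACCESS_WRITE, so no file check is involved and the suggestion does not apply. The same holds for the Line 184 and Line 186 findings in this file.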
if (kctl == NULL)
return -ENOENT;
enabled = ((kctl->vd[0].access & SNDRV_CTL_ELEM_ACCESS_WRITE) != 0);
if (active == enabled)
return 0; /* nothing to do */
if (active)
kctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_WRITE;
Reported by FlawFinder.
Line: 184
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return 0; /* nothing to do */
if (active)
kctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_WRITE;
else
kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_WRITE;
snd_ctl_notify(card->snd_card, SNDRV_CTL_EVENT_MASK_INFO, &kctl->id);
Reported by FlawFinder.
Line: 186
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (active)
kctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_WRITE;
else
kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_WRITE;
snd_ctl_notify(card->snd_card, SNDRV_CTL_EVENT_MASK_INFO, &kctl->id);
return 1;
}
Reported by FlawFinder.
Line: 143
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct snd_soc_dai *dai = snd_kcontrol_chip(kcontrol);
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
memcpy(ucontrol->value.bytes.data, xcvr->cap_ds, FSL_XCVR_CAPDS_SIZE);
return 0;
}
static int fsl_xcvr_capds_put(struct snd_kcontrol *kcontrol,
Reported by FlawFinder.
Line: 154
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct snd_soc_dai *dai = snd_kcontrol_chip(kcontrol);
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
memcpy(xcvr->cap_ds, ucontrol->value.bytes.data, FSL_XCVR_CAPDS_SIZE);
return 0;
}
static struct snd_kcontrol_new fsl_xcvr_earc_capds_kctl = {
Reported by FlawFinder.
Line: 793
Column: 2
CWE codes:
120
Suggestion:
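Make sure destination can always hold the source data. Note: the length in this call is the bare literal 24. Whether it matches both status arrays cannot be checked from this excerpt; writing the length as sizeof of the destination field would tie it to the declaration.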
struct snd_soc_dai *dai = snd_kcontrol_chip(kcontrol);
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
memcpy(ucontrol->value.iec958.status, xcvr->rx_iec958.status, 24);
return 0;
}
static int fsl_xcvr_tx_cs_get(struct snd_kcontrol *kcontrol,
Reported by FlawFinder.
Line: 804
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct snd_soc_dai *dai = snd_kcontrol_chip(kcontrol);
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
memcpy(ucontrol->value.iec958.status, xcvr->tx_iec958.status, 24);
return 0;
}
static int fsl_xcvr_tx_cs_put(struct snd_kcontrol *kcontrol,
Reported by FlawFinder.
Line: 815
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct snd_soc_dai *dai = snd_kcontrol_chip(kcontrol);
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
memcpy(xcvr->tx_iec958.status, ucontrol->value.iec958.status, 24);
return 0;
}
static struct snd_kcontrol_new fsl_xcvr_rx_ctls[] = {
Reported by FlawFinder.
sound/soc/fsl/fsl_spdif.c
8 issues
Line: 77
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
spinlock_t ctl_lock;
/* IEC958 channel tx status bit */
unsigned char ch_status[4];
/* User bits */
unsigned char subcode[2 * SPDIF_UBITS_SIZE];
/* Q subcode part of user bits */
Reported by FlawFinder.
Line: 80
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char ch_status[4];
/* User bits */
unsigned char subcode[2 * SPDIF_UBITS_SIZE];
/* Q subcode part of user bits */
unsigned char qsub[2 * SPDIF_QSUB_SIZE];
/* Buffer offset for U/Q */
Reported by FlawFinder.
Line: 83
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char subcode[2 * SPDIF_UBITS_SIZE];
/* Q subcode part of user bits */
unsigned char qsub[2 * SPDIF_QSUB_SIZE];
/* Buffer offset for U/Q */
u32 upos;
u32 qpos;
Reported by FlawFinder.
Line: 779
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&ctrl->ctl_lock, flags);
if (ctrl->ready_buf) {
int idx = (ctrl->ready_buf - 1) * SPDIF_UBITS_SIZE;
memcpy(&ucontrol->value.iec958.subcode[0],
&ctrl->subcode[idx], SPDIF_UBITS_SIZE);
ret = 0;
}
spin_unlock_irqrestore(&ctrl->ctl_lock, flags);
Reported by FlawFinder.
Line: 811
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&ctrl->ctl_lock, flags);
if (ctrl->ready_buf) {
int idx = (ctrl->ready_buf - 1) * SPDIF_QSUB_SIZE;
memcpy(&ucontrol->value.bytes.data[0],
&ctrl->qsub[idx], SPDIF_QSUB_SIZE);
ret = 0;
}
spin_unlock_irqrestore(&ctrl->ctl_lock, flags);
Reported by FlawFinder.
Line: 1295
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device *dev = &pdev->dev;
u64 savesub = 100000, ret;
struct clk *clk;
char tmp[16];
int i;
for (i = 0; i < STC_TXCLK_SRC_MAX; i++) {
sprintf(tmp, "rxtx%d", i);
clk = devm_clk_get(dev, tmp);
Reported by FlawFinder.
Line: 1299
Column: 3
CWE codes:
120
Suggestion:
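Use sprintf_s, snprintf, or vsnprintf. Note: tmp is declared as char tmp[16] and the output is "rxtx" followed by a decimal int, at most 15 characters plus the terminator, so the call stays in bounds. snprintf(tmp, sizeof(tmp), ...) would keep that true if the format string is changed later.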
int i;
for (i = 0; i < STC_TXCLK_SRC_MAX; i++) {
sprintf(tmp, "rxtx%d", i);
clk = devm_clk_get(dev, tmp);
if (IS_ERR(clk)) {
dev_err(dev, "no rxtx%d clock in devicetree\n", i);
return PTR_ERR(clk);
}
Reported by FlawFinder.
Line: 1352
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spdif_priv->soc = of_device_get_match_data(&pdev->dev);
/* Initialize this copy of the CPU DAI driver structure */
memcpy(&spdif_priv->cpu_dai_drv, &fsl_spdif_dai, sizeof(fsl_spdif_dai));
spdif_priv->cpu_dai_drv.name = dev_name(&pdev->dev);
spdif_priv->cpu_dai_drv.playback.formats =
spdif_priv->soc->tx_formats;
/* Get the addresses and IRQ */
Reported by FlawFinder.
sound/soc/codecs/cros_ec_codec.c
8 issues
Line: 91
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->insize = insize;
if (outsize)
memcpy(msg->data, out, outsize);
ret = cros_ec_cmd_xfer_status(ec_dev, msg);
if (ret < 0)
goto error;
Reported by FlawFinder.
Line: 98
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
if (in && insize)
memcpy(in, msg->data, insize);
ret = 0;
error:
kfree(msg);
return ret;
Reported by FlawFinder.
Line: 484
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
req = min(req, sizeof(priv->wov_buf) - priv->wov_rp);
memcpy(runtime->dma_area + priv->wov_dma_offset,
priv->wov_buf + priv->wov_rp, req);
priv->wov_dma_offset += req;
if (priv->wov_dma_offset == runtime->dma_bytes)
priv->wov_dma_offset = 0;
Reported by FlawFinder.
Line: 537
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy_fromio(priv->wov_buf + priv->wov_wp,
(void __force __iomem *)addr, req);
else
memcpy(priv->wov_buf + priv->wov_wp, addr, req);
priv->wov_wp += req;
if (priv->wov_wp == sizeof(priv->wov_buf))
priv->wov_wp = 0;
Reported by FlawFinder.
Line: 690
Column: 3
CWE codes:
120
Suggestion:
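Make sure destination can always hold the source data. Note: the excerpt does not show size being compared with priv->wov_lang_shm_len before the copy. That check needs to exist ahead of this point, because the memset length priv->wov_lang_shm_len - size would be wrong as well if size were the larger value.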
0, priv->wov_lang_shm_len - size);
break;
case EC_CODEC_SHM_TYPE_SYSTEM_RAM:
memcpy(priv->wov_lang_shm_p, buf, size);
memset(priv->wov_lang_shm_p + size, 0,
priv->wov_lang_shm_len - size);
/* make sure write to memory before calling host command */
wmb();
Reported by FlawFinder.
Line: 700
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
p.cmd = EC_CODEC_WOV_SET_LANG_SHM;
memcpy(pp->hash, digest, SHA256_DIGEST_SIZE);
pp->total_len = size;
ret = send_ec_host_command(priv->ec_device, EC_CMD_EC_CODEC_WOV,
(uint8_t *)&p, sizeof(p), NULL, 0);
if (ret) {
dev_err(priv->dev, "failed to EC_CODEC_WOV_SET_LANG_SHM\n");
Reported by FlawFinder.
Line: 724
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req = min(size - i, ARRAY_SIZE(pp->buf));
p.cmd = EC_CODEC_WOV_SET_LANG;
memcpy(pp->hash, digest, SHA256_DIGEST_SIZE);
pp->total_len = size;
pp->offset = i;
memcpy(pp->buf, buf + i, req);
pp->len = req;
ret = send_ec_host_command(priv->ec_device, EC_CMD_EC_CODEC_WOV,
Reported by FlawFinder.
Line: 727
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pp->hash, digest, SHA256_DIGEST_SIZE);
pp->total_len = size;
pp->offset = i;
memcpy(pp->buf, buf + i, req);
pp->len = req;
ret = send_ec_host_command(priv->ec_device, EC_CMD_EC_CODEC_WOV,
(uint8_t *)&p, sizeof(p), NULL, 0);
if (ret) {
dev_err(priv->dev, "failed to EC_CODEC_WOV_SET_LANG\n");
Reported by FlawFinder.
sound/ppc/snd_ps3.c
8 issues
Line: 487
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 1;
}
memcpy(avs.avs_cs_info, ps3av_mode_cs_info, 8);
if (memcmp(&card->avs, &avs, sizeof(avs))) {
pr_debug("%s: after freq=%d width=%d\n", __func__,
card->avs.avs_audio_rate, card->avs.avs_audio_width);
Reported by FlawFinder.
Line: 704
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int snd_ps3_spdif_default_get(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
memcpy(ucontrol->value.iec958.status, ps3av_mode_cs_info, 8);
return 0;
}
static int snd_ps3_spdif_default_put(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
Reported by FlawFinder.
Line: 712
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct snd_ctl_elem_value *ucontrol)
{
if (memcmp(ps3av_mode_cs_info, ucontrol->value.iec958.status, 8)) {
memcpy(ps3av_mode_cs_info, ucontrol->value.iec958.status, 8);
return 1;
}
return 0;
}
Reported by FlawFinder.
Line: 880
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
card->avs.avs_audio_width = PS3AV_CMD_AUDIO_WORD_BITS_16;
card->avs.avs_audio_format = PS3AV_CMD_AUDIO_FORMAT_PCM;
card->avs.avs_audio_source = PS3AV_CMD_AUDIO_SOURCE_SERIAL;
memcpy(card->avs.avs_cs_info, ps3av_mode_cs_info, 8);
ret = snd_ps3_change_avsetting(card);
snd_ps3_audio_fixup(card);
Reported by FlawFinder.
Line: 954
Column: 2
CWE codes:
120
Suggestion:
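Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Note: strcpy_s is not available in kernel code, where strscpy is the bounded copy. The sources in the flagged calls are short string literals, so whether they fit depends only on the size of each destination field, which this excerpt does not show.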
if (ret < 0)
goto clean_irq;
strcpy(the_card.card->driver, "PS3");
strcpy(the_card.card->shortname, "PS3");
strcpy(the_card.card->longname, "PS3 sound");
/* create control elements */
for (i = 0; i < ARRAY_SIZE(spdif_ctls); i++) {
Reported by FlawFinder.
Line: 955
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
goto clean_irq;
strcpy(the_card.card->driver, "PS3");
strcpy(the_card.card->shortname, "PS3");
strcpy(the_card.card->longname, "PS3 sound");
/* create control elements */
for (i = 0; i < ARRAY_SIZE(spdif_ctls); i++) {
ret = snd_ctl_add(the_card.card,
Reported by FlawFinder.
Line: 956
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(the_card.card->driver, "PS3");
strcpy(the_card.card->shortname, "PS3");
strcpy(the_card.card->longname, "PS3 sound");
/* create control elements */
for (i = 0; i < ARRAY_SIZE(spdif_ctls); i++) {
ret = snd_ctl_add(the_card.card,
snd_ctl_new1(&spdif_ctls[i], &the_card));
Reported by FlawFinder.
Line: 978
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
goto clean_card;
the_card.pcm->private_data = &the_card;
strcpy(the_card.pcm->name, "SPDIF");
/* set pcm ops */
snd_pcm_set_ops(the_card.pcm, SNDRV_PCM_STREAM_PLAYBACK,
&snd_ps3_pcm_spdif_ops);
Reported by FlawFinder.