The following issues were found
drivers/hwmon/pmbus/pmbus_core.c
7 issues
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pmbus_sensor {
struct pmbus_sensor *next;
char name[PMBUS_NAME_SIZE]; /* sysfs sensor name */
struct device_attribute attribute;
u8 page; /* page number */
u8 phase; /* phase number, 0xff for all phases */
u16 reg; /* register */
enum pmbus_sensor_classes class; /* sensor class */
Reported by FlawFinder.
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
container_of(_attr, struct pmbus_sensor, attribute)
struct pmbus_boolean {
char name[PMBUS_NAME_SIZE]; /* sysfs boolean name */
struct sensor_device_attribute attribute;
struct pmbus_sensor *s1;
struct pmbus_sensor *s2;
};
#define to_pmbus_boolean(_attr) \
Reported by FlawFinder.
Line: 57
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
container_of(_attr, struct pmbus_boolean, attribute)
struct pmbus_label {
char name[PMBUS_NAME_SIZE]; /* sysfs label name */
struct device_attribute attribute;
char label[PMBUS_NAME_SIZE]; /* label */
};
#define to_pmbus_label(_attr) \
container_of(_attr, struct pmbus_label, attribute)
Reported by FlawFinder.
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pmbus_label {
char name[PMBUS_NAME_SIZE]; /* sysfs label name */
struct device_attribute attribute;
char label[PMBUS_NAME_SIZE]; /* label */
};
#define to_pmbus_label(_attr) \
container_of(_attr, struct pmbus_label, attribute)
/* Macros for converting between sensor index and register/page/status mask */
Reported by FlawFinder.
Line: 2545
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pmbus_data *data)
{
int i, idx = 0;
char name[PMBUS_NAME_SIZE];
struct pmbus_debugfs_entry *entries;
if (!pmbus_debugfs_dir)
return -ENODEV;
Reported by FlawFinder.
Line: 2750
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
strreplace(name, '-', '_');
data->groups[0] = &data->group;
memcpy(data->groups + 1, info->groups, sizeof(void *) * groups_num);
data->hwmon_dev = devm_hwmon_device_register_with_groups(dev,
name, data, data->groups);
if (IS_ERR(data->hwmon_dev)) {
dev_err(dev, "Failed to register hwmon device\n");
return PTR_ERR(data->hwmon_dev);
Reported by FlawFinder.
Line: 1143
Column: 4
CWE codes:
120
snprintf(label->name, sizeof(label->name), "%s%d_label", name, seq);
if (!index) {
if (phase == 0xff)
strncpy(label->label, lstring,
sizeof(label->label) - 1);
else
snprintf(label->label, sizeof(label->label), "%s.%d",
lstring, phase);
} else {
Reported by FlawFinder.
drivers/hwmon/ftsteutates.c
7 issues
Line: 356
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err < 0)
return err;
return sprintf(buf, "%u\n", data->volt[index]);
}
static ssize_t temp_value_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 370
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err < 0)
return err;
return sprintf(buf, "%u\n", data->temp_input[index]);
}
static ssize_t temp_fault_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 385
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return err;
/* 00h Temperature = Sensor Error */
return sprintf(buf, "%d\n", data->temp_input[index] == 0);
}
static ssize_t temp_alarm_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 399
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err < 0)
return err;
return sprintf(buf, "%u\n", !!(data->temp_alarm & BIT(index)));
}
static ssize_t
temp_alarm_store(struct device *dev, struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 445
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err < 0)
return err;
return sprintf(buf, "%u\n", data->fan_input[index]);
}
static ssize_t fan_source_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 459
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err < 0)
return err;
return sprintf(buf, "%u\n", data->fan_source[index]);
}
static ssize_t fan_alarm_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 473
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err < 0)
return err;
return sprintf(buf, "%d\n", !!(data->fan_alarm & BIT(index)));
}
static ssize_t
fan_alarm_store(struct device *dev, struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/input/mouse/elantech.c
7 issues
Line: 140
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *val)
{
struct elantech_data *etd = psmouse->private;
unsigned char param[3];
int rc = 0;
if (reg < 0x07 || reg > 0x26)
return -1;
Reported by FlawFinder.
Line: 1095
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int *y_res,
unsigned int *bus)
{
unsigned char param[3];
if (elantech_send_cmd(psmouse, ETP_RESOLUTION_QUERY, param))
return -1;
*x_res = elantech_convert_res(param[1] & 0x0f);
Reported by FlawFinder.
Line: 1268
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (attr->reg)
rc = elantech_read_reg(psmouse, attr->reg, reg);
return sprintf(buf, "0x%02x\n", (attr->reg && rc) ? -1 : *reg);
}
/*
* Write a register value by writing a sysfs entry
*/
Reported by FlawFinder.
Line: 1391
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int elantech_detect(struct psmouse *psmouse, bool set_properties)
{
struct ps2dev *ps2dev = &psmouse->ps2dev;
unsigned char param[3];
ps2_command(ps2dev, NULL, PSMOUSE_CMD_RESET_DIS);
if (ps2_command(ps2dev, NULL, PSMOUSE_CMD_DISABLE) ||
ps2_command(ps2dev, NULL, PSMOUSE_CMD_SETSCALE11) ||
Reported by FlawFinder.
Line: 1578
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int elantech_change_report_id(struct psmouse *psmouse)
{
unsigned char param[2] = { 0x10, 0x03 };
if (elantech_write_reg_params(psmouse, 0x7, param) ||
elantech_read_reg_params(psmouse, 0x7, param) ||
param[0] != 0x10 || param[1] != 0x03) {
psmouse_err(psmouse, "Unable to change report ID to 0x5f.\n");
Reported by FlawFinder.
Line: 1661
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int elantech_query_info(struct psmouse *psmouse,
struct elantech_device_info *info)
{
unsigned char param[3];
unsigned char traces;
unsigned char ic_body[3];
memset(info, 0, sizeof(*info));
Reported by FlawFinder.
Line: 1663
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned char param[3];
unsigned char traces;
unsigned char ic_body[3];
memset(info, 0, sizeof(*info));
/*
* Do the version query again so we can store the result
Reported by FlawFinder.
drivers/infiniband/ulp/isert/ib_isert.c
7 issues
Line: 923
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__isert_create_send_desc(device, tx_desc);
memcpy(&tx_desc->iscsi_header, &login->rsp[0],
sizeof(struct iscsi_hdr));
isert_init_tx_hdrs(isert_conn, tx_desc);
if (length > 0) {
Reported by FlawFinder.
Line: 934
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ib_dma_sync_single_for_cpu(ib_dev, isert_conn->login_rsp_dma,
length, DMA_TO_DEVICE);
memcpy(isert_conn->login_rsp_buf, login->rsp_buf, length);
ib_dma_sync_single_for_device(ib_dev, isert_conn->login_rsp_dma,
length, DMA_TO_DEVICE);
tx_dsg->addr = isert_conn->login_rsp_dma;
Reported by FlawFinder.
Line: 1000
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
>> 2;
login->version_min = login_req->min_version;
login->version_max = login_req->max_version;
memcpy(login->isid, login_req->isid, 6);
login->cmd_sn = be32_to_cpu(login_req->cmdsn);
login->init_task_tag = login_req->itt;
login->initial_exp_statsn = be32_to_cpu(login_req->exp_statsn);
login->cid = be16_to_cpu(login_req->cid);
login->tsih = be16_to_cpu(login_req->tsih);
Reported by FlawFinder.
Line: 1008
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
login->tsih = be16_to_cpu(login_req->tsih);
}
memcpy(&login->req[0], isert_get_iscsi_hdr(rx_desc), ISCSI_HDR_LEN);
size = min(rx_buflen, MAX_KEY_VALUE_PAIRS);
isert_dbg("Using login payload size: %d, rx_buflen: %d "
"MAX_KEY_VALUE_PAIRS: %d\n", size, rx_buflen,
MAX_KEY_VALUE_PAIRS);
Reported by FlawFinder.
Line: 1014
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
isert_dbg("Using login payload size: %d, rx_buflen: %d "
"MAX_KEY_VALUE_PAIRS: %d\n", size, rx_buflen,
MAX_KEY_VALUE_PAIRS);
memcpy(login->req_buf, isert_get_data(rx_desc), size);
if (login->first_request) {
complete(&isert_conn->login_comp);
return;
}
Reported by FlawFinder.
Line: 1212
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
cmd->text_in_ptr = text_in;
memcpy(cmd->text_in_ptr, isert_get_data(rx_desc), payload_length);
return iscsit_process_text_cmd(conn, cmd, hdr);
}
static int
Reported by FlawFinder.
Line: 2285
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Setup the np->np_sockaddr from the passed sockaddr setup
* in iscsi_target_configfs.c code..
*/
memcpy(&np->np_sockaddr, ksockaddr,
sizeof(struct sockaddr_storage));
isert_lid = isert_setup_id(isert_np);
if (IS_ERR(isert_lid)) {
ret = PTR_ERR(isert_lid);
Reported by FlawFinder.
drivers/iommu/intel/dmar.c
7 issues
Line: 922
{
int ret;
struct dmar_res_callback validate_drhd_cb = {
.cb[ACPI_DMAR_TYPE_HARDWARE_UNIT] = &dmar_validate_one_drhd,
.ignore_unhandled = true,
};
down_write(&dmar_global_lock);
ret = dmar_table_detect();
Reported by Cppcheck.
Line: 122
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
/* Optimize out kzalloc()/kfree() for normal cases */
static char dmar_pci_notify_info_buf[64];
static struct dmar_pci_notify_info *
dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event)
{
int level = 0;
Reported by FlawFinder.
Line: 432
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* copy the content because the memory buffer will be freed on return.
*/
dmaru->hdr = (void *)(dmaru + 1);
memcpy(dmaru->hdr, header, header->length);
dmaru->reg_base_addr = drhd->address;
dmaru->segment = drhd->segment;
dmaru->include_all = drhd->flags & 0x1; /* BIT0: INCLUDE_ALL */
dmaru->devices = dmar_alloc_dev_scope((void *)(drhd + 1),
((void *)drhd) + drhd->header.length,
Reported by FlawFinder.
Line: 1040
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
iommu->seq_id = -1;
} else {
set_bit(iommu->seq_id, dmar_seq_ids);
sprintf(iommu->name, "dmar%d", iommu->seq_id);
}
return iommu->seq_id;
}
Reported by FlawFinder.
Line: 1295
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* used by software as private data. We won't print
* out these two qw's for security consideration.
*/
memcpy(desc, qi->desc + (wait_index << shift),
1 << shift);
writel(DMA_FSTS_IQE, iommu->reg + DMAR_FSTS_REG);
pr_info("Invalidation Queue Error (IQE) cleared\n");
return -EINVAL;
}
Reported by FlawFinder.
Line: 1394
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < count; i++) {
offset = ((index + i) % QI_LENGTH) << shift;
memcpy(qi->desc + offset, &desc[i], 1 << shift);
qi->desc_status[(index + i) % QI_LENGTH] = QI_IN_USE;
trace_qi_submit(iommu, desc[i].qw0, desc[i].qw1,
desc[i].qw2, desc[i].qw3);
}
qi->desc_status[wait_index] = QI_IN_USE;
Reported by FlawFinder.
Line: 1410
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wait_desc.qw3 = 0;
offset = wait_index << shift;
memcpy(qi->desc + offset, &wait_desc, 1 << shift);
qi->free_head = (qi->free_head + count + 1) % QI_LENGTH;
qi->free_cnt -= count + 1;
/*
Reported by FlawFinder.
drivers/input/misc/adxl34x.c
7 issues
Line: 198
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct axis_triple swcal;
struct axis_triple hwcal;
struct axis_triple saved;
char phys[32];
unsigned orient2d_saved;
unsigned orient3d_saved;
bool disabled; /* P: mutex */
bool opened; /* P: mutex */
bool suspended; /* P: mutex */
Reported by FlawFinder.
Line: 446
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct adxl34x *ac = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", ac->disabled);
}
static ssize_t adxl34x_disable_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 489
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t count;
mutex_lock(&ac->mutex);
count = sprintf(buf, "%d,%d,%d\n",
ac->hwcal.x * 4 + ac->swcal.x,
ac->hwcal.y * 4 + ac->swcal.y,
ac->hwcal.z * 4 + ac->swcal.z);
mutex_unlock(&ac->mutex);
Reported by FlawFinder.
Line: 535
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct adxl34x *ac = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", RATE(ac->pdata.data_rate));
}
static ssize_t adxl34x_rate_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 569
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct adxl34x *ac = dev_get_drvdata(dev);
return sprintf(buf, "%u\n",
ac->pdata.power_mode & (PCTL_AUTO_SLEEP | PCTL_LINK) ? 1 : 0);
}
static ssize_t adxl34x_autosleep_store(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 610
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t count;
mutex_lock(&ac->mutex);
count = sprintf(buf, "(%d, %d, %d)\n",
ac->saved.x, ac->saved.y, ac->saved.z);
mutex_unlock(&ac->mutex);
return count;
}
Reported by FlawFinder.
Line: 181
Column: 39
CWE codes:
120
20
#define ADXL_Y_AXIS 1
#define ADXL_Z_AXIS 2
#define AC_READ(ac, reg) ((ac)->bops->read((ac)->dev, reg))
#define AC_WRITE(ac, reg, val) ((ac)->bops->write((ac)->dev, reg, val))
struct axis_triple {
int x;
int y;
Reported by FlawFinder.
drivers/input/evdev.c
7 issues
Line: 29
Column: 6
CWE codes:
362
#include "input-compat.h"
struct evdev {
int open;
struct input_handle handle;
struct evdev_client __rcu *grab;
struct list_head client_list;
spinlock_t client_lock; /* protects client_list */
struct mutex mutex;
Reported by FlawFinder.
Line: 413
Column: 32
CWE codes:
362
{
mutex_lock(&evdev->mutex);
if (evdev->exist && !--evdev->open)
input_close_device(&evdev->handle);
mutex_unlock(&evdev->mutex);
}
Reported by FlawFinder.
Line: 1327
Column: 13
CWE codes:
362
evdev_hangup(evdev);
/* evdev is marked dead so no one else accesses evdev->open */
if (evdev->open) {
input_flush_device(handle, NULL);
input_close_device(handle);
}
}
Reported by FlawFinder.
Line: 588
Column: 37
CWE codes:
120
20
while (read + input_event_size() <= count &&
evdev_fetch_next_event(client, &event)) {
if (input_event_to_user(buffer + read, &event))
return -EFAULT;
read += input_event_size();
}
Reported by FlawFinder.
Line: 594
Column: 7
CWE codes:
120
20
read += input_event_size();
}
if (read)
break;
if (!(file->f_flags & O_NONBLOCK)) {
error = wait_event_interruptible(client->wait,
client->packet_head != client->tail ||
Reported by FlawFinder.
Line: 771
Column: 8
CWE codes:
126
if (!str)
return -ENOENT;
len = strlen(str) + 1;
if (len > maxlen)
len = maxlen;
return copy_to_user(p, str, len) ? -EFAULT : len;
}
Reported by FlawFinder.
drivers/iio/pressure/mpl115.c
7 issues
Line: 57
Column: 19
CWE codes:
120
20
if (ret < 0)
goto done;
ret = data->ops->read(data->dev, MPL115_PADC);
if (ret < 0)
goto done;
padc = ret >> 6;
ret = data->ops->read(data->dev, MPL115_TADC);
Reported by FlawFinder.
Line: 171
Column: 19
CWE codes:
120
20
if (ret)
return ret;
ret = data->ops->read(data->dev, MPL115_A0);
if (ret < 0)
return ret;
data->a0 = ret;
ret = data->ops->read(data->dev, MPL115_B1);
if (ret < 0)
Reported by FlawFinder.
Line: 175
Column: 19
CWE codes:
120
20
if (ret < 0)
return ret;
data->a0 = ret;
ret = data->ops->read(data->dev, MPL115_B1);
if (ret < 0)
return ret;
data->b1 = ret;
ret = data->ops->read(data->dev, MPL115_B2);
if (ret < 0)
Reported by FlawFinder.
Line: 179
Column: 19
CWE codes:
120
20
if (ret < 0)
return ret;
data->b1 = ret;
ret = data->ops->read(data->dev, MPL115_B2);
if (ret < 0)
return ret;
data->b2 = ret;
ret = data->ops->read(data->dev, MPL115_C12);
if (ret < 0)
Reported by FlawFinder.
Line: 183
Column: 19
CWE codes:
120
20
if (ret < 0)
return ret;
data->b2 = ret;
ret = data->ops->read(data->dev, MPL115_C12);
if (ret < 0)
return ret;
data->c12 = ret;
return devm_iio_device_register(dev, indio_dev);
Reported by FlawFinder.
drivers/isdn/capi/capiutil.c
7 issues
Line: 394
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
return NULL;
va_start(f, fmt);
r = cdb->size - cdb->pos;
n = vsnprintf(cdb->p, r, fmt, f);
va_end(f);
if (n >= r) {
/* truncated, need bigger buffer */
size_t ns = 2 * cdb->size;
u_char *nb;
Reported by FlawFinder.
Line: 416
Column: 7
CWE codes:
134
Suggestion:
Use a constant for the format specification
cdb->size = ns;
va_start(f, fmt);
r = cdb->size - cdb->pos;
n = vsnprintf(cdb->p, r, fmt, f);
va_end(f);
}
cdb->p += n;
cdb->pos += n;
return cdb;
Reported by FlawFinder.
Line: 195
Column: 33
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#define byteTLcpy(x, y) *(u8 *)(x) = *(u8 *)(y);
#define wordTLcpy(x, y) *(u16 *)(x) = *(u16 *)(y);
#define dwordTLcpy(x, y) memcpy(x, y, 4);
#define structTLcpy(x, y, l) memcpy(x, y, l)
#define structTLcpyovl(x, y, l) memmove(x, y, l)
#define byteTRcpy(x, y) *(u8 *)(y) = *(u8 *)(x);
#define wordTRcpy(x, y) *(u16 *)(y) = *(u16 *)(x);
Reported by FlawFinder.
Line: 196
Column: 33
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#define byteTLcpy(x, y) *(u8 *)(x) = *(u8 *)(y);
#define wordTLcpy(x, y) *(u16 *)(x) = *(u16 *)(y);
#define dwordTLcpy(x, y) memcpy(x, y, 4);
#define structTLcpy(x, y, l) memcpy(x, y, l)
#define structTLcpyovl(x, y, l) memmove(x, y, l)
#define byteTRcpy(x, y) *(u8 *)(y) = *(u8 *)(x);
#define wordTRcpy(x, y) *(u16 *)(y) = *(u16 *)(x);
#define dwordTRcpy(x, y) memcpy(y, x, 4);
Reported by FlawFinder.
Line: 201
Column: 33
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#define byteTRcpy(x, y) *(u8 *)(y) = *(u8 *)(x);
#define wordTRcpy(x, y) *(u16 *)(y) = *(u16 *)(x);
#define dwordTRcpy(x, y) memcpy(y, x, 4);
#define structTRcpy(x, y, l) memcpy(y, x, l)
#define structTRcpyovl(x, y, l) memmove(y, x, l)
/*-------------------------------------------------------*/
static unsigned command_2_index(u8 c, u8 sc)
Reported by FlawFinder.
Line: 202
Column: 33
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#define byteTRcpy(x, y) *(u8 *)(y) = *(u8 *)(x);
#define wordTRcpy(x, y) *(u16 *)(y) = *(u16 *)(x);
#define dwordTRcpy(x, y) memcpy(y, x, 4);
#define structTRcpy(x, y, l) memcpy(y, x, l)
#define structTRcpyovl(x, y, l) memmove(y, x, l)
/*-------------------------------------------------------*/
static unsigned command_2_index(u8 c, u8 sc)
{
Reported by FlawFinder.
Line: 408
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cdebbuf_free(cdb);
return NULL;
}
memcpy(nb, cdb->buf, cdb->pos);
kfree(cdb->buf);
nb[cdb->pos] = 0;
cdb->buf = nb;
cdb->p = cdb->buf + cdb->pos;
cdb->size = ns;
Reported by FlawFinder.
drivers/gpu/drm/radeon/radeon_vce.c
7 issues
Line: 245
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rdev->family < CHIP_BONAIRE)
r = vce_v1_0_load_fw(rdev, cpu_addr);
else
memcpy(cpu_addr, rdev->vce_fw->data, rdev->vce_fw->size);
radeon_bo_kunmap(rdev->vce.vcpu_bo);
radeon_bo_unreserve(rdev->vce.vcpu_bo);
Reported by FlawFinder.
Line: 96
Column: 30
CWE codes:
126
/* search for firmware version */
size = rdev->vce_fw->size - strlen(fw_version) - 9;
c = rdev->vce_fw->data;
for (;size > 0; --size, ++c)
if (strncmp(c, fw_version, strlen(fw_version)) == 0)
break;
Reported by FlawFinder.
Line: 99
Column: 30
CWE codes:
126
size = rdev->vce_fw->size - strlen(fw_version) - 9;
c = rdev->vce_fw->data;
for (;size > 0; --size, ++c)
if (strncmp(c, fw_version, strlen(fw_version)) == 0)
break;
if (size == 0)
return -EINVAL;
Reported by FlawFinder.
Line: 105
Column: 7
CWE codes:
126
if (size == 0)
return -EINVAL;
c += strlen(fw_version);
if (sscanf(c, "%2hhd.%2hhd.%2hhd]", &start, &mid, &end) != 3)
return -EINVAL;
/* search for feedback version */
Reported by FlawFinder.
Line: 111
Column: 30
CWE codes:
126
/* search for feedback version */
size = rdev->vce_fw->size - strlen(fb_version) - 3;
c = rdev->vce_fw->data;
for (;size > 0; --size, ++c)
if (strncmp(c, fb_version, strlen(fb_version)) == 0)
break;
Reported by FlawFinder.
Line: 114
Column: 30
CWE codes:
126
size = rdev->vce_fw->size - strlen(fb_version) - 3;
c = rdev->vce_fw->data;
for (;size > 0; --size, ++c)
if (strncmp(c, fb_version, strlen(fb_version)) == 0)
break;
if (size == 0)
return -EINVAL;
Reported by FlawFinder.
Line: 120
Column: 7
CWE codes:
126
if (size == 0)
return -EINVAL;
c += strlen(fb_version);
if (sscanf(c, "%2u]", &rdev->vce.fb_version) != 1)
return -EINVAL;
DRM_INFO("Found VCE firmware/feedback version %d.%d.%d / %d!\n",
start, mid, end, rdev->vce.fb_version);
Reported by FlawFinder.