The following issues were found
drivers/media/v4l2-core/v4l2-dev.c
7 issues
Line: 51
Column: 9
CWE codes:
120
Suggestion:
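Use sprintf_s, snprintf, or vsnprintf. sprintf_s is not available in kernel code, so the bounded choices there are snprintf or scnprintf. The format here is the constant "%i\n" with one integer argument, so the output has a small fixed maximum length; whether that fits depends only on the size of buf, which the excerpt does not show. If this is a sysfs show callback, as the DEVICE_ATTR_RO line suggests, kernels that provide sysfs_emit() use it to bound the write to the page-sized buffer.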
{
struct video_device *vdev = to_video_device(cd);
return sprintf(buf, "%i\n", vdev->index);
}
static DEVICE_ATTR_RO(index);
static ssize_t dev_debug_show(struct device *cd,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 60
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct video_device *vdev = to_video_device(cd);
return sprintf(buf, "%i\n", vdev->dev_debug);
}
static ssize_t dev_debug_store(struct device *cd, struct device_attribute *attr,
const char *buf, size_t len)
{
Reported by FlawFinder.
Line: 84
Column: 9
CWE codes:
120
Suggestion:
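Use sprintf_s, snprintf, or vsnprintf. In this call the "%.*s" precision is (int)sizeof(vdev->name), so at most that many bytes are taken from vdev->name even if it is not NUL-terminated, and the output is bounded by that size plus the newline. Whether buf can hold it is not visible in the excerpt; a bounded formatter (snprintf, or sysfs_emit() where the kernel provides it) makes the limit explicit.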
{
struct video_device *vdev = to_video_device(cd);
return sprintf(buf, "%.*s\n", (int)sizeof(vdev->name), vdev->name);
}
static DEVICE_ATTR_RO(name);
static struct attribute *video_device_attrs[] = {
&dev_attr_name.attr,
Reported by FlawFinder.
Line: 425
Column: 18
CWE codes:
362
/* and increase the device refcount */
video_get(vdev);
mutex_unlock(&videodev_lock);
if (vdev->fops->open) {
if (video_is_registered(vdev))
ret = vdev->fops->open(filp);
else
ret = -ENODEV;
}
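Reported by FlawFinder. The flagged token appears to be the identifier open in vdev->fops->open, a driver callback pointer, not an open() call on a path name; the CWE-362 rule matches on the name. The ordering that matters in this excerpt is video_is_registered() being checked after videodev_lock is released.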
Line: 427
Column: 22
CWE codes:
362
mutex_unlock(&videodev_lock);
if (vdev->fops->open) {
if (video_is_registered(vdev))
ret = vdev->fops->open(filp);
else
ret = -ENODEV;
}
if (vdev->dev_debug & V4L2_DEV_DEBUG_FOP)
Reported by FlawFinder.
Line: 311
Column: 19
CWE codes:
120
20
struct video_device *vdev = video_devdata(filp);
int ret = -ENODEV;
if (!vdev->fops->read)
return -EINVAL;
if (video_is_registered(vdev))
ret = vdev->fops->read(filp, buf, sz, off);
if ((vdev->dev_debug & V4L2_DEV_DEBUG_FOP) &&
(vdev->dev_debug & V4L2_DEV_DEBUG_STREAMING))
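Reported by FlawFinder. The flagged token appears to be the identifier read in vdev->fops->read, a driver callback pointer; the CWE-120/CWE-20 rule matches on the name. Bounds handling for buf and sz is done by whichever driver implements the callback, which this excerpt does not show.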
Line: 314
Column: 21
CWE codes:
120
20
if (!vdev->fops->read)
return -EINVAL;
if (video_is_registered(vdev))
ret = vdev->fops->read(filp, buf, sz, off);
if ((vdev->dev_debug & V4L2_DEV_DEBUG_FOP) &&
(vdev->dev_debug & V4L2_DEV_DEBUG_STREAMING))
dprintk("%s: read: %zd (%d)\n",
video_device_node_name(vdev), sz, ret);
return ret;
Reported by FlawFinder.
drivers/mmc/host/sdhci.c
7 issues
Line: 896
CWE codes:
476
static void sdhci_calc_sw_timeout(struct sdhci_host *host,
struct mmc_command *cmd)
{
struct mmc_data *data = cmd->data;
struct mmc_host *mmc = host->mmc;
struct mmc_ios *ios = &mmc->ios;
unsigned char bus_width = 1 << ios->bus_width;
unsigned int blksz;
unsigned int freq;
Reported by Cppcheck.
Line: 3045
CWE codes:
788
(mrq->cmd->error || data->error)) {
struct dma_chan *chan = sdhci_external_dma_channel(host, data);
host->mrqs_done[i] = NULL;
spin_unlock_irqrestore(&host->lock, flags);
dmaengine_terminate_sync(chan);
spin_lock_irqsave(&host->lock, flags);
sdhci_set_mrq_done(host, mrq);
}
Reported by Cppcheck.
Line: 3096
CWE codes:
788
}
}
host->mrqs_done[i] = NULL;
spin_unlock_irqrestore(&host->lock, flags);
if (host->ops->request_done)
host->ops->request_done(host, mrq);
Reported by Cppcheck.
Line: 872
CWE codes:
476
/* timeout in us */
if (!data) {
target_timeout = cmd->busy_timeout * 1000;
} else {
target_timeout = DIV_ROUND_UP(data->timeout_ns, 1000);
if (host->clock && data->timeout_clks) {
unsigned long long val;
Reported by Cppcheck.
Line: 896
CWE codes:
476
static void sdhci_calc_sw_timeout(struct sdhci_host *host,
struct mmc_command *cmd)
{
struct mmc_data *data = cmd->data;
struct mmc_host *mmc = host->mmc;
struct mmc_ios *ios = &mmc->ios;
unsigned char bus_width = 1 << ios->bus_width;
unsigned int blksz;
unsigned int freq;
Reported by Cppcheck.
Line: 757
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (offset) {
if (data->flags & MMC_DATA_WRITE) {
buffer = sdhci_kmap_atomic(sg, &flags);
memcpy(align, buffer, offset);
sdhci_kunmap_atomic(buffer, &flags);
}
/* tran, valid */
__sdhci_adma_write_desc(host, &desc, align_addr,
Reported by FlawFinder.
Line: 831
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(sg_dma_address(sg) & SDHCI_ADMA2_MASK);
buffer = sdhci_kmap_atomic(sg, &flags);
memcpy(buffer, align, size);
sdhci_kunmap_atomic(buffer, &flags);
align += SDHCI_ADMA2_ALIGN;
}
}
Reported by FlawFinder.
drivers/media/i2c/saa6752hs.c
7 issues
Line: 225
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int saa6752hs_chip_command(struct i2c_client *client,
enum saa6752hs_command command)
{
unsigned char buf[3];
unsigned long timeout;
int status = 0;
/* execute the command */
switch(command) {
Reported by FlawFinder.
Line: 426
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int saa6752hs_init(struct v4l2_subdev *sd, u32 leading_null_bytes)
{
unsigned char buf[9], buf2[4];
struct saa6752hs_state *h = to_state(sd);
struct i2c_client *client = v4l2_get_subdevdata(sd);
unsigned size;
u32 crc;
unsigned char localPAT[256];
Reported by FlawFinder.
Line: 431
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *client = v4l2_get_subdevdata(sd);
unsigned size;
u32 crc;
unsigned char localPAT[256];
unsigned char localPMT[256];
/* Set video format - must be done first as it resets other settings */
set_reg8(client, 0x41, h->video_format);
Reported by FlawFinder.
Line: 432
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned size;
u32 crc;
unsigned char localPAT[256];
unsigned char localPMT[256];
/* Set video format - must be done first as it resets other settings */
set_reg8(client, 0x41, h->video_format);
/* Set number of lines in input signal */
Reported by FlawFinder.
Line: 462
Column: 2
CWE codes:
120
Suggestion:
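Make sure destination can always hold the source data. The destination is declared as unsigned char localPAT[256] in the earlier excerpt from this file, and the copy length is sizeof(PAT), a compile-time constant whose definition is outside the excerpt. A BUILD_BUG_ON(sizeof(PAT) > sizeof(localPAT)) next to the copy would turn the size assumption into a build-time check.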
set_reg16(client, 0xf6, leading_null_bytes);
/* compute PAT */
memcpy(localPAT, PAT, sizeof(PAT));
localPAT[17] = 0xe0 | ((h->params.ts_pid_pmt >> 8) & 0x0f);
localPAT[18] = h->params.ts_pid_pmt & 0xff;
crc = crc32_be(~0, &localPAT[7], sizeof(PAT) - 7 - 4);
localPAT[sizeof(PAT) - 4] = (crc >> 24) & 0xFF;
localPAT[sizeof(PAT) - 3] = (crc >> 16) & 0xFF;
Reported by FlawFinder.
Line: 474
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* compute PMT */
if (h->params.au_encoding == V4L2_MPEG_AUDIO_ENCODING_AC3) {
size = sizeof(PMT_AC3);
memcpy(localPMT, PMT_AC3, size);
} else {
size = sizeof(PMT);
memcpy(localPMT, PMT, size);
}
localPMT[3] = 0x40 | ((h->params.ts_pid_pmt >> 8) & 0x0f);
Reported by FlawFinder.
Line: 477
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(localPMT, PMT_AC3, size);
} else {
size = sizeof(PMT);
memcpy(localPMT, PMT, size);
}
localPMT[3] = 0x40 | ((h->params.ts_pid_pmt >> 8) & 0x0f);
localPMT[4] = h->params.ts_pid_pmt & 0xff;
localPMT[15] = 0xE0 | ((h->params.ts_pid_pcr >> 8) & 0x0F);
localPMT[16] = h->params.ts_pid_pcr & 0xFF;
Reported by FlawFinder.
drivers/media/i2c/msp3400-driver.c
7 issues
Line: 564
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct msp_state *state = to_state(sd);
struct i2c_client *client = v4l2_get_subdevdata(sd);
const char *p;
char prefix[V4L2_SUBDEV_NAME_SIZE + 20];
if (state->opmode == OPMODE_AUTOSELECT)
msp_detect_stereo(client);
dev_info(&client->dev, "%s rev1 = 0x%04x rev2 = 0x%04x\n",
client->name, state->rev1, state->rev2);
Reported by FlawFinder.
Line: 106
Column: 5
CWE codes:
120
20
static u8 reset_off[3] = { I2C_MSP_CONTROL, 0x80, 0x00 };
static u8 reset_on[3] = { I2C_MSP_CONTROL, 0x00, 0x00 };
static u8 write[3] = { I2C_MSP_DSP + 1, 0x00, 0x1e };
u8 read[2];
struct i2c_msg reset[2] = {
{
.addr = client->addr,
.flags = I2C_M_IGNORE_NAK,
.len = 3,
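Reported by FlawFinder. The flagged token appears to be the local array named read (u8 read[2]), not a call to read(); the rule matches on the name. The buffer is paired with an i2c_msg whose .len is 2 in the next excerpt, which matches the declared size.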
Line: 131
Column: 11
CWE codes:
120
20
.addr = client->addr,
.flags = I2C_M_RD,
.len = 2,
.buf = read
},
};
dev_dbg_lvl(&client->dev, 3, msp_debug, "msp_reset\n");
if (i2c_transfer(client->adapter, &reset[0], 1) != 1 ||
Reported by FlawFinder.
Line: 180
Column: 26
CWE codes:
120
20
msp_reset(client);
return -1;
}
retval = read[0] << 8 | read[1];
dev_dbg_lvl(&client->dev, 3, msp_debug, "msp_read(0x%x, 0x%x): 0x%x\n",
dev, addr, retval);
return retval;
}
Reported by FlawFinder.
Line: 180
Column: 11
CWE codes:
120
20
msp_reset(client);
return -1;
}
retval = read[0] << 8 | read[1];
dev_dbg_lvl(&client->dev, 3, msp_debug, "msp_read(0x%x, 0x%x): 0x%x\n",
dev, addr, retval);
return retval;
}
Reported by FlawFinder.
drivers/media/platform/qcom/camss/camss.h
7 issues
Line: 45
Column: 2
CWE codes:
119
120
Suggestion:
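Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged members are fixed arrays of char * pointers (and one u32 table) sized by CAMSS_RES_MAX, not character buffers that receive copied string data; the bound to verify is the index used by the code that walks these tables, which is not part of this header excerpt.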
#define CAMSS_RES_MAX 17
/*
 * Resource tables: every member is a fixed-size array with CAMSS_RES_MAX
 * entries (CAMSS_RES_MAX by CAMSS_RES_MAX for clock_rate).
 */
struct resources {
/* Arrays of string pointers (char *), not character buffers. */
char *regulator[CAMSS_RES_MAX];
char *clock[CAMSS_RES_MAX];
/* Two-dimensional table of u32 values. */
u32 clock_rate[CAMSS_RES_MAX][CAMSS_RES_MAX];
char *reg[CAMSS_RES_MAX];
char *interrupt[CAMSS_RES_MAX];
};
Reported by FlawFinder.
Line: 46
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct resources {
char *regulator[CAMSS_RES_MAX];
char *clock[CAMSS_RES_MAX];
u32 clock_rate[CAMSS_RES_MAX][CAMSS_RES_MAX];
char *reg[CAMSS_RES_MAX];
char *interrupt[CAMSS_RES_MAX];
};
Reported by FlawFinder.
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *regulator[CAMSS_RES_MAX];
char *clock[CAMSS_RES_MAX];
u32 clock_rate[CAMSS_RES_MAX][CAMSS_RES_MAX];
char *reg[CAMSS_RES_MAX];
char *interrupt[CAMSS_RES_MAX];
};
struct resources_ispif {
char *clock[CAMSS_RES_MAX];
Reported by FlawFinder.
Line: 49
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *clock[CAMSS_RES_MAX];
u32 clock_rate[CAMSS_RES_MAX][CAMSS_RES_MAX];
char *reg[CAMSS_RES_MAX];
char *interrupt[CAMSS_RES_MAX];
};
struct resources_ispif {
char *clock[CAMSS_RES_MAX];
char *clock_for_reset[CAMSS_RES_MAX];
Reported by FlawFinder.
Line: 53
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/*
 * ISPIF resource tables: three fixed-size arrays of CAMSS_RES_MAX string
 * pointers plus a single interrupt string pointer.
 */
struct resources_ispif {
/* Arrays of string pointers (char *), not character buffers. */
char *clock[CAMSS_RES_MAX];
char *clock_for_reset[CAMSS_RES_MAX];
char *reg[CAMSS_RES_MAX];
/* One pointer, not an array. */
char *interrupt;
};
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct resources_ispif {
char *clock[CAMSS_RES_MAX];
char *clock_for_reset[CAMSS_RES_MAX];
char *reg[CAMSS_RES_MAX];
char *interrupt;
};
enum pm_domain {
Reported by FlawFinder.
Line: 55
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct resources_ispif {
char *clock[CAMSS_RES_MAX];
char *clock_for_reset[CAMSS_RES_MAX];
char *reg[CAMSS_RES_MAX];
char *interrupt;
};
enum pm_domain {
PM_DOMAIN_VFE0 = 0,
Reported by FlawFinder.
drivers/net/ethernet/dec/tulip/tulip_core.c
7 issues
Line: 1656
Column: 3
CWE codes:
134
Suggestion:
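Make format string constant. The format in the flagged call is DRV_NAME "%d", which is a compile-time concatenation of string literals if DRV_NAME is a string-literal macro (its definition is not in the excerpt), so no run-time data is used as the format. What remains is that sprintf places no bound on the write into dev->name.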
}
if (tp->flags & HAS_MEDIA_TABLE) {
sprintf(dev->name, DRV_NAME "%d", board_idx); /* hack */
tulip_parse_eeprom(dev);
strcpy(dev->name, "eth%d"); /* un-hack */
}
if ((tp->flags & ALWAYS_CHECK_MII) ||
Reported by FlawFinder.
Line: 45
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mtu[MAX_UNITS]; /* Jumbo MTU for interfaces. */
/* The possible media types that can be set in options[] are: */
const char * const medianame[32] = {
"10baseT", "10base2", "AUI", "100baseTx",
"10baseT-FDX", "100baseTx-FDX", "100baseT4", "100baseFx",
"100baseFx-FDX", "MII 10baseT", "MII 10baseT-FDX", "MII",
"10baseT(forced)", "MII 100baseTx", "MII 100baseTx-FDX", "MII 100baseT4",
"MII 100baseFx-HDX", "MII 100baseFx-FDX", "Home-PNA 1Mbps", "Invalid-19",
Reported by FlawFinder.
Line: 244
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* A full-duplex map for media types. */
const char tulip_media_cap[32] =
{0,0,0,16, 3,19,16,24, 27,4,7,5, 0,20,23,20, 28,31,0,0, };
static void tulip_tx_timeout(struct net_device *dev, unsigned int txqueue);
static void tulip_init_ring(struct net_device *dev);
static void tulip_free_ring(struct net_device *dev);
Reported by FlawFinder.
Line: 1293
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tulip_private *tp;
/* See note below on the multiport cards. */
static unsigned char last_phys_addr[ETH_ALEN] = {
0x00, 'L', 'i', 'n', 'u', 'x'
};
#if defined(__i386__) || defined(__x86_64__) /* Patch up x86 BIOS bug. */
static int last_irq;
#endif
Reported by FlawFinder.
Line: 1554
Column: 10
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Cobalt MAC address in first EEPROM locations. */
sa_offset = 0;
/* Ensure our media table fixup get's applied */
memcpy(ee_data + 16, ee_data, 8);
}
#endif
#ifdef CONFIG_GSC
/* Check to see if we have a broken srom */
if (ee_data[0] == 0x61 && ee_data[1] == 0x10) {
Reported by FlawFinder.
Line: 1612
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#if defined(CONFIG_SPARC)
addr = of_get_property(dp, "local-mac-address", &len);
if (addr && len == ETH_ALEN)
memcpy(dev->dev_addr, addr, ETH_ALEN);
#endif
#if defined(__i386__) || defined(__x86_64__) /* Patch up x86 BIOS bug. */
if (last_irq)
irq = last_irq;
#endif
Reported by FlawFinder.
Line: 1658
Column: 3
CWE codes:
120
Suggestion:
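Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source in the flagged call is the literal "eth%d", six bytes including the terminator, so the copy length is fixed; strcpy_s is not available in kernel code, where strscpy() with sizeof(dev->name) is the bounded form.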
if (tp->flags & HAS_MEDIA_TABLE) {
sprintf(dev->name, DRV_NAME "%d", board_idx); /* hack */
tulip_parse_eeprom(dev);
strcpy(dev->name, "eth%d"); /* un-hack */
}
if ((tp->flags & ALWAYS_CHECK_MII) ||
(tp->mtable && tp->mtable->has_mii) ||
( ! tp->mtable && (tp->flags & HAS_MII))) {
Reported by FlawFinder.
drivers/media/rc/ati_remote.c
7 issues
Line: 871
Column: 3
CWE codes:
134
Suggestion:
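Use a constant for the format specification. The format passed here is DRIVER_DESC "(%04x,%04x)", which is a compile-time constant if DRIVER_DESC is a string-literal macro (its definition is not in the excerpt); the call is also length-bounded by sizeof(ati_remote->rc_name).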
udev->product ?: "");
if (!strlen(ati_remote->rc_name))
snprintf(ati_remote->rc_name, sizeof(ati_remote->rc_name),
DRIVER_DESC "(%04x,%04x)",
le16_to_cpu(ati_remote->udev->descriptor.idVendor),
le16_to_cpu(ati_remote->udev->descriptor.idProduct));
snprintf(ati_remote->mouse_name, sizeof(ati_remote->mouse_name),
Reported by FlawFinder.
Line: 254
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int repeat_count;
char rc_name[NAME_BUFSIZE];
char rc_phys[NAME_BUFSIZE];
char mouse_name[NAME_BUFSIZE];
char mouse_phys[NAME_BUFSIZE];
wait_queue_head_t wait;
Reported by FlawFinder.
Line: 255
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int repeat_count;
char rc_name[NAME_BUFSIZE];
char rc_phys[NAME_BUFSIZE];
char mouse_name[NAME_BUFSIZE];
char mouse_phys[NAME_BUFSIZE];
wait_queue_head_t wait;
int send_flags;
Reported by FlawFinder.
Line: 256
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char rc_name[NAME_BUFSIZE];
char rc_phys[NAME_BUFSIZE];
char mouse_name[NAME_BUFSIZE];
char mouse_phys[NAME_BUFSIZE];
wait_queue_head_t wait;
int send_flags;
Reported by FlawFinder.
Line: 257
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char rc_name[NAME_BUFSIZE];
char rc_phys[NAME_BUFSIZE];
char mouse_name[NAME_BUFSIZE];
char mouse_phys[NAME_BUFSIZE];
wait_queue_head_t wait;
int send_flags;
int users; /* 0-2, users are rc and input */
Reported by FlawFinder.
Line: 409
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int retval = 0;
/* Set up out_urb */
memcpy(ati_remote->out_urb->transfer_buffer + 1, data, LO(cmd));
((char *) ati_remote->out_urb->transfer_buffer)[0] = HI(cmd);
ati_remote->out_urb->transfer_buffer_length = LO(cmd) + 1;
ati_remote->out_urb->dev = ati_remote->udev;
ati_remote->send_flags = SEND_FLAG_IN_PROGRESS;
Reported by FlawFinder.
Line: 870
Column: 7
CWE codes:
126
udev->manufacturer && udev->product ? " " : "",
udev->product ?: "");
if (!strlen(ati_remote->rc_name))
snprintf(ati_remote->rc_name, sizeof(ati_remote->rc_name),
DRIVER_DESC "(%04x,%04x)",
le16_to_cpu(ati_remote->udev->descriptor.idVendor),
le16_to_cpu(ati_remote->udev->descriptor.idProduct));
Reported by FlawFinder.
drivers/media/dvb-core/dvb_ca_en50221.c
7 issues
Line: 138
Column: 15
CWE codes:
362
struct task_struct *thread;
/* Flag indicating if the CA device is open */
unsigned int open:1;
/* Flag indicating the thread should wake up now */
unsigned int wakeup:1;
/* Delay the main thread should use */
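Reported by FlawFinder. The flagged token appears to be the bitfield member named open (unsigned int open:1), not an open() call; the CWE-362 rule matches on the name. The excerpt shows it declared next to another one-bit flag, wakeup; how updates to these flags are serialized is not visible here.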
Line: 234
Column: 61
CWE codes:
362
return (atomic_read(&sl->camchange_count) != 0);
/* poll mode */
slot_status = ca->pub->poll_slot_status(ca->pub, slot, ca->open);
cam_present_now = (slot_status & DVB_CA_EN50221_POLL_CAM_PRESENT) ? 1 : 0;
cam_changed = (slot_status & DVB_CA_EN50221_POLL_CAM_CHANGED) ? 1 : 0;
if (!cam_changed) {
int cam_present_old = (sl->slot_state != DVB_CA_SLOTSTATE_NONE);
Reported by FlawFinder.
Line: 756
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
dvb_ringbuffer_pkt_write(&sl->rx_buffer, buf, bytes_read);
} else {
memcpy(ebuf, buf, bytes_read);
}
dprintk("Received CA packet for slot %i connection id 0x%x last_frag:%i size:0x%x\n", slot,
buf[0], (buf[1] & 0x80) == 0, bytes_read);
Reported by FlawFinder.
Line: 998
Column: 11
CWE codes:
362
break;
case DVB_CA_SLOTSTATE_RUNNING:
if (ca->open)
dvb_ca_en50221_thread_wakeup(ca);
break;
}
}
EXPORT_SYMBOL(dvb_ca_en50221_frda_irq);
Reported by FlawFinder.
Line: 1065
Column: 12
CWE codes:
362
delay = HZ * 60; /* 60s */
if (!(ca->flags & DVB_CA_EN50221_FLAG_IRQ_CAMCHANGE))
delay = HZ / 10; /* 100ms */
if (ca->open) {
if ((!sl->da_irq_supported) ||
(!(ca->flags & DVB_CA_EN50221_FLAG_IRQ_DA)))
delay = HZ / 10; /* 100ms */
}
break;
Reported by FlawFinder.
Line: 1253
Column: 12
CWE codes:
362
break;
case DVB_CA_SLOTSTATE_RUNNING:
if (!ca->open)
break;
/* poll slots for data */
pktcount = 0;
while (dvb_ca_en50221_read_data(ca, slot, NULL, 0) > 0) {
Reported by FlawFinder.
Line: 1259
Column: 13
CWE codes:
362
/* poll slots for data */
pktcount = 0;
while (dvb_ca_en50221_read_data(ca, slot, NULL, 0) > 0) {
if (!ca->open)
break;
/*
* if a CAMCHANGE occurred at some point, do not do any
* more processing of this slot
Reported by FlawFinder.
drivers/md/dm-zoned-metadata.c
7 issues
Line: 2895
Column: 2
CWE codes:
120
Suggestion:
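Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The destination is declared as char devname[BDEVNAME_SIZE] in the next excerpt from this file; the length of the devname argument is set by the caller, which is not shown. strcpy_s is not available in kernel code; strscpy(zmd->devname, devname, sizeof(zmd->devname)) is the bounded form and reports truncation through its return value.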
if (!zmd)
return -ENOMEM;
strcpy(zmd->devname, devname);
zmd->dev = dev;
zmd->nr_devs = num_dev;
zmd->mblk_rbtree = RB_ROOT;
init_rwsem(&zmd->mblk_sem);
mutex_init(&zmd->mblk_flush_lock);
Reported by FlawFinder.
Line: 147
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dmz_dev *dev;
unsigned int nr_devs;
char devname[BDEVNAME_SIZE];
char label[BDEVNAME_SIZE];
uuid_t uuid;
sector_t zone_bitmap_size;
unsigned int zone_nr_bitmap_blocks;
Reported by FlawFinder.
Line: 148
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int nr_devs;
char devname[BDEVNAME_SIZE];
char label[BDEVNAME_SIZE];
uuid_t uuid;
sector_t zone_bitmap_size;
unsigned int zone_nr_bitmap_blocks;
unsigned int zone_bits_per_mblk;
Reported by FlawFinder.
Line: 796
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (zmd->sb_version > 1) {
BUILD_BUG_ON(UUID_SIZE != 16);
export_uuid(sb->dmz_uuid, &zmd->uuid);
memcpy(sb->dmz_label, zmd->label, BDEVNAME_SIZE);
export_uuid(sb->dev_uuid, &dev->uuid);
}
sb->gen = cpu_to_le64(sb_gen);
Reported by FlawFinder.
Line: 1053
Column: 4
CWE codes:
120
Suggestion:
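Make sure destination can always hold the source data. The copy length is BDEVNAME_SIZE, which matches the declared size of zmd->label (char label[BDEVNAME_SIZE]). The point to verify is termination: the label is passed to strlen() and both fields are printed with %s, and nothing in the excerpt guarantees that the superblock field sb->dmz_label ends in a NUL byte.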
return -ENXIO;
}
if (!strlen(zmd->label))
memcpy(zmd->label, sb->dmz_label, BDEVNAME_SIZE);
else if (memcmp(zmd->label, sb->dmz_label, BDEVNAME_SIZE)) {
dmz_dev_err(dev, "mismatching DM-Zoned label, "
"is %s expected %s",
sb->dmz_label, zmd->label);
return -ENXIO;
Reported by FlawFinder.
Line: 2448
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return PTR_ERR(to_mblk);
}
memcpy(to_mblk->data, from_mblk->data, DMZ_BLOCK_SIZE);
dmz_dirty_mblock(zmd, to_mblk);
dmz_release_mblock(zmd, to_mblk);
dmz_release_mblock(zmd, from_mblk);
Reported by FlawFinder.
Line: 1052
Column: 8
CWE codes:
126
&sb_uuid, &zmd->uuid);
return -ENXIO;
}
if (!strlen(zmd->label))
memcpy(zmd->label, sb->dmz_label, BDEVNAME_SIZE);
else if (memcmp(zmd->label, sb->dmz_label, BDEVNAME_SIZE)) {
dmz_dev_err(dev, "mismatching DM-Zoned label, "
"is %s expected %s",
sb->dmz_label, zmd->label);
Reported by FlawFinder.
drivers/md/raid5-ppl.c
7 issues
Line: 419
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void ppl_submit_iounit_bio(struct ppl_io_unit *io, struct bio *bio)
{
char b[BDEVNAME_SIZE];
pr_debug("%s: seq: %llu size: %u sector: %llu dev: %s\n",
__func__, io->seq, bio->bi_iter.bi_size,
(unsigned long long)bio->bi_iter.bi_sector,
bio_devname(bio, b));
Reported by FlawFinder.
Line: 593
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ppl_log *log = io->log;
struct ppl_conf *ppl_conf = log->ppl_conf;
struct r5conf *conf = ppl_conf->mddev->private;
char b[BDEVNAME_SIZE];
pr_debug("%s: dev: %s\n", __func__, bio_devname(bio, b));
if (bio->bi_status) {
struct md_rdev *rdev;
Reported by FlawFinder.
Line: 638
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (bdev) {
struct bio *bio;
char b[BDEVNAME_SIZE];
bio = bio_alloc_bioset(GFP_NOIO, 0, &ppl_conf->flush_bs);
bio_set_dev(bio, bdev);
bio->bi_private = io;
bio->bi_opf = REQ_OP_WRITE | REQ_PREFLUSH;
Reported by FlawFinder.
Line: 810
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int data_disks;
int i;
int ret = 0;
char b[BDEVNAME_SIZE];
unsigned int pp_size = le32_to_cpu(e->pp_size);
unsigned int data_size = le32_to_cpu(e->data_size);
page1 = alloc_page(GFP_KERNEL);
page2 = alloc_page(GFP_KERNEL);
Reported by FlawFinder.
Line: 1264
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ppl_validate_rdev(struct md_rdev *rdev)
{
char b[BDEVNAME_SIZE];
int ppl_data_sectors;
int ppl_size_new;
/*
* The configured PPL size must be enough to store
Reported by FlawFinder.
Line: 1471
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ppl_conf *ppl_conf = conf->log_private;
struct ppl_log *log;
int ret = 0;
char b[BDEVNAME_SIZE];
if (!rdev)
return -EINVAL;
pr_debug("%s: disk: %d operation: %s dev: %s\n",
Reported by FlawFinder.
Line: 1515
Column: 8
CWE codes:
120
Suggestion:
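Use sprintf_s, snprintf, or vsnprintf. sprintf_s is not available in kernel code. The format here is the constant "%d\n" with one int argument, so the output has a small fixed maximum length; whether buf can hold it is not visible in the excerpt. If buf is a sysfs show buffer (the excerpt does not confirm this), sysfs_emit() is the bounded helper in kernels that provide it.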
conf = mddev->private;
if (conf && raid5_has_ppl(conf))
ppl_conf = conf->log_private;
ret = sprintf(buf, "%d\n", ppl_conf ? ppl_conf->write_hint : 0);
spin_unlock(&mddev->lock);
return ret;
}
Reported by FlawFinder.