The following issues were found
drivers/md/persistent-data/dm-btree-remove.c
7 issues
Line: 91
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (shift < 0) {
shift = -shift;
BUG_ON(nr_left + shift > le32_to_cpu(left->header.max_entries));
memcpy(key_ptr(left, nr_left),
key_ptr(right, 0),
shift * sizeof(__le64));
memcpy(value_ptr(left, nr_left),
value_ptr(right, 0),
shift * value_size);
Reported by FlawFinder.
Line: 94
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(key_ptr(left, nr_left),
key_ptr(right, 0),
shift * sizeof(__le64));
memcpy(value_ptr(left, nr_left),
value_ptr(right, 0),
shift * value_size);
} else {
BUG_ON(shift > le32_to_cpu(right->header.max_entries));
memcpy(key_ptr(right, 0),
Reported by FlawFinder.
Line: 99
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
shift * value_size);
} else {
BUG_ON(shift > le32_to_cpu(right->header.max_entries));
memcpy(key_ptr(right, 0),
key_ptr(left, nr_left - shift),
shift * sizeof(__le64));
memcpy(value_ptr(right, 0),
value_ptr(left, nr_left - shift),
shift * value_size);
Reported by FlawFinder.
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(key_ptr(right, 0),
key_ptr(left, nr_left - shift),
shift * sizeof(__le64));
memcpy(value_ptr(right, 0),
value_ptr(left, nr_left - shift),
shift * value_size);
}
}
Reported by FlawFinder.
Line: 424
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (r)
return r;
memcpy(n, dm_block_data(child),
dm_bm_block_size(dm_tm_get_bm(info->tm)));
dm_tm_unlock(info->tm, child);
dm_tm_dec(info->tm, dm_block_location(child));
return 0;
Reported by FlawFinder.
Line: 488
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (shadow_has_parent(s)) {
__le64 location = cpu_to_le64(dm_block_location(shadow_current(s)));
memcpy(value_ptr(dm_block_data(shadow_parent(s)), i),
&location, sizeof(__le64));
}
n = dm_block_data(shadow_current(s));
Reported by FlawFinder.
Line: 581
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (shadow_has_parent(s)) {
__le64 location = cpu_to_le64(dm_block_location(shadow_current(s)));
memcpy(value_ptr(dm_block_data(shadow_parent(s)), i),
&location, sizeof(__le64));
}
n = dm_block_data(shadow_current(s));
Reported by FlawFinder.
drivers/media/platform/sti/delta/delta-v4l2.c
7 issues
Line: 364
Column: 25
CWE codes:
362
delta->instance_id, (char *)&streamformat);
/* open decoder instance */
ret = call_dec_op(dec, open, ctx);
if (ret) {
dev_err(delta->dev, "%s failed to open decoder instance (%d)\n",
ctx->name, ret);
return ret;
}
Reported by FlawFinder.
Line: 431
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct delta_dev *delta = ctx->dev;
struct v4l2_pix_format *pix = &f->fmt.pix;
struct delta_streaminfo *streaminfo = &ctx->streaminfo;
unsigned char str[100] = "";
if (!(ctx->flags & DELTA_FLAG_STREAMINFO))
dev_dbg(delta->dev,
"%s V4L2 GET_FMT (OUTPUT): no stream information available, default to %s\n",
ctx->name,
Reported by FlawFinder.
Line: 460
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct v4l2_pix_format *pix = &f->fmt.pix;
struct delta_frameinfo *frameinfo = &ctx->frameinfo;
struct delta_streaminfo *streaminfo = &ctx->streaminfo;
unsigned char str[100] = "";
if (!(ctx->flags & DELTA_FLAG_FRAMEINFO))
dev_dbg(delta->dev,
"%s V4L2 GET_FMT (CAPTURE): no frame information available, default to %s\n",
ctx->name,
Reported by FlawFinder.
Line: 649
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct delta_dec *dec = ctx->dec;
struct v4l2_pix_format *pix = &f->fmt.pix;
struct delta_frameinfo frameinfo;
unsigned char str[100] = "";
struct vb2_queue *vq;
int ret;
vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx, f->type);
if (vb2_is_streaming(vq)) {
Reported by FlawFinder.
Line: 1223
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct delta_dev *delta = ctx->dev;
unsigned int i;
struct delta_frame *frame;
unsigned char str[100] = "";
dev_info(delta->dev,
"%s dumping frames status...\n", ctx->name);
for (i = 0; i < ctx->nb_of_frames; i++) {
Reported by FlawFinder.
Line: 1314
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vb2_v4l2_buffer *vbuf = NULL;
struct delta_streaminfo *streaminfo = &ctx->streaminfo;
struct delta_frameinfo *frameinfo = &ctx->frameinfo;
unsigned char str1[100] = "";
unsigned char str2[100] = "";
if ((ctx->state != DELTA_STATE_WF_FORMAT) &&
(ctx->state != DELTA_STATE_WF_STREAMINFO))
return 0;
Reported by FlawFinder.
Line: 1315
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct delta_streaminfo *streaminfo = &ctx->streaminfo;
struct delta_frameinfo *frameinfo = &ctx->frameinfo;
unsigned char str1[100] = "";
unsigned char str2[100] = "";
if ((ctx->state != DELTA_STATE_WF_FORMAT) &&
(ctx->state != DELTA_STATE_WF_STREAMINFO))
return 0;
Reported by FlawFinder.
drivers/media/usb/dvb-usb/cxusb.c
7 issues
Line: 101
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&d->data_mutex);
st->data[0] = cmd;
memcpy(&st->data[1], wbuf, wlen);
ret = dvb_usb_generic_rw(d, st->data, 1 + wlen, st->data, rlen, 0);
if (!ret && rbuf && rlen)
memcpy(rbuf, st->data, rlen);
mutex_unlock(&d->data_mutex);
Reported by FlawFinder.
Line: 104
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&st->data[1], wbuf, wlen);
ret = dvb_usb_generic_rw(d, st->data, 1 + wlen, st->data, rlen, 0);
if (!ret && rbuf && rlen)
memcpy(rbuf, st->data, rlen);
mutex_unlock(&d->data_mutex);
return ret;
}
Reported by FlawFinder.
Line: 219
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
warn("i2c read failed");
break;
}
memcpy(msg[i].buf, &ibuf[1], msg[i].len);
} else if (i + 1 < num && (msg[i + 1].flags & I2C_M_RD) &&
msg[i].addr == msg[i + 1].addr) {
/* write to then read from same address */
u8 obuf[MAX_XFER_SIZE], ibuf[MAX_XFER_SIZE];
Reported by FlawFinder.
Line: 240
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
obuf[0] = msg[i].len;
obuf[1] = msg[i + 1].len;
obuf[2] = msg[i].addr;
memcpy(&obuf[3], msg[i].buf, msg[i].len);
if (cxusb_ctrl_msg(d, CMD_I2C_READ,
obuf, 3 + msg[i].len,
ibuf, 1 + msg[i + 1].len) < 0)
break;
Reported by FlawFinder.
Line: 250
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ibuf[0] != 0x08)
dev_info(&d->udev->dev, "i2c read may have failed\n");
memcpy(msg[i + 1].buf, &ibuf[1], msg[i + 1].len);
i++;
} else {
/* write only */
u8 obuf[MAX_XFER_SIZE], ibuf;
Reported by FlawFinder.
Line: 265
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
obuf[0] = msg[i].addr;
obuf[1] = msg[i].len;
memcpy(&obuf[2], msg[i].buf, msg[i].len);
if (cxusb_ctrl_msg(d, CMD_I2C_WRITE, obuf,
2 + msg[i].len, &ibuf, 1) < 0)
break;
if (ibuf != 0x08)
Reported by FlawFinder.
Line: 1403
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!new_fw_data)
return -ENOMEM;
memcpy(new_fw_data, fw->data, fw->size);
new_fw.size = fw->size;
new_fw.data = new_fw_data;
new_fw_data[idoff + 2] =
le16_to_cpu(udev->descriptor.idProduct) + 1;
Reported by FlawFinder.
drivers/mtd/nand/raw/marvell_nand.c
7 issues
Line: 1028
struct marvell_nfc *nfc = to_marvell_nfc(chip->controller);
const struct marvell_hw_ecc_layout *lt = to_marvell_nand(chip)->layout;
struct marvell_nfc_op nfc_op = {
.ndcb[0] = NDCB0_CMD_TYPE(TYPE_READ) |
NDCB0_ADDR_CYC(marvell_nand->addr_cyc) |
NDCB0_DBC |
NDCB0_CMD1(NAND_CMD_READ0) |
NDCB0_CMD2(NAND_CMD_READSTART),
.ndcb[1] = NDCB1_ADDRS_PAGE(page),
Reported by Cppcheck.
Line: 912
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 tmp_buf[FIFO_DEPTH];
ioread32_rep(nfc->regs + NDDB, tmp_buf, FIFO_REP(FIFO_DEPTH));
memcpy(in + last_full_offset, tmp_buf, last_len);
}
return 0;
}
Reported by FlawFinder.
Line: 931
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (last_len) {
u8 tmp_buf[FIFO_DEPTH];
memcpy(tmp_buf, out + last_full_offset, last_len);
iowrite32_rep(nfc->regs + NDDB, tmp_buf, FIFO_REP(FIFO_DEPTH));
}
return 0;
}
Reported by FlawFinder.
Line: 1062
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nfc->use_dma) {
marvell_nfc_xfer_data_dma(nfc, DMA_FROM_DEVICE,
lt->data_bytes + oob_bytes);
memcpy(data_buf, nfc->dma_buf, lt->data_bytes);
memcpy(oob_buf, nfc->dma_buf + lt->data_bytes, oob_bytes);
} else {
marvell_nfc_xfer_data_in_pio(nfc, data_buf, lt->data_bytes);
marvell_nfc_xfer_data_in_pio(nfc, oob_buf, oob_bytes);
}
Reported by FlawFinder.
Line: 1063
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
marvell_nfc_xfer_data_dma(nfc, DMA_FROM_DEVICE,
lt->data_bytes + oob_bytes);
memcpy(data_buf, nfc->dma_buf, lt->data_bytes);
memcpy(oob_buf, nfc->dma_buf + lt->data_bytes, oob_bytes);
} else {
marvell_nfc_xfer_data_in_pio(nfc, data_buf, lt->data_bytes);
marvell_nfc_xfer_data_in_pio(nfc, oob_buf, oob_bytes);
}
Reported by FlawFinder.
Line: 1169
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Write the page then the OOB area */
if (nfc->use_dma) {
memcpy(nfc->dma_buf, data_buf, lt->data_bytes);
memcpy(nfc->dma_buf + lt->data_bytes, oob_buf, oob_bytes);
marvell_nfc_xfer_data_dma(nfc, DMA_TO_DEVICE, lt->data_bytes +
lt->ecc_bytes + lt->spare_bytes);
} else {
marvell_nfc_xfer_data_out_pio(nfc, data_buf, lt->data_bytes);
Reported by FlawFinder.
Line: 1170
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Write the page then the OOB area */
if (nfc->use_dma) {
memcpy(nfc->dma_buf, data_buf, lt->data_bytes);
memcpy(nfc->dma_buf + lt->data_bytes, oob_buf, oob_bytes);
marvell_nfc_xfer_data_dma(nfc, DMA_TO_DEVICE, lt->data_bytes +
lt->ecc_bytes + lt->spare_bytes);
} else {
marvell_nfc_xfer_data_out_pio(nfc, data_buf, lt->data_bytes);
marvell_nfc_xfer_data_out_pio(nfc, oob_buf, oob_bytes);
Reported by FlawFinder.
drivers/media/usb/pvrusb2/pvrusb2-hdw-internal.h
7 issues
Line: 119
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define PVR2_CTLD_INFO_DESC_SIZE 32
struct pvr2_ctld_info {
struct pvr2_ctl_info info;
char desc[PVR2_CTLD_INFO_DESC_SIZE];
};
struct pvr2_ctrl {
const struct pvr2_ctl_info *info;
struct pvr2_hdw *hdw;
Reported by FlawFinder.
Line: 172
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
driver. It is unique within the set of existing devices, but
there is no attempt to keep the name consistent with the same
physical device each time. */
char name[32];
/* This is a simple string which identifies the physical device
instance itself - if possible. (If not possible, then it is
based on the specific driver instance, similar to name above.)
The idea here is that userspace might hopefully be able to use
Reported by FlawFinder.
Line: 180
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
The idea here is that userspace might hopefully be able to use
this recognize specific tuners. It will encode a serial number,
if available. */
char identifier[32];
/* I2C stuff */
struct i2c_adapter i2c_adap;
struct i2c_algorithm i2c_algo;
pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT];
Reported by FlawFinder.
Line: 208
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ctl_read_pend_flag;
int ctl_timeout_flag;
struct completion ctl_done;
unsigned char cmd_buffer[PVR2_CTL_BUFFSIZE];
int cmd_debug_state; // Low level command debugging info
unsigned char cmd_debug_code; //
unsigned int cmd_debug_write_len; //
unsigned int cmd_debug_read_len; //
Reported by FlawFinder.
Line: 313
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pvr2_ctl_info std_info_detect;
// Generated string names, one per actual V4L2 standard
const char *std_mask_ptrs[32];
char std_mask_names[32][16];
int unit_number; /* ID for driver instance */
unsigned long serial_number; /* ID for hardware itself */
Reported by FlawFinder.
Line: 314
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
// Generated string names, one per actual V4L2 standard
const char *std_mask_ptrs[32];
char std_mask_names[32][16];
int unit_number; /* ID for driver instance */
unsigned long serial_number; /* ID for hardware itself */
char bus_info[32]; /* Bus location info */
Reported by FlawFinder.
Line: 319
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int unit_number; /* ID for driver instance */
unsigned long serial_number; /* ID for hardware itself */
char bus_info[32]; /* Bus location info */
/* Minor numbers used by v4l logic (yes, this is a hack, as there
should be no v4l junk here). Probably a better way to do this. */
int v4l_minor_number_video;
int v4l_minor_number_vbi;
Reported by FlawFinder.
drivers/misc/eeprom/idt_89hpesx.c
7 issues
Line: 487
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Collect the data to send. Length byte must be added prior the data */
buf[0] = seq->bytecnt;
memcpy(&buf[1], seq->data, seq->bytecnt);
/* Collect the command code byte */
ccode = seq->ccode | CCODE_BLOCK | CCODE_START | CCODE_END;
/* Send length and block of data to the device */
Reported by FlawFinder.
Line: 528
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENODATA;
/* Copy retrieved data to the output data buffer */
memcpy(seq->data, &buf[1], seq->bytecnt);
return 0;
}
/*===========================================================================
Reported by FlawFinder.
Line: 1002
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct idt_89hpesx_dev *pdev = filep->private_data;
u32 csraddr, csrval;
char buf[CSRBUF_SIZE];
int ret, size;
/* Perform CSR read operation */
ret = idt_csr_read(pdev, pdev->csr, &csrval);
if (ret != 0)
Reported by FlawFinder.
Line: 1066
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct i2c_device_id *id = ee_ids;
const char *compatible, *p;
char devname[I2C_NAME_SIZE];
int ret;
ret = fwnode_property_read_string(fwnode, "compatible", &compatible);
if (ret)
return NULL;
Reported by FlawFinder.
Line: 1299
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
/* Copy the declared EEPROM attr structure to change some of fields */
memcpy(pdev->ee_file, &bin_attr_eeprom, sizeof(*pdev->ee_file));
/* In case of read-only EEPROM get rid of write ability */
if (pdev->eero) {
pdev->ee_file->attr.mode &= ~0200;
pdev->ee_file->write = NULL;
Reported by FlawFinder.
Line: 1341
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void idt_create_dbgfs_files(struct idt_89hpesx_dev *pdev)
{
struct i2c_client *cli = pdev->client;
char fname[CSRNAME_LEN];
/* Create Debugfs directory for CSR file */
snprintf(fname, CSRNAME_LEN, "%d-%04hx", cli->adapter->nr, cli->addr);
pdev->csr_dir = debugfs_create_dir(fname, csr_dbgdir);
Reported by FlawFinder.
Line: 940
Column: 3
CWE codes:
120
goto free_buf;
}
/* Copy the register address to the substring buffer */
strncpy(csraddr_str, buf, csraddr_len);
csraddr_str[csraddr_len] = '\0';
/* Register value must follow the colon */
csrval_str = colon_ch + 1;
} else /* if (str_colon == NULL) */ {
csraddr_str = (char *)buf; /* Just to shut warning up */
Reported by FlawFinder.
drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
7 issues
Line: 125
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "xgbe-common.h"
struct xgbe_stats {
char stat_string[ETH_GSTRING_LEN];
int stat_size;
int stat_offset;
};
#define XGMAC_MMC_STAT(_string, _var) \
Reported by FlawFinder.
Line: 199
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_STATS:
for (i = 0; i < XGBE_STATS_COUNT; i++) {
memcpy(data, xgbe_gstring_stats[i].stat_string,
ETH_GSTRING_LEN);
data += ETH_GSTRING_LEN;
}
for (i = 0; i < pdata->tx_ring_count; i++) {
sprintf(data, "txq_%u_packets", i);
Reported by FlawFinder.
Line: 204
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data += ETH_GSTRING_LEN;
}
for (i = 0; i < pdata->tx_ring_count; i++) {
sprintf(data, "txq_%u_packets", i);
data += ETH_GSTRING_LEN;
sprintf(data, "txq_%u_bytes", i);
data += ETH_GSTRING_LEN;
}
for (i = 0; i < pdata->rx_ring_count; i++) {
Reported by FlawFinder.
Line: 206
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < pdata->tx_ring_count; i++) {
sprintf(data, "txq_%u_packets", i);
data += ETH_GSTRING_LEN;
sprintf(data, "txq_%u_bytes", i);
data += ETH_GSTRING_LEN;
}
for (i = 0; i < pdata->rx_ring_count; i++) {
sprintf(data, "rxq_%u_packets", i);
data += ETH_GSTRING_LEN;
Reported by FlawFinder.
Line: 210
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data += ETH_GSTRING_LEN;
}
for (i = 0; i < pdata->rx_ring_count; i++) {
sprintf(data, "rxq_%u_packets", i);
data += ETH_GSTRING_LEN;
sprintf(data, "rxq_%u_bytes", i);
data += ETH_GSTRING_LEN;
}
break;
Reported by FlawFinder.
Line: 212
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < pdata->rx_ring_count; i++) {
sprintf(data, "rxq_%u_packets", i);
data += ETH_GSTRING_LEN;
sprintf(data, "rxq_%u_bytes", i);
data += ETH_GSTRING_LEN;
}
break;
}
}
Reported by FlawFinder.
Line: 536
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (key)
memcpy(key, pdata->rss_key, sizeof(pdata->rss_key));
if (hfunc)
*hfunc = ETH_RSS_HASH_TOP;
return 0;
Reported by FlawFinder.
drivers/media/pci/cx23885/altera-ci.c
7 issues
Line: 444
Column: 25
CWE codes:
362
EXPORT_SYMBOL(altera_ci_irq);
static int altera_poll_ci_slot_status(struct dvb_ca_en50221 *en50221,
int slot, int open)
{
struct altera_ci_state *state = en50221->data;
if (0 != slot)
return -EINVAL;
Reported by FlawFinder.
Line: 250
Column: 19
CWE codes:
120
20
}
static int netup_fpga_op_rw(struct fpga_internal *inter, int addr,
u8 val, u8 read)
{
inter->fpga_rw(inter->dev, NETUP_CI_FLG_AD, addr, 0);
return inter->fpga_rw(inter->dev, 0, val, read);
}
Reported by FlawFinder.
Line: 253
Column: 44
CWE codes:
120
20
u8 val, u8 read)
{
inter->fpga_rw(inter->dev, NETUP_CI_FLG_AD, addr, 0);
return inter->fpga_rw(inter->dev, 0, val, read);
}
/* flag - mem/io, read - read/write */
static int altera_ci_op_cam(struct dvb_ca_en50221 *en50221, int slot,
u8 flag, u8 read, int addr, u8 val)
Reported by FlawFinder.
Line: 258
Column: 17
CWE codes:
120
20
/* flag - mem/io, read - read/write */
static int altera_ci_op_cam(struct dvb_ca_en50221 *en50221, int slot,
u8 flag, u8 read, int addr, u8 val)
{
struct altera_ci_state *state = en50221->data;
struct fpga_internal *inter = state->internal;
Reported by FlawFinder.
Line: 280
Column: 52
CWE codes:
120
20
store |= ((state->nr << 7) | (flag << 6));
netup_fpga_op_rw(inter, NETUP_CI_BUSCTRL, store, 0);
mem = netup_fpga_op_rw(inter, NETUP_CI_DATA, val, read);
mutex_unlock(&inter->fpga_mutex);
ci_dbg_print("%s: %s: addr=[0x%02x], %s=%x\n", __func__,
(read) ? "read" : "write", addr,
Reported by FlawFinder.
Line: 285
Column: 5
CWE codes:
120
20
mutex_unlock(&inter->fpga_mutex);
ci_dbg_print("%s: %s: addr=[0x%02x], %s=%x\n", __func__,
(read) ? "read" : "write", addr,
(flag == NETUP_CI_FLG_CTL) ? "ctl" : "mem",
(read) ? mem : val);
return mem;
}
Reported by FlawFinder.
Line: 287
Column: 5
CWE codes:
120
20
ci_dbg_print("%s: %s: addr=[0x%02x], %s=%x\n", __func__,
(read) ? "read" : "write", addr,
(flag == NETUP_CI_FLG_CTL) ? "ctl" : "mem",
(read) ? mem : val);
return mem;
}
static int altera_ci_read_attribute_mem(struct dvb_ca_en50221 *en50221,
Reported by FlawFinder.
drivers/mtd/ubi/block.c
7 issues
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return -EINVAL;
}
strcpy(buf, val);
/* Get rid of the final newline */
if (buf[len - 1] == '\n')
buf[len - 1] = '\0';
Reported by FlawFinder.
Line: 144
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ret = kstrtoint(tokens[1], 10, ¶m->vol_id);
if (ret < 0) {
param->vol_id = -1;
strcpy(param->name, tokens[1]);
}
} else {
/* One parameter: must be device path */
strcpy(param->name, tokens[0]);
Reported by FlawFinder.
Line: 149
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
} else {
/* One parameter: must be device path */
strcpy(param->name, tokens[0]);
param->ubi_num = -1;
param->vol_id = -1;
}
ubiblock_devs++;
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ubiblock_param {
int ubi_num;
int vol_id;
char name[UBIBLOCK_PARAM_LEN+1];
};
struct ubiblock_pdu {
struct work_struct work;
struct ubi_sgl usgl;
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i, ret;
size_t len;
struct ubiblock_param *param;
char buf[UBIBLOCK_PARAM_LEN];
char *pbuf = &buf[0];
char *tokens[UBIBLOCK_PARAM_COUNT];
if (!val)
return -EINVAL;
Reported by FlawFinder.
Line: 107
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ubiblock_param *param;
char buf[UBIBLOCK_PARAM_LEN];
char *pbuf = &buf[0];
char *tokens[UBIBLOCK_PARAM_COUNT];
if (!val)
return -EINVAL;
len = strnlen(val, UBIBLOCK_PARAM_LEN);
Reported by FlawFinder.
Line: 430
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto out_cleanup_disk;
}
gd->private_data = dev;
sprintf(gd->disk_name, "ubiblock%d_%d", dev->ubi_num, dev->vol_id);
set_capacity(gd, disk_capacity);
dev->gd = gd;
dev->rq = gd->queue;
blk_queue_max_segments(dev->rq, UBI_MAX_SG_COUNT);
Reported by FlawFinder.
drivers/misc/vmw_vmci/vmci_queue_pair.c
7 issues
Line: 495
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int qp_populate_ppn_set(u8 *call_buf, const struct ppn_set *ppn_set)
{
if (vmci_use_ppn64()) {
memcpy(call_buf, ppn_set->produce_ppns,
ppn_set->num_produce_pages *
sizeof(*ppn_set->produce_ppns));
memcpy(call_buf +
ppn_set->num_produce_pages *
sizeof(*ppn_set->produce_ppns),
Reported by FlawFinder.
Line: 498
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(call_buf, ppn_set->produce_ppns,
ppn_set->num_produce_pages *
sizeof(*ppn_set->produce_ppns));
memcpy(call_buf +
ppn_set->num_produce_pages *
sizeof(*ppn_set->produce_ppns),
ppn_set->consume_ppns,
ppn_set->num_consume_pages *
sizeof(*ppn_set->consume_ppns));
Reported by FlawFinder.
Line: 2605
Column: 9
CWE codes:
120
20
size_t buf_size = iov_iter_count(to);
s64 buf_ready;
u64 head;
size_t read;
ssize_t result;
result = qp_map_queue_headers(produce_q, consume_q);
if (unlikely(result != VMCI_SUCCESS))
return result;
Reported by FlawFinder.
Line: 2623
Column: 20
CWE codes:
120
20
read = (size_t) (buf_ready > buf_size ? buf_size : buf_ready);
head = vmci_q_header_consumer_head(produce_q->q_header);
if (likely(head + read < consume_q_size)) {
result = qp_memcpy_from_queue_iter(to, consume_q, head, read);
} else {
/* Head pointer wraps around. */
const size_t tmp = (size_t) (consume_q_size - head);
Reported by FlawFinder.
Line: 2624
Column: 59
CWE codes:
120
20
read = (size_t) (buf_ready > buf_size ? buf_size : buf_ready);
head = vmci_q_header_consumer_head(produce_q->q_header);
if (likely(head + read < consume_q_size)) {
result = qp_memcpy_from_queue_iter(to, consume_q, head, read);
} else {
/* Head pointer wraps around. */
const size_t tmp = (size_t) (consume_q_size - head);
Reported by FlawFinder.
Line: 2644
Column: 9
CWE codes:
120
20
vmci_q_header_add_consumer_head(produce_q->q_header,
read, consume_q_size);
return read;
}
/*
* vmci_qpair_alloc() - Allocates a queue pair.
* @qpair: Pointer for the new vmci_qp struct.
Reported by FlawFinder.