The following issues were found
drivers/media/pci/tw68/tw68-video.c
7 issues
Line: 720
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strscpy(cap->driver, "tw68", sizeof(cap->driver));
strscpy(cap->card, "Techwell Capture Card",
sizeof(cap->card));
sprintf(cap->bus_info, "PCI:%s", pci_name(dev->pci));
return 0;
}
static int tw68_s_std(struct file *file, void *priv, v4l2_std_id id)
{
Reported by FlawFinder.
Line: 777
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void tw68_dump_regs(struct tw68_dev *dev)
{
unsigned char line[80];
int i, j, k;
unsigned char *cptr;
pr_info("Full dump of TW68 registers:\n");
/* First we do the PCI regs, 8 4-byte regs per line */
Reported by FlawFinder.
Line: 785
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* First we do the PCI regs, 8 4-byte regs per line */
for (i = 0; i < 0x100; i += 32) {
cptr = line;
cptr += sprintf(cptr, "%03x ", i);
/* j steps through the next 4 words */
for (j = i; j < i + 16; j += 4)
cptr += sprintf(cptr, "%08x ", tw_readl(j));
*cptr++ = ' ';
for (; j < i + 32; j += 4)
Reported by FlawFinder.
Line: 788
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cptr += sprintf(cptr, "%03x ", i);
/* j steps through the next 4 words */
for (j = i; j < i + 16; j += 4)
cptr += sprintf(cptr, "%08x ", tw_readl(j));
*cptr++ = ' ';
for (; j < i + 32; j += 4)
cptr += sprintf(cptr, "%08x ", tw_readl(j));
*cptr++ = '\n';
*cptr = 0;
Reported by FlawFinder.
Line: 791
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cptr += sprintf(cptr, "%08x ", tw_readl(j));
*cptr++ = ' ';
for (; j < i + 32; j += 4)
cptr += sprintf(cptr, "%08x ", tw_readl(j));
*cptr++ = '\n';
*cptr = 0;
pr_info("%s", line);
}
/* Next the control regs, which are single-byte, address mod 4 */
Reported by FlawFinder.
Line: 799
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Next the control regs, which are single-byte, address mod 4 */
while (i < 0x400) {
cptr = line;
cptr += sprintf(cptr, "%03x ", i);
/* Print out 4 groups of 4 bytes */
for (j = 0; j < 4; j++) {
for (k = 0; k < 4; k++) {
cptr += sprintf(cptr, "%02x ",
tw_readb(i));
Reported by FlawFinder.
Line: 803
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Print out 4 groups of 4 bytes */
for (j = 0; j < 4; j++) {
for (k = 0; k < 4; k++) {
cptr += sprintf(cptr, "%02x ",
tw_readb(i));
i += 4;
}
*cptr++ = ' ';
}
Reported by FlawFinder.
drivers/net/ethernet/cavium/liquidio/octeon_device.c
7 issues
Line: 530
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
},
};
static char oct_dev_state_str[OCT_DEV_STATES + 1][32] = {
"BEGIN", "PCI-ENABLE-DONE", "PCI-MAP-DONE", "DISPATCH-INIT-DONE",
"IQ-INIT-DONE", "SCBUFF-POOL-INIT-DONE", "RESPLIST-INIT-DONE",
"DROQ-INIT-DONE", "MBOX-SETUP-DONE", "MSIX-ALLOC-VECTOR-DONE",
"INTR-SET-DONE", "IO-QUEUES-INIT-DONE", "CONSOLE-INIT-DONE",
"HOST-READY", "CORE-READY", "RUNNING", "IN-RESET",
Reported by FlawFinder.
Line: 539
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"INVALID"
};
static char oct_dev_app_str[CVM_DRV_APP_COUNT + 1][32] = {
"BASE", "NIC", "UNKNOWN"};
static struct octeon_device *octeon_device[MAX_OCTEON_DEVICES];
static atomic_t adapter_refcounts[MAX_OCTEON_DEVICES];
static atomic_t adapter_fw_states[MAX_OCTEON_DEVICES];
Reported by FlawFinder.
Line: 1187
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int octeon_core_drv_init(struct octeon_recv_info *recv_info, void *buf)
{
u32 i;
char app_name[16];
struct octeon_device *oct = (struct octeon_device *)buf;
struct octeon_recv_pkt *recv_pkt = recv_info->recv_pkt;
struct octeon_core_setup *cs = NULL;
u32 num_nic_ports = 0;
Reported by FlawFinder.
Line: 1243
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
recv_pkt->buffer_size[0]);
}
memcpy(cs, get_rbd(
recv_pkt->buffer_ptr[0]) + OCT_DROQ_INFO_SIZE, sizeof(*cs));
strncpy(oct->boardinfo.name, cs->boardname, OCT_BOARD_NAME);
strncpy(oct->boardinfo.serial_number, cs->board_serial_number,
OCT_SERIAL_LEN);
Reported by FlawFinder.
Line: 1206
Column: 2
CWE codes:
120
goto core_drv_init_err;
}
strncpy(app_name,
get_oct_app_string(
(u32)recv_pkt->rh.r_core_drv_init.app_mode),
sizeof(app_name) - 1);
oct->app_mode = (u32)recv_pkt->rh.r_core_drv_init.app_mode;
if (recv_pkt->rh.r_core_drv_init.app_mode == CVM_DRV_NIC_APP) {
Reported by FlawFinder.
Line: 1246
Column: 2
CWE codes:
120
memcpy(cs, get_rbd(
recv_pkt->buffer_ptr[0]) + OCT_DROQ_INFO_SIZE, sizeof(*cs));
strncpy(oct->boardinfo.name, cs->boardname, OCT_BOARD_NAME);
strncpy(oct->boardinfo.serial_number, cs->board_serial_number,
OCT_SERIAL_LEN);
octeon_swap_8B_data((u64 *)cs, (sizeof(*cs) >> 3));
Reported by FlawFinder.
Line: 1247
Column: 2
CWE codes:
120
recv_pkt->buffer_ptr[0]) + OCT_DROQ_INFO_SIZE, sizeof(*cs));
strncpy(oct->boardinfo.name, cs->boardname, OCT_BOARD_NAME);
strncpy(oct->boardinfo.serial_number, cs->board_serial_number,
OCT_SERIAL_LEN);
octeon_swap_8B_data((u64 *)cs, (sizeof(*cs) >> 3));
oct->boardinfo.major = cs->board_rev_major;
Reported by FlawFinder.
drivers/net/ethernet/broadcom/bnxt/bnxt.h
7 issues
Line: 1009
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int vector;
u8 requested:1;
u8 have_cpumask:1;
char name[IFNAMSIZ + 2];
cpumask_var_t cpu_mask;
};
#define HWRM_RING_ALLOC_TX 0x1
#define HWRM_RING_ALLOC_RX 0x2
Reported by FlawFinder.
Line: 1349
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bnxt_test_info {
u8 offline_mask;
u16 timeout;
char string[BNXT_MAX_TEST][ETH_GSTRING_LEN];
};
#define CHIMP_REG_VIEW_ADDR \
((bp->flags & BNXT_FLAG_CHIP_P5) ? 0x80000000 : 0xb1000000)
Reported by FlawFinder.
Line: 1681
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
(chip_num) == CHIP_NUM_58808)
#define BNXT_VPD_FLD_LEN 32
char board_partno[BNXT_VPD_FLD_LEN];
char board_serialno[BNXT_VPD_FLD_LEN];
struct net_device *dev;
struct pci_dev *pdev;
Reported by FlawFinder.
Line: 1682
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BNXT_VPD_FLD_LEN 32
char board_partno[BNXT_VPD_FLD_LEN];
char board_serialno[BNXT_VPD_FLD_LEN];
struct net_device *dev;
struct pci_dev *pdev;
atomic_t intr_sem;
Reported by FlawFinder.
Line: 1923
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define FW_VER_STR_LEN 32
#define BC_HWRM_STR_LEN 21
#define PHY_VER_STR_LEN (FW_VER_STR_LEN - BC_HWRM_STR_LEN)
char fw_ver_str[FW_VER_STR_LEN];
char hwrm_ver_supp[FW_VER_STR_LEN];
char nvm_cfg_ver[FW_VER_STR_LEN];
u64 fw_ver_code;
#define BNXT_FW_VER_CODE(maj, min, bld, rsv) \
((u64)(maj) << 48 | (u64)(min) << 32 | (u64)(bld) << 16 | (rsv))
Reported by FlawFinder.
Line: 1924
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BC_HWRM_STR_LEN 21
#define PHY_VER_STR_LEN (FW_VER_STR_LEN - BC_HWRM_STR_LEN)
char fw_ver_str[FW_VER_STR_LEN];
char hwrm_ver_supp[FW_VER_STR_LEN];
char nvm_cfg_ver[FW_VER_STR_LEN];
u64 fw_ver_code;
#define BNXT_FW_VER_CODE(maj, min, bld, rsv) \
((u64)(maj) << 48 | (u64)(min) << 32 | (u64)(bld) << 16 | (rsv))
#define BNXT_FW_MAJ(bp) ((bp)->fw_ver_code >> 48)
Reported by FlawFinder.
Line: 1925
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define PHY_VER_STR_LEN (FW_VER_STR_LEN - BC_HWRM_STR_LEN)
char fw_ver_str[FW_VER_STR_LEN];
char hwrm_ver_supp[FW_VER_STR_LEN];
char nvm_cfg_ver[FW_VER_STR_LEN];
u64 fw_ver_code;
#define BNXT_FW_VER_CODE(maj, min, bld, rsv) \
((u64)(maj) << 48 | (u64)(min) << 32 | (u64)(bld) << 16 | (rsv))
#define BNXT_FW_MAJ(bp) ((bp)->fw_ver_code >> 48)
Reported by FlawFinder.
drivers/net/can/usb/usb_8dev.c
7 issues
Line: 212
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&priv->usb_8dev_cmd_lock);
memcpy(priv->cmd_msg_buffer, out,
sizeof(struct usb_8dev_cmd_msg));
err = usb_8dev_send_cmd_msg(priv, priv->cmd_msg_buffer,
sizeof(struct usb_8dev_cmd_msg));
if (err < 0) {
Reported by FlawFinder.
Line: 230
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto failed;
}
memcpy(in, priv->cmd_msg_buffer, sizeof(struct usb_8dev_cmd_msg));
if (in->begin != USB_8DEV_CMD_START || in->end != USB_8DEV_CMD_END ||
num_bytes_read != 16 || in->opt1 != 0)
err = -EPROTO;
Reported by FlawFinder.
Line: 261
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* BRP */
bebrp = cpu_to_be16((u16)bt->brp);
memcpy(&outmsg.data[3], &bebrp, sizeof(bebrp));
/* flags */
if (ctrlmode & CAN_CTRLMODE_LOOPBACK)
flags |= USB_8DEV_LOOPBACK;
if (ctrlmode & CAN_CTRLMODE_LISTENONLY)
Reported by FlawFinder.
Line: 272
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
flags |= USB_8DEV_DISABLE_AUTO_RESTRANS;
beflags = cpu_to_be32(flags);
memcpy(&outmsg.data[5], &beflags, sizeof(beflags));
return usb_8dev_send_cmd(priv, &outmsg, &inmsg);
}
/* Send close command to device */
Reported by FlawFinder.
Line: 482
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (msg->flags & USB_8DEV_RTR)
cf->can_id |= CAN_RTR_FLAG;
else
memcpy(cf->data, msg->data, cf->len);
stats->rx_packets++;
stats->rx_bytes += cf->len;
netif_rx(skb);
Reported by FlawFinder.
Line: 642
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->id = cpu_to_be32(cf->can_id & CAN_ERR_MASK);
msg->dlc = can_get_cc_dlc(cf, priv->can.ctrlmode);
memcpy(msg->data, cf->data, cf->len);
msg->end = USB_8DEV_DATA_END;
for (i = 0; i < MAX_TX_URBS; i++) {
if (priv->tx_contexts[i].echo_index == MAX_TX_URBS) {
context = &priv->tx_contexts[i];
Reported by FlawFinder.
Line: 914
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_8dev_priv *priv;
int i, err = -ENOMEM;
u32 version;
char buf[18];
struct usb_device *usbdev = interface_to_usbdev(intf);
/* product id looks strange, better we also check iProduct string */
if (usb_string(usbdev, usbdev->descriptor.iProduct, buf,
sizeof(buf)) > 0 && strcmp(buf, "USB2CAN converter")) {
Reported by FlawFinder.
drivers/media/usb/cx231xx/cx231xx.h
7 issues
Line: 261
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 mpeg_buffer_done;
u32 mpeg_buffer_completed;
enum ps_package_head add_ps_package_head;
char ps_head[10];
};
/* inputs */
#define MAX_CX231XX_INPUT 4
Reported by FlawFinder.
Line: 407
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define CX231XX_DVB 0x20
struct cx231xx_audio {
char name[50];
char *transfer_buffer[CX231XX_AUDIO_BUFS];
struct urb *urb[CX231XX_AUDIO_BUFS];
struct usb_device *udev;
unsigned int capture_transfer_done;
struct snd_pcm_substream *capture_pcm_substream;
Reported by FlawFinder.
Line: 408
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cx231xx_audio {
char name[50];
char *transfer_buffer[CX231XX_AUDIO_BUFS];
struct urb *urb[CX231XX_AUDIO_BUFS];
struct usb_device *udev;
unsigned int capture_transfer_done;
struct snd_pcm_substream *capture_pcm_substream;
Reported by FlawFinder.
Line: 561
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* main device struct */
struct cx231xx {
/* generic device properties */
char name[30]; /* name (including minor) of the device */
int model; /* index in the device_data struct */
int devno; /* marks the number of this device */
struct device *dev; /* pointer to USB interface's dev */
struct cx231xx_board board;
Reported by FlawFinder.
Line: 631
Column: 20
CWE codes:
362
struct mutex lock;
struct mutex ctrl_urb_lock; /* protects urb_buf */
struct list_head inqueue, outqueue;
wait_queue_head_t open, wait_frame, wait_stream;
struct video_device vbi_dev;
struct video_device radio_dev;
#if defined(CONFIG_MEDIA_CONTROLLER)
struct media_device *media_dev;
Reported by FlawFinder.
Line: 645
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vb2_queue vidq;
struct vb2_queue vbiq;
unsigned char eedata[256];
struct cx231xx_video_mode video_mode;
struct cx231xx_video_mode vbi_mode;
struct cx231xx_video_mode sliced_cc_mode;
struct cx231xx_video_mode ts1_mode;
Reported by FlawFinder.
Line: 655
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
atomic_t devlist_count;
struct usb_device *udev; /* the usb device */
char urb_buf[URB_MAX_CTRL_SIZE]; /* urb control msg buffer */
/* helper funcs that call usb_control_msg */
int (*cx231xx_read_ctrl_reg) (struct cx231xx *dev, u8 req, u16 reg,
char *buf, int len);
int (*cx231xx_write_ctrl_reg) (struct cx231xx *dev, u8 req, u16 reg,
Reported by FlawFinder.
drivers/scsi/qla2xxx/qla_isr.c
7 issues
Line: 892
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fpin_pkt = &item->iocb;
memcpy(fpin_pkt, &purex->els_frame_payload[0], no_bytes);
buffer_copy_offset += no_bytes;
pending_bytes -= no_bytes;
--entry_count_remaining;
((response_t *)purex)->signature = RESPONSE_PROCESSED;
Reported by FlawFinder.
Line: 930
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
no_bytes = (pending_bytes > sizeof(new_pkt->data)) ?
sizeof(new_pkt->data) : pending_bytes;
if ((buffer_copy_offset + no_bytes) <= total_bytes) {
memcpy(((uint8_t *)fpin_pkt +
buffer_copy_offset), new_pkt->data,
no_bytes);
buffer_copy_offset += no_bytes;
pending_bytes -= no_bytes;
--entry_count_remaining;
Reported by FlawFinder.
Line: 940
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ql_log(ql_log_warn, vha, 0x5044,
"Attempt to copy more that we got, optimizing..%x\n",
buffer_copy_offset);
memcpy(((uint8_t *)fpin_pkt +
buffer_copy_offset), new_pkt->data,
total_bytes - buffer_copy_offset);
}
((response_t *)new_pkt)->signature = RESPONSE_PROCESSED;
Reported by FlawFinder.
Line: 1216
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(ha->current_topology == ISP_CFG_F)) {
void *wwpn = ha->init_cb->port_name;
memcpy(vha->port_name, wwpn, WWN_SIZE);
fc_host_port_name(vha->host) =
wwn_to_u64(vha->port_name);
ql_dbg(ql_dbg_init + ql_dbg_verbose,
vha, 0x00d8, "LOOP DOWN detected,"
"restore WWPN %016llx\n",
Reported by FlawFinder.
Line: 2084
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
res = DID_ERROR << 16;
bsg_reply->reply_payload_rcv_len = 0;
}
memcpy(bsg_job->reply + sizeof(struct fc_bsg_reply),
fw_status, sizeof(fw_status));
ql_dump_buffer(ql_dbg_user + ql_dbg_buffer, vha, 0x5056,
pkt, sizeof(*pkt));
}
else {
Reported by FlawFinder.
Line: 2575
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sense_len > par_sense_len)
sense_len = par_sense_len;
memcpy(cp->sense_buffer, sense_data, sense_len);
SET_CMD_SENSE_PTR(sp, cp->sense_buffer + sense_len);
track_sense_len -= sense_len;
SET_CMD_SENSE_LEN(sp, track_sense_len);
Reported by FlawFinder.
Line: 3302
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Move sense data. */
if (IS_FWI2_CAPABLE(ha))
host_to_fcp_swap(pkt->data, sizeof(pkt->data));
memcpy(sense_ptr, pkt->data, sense_sz);
ql_dump_buffer(ql_dbg_io + ql_dbg_buffer, vha, 0x302c,
sense_ptr, sense_sz);
sense_len -= sense_sz;
sense_ptr += sense_sz;
Reported by FlawFinder.
drivers/staging/media/atomisp/pci/sh_css.c
7 issues
Line: 2163
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Initialize pipe to pre-defined defaults */
memcpy(pipe, &default_pipe, sizeof(default_pipe));
/* TODO: JB should not be needed, but temporary backward reference */
switch (mode) {
case IA_CSS_PIPE_MODE_PREVIEW:
pipe->mode = IA_CSS_PIPE_ID_PREVIEW;
Reported by FlawFinder.
Line: 2169
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (mode) {
case IA_CSS_PIPE_MODE_PREVIEW:
pipe->mode = IA_CSS_PIPE_ID_PREVIEW;
memcpy(&pipe->pipe_settings.preview, &preview, sizeof(preview));
break;
case IA_CSS_PIPE_MODE_CAPTURE:
if (copy_pipe)
pipe->mode = IA_CSS_PIPE_ID_COPY;
else
Reported by FlawFinder.
Line: 2177
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
pipe->mode = IA_CSS_PIPE_ID_CAPTURE;
memcpy(&pipe->pipe_settings.capture, &capture, sizeof(capture));
break;
case IA_CSS_PIPE_MODE_VIDEO:
pipe->mode = IA_CSS_PIPE_ID_VIDEO;
memcpy(&pipe->pipe_settings.video, &video, sizeof(video));
break;
Reported by FlawFinder.
Line: 2181
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case IA_CSS_PIPE_MODE_VIDEO:
pipe->mode = IA_CSS_PIPE_ID_VIDEO;
memcpy(&pipe->pipe_settings.video, &video, sizeof(video));
break;
case IA_CSS_PIPE_MODE_ACC:
pipe->mode = IA_CSS_PIPE_ID_ACC;
break;
case IA_CSS_PIPE_MODE_COPY:
Reported by FlawFinder.
Line: 2191
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case IA_CSS_PIPE_MODE_YUVPP:
pipe->mode = IA_CSS_PIPE_ID_YUVPP;
memcpy(&pipe->pipe_settings.yuvpp, &yuvpp, sizeof(yuvpp));
break;
default:
return -EINVAL;
}
Reported by FlawFinder.
Line: 8564
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void ia_css_pipe_config_defaults(struct ia_css_pipe_config *pipe_config)
{
ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE, "ia_css_pipe_config_defaults()\n");
memcpy(pipe_config, &ia_css_pipe_default_config, sizeof(*pipe_config));
}
void
ia_css_pipe_extra_config_defaults(struct ia_css_pipe_extra_config *extra_config)
{
Reported by FlawFinder.
Line: 8216
Column: 4
CWE codes:
126
(const unsigned char *)(IA_CSS_EXT_ISP_PROG_NAME(
firmware));
blob = binary_name +
strlen((const char *)binary_name) +
1;
binary = sh_css_load_blob(blob, size);
firmware->info.isp.xmem_addr = binary;
}
Reported by FlawFinder.
drivers/staging/nvec/nvec_power.c
7 issues
Line: 41
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bat_temperature;
int bat_cap;
int bat_type_enum;
char bat_manu[30];
char bat_model[30];
char bat_type[30];
};
enum {
Reported by FlawFinder.
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bat_cap;
int bat_type_enum;
char bat_manu[30];
char bat_model[30];
char bat_type[30];
};
enum {
SLOT_STATUS,
Reported by FlawFinder.
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bat_type_enum;
char bat_manu[30];
char bat_model[30];
char bat_type[30];
};
enum {
SLOT_STATUS,
VOLTAGE,
Reported by FlawFinder.
Line: 75
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 status;
/* payload */
union {
char plc[30];
u16 plu;
s16 pls;
};
};
Reported by FlawFinder.
Line: 196
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
power->bat_temperature = res->plu - 2732;
break;
case MANUFACTURER:
memcpy(power->bat_manu, &res->plc, res->length - 2);
power->bat_model[res->length - 2] = '\0';
break;
case MODEL:
memcpy(power->bat_model, &res->plc, res->length - 2);
power->bat_model[res->length - 2] = '\0';
Reported by FlawFinder.
Line: 200
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
power->bat_model[res->length - 2] = '\0';
break;
case MODEL:
memcpy(power->bat_model, &res->plc, res->length - 2);
power->bat_model[res->length - 2] = '\0';
break;
case TYPE:
memcpy(power->bat_type, &res->plc, res->length - 2);
power->bat_type[res->length - 2] = '\0';
Reported by FlawFinder.
Line: 204
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
power->bat_model[res->length - 2] = '\0';
break;
case TYPE:
memcpy(power->bat_type, &res->plc, res->length - 2);
power->bat_type[res->length - 2] = '\0';
/*
* This differs a little from the spec fill in more if you find
* some.
*/
Reported by FlawFinder.
drivers/usb/gadget/function/storage_common.c
7 issues
Line: 370
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t fsg_show_inquiry_string(struct fsg_lun *curlun, char *buf)
{
return sprintf(buf, "%s\n", curlun->inquiry_string);
}
EXPORT_SYMBOL_GPL(fsg_show_inquiry_string);
/*
* The caller must hold fsg->filesem for reading when calling this function.
Reported by FlawFinder.
Line: 318
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t fsg_show_ro(struct fsg_lun *curlun, char *buf)
{
return sprintf(buf, "%d\n", fsg_lun_is_open(curlun)
? curlun->ro
: curlun->initially_ro);
}
EXPORT_SYMBOL_GPL(fsg_show_ro);
Reported by FlawFinder.
Line: 326
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t fsg_show_nofua(struct fsg_lun *curlun, char *buf)
{
return sprintf(buf, "%u\n", curlun->nofua);
}
EXPORT_SYMBOL_GPL(fsg_show_nofua);
ssize_t fsg_show_file(struct fsg_lun *curlun, struct rw_semaphore *filesem,
char *buf)
Reported by FlawFinder.
Line: 358
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t fsg_show_cdrom(struct fsg_lun *curlun, char *buf)
{
return sprintf(buf, "%u\n", curlun->cdrom);
}
EXPORT_SYMBOL_GPL(fsg_show_cdrom);
ssize_t fsg_show_removable(struct fsg_lun *curlun, char *buf)
{
Reported by FlawFinder.
Line: 364
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t fsg_show_removable(struct fsg_lun *curlun, char *buf)
{
return sprintf(buf, "%u\n", curlun->removable);
}
EXPORT_SYMBOL_GPL(fsg_show_removable);
ssize_t fsg_show_inquiry_string(struct fsg_lun *curlun, char *buf)
{
Reported by FlawFinder.
Line: 446
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Remove a trailing newline */
if (count > 0 && buf[count-1] == '\n')
((char *) buf)[count-1] = 0; /* Ugh! */
/* Load new medium */
down_write(filesem);
if (count > 0 && buf[0]) {
/* fsg_lun_open() will close existing file if any. */
Reported by FlawFinder.
Line: 342
Column: 9
CWE codes:
126
if (IS_ERR(p))
rc = PTR_ERR(p);
else {
rc = strlen(p);
memmove(buf, p, rc);
buf[rc] = '\n'; /* Add a newline */
buf[++rc] = 0;
}
} else { /* No file, return 0 bytes */
Reported by FlawFinder.
drivers/tty/tty_buffer.c
7 issues
Line: 326
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(space == 0))
break;
memcpy(char_buf_ptr(tb, tb->used), chars, space);
if (~tb->flags & TTYB_NORMAL)
memset(flag_buf_ptr(tb, tb->used), flag, space);
tb->used += space;
copied += space;
chars += space;
Reported by FlawFinder.
Line: 364
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(space == 0))
break;
memcpy(char_buf_ptr(tb, tb->used), chars, space);
memcpy(flag_buf_ptr(tb, tb->used), flags, space);
tb->used += space;
copied += space;
chars += space;
flags += space;
Reported by FlawFinder.
Line: 365
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(space == 0))
break;
memcpy(char_buf_ptr(tb, tb->used), chars, space);
memcpy(flag_buf_ptr(tb, tb->used), flags, space);
tb->used += space;
copied += space;
chars += space;
flags += space;
/* There is a small chance that we need to split the data over
Reported by FlawFinder.
Line: 70
Column: 44
CWE codes:
120
20
struct tty_bufhead *buf = &port->buf;
int restart;
restart = buf->head->commit != buf->head->read;
atomic_dec(&buf->priority);
mutex_unlock(&buf->lock);
if (restart)
queue_work(system_unbound_wq, &buf->work);
Reported by FlawFinder.
Line: 484
Column: 46
CWE codes:
120
20
static int
receive_buf(struct tty_port *port, struct tty_buffer *head, int count)
{
unsigned char *p = char_buf_ptr(head, head->read);
const char *f = NULL;
int n;
if (~head->flags & TTYB_NORMAL)
f = flag_buf_ptr(head, head->read);
Reported by FlawFinder.
Line: 489
Column: 32
CWE codes:
120
20
int n;
if (~head->flags & TTYB_NORMAL)
f = flag_buf_ptr(head, head->read);
n = port->client_ops->receive_buf(port, p, f, count);
if (n > 0)
memset(p, 0, n);
return n;
Reported by FlawFinder.
Line: 534
Column: 51
CWE codes:
120
20
/* paired w/ release in __tty_buffer_request_room() or in
* tty_buffer_flush(); ensures we see the committed buffer data
*/
count = smp_load_acquire(&head->commit) - head->read;
if (!count) {
if (next == NULL)
break;
buf->head = next;
tty_buffer_free(port, head);
Reported by FlawFinder.