The following issues were found
drivers/staging/rtl8188eu/os_dep/mlme_linux.c
7 issues
Line: 46
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* the countermeasure is trigger, the driver have to disconnect
* with AP for 60 seconds.
*/
memcpy(backup_pmkid, psec_priv->PMKIDList,
sizeof(struct rt_pmkid_list) * NUM_PMKID_CACHE);
backup_index = psec_priv->PMKIDIndex;
backup_counter = psec_priv->btkip_countermeasure;
backup_time = psec_priv->btkip_countermeasure_time;
Reported by FlawFinder.
Line: 57
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Restore the PMK information to securitypriv structure
* for the following connection.
*/
memcpy(psec_priv->PMKIDList, backup_pmkid,
sizeof(struct rt_pmkid_list) * NUM_PMKID_CACHE);
psec_priv->PMKIDIndex = backup_index;
psec_priv->btkip_countermeasure = backup_counter;
psec_priv->btkip_countermeasure_time = backup_time;
psec_priv->ndisauthtype = Ndis802_11AuthModeOpen;
Reported by FlawFinder.
Line: 97
Column: 8
CWE codes:
120
Suggestion:
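Use sprintf_s, snprintf, or vsnprintf (in kernel code, scnprintf; sprintf_s is not available). In the excerpt below, len is clamped to IW_CUSTOM_MAX, but each input byte is written as two hex characters after the "ASSOCINFO(ReqIEs =" prefix, so the clamp does not bound the output length. If buff is IW_CUSTOM_MAX bytes, as the memset suggests, every write needs to be limited to the space remaining in buff.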
return;
memset(buff, 0, IW_CUSTOM_MAX);
p = buff;
p += sprintf(p, "ASSOCINFO(ReqIEs =");
len = sec_ie[1] + 2;
len = min_t(uint, len, IW_CUSTOM_MAX);
for (i = 0; i < len; i++)
p += sprintf(p, "%02x", sec_ie[i]);
p += sprintf(p, ")");
Reported by FlawFinder.
Line: 101
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = sec_ie[1] + 2;
len = min_t(uint, len, IW_CUSTOM_MAX);
for (i = 0; i < len; i++)
p += sprintf(p, "%02x", sec_ie[i]);
p += sprintf(p, ")");
memset(&wrqu, 0, sizeof(wrqu));
wrqu.data.length = min_t(__u16, p - buff, IW_CUSTOM_MAX);
wireless_send_event(adapter->pnetdev, IWEVCUSTOM, &wrqu, buff);
kfree(buff);
Reported by FlawFinder.
Line: 141
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wrqu.addr.sa_family = ARPHRD_ETHER;
memcpy(wrqu.addr.sa_data, psta->hwaddr, ETH_ALEN);
wireless_send_event(padapter->pnetdev, IWEVREGISTERED, &wrqu, NULL);
}
void rtw_indicate_sta_disassoc_event(struct adapter *padapter, struct sta_info *psta)
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wrqu.addr.sa_family = ARPHRD_ETHER;
memcpy(wrqu.addr.sa_data, psta->hwaddr, ETH_ALEN);
wireless_send_event(padapter->pnetdev, IWEVEXPIRED, &wrqu, NULL);
}
#endif
Reported by FlawFinder.
Line: 102
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = min_t(uint, len, IW_CUSTOM_MAX);
for (i = 0; i < len; i++)
p += sprintf(p, "%02x", sec_ie[i]);
p += sprintf(p, ")");
memset(&wrqu, 0, sizeof(wrqu));
wrqu.data.length = min_t(__u16, p - buff, IW_CUSTOM_MAX);
wireless_send_event(adapter->pnetdev, IWEVCUSTOM, &wrqu, buff);
kfree(buff);
}
Reported by FlawFinder.
drivers/video/fbdev/omap2/omapfb/dss/omapdss-boot-init.c
7 issues
Line: 68
Column: 3
CWE codes:
120
Suggestion:
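Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The loop below never checks the destination length itself: it relies on the caller sizing the buffer as prop->length + strlen(prefix) * num_strs (see the Line 101 excerpt) and on the property value being a well-formed list of NUL-terminated strings, which is also what the CWE-126 findings for this file turn on.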
while (total < src_len) {
size_t l = strlen(src) + 1;
strcpy(dst, prefix);
dst += strlen(prefix);
strcpy(dst, src);
dst += l;
Reported by FlawFinder.
Line: 71
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(dst, prefix);
dst += strlen(prefix);
strcpy(dst, src);
dst += l;
src += l;
total += l;
}
Reported by FlawFinder.
Line: 39
Column: 7
CWE codes:
126
int i;
for (i = 0; total < prop->length; total += l, p += l, i++)
l = strlen(p) + 1;
return i;
}
static void __init omapdss_update_prop(struct device_node *node, char *compat,
Reported by FlawFinder.
Line: 66
Column: 14
CWE codes:
126
size_t total = 0;
while (total < src_len) {
size_t l = strlen(src) + 1;
strcpy(dst, prefix);
dst += strlen(prefix);
strcpy(dst, src);
Reported by FlawFinder.
Line: 69
Column: 10
CWE codes:
126
size_t l = strlen(src) + 1;
strcpy(dst, prefix);
dst += strlen(prefix);
strcpy(dst, src);
dst += l;
src += l;
Reported by FlawFinder.
Line: 96
Column: 35
CWE codes:
126
return;
/* is it already prefixed? */
if (strncmp(prefix, prop->value, strlen(prefix)) == 0)
return;
num_strs = omapdss_count_strings(prop);
new_len = prop->length + strlen(prefix) * num_strs;
Reported by FlawFinder.
Line: 101
Column: 27
CWE codes:
126
num_strs = omapdss_count_strings(prop);
new_len = prop->length + strlen(prefix) * num_strs;
new_compat = kmalloc(new_len, GFP_KERNEL);
if (!new_compat)
return;
omapdss_prefix_strcpy(new_compat, new_len, prop->value, prop->length);
Reported by FlawFinder.
drivers/video/fbdev/controlfb.h
7 issues
Line: 21
Column: 2
CWE codes:
119
120
Suggestion:
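Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. This finding is raised on the declaration of a fixed-size char array, not on a write; the pad members below appear to be layout padding between registers, and no copy into them is visible in the excerpt, so triage by looking for code that writes to the array rather than at the declaration.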
*/
struct cmap_regs {
unsigned char addr; /* index for both cmap and misc registers */
char pad1[15];
unsigned char crsr; /* cursor palette */
char pad2[15];
unsigned char dat; /* RADACAL misc register data */
char pad3[15];
unsigned char lut; /* cmap data */
Reported by FlawFinder.
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char addr; /* index for both cmap and misc registers */
char pad1[15];
unsigned char crsr; /* cursor palette */
char pad2[15];
unsigned char dat; /* RADACAL misc register data */
char pad3[15];
unsigned char lut; /* cmap data */
char pad4[15];
};
Reported by FlawFinder.
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char crsr; /* cursor palette */
char pad2[15];
unsigned char dat; /* RADACAL misc register data */
char pad3[15];
unsigned char lut; /* cmap data */
char pad4[15];
};
/*
Reported by FlawFinder.
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char dat; /* RADACAL misc register data */
char pad3[15];
unsigned char lut; /* cmap data */
char pad4[15];
};
/*
* Structure of the registers for the "control" display adaptor.
*/
Reported by FlawFinder.
Line: 33
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* Structure of the registers for the "control" display adaptor.
*/
#define PAD(x) char x[12]
struct preg { /* padded register */
unsigned r;
char pad[12];
};
Reported by FlawFinder.
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct preg { /* padded register */
unsigned r;
char pad[12];
};
struct control_regs {
struct preg vcount; /* vertical counter */
/* Vertical parameters are in units of 1/2 scan line */
Reported by FlawFinder.
Line: 103
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned regs[16]; /* for vswin .. hserr */
unsigned char mode;
unsigned char radacal_ctrl;
unsigned char clock_params[3];
};
#define CTRLFB_OFF 16 /* position of pixel 0 in frame buffer */
Reported by FlawFinder.
drivers/video/fbdev/core/fbcon.c
7 issues
Line: 110
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct fbcon_display fb_display[MAX_NR_CONSOLES];
static signed char con2fb_map[MAX_NR_CONSOLES];
static signed char con2fb_map_boot[MAX_NR_CONSOLES];
static int logo_lines;
/* logo_shown is an index to vc_cons when >= 0; otherwise follows FBCON_LOGO
enums. */
Reported by FlawFinder.
Line: 111
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct fbcon_display fb_display[MAX_NR_CONSOLES];
static signed char con2fb_map[MAX_NR_CONSOLES];
static signed char con2fb_map_boot[MAX_NR_CONSOLES];
static int logo_lines;
/* logo_shown is an index to vc_cons when >= 0; otherwise follows FBCON_LOGO
enums. */
static int logo_shown = FBCON_LOGO_CANSHOW;
Reported by FlawFinder.
Line: 144
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
/* font data */
static char fontname[40];
/* current fb_info */
static int info_idx = -1;
/* console rotation */
Reported by FlawFinder.
Line: 2261
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
for (i = 0; i < font->charcount; i++) {
memcpy(data, fontdata, j);
memset(data + j, 0, 32 - j);
data += 32;
fontdata += j;
}
} else if (font->width <= 16) {
Reported by FlawFinder.
Line: 2272
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
for (i = 0; i < font->charcount; i++) {
memcpy(data, fontdata, j);
memset(data + j, 0, 64 - j);
data += 64;
fontdata += j;
}
} else if (font->width <= 24) {
Reported by FlawFinder.
Line: 2297
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
for (i = 0; i < font->charcount; i++) {
memcpy(data, fontdata, j);
memset(data + j, 0, 128 - j);
data += 128;
fontdata += j;
}
}
Reported by FlawFinder.
Line: 2460
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
FNTSIZE(new_data) = size;
REFCOUNT(new_data) = 0; /* usage counter */
for (i=0; i< charcount; i++) {
memcpy(new_data + i*h*pitch, data + i*32*pitch, h*pitch);
}
/* Since linux has a nice crc32 function use it for counting font
* checksums. */
csum = crc32(0, new_data, size);
Reported by FlawFinder.
drivers/video/fbdev/matrox/matroxfb_base.c
7 issues
Line: 1094
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
memset(&r, 0, sizeof(r));
strcpy(r.driver, "matroxfb");
strcpy(r.card, "Matrox");
sprintf(r.bus_info, "PCI:%s", pci_name(minfo->pcidev));
r.version = KERNEL_VERSION(1,0,0);
r.capabilities = V4L2_CAP_VIDEO_OUTPUT;
if (copy_to_user(argp, &r, sizeof(r)))
return -EFAULT;
return 0;
Reported by FlawFinder.
Line: 710
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct fb_fix_screeninfo *fix = &minfo->fbcon.fix;
DBG(__func__)
strcpy(fix->id,"MATROX");
fix->xpanstep = 8; /* 8 for 8bpp, 4 for 16bpp, 2 for 32bpp */
fix->ypanstep = 1;
fix->ywrapstep = 0;
fix->mmio_start = minfo->mmio.base;
Reported by FlawFinder.
Line: 1092
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct v4l2_capability r;
memset(&r, 0, sizeof(r));
strcpy(r.driver, "matroxfb");
strcpy(r.card, "Matrox");
sprintf(r.bus_info, "PCI:%s", pci_name(minfo->pcidev));
r.version = KERNEL_VERSION(1,0,0);
r.capabilities = V4L2_CAP_VIDEO_OUTPUT;
if (copy_to_user(argp, &r, sizeof(r)))
Reported by FlawFinder.
Line: 1093
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
memset(&r, 0, sizeof(r));
strcpy(r.driver, "matroxfb");
strcpy(r.card, "Matrox");
sprintf(r.bus_info, "PCI:%s", pci_name(minfo->pcidev));
r.version = KERNEL_VERSION(1,0,0);
r.capabilities = V4L2_CAP_VIDEO_OUTPUT;
if (copy_to_user(argp, &r, sizeof(r)))
return -EFAULT;
Reported by FlawFinder.
Line: 1274
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int dfp; /* "matroxfb:dfp */
static int dfp_type = -1; /* "matroxfb:dfp:xxx */
static int memtype = -1; /* "matroxfb:memtype:xxx" */
static char outputs[8]; /* "matroxfb:outputs:xxx" */
#ifndef MODULE
static char videomode[64]; /* "matroxfb:mode:xxxxx" or "matroxfb:xxxxx" */
#endif
Reported by FlawFinder.
Line: 1277
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char outputs[8]; /* "matroxfb:outputs:xxx" */
#ifndef MODULE
static char videomode[64]; /* "matroxfb:mode:xxxxx" or "matroxfb:xxxxx" */
#endif
static int matroxfb_getmemory(struct matrox_fb_info *minfo,
unsigned int maxSize, unsigned int *realSize)
{
Reported by FlawFinder.
Line: 1287
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int offs;
unsigned int offs2;
unsigned char orig;
unsigned char bytes[32];
unsigned char* tmp;
DBG(__func__)
vm = minfo->video.vbase;
Reported by FlawFinder.
drivers/scsi/mpt3sas/mpt3sas_base.h
7 issues
Line: 946
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 msix_index;
u32 reply_post_host_index;
Mpi2ReplyDescriptorsUnion_t *reply_post_free;
char name[MPT_NAME_LENGTH];
atomic_t busy;
u32 os_irq;
struct irq_poll irqpoll;
bool irq_poll_scheduled;
bool irq_line_enable;
Reported by FlawFinder.
Line: 1314
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct Scsi_Host *shost;
u8 id;
int cpu_count;
char name[MPT_NAME_LENGTH];
char driver_name[MPT_NAME_LENGTH - 8];
char tmp_string[MPT_STRING_LENGTH];
struct pci_dev *pdev;
Mpi2SystemInterfaceRegs_t __iomem *chip;
phys_addr_t chip_phys;
Reported by FlawFinder.
Line: 1315
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 id;
int cpu_count;
char name[MPT_NAME_LENGTH];
char driver_name[MPT_NAME_LENGTH - 8];
char tmp_string[MPT_STRING_LENGTH];
struct pci_dev *pdev;
Mpi2SystemInterfaceRegs_t __iomem *chip;
phys_addr_t chip_phys;
int logging_level;
Reported by FlawFinder.
Line: 1316
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cpu_count;
char name[MPT_NAME_LENGTH];
char driver_name[MPT_NAME_LENGTH - 8];
char tmp_string[MPT_STRING_LENGTH];
struct pci_dev *pdev;
Mpi2SystemInterfaceRegs_t __iomem *chip;
phys_addr_t chip_phys;
int logging_level;
int fwfault_debug;
Reported by FlawFinder.
Line: 1327
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 mask_interrupts;
/* fw fault handler */
char fault_reset_work_q_name[20];
struct workqueue_struct *fault_reset_work_q;
struct delayed_work fault_reset_work;
/* fw event handler */
char firmware_event_name[20];
Reported by FlawFinder.
Line: 1332
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct delayed_work fault_reset_work;
/* fw event handler */
char firmware_event_name[20];
struct workqueue_struct *firmware_event_thread;
spinlock_t fw_event_lock;
struct list_head fw_event_list;
struct fw_event_work *current_event;
u8 fw_events_cleanup;
Reported by FlawFinder.
Line: 1629
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* base shared API */
extern struct list_head mpt3sas_ioc_list;
extern char driver_name[MPT_NAME_LENGTH];
/* spinlock on list operations over IOCs
* Case: when multiple warpdrive cards(IOCs) are in use
* Each IOC will added to the ioc list structure on initialization.
* Watchdog threads run at regular intervals to check IOC for any
* fault conditions which will trigger the dead_ioc thread to
Reported by FlawFinder.
drivers/staging/iio/impedance-analyzer/ad5933.c
7 issues
Line: 352
Column: 9
CWE codes:
120
Suggestion:
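Use sprintf_s, snprintf, or vsnprintf. The calls below format a single integer or a short fixed string into buf; if these are sysfs show handlers, as the device_attribute signature in the Line 288 excerpt suggests, the bounded kernel helper is sysfs_emit (or scnprintf with PAGE_SIZE), since sprintf_s is not available in kernel code.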
len = sprintf(buf, "%d\n", st->settling_cycles);
break;
case AD5933_IN_PGA_GAIN:
len = sprintf(buf, "%s\n",
(st->ctrl_hb & AD5933_CTRL_PGA_GAIN_1) ?
"1" : "0.2");
break;
case AD5933_IN_PGA_GAIN_AVAIL:
len = sprintf(buf, "1 0.2\n");
Reported by FlawFinder.
Line: 288
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
freqreg = (u64)freqreg * (u64)(st->mclk_hz / 4);
do_div(freqreg, BIT(27));
return sprintf(buf, "%d\n", (int)freqreg);
}
static ssize_t ad5933_store_frequency(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
Line: 340
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_lock(&st->lock);
switch ((u32)this_attr->address) {
case AD5933_OUT_RANGE:
len = sprintf(buf, "%u\n",
st->range_avail[(st->ctrl_hb >> 1) & 0x3]);
break;
case AD5933_OUT_RANGE_AVAIL:
len = sprintf(buf, "%u %u %u %u\n", st->range_avail[0],
st->range_avail[3], st->range_avail[2],
Reported by FlawFinder.
Line: 344
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
st->range_avail[(st->ctrl_hb >> 1) & 0x3]);
break;
case AD5933_OUT_RANGE_AVAIL:
len = sprintf(buf, "%u %u %u %u\n", st->range_avail[0],
st->range_avail[3], st->range_avail[2],
st->range_avail[1]);
break;
case AD5933_OUT_SETTLING_CYCLES:
len = sprintf(buf, "%d\n", st->settling_cycles);
Reported by FlawFinder.
Line: 349
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
st->range_avail[1]);
break;
case AD5933_OUT_SETTLING_CYCLES:
len = sprintf(buf, "%d\n", st->settling_cycles);
break;
case AD5933_IN_PGA_GAIN:
len = sprintf(buf, "%s\n",
(st->ctrl_hb & AD5933_CTRL_PGA_GAIN_1) ?
"1" : "0.2");
Reported by FlawFinder.
Line: 357
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
"1" : "0.2");
break;
case AD5933_IN_PGA_GAIN_AVAIL:
len = sprintf(buf, "1 0.2\n");
break;
case AD5933_FREQ_POINTS:
len = sprintf(buf, "%d\n", st->freq_points);
break;
default:
Reported by FlawFinder.
Line: 360
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = sprintf(buf, "1 0.2\n");
break;
case AD5933_FREQ_POINTS:
len = sprintf(buf, "%d\n", st->freq_points);
break;
default:
ret = -EINVAL;
}
Reported by FlawFinder.
drivers/staging/media/sunxi/cedrus/cedrus_vp8.c
7 issues
Line: 599
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
int i, j, k;
memcpy(&prob_table[0x1008], slice->entropy.y_mode_probs,
sizeof(slice->entropy.y_mode_probs));
memcpy(&prob_table[0x1010], slice->entropy.uv_mode_probs,
sizeof(slice->entropy.uv_mode_probs));
memcpy(&prob_table[0x1018], slice->segment.segment_probs,
Reported by FlawFinder.
Line: 601
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&prob_table[0x1008], slice->entropy.y_mode_probs,
sizeof(slice->entropy.y_mode_probs));
memcpy(&prob_table[0x1010], slice->entropy.uv_mode_probs,
sizeof(slice->entropy.uv_mode_probs));
memcpy(&prob_table[0x1018], slice->segment.segment_probs,
sizeof(slice->segment.segment_probs));
Reported by FlawFinder.
Line: 604
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&prob_table[0x1010], slice->entropy.uv_mode_probs,
sizeof(slice->entropy.uv_mode_probs));
memcpy(&prob_table[0x1018], slice->segment.segment_probs,
sizeof(slice->segment.segment_probs));
prob_table[0x101c] = slice->prob_skip_false;
prob_table[0x101d] = slice->prob_intra;
prob_table[0x101e] = slice->prob_last;
Reported by FlawFinder.
Line: 612
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
prob_table[0x101e] = slice->prob_last;
prob_table[0x101f] = slice->prob_gf;
memcpy(&prob_table[0x1020], slice->entropy.mv_probs[0],
V4L2_VP8_MV_PROB_CNT);
memcpy(&prob_table[0x1040], slice->entropy.mv_probs[1],
V4L2_VP8_MV_PROB_CNT);
for (i = 0; i < 4; ++i)
Reported by FlawFinder.
Line: 614
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&prob_table[0x1020], slice->entropy.mv_probs[0],
V4L2_VP8_MV_PROB_CNT);
memcpy(&prob_table[0x1040], slice->entropy.mv_probs[1],
V4L2_VP8_MV_PROB_CNT);
for (i = 0; i < 4; ++i)
for (j = 0; j < 8; ++j)
for (k = 0; k < 3; ++k)
Reported by FlawFinder.
Line: 620
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < 4; ++i)
for (j = 0; j < 8; ++j)
for (k = 0; k < 3; ++k)
memcpy(&prob_table[i * 512 + j * 64 + k * 16],
slice->entropy.coeff_probs[i][j][k], 11);
}
static enum cedrus_irq_status
cedrus_vp8_irq_status(struct cedrus_ctx *ctx)
Reported by FlawFinder.
Line: 875
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* This offset has been discovered by reverse engineering, we don’t know
* what it actually means.
*/
memcpy(&ctx->codec.vp8.entropy_probs_buf[2048],
prob_table_init, sizeof(prob_table_init));
return 0;
}
Reported by FlawFinder.
drivers/staging/media/atomisp/pci/hmm/hmm.c
7 issues
Line: 392
CWE codes:
476
void *src = bo->vmap_addr;
src += (virt - bo->start);
memcpy(data, src, bytes);
if (bo->status & HMM_BO_VMAPED_CACHED)
clflush_cache_range(src, bytes);
} else {
void *vptr;
Reported by Cppcheck.
Line: 365
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
virt += len; /* update virt for next loop */
if (des) {
memcpy(des, src, len);
des += len;
}
clflush_cache_range(src, len);
Reported by FlawFinder.
Line: 392
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *src = bo->vmap_addr;
src += (virt - bo->start);
memcpy(data, src, bytes);
if (bo->status & HMM_BO_VMAPED_CACHED)
clflush_cache_range(src, bytes);
} else {
void *vptr;
Reported by FlawFinder.
Line: 404
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
vptr = vptr + (virt - bo->start);
memcpy(data, vptr, bytes);
clflush_cache_range(vptr, bytes);
hmm_bo_vunmap(bo);
}
return 0;
Reported by FlawFinder.
Line: 462
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *dst = bo->vmap_addr;
dst += (virt - bo->start);
memcpy(dst, data, bytes);
if (bo->status & HMM_BO_VMAPED_CACHED)
clflush_cache_range(dst, bytes);
} else {
void *vptr;
Reported by FlawFinder.
Line: 472
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (vptr) {
vptr = vptr + (virt - bo->start);
memcpy(vptr, data, bytes);
clflush_cache_range(vptr, bytes);
hmm_bo_vunmap(bo);
return 0;
}
}
Reported by FlawFinder.
Line: 508
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
virt += len;
memcpy(des, src, len);
src += len;
clflush_cache_range(des, len);
Reported by FlawFinder.
drivers/usb/class/cdc-acm.c
7 issues
Line: 259
Column: 9
CWE codes:
120
Suggestion:
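Use sprintf_s, snprintf, or vsnprintf. This is a sysfs show handler (DEVICE_ATTR_RO) formatting one integer, so the output is short; the bounded kernel helper for this case is sysfs_emit, or scnprintf with PAGE_SIZE.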
struct usb_interface *intf = to_usb_interface(dev);
struct acm *acm = usb_get_intfdata(intf);
return sprintf(buf, "%d", acm->ctrl_caps);
}
static DEVICE_ATTR_RO(bmCapabilities);
static ssize_t wCountryCodes_show
(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 269
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct usb_interface *intf = to_usb_interface(dev);
struct acm *acm = usb_get_intfdata(intf);
memcpy(buf, acm->country_codes, acm->country_code_size);
return acm->country_code_size;
}
static DEVICE_ATTR_RO(wCountryCodes);
Reported by FlawFinder.
Line: 281
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct usb_interface *intf = to_usb_interface(dev);
struct acm *acm = usb_get_intfdata(intf);
return sprintf(buf, "%d", acm->country_rel_date);
}
static DEVICE_ATTR_RO(iCountryCodeRelDate);
/*
* Interrupt handlers for various ACM device responses
Reported by FlawFinder.
Line: 415
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
copy_size = min(current_size,
expected_size - acm->nb_index);
memcpy(&acm->notification_buffer[acm->nb_index],
urb->transfer_buffer, copy_size);
acm->nb_index += copy_size;
current_size = acm->nb_index;
}
Reported by FlawFinder.
Line: 817
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count = (count > acm->writesize) ? acm->writesize : count;
dev_vdbg(&acm->data->dev, "writing %d bytes\n", count);
memcpy(wb->buf, buf, count);
wb->len = count;
stat = usb_autopm_get_interface_async(acm->control);
if (stat) {
wb->use = false;
Reported by FlawFinder.
Line: 1075
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
acm_set_control(acm, acm->ctrlout = newctrl);
if (memcmp(&acm->line, &newline, sizeof newline)) {
memcpy(&acm->line, &newline, sizeof newline);
dev_dbg(&acm->control->dev, "%s - set line: %d %d %d %d\n",
__func__,
le32_to_cpu(newline.dwDTERate),
newline.bCharFormat, newline.bParityType,
newline.bDataBits);
Reported by FlawFinder.
Line: 1431
Column: 3
CWE codes:
120
Suggestion:
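Make sure destination can always hold the source data. The length here is cfd->bLength - 4, where cfd is presumably a descriptor supplied by the device; the allocation of acm->country_codes is outside the excerpt, so confirm that it uses the same length and that bLength is checked to be at least 4 before the subtraction.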
if (!acm->country_codes)
goto skip_countries;
acm->country_code_size = cfd->bLength - 4;
memcpy(acm->country_codes, (u8 *)&cfd->wCountyCode0,
cfd->bLength - 4);
acm->country_rel_date = cfd->iCountryCodeRelDate;
i = device_create_file(&intf->dev, &dev_attr_wCountryCodes);
if (i < 0) {
Reported by FlawFinder.