The following issues were found
drivers/media/usb/dvb-usb-v2/anysee.c
6 issues
Line: 44
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&d->usb_mutex);
memcpy(&state->buf[0], sbuf, slen);
state->buf[60] = state->seq++;
dev_dbg(&d->udev->dev, "%s: >>> %*ph\n", __func__, slen, state->buf);
/* We need receive one message more after dvb_usb_generic_rw due
Reported by FlawFinder.
Line: 97
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* read request, copy returned data to return buf */
if (rbuf && rlen)
memcpy(rbuf, state->buf, rlen);
error_unlock:
mutex_unlock(&d->usb_mutex);
return ret;
}
Reported by FlawFinder.
Line: 227
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[1] = (msg[i].addr << 1);
buf[2] = msg[i].len;
buf[3] = 0x01;
memcpy(&buf[4], msg[i].buf, msg[i].len);
ret = anysee_ctrl_msg(d, buf, 4 + msg[i].len, NULL, 0);
inc = 1;
}
if (ret)
break;
Reported by FlawFinder.
Line: 1029
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (adap->fe[1]) {
adap->fe[1]->tuner_priv =
adap->fe[0]->tuner_priv;
memcpy(&adap->fe[1]->ops.tuner_ops,
&adap->fe[0]->ops.tuner_ops,
sizeof(struct dvb_tuner_ops));
}
return 0;
Reported by FlawFinder.
Line: 1065
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy tuner ops for 2nd FE as tuner is shared */
if (adap->fe[1]) {
adap->fe[1]->tuner_priv = adap->fe[0]->tuner_priv;
memcpy(&adap->fe[1]->ops.tuner_ops,
&adap->fe[0]->ops.tuner_ops,
sizeof(struct dvb_tuner_ops));
}
return 0;
Reported by FlawFinder.
Line: 1250
Column: 6
CWE codes:
362
}
static int anysee_ci_poll_slot_status(struct dvb_ca_en50221 *ci, int slot,
int open)
{
struct dvb_usb_device *d = ci->data;
struct anysee_state *state = d_to_priv(d);
int ret;
u8 tmp = 0;
Reported by FlawFinder.
drivers/media/usb/cx231xx/cx231xx-video.c
6 issues
Line: 352
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Save the last four bytes of the buffer so we can check the
buffer boundary condition next time */
memcpy(dma_q->partial_buf, p_buffer + buffer_size - 4, 4);
bytes_parsed = 0;
}
return 1;
}
Reported by FlawFinder.
Line: 431
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Save the last four bytes of the buffer so we can check the
buffer boundary condition next time */
memcpy(dma_q->partial_buf, p_buffer + buffer_size - 4, 4);
bytes_parsed = 0;
}
return 1;
}
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Create an array of the last 4 bytes of the last buffer and the first
4 bytes of the current buffer. */
memcpy(boundary_bytes, partial_buf, 4);
memcpy(boundary_bytes + 4, p_buffer, 4);
/* Check for the SAV/EAV in the boundary buffer */
sav_eav = cx231xx_find_next_SAV_EAV((u8 *)&boundary_bytes, 8,
&bytes_used);
Reported by FlawFinder.
Line: 452
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
4 bytes of the current buffer. */
memcpy(boundary_bytes, partial_buf, 4);
memcpy(boundary_bytes + 4, p_buffer, 4);
/* Check for the SAV/EAV in the boundary buffer */
sav_eav = cx231xx_find_next_SAV_EAV((u8 *)&boundary_bytes, 8,
&bytes_used);
Reported by FlawFinder.
Line: 1615
Column: 34
CWE codes:
362
else
cx231xx_set_alt_setting(dev, INDEX_HANC, 0);
wake_up_interruptible_nr(&dev->open, 1);
return 0;
}
if (dev->users == 0) {
/* set alternate 0 */
Reported by FlawFinder.
Line: 1624
Column: 30
CWE codes:
362
cx231xx_set_alt_setting(dev, INDEX_VIDEO, 0);
}
wake_up_interruptible(&dev->open);
return 0;
}
static int cx231xx_v4l2_close(struct file *filp)
{
Reported by FlawFinder.
drivers/media/usb/cx231xx/cx231xx-audio.c
6 issues
Line: 131
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int cnt;
cnt = runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, cp,
cnt * stride);
memcpy(runtime->dma_area, cp + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, cp,
Reported by FlawFinder.
Line: 133
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cnt = runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, cp,
cnt * stride);
memcpy(runtime->dma_area, cp + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, cp,
length * stride);
}
Reported by FlawFinder.
Line: 136
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(runtime->dma_area, cp + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, cp,
length * stride);
}
snd_pcm_stream_lock_irqsave(substream, flags);
Reported by FlawFinder.
Line: 218
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int cnt;
cnt = runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, cp,
cnt * stride);
memcpy(runtime->dma_area, cp + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, cp,
Reported by FlawFinder.
Line: 220
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cnt = runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, cp,
cnt * stride);
memcpy(runtime->dma_area, cp + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, cp,
length * stride);
}
Reported by FlawFinder.
Line: 223
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(runtime->dma_area, cp + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, cp,
length * stride);
}
snd_pcm_stream_lock_irqsave(substream, flags);
Reported by FlawFinder.
drivers/media/tuners/tea5767.c
6 issues
Line: 192
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tea5767_priv *priv = fe->tuner_priv;
unsigned int frq = params->frequency;
unsigned char buffer[5];
unsigned div;
int rc;
tuner_dbg("radio freq = %d.%03d MHz\n", frq/16000,(frq/16)%1000);
Reported by FlawFinder.
Line: 322
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tea5767_get_status(struct dvb_frontend *fe, u32 *status)
{
unsigned char buffer[5];
*status = 0;
if (0 == tea5767_read_status(fe, buffer)) {
if (tea5767_signal(fe, buffer))
Reported by FlawFinder.
Line: 338
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tea5767_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
{
unsigned char buffer[5];
*strength = 0;
if (0 == tea5767_read_status(fe, buffer))
*strength = tea5767_signal(fe, buffer);
Reported by FlawFinder.
Line: 350
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tea5767_standby(struct dvb_frontend *fe)
{
unsigned char buffer[5];
struct tea5767_priv *priv = fe->tuner_priv;
unsigned div, rc;
div = (87500 * 4 + 700 + 225 + 25) / 50; /* Set frequency to 87.5 MHz */
buffer[0] = (div >> 8) & 0x3f;
Reported by FlawFinder.
Line: 371
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int tea5767_autodetection(struct i2c_adapter* i2c_adap, u8 i2c_addr)
{
struct tuner_i2c_props i2c = { .adap = i2c_adap, .addr = i2c_addr };
unsigned char buffer[7] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
int rc;
if ((rc = tuner_i2c_xfer_recv(&i2c, buffer, 7))< 5) {
pr_warn("It is not a TEA5767. Received %i bytes.\n", rc);
Reported by FlawFinder.
Line: 460
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->ctrl.st_noise = 1;
priv->ctrl.japan_band = 1;
memcpy(&fe->ops.tuner_ops, &tea5767_tuner_ops,
sizeof(struct dvb_tuner_ops));
tuner_info("type set to %s\n", "Philips TEA5767HN FM Radio");
return fe;
Reported by FlawFinder.
drivers/media/test-drivers/vivid/vivid-vid-cap.c
6 issues
Line: 1926
if (tpf.denominator == 0)
tpf = webcam_intervals[ival_sz - 1];
for (i = 0; i < ival_sz; i++)
if (V4L2_FRACT_COMPARE(tpf, >=, webcam_intervals[i]))
break;
if (i == ival_sz)
i = ival_sz - 1;
dev->webcam_ival_idx = i;
tpf = webcam_intervals[dev->webcam_ival_idx];
Reported by Cppcheck.
Line: 1111
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EFAULT;
}
if (clipcount && win->clips)
memcpy(win->clips, dev->clips_cap,
clipcount * sizeof(dev->clips_cap[0]));
return 0;
}
int vidioc_try_fmt_vid_overlay(struct file *file, void *priv,
Reported by FlawFinder.
Line: 1142
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (win->clipcount > MAX_CLIPS)
win->clipcount = MAX_CLIPS;
if (win->clipcount) {
memcpy(dev->try_clips_cap, win->clips,
win->clipcount * sizeof(dev->clips_cap[0]));
for (i = 0; i < win->clipcount; i++) {
struct v4l2_rect *r = &dev->try_clips_cap[i].c;
r->top = clamp_t(s32, r->top, 0, dev->fb_cap.fmt.height - 1);
Reported by FlawFinder.
Line: 1166
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
}
memcpy(win->clips, dev->try_clips_cap,
win->clipcount * sizeof(dev->clips_cap[0]));
}
return 0;
}
Reported by FlawFinder.
Line: 1204
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->bitmap_cap = new_bitmap;
dev->clipcount_cap = win->clipcount;
if (dev->clipcount_cap)
memcpy(dev->clips_cap, dev->try_clips_cap, clips_size);
return 0;
}
int vivid_vid_cap_overlay(struct file *file, void *fh, unsigned i)
{
Reported by FlawFinder.
Line: 1802
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EBUSY;
dev->edid_blocks = edid->blocks;
memcpy(dev->edid, edid->edid, edid->blocks * 128);
for (i = 0, j = 0; i < dev->num_outputs; i++)
if (dev->output_type[i] == HDMI)
display_present |=
dev->display_present[i] << j++;
Reported by FlawFinder.
drivers/media/tuners/r820t.c
6 issues
Line: 349
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tuner_dbg("%s: prev reg=%02x len=%d: %*ph\n",
__func__, r + REG_SHADOW_START, len, len, val);
memcpy(&priv->regs[r], val, len);
}
static int r820t_write(struct r820t_priv *priv, u8 reg, const u8 *val,
int len)
{
Reported by FlawFinder.
Line: 368
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fill I2C buffer */
priv->buf[0] = reg;
memcpy(&priv->buf[1], &val[pos], size);
rc = tuner_i2c_xfer_send(&priv->i2c_props, priv->buf, size + 1);
if (rc != size + 1) {
tuner_info("%s: i2c wr failed=%d reg=%02x len=%d: %*ph\n",
__func__, rc, reg, size, size, &priv->buf[1]);
Reported by FlawFinder.
Line: 1040
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Initialize the shadow registers */
memcpy(priv->regs, r820t_init_array, sizeof(r820t_init_array));
/* Init Flag & Xtal_check Result */
if (priv->imr_done)
val = 1 | priv->xtal_cap_sel << 1;
else
Reported by FlawFinder.
Line: 1389
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 data[3], val;
/* Initialize the shadow registers */
memcpy(priv->regs, r820t_init_array, sizeof(r820t_init_array));
/* cap 30pF & Drive Low */
rc = r820t_write_reg_mask(priv, 0x10, 0x0b, 0x0b);
if (rc < 0)
return rc;
Reported by FlawFinder.
Line: 1446
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int rc;
/* Initialize the shadow registers */
memcpy(priv->regs, r820t_init_array, sizeof(r820t_init_array));
/* lna off (air-in off) */
rc = r820t_write_reg_mask(priv, 0x05, 0x20, 0x20);
if (rc < 0)
return rc;
Reported by FlawFinder.
Line: 2365
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&r820t_list_mutex);
memcpy(&fe->ops.tuner_ops, &r820t_tuner_ops,
sizeof(struct dvb_tuner_ops));
return fe;
err:
if (fe->ops.i2c_gate_ctrl)
Reported by FlawFinder.
drivers/media/cec/usb/rainshadow/rainshadow-cec.c
6 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct work_struct work;
/* Low-level ringbuffer, collecting incoming characters */
char buf[DATA_SIZE];
unsigned int buf_rd_idx;
unsigned int buf_wr_idx;
unsigned int buf_len;
spinlock_t buf_lock;
Reported by FlawFinder.
Line: 55
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
spinlock_t buf_lock;
/* command buffer */
char cmd[DATA_SIZE];
unsigned int cmd_idx;
bool cmd_started;
/* reply to a command, only used to store the firmware version */
char cmd_reply[DATA_SIZE];
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool cmd_started;
/* reply to a command, only used to store the firmware version */
char cmd_reply[DATA_SIZE];
struct mutex write_lock;
};
static void rain_process_msg(struct rain *rain)
Reported by FlawFinder.
Line: 278
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 signal_free_time, struct cec_msg *msg)
{
struct rain *rain = cec_get_drvdata(adap);
char cmd[2 * CEC_MAX_MSG_SIZE + 16];
unsigned int i;
int err;
if (msg->len == 1) {
snprintf(cmd, sizeof(cmd), "x%x", cec_msg_destination(msg));
Reported by FlawFinder.
Line: 285
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (msg->len == 1) {
snprintf(cmd, sizeof(cmd), "x%x", cec_msg_destination(msg));
} else {
char hex[3];
snprintf(cmd, sizeof(cmd), "x%x %02x ",
cec_msg_destination(msg), msg->msg[1]);
for (i = 2; i < msg->len; i++) {
snprintf(hex, sizeof(hex), "%02x", msg->msg[i]);
Reported by FlawFinder.
Line: 228
Column: 47
CWE codes:
126
err = -ETIMEDOUT;
goto err;
}
if (reply && strncmp(rain->cmd_reply, reply, strlen(reply))) {
dev_dbg(rain->dev,
"transmit of '%s': received '%s' instead of '%s'\n",
cmd, rain->cmd_reply, reply);
err = -EIO;
}
Reported by FlawFinder.
drivers/media/common/saa7146/saa7146_fops.c
6 issues
Line: 229
Column: 30
CWE codes:
362
if (vdev->vfl_type == VFL_TYPE_VBI) {
DEB_S("initializing vbi...\n");
if (dev->ext_vv_data->capabilities & V4L2_CAP_VBI_CAPTURE)
result = saa7146_vbi_uops.open(dev,file);
if (dev->ext_vv_data->vbi_fops.open)
dev->ext_vv_data->vbi_fops.open(file);
} else {
DEB_S("initializing video...\n");
result = saa7146_video_uops.open(dev,file);
Reported by FlawFinder.
Line: 230
Column: 34
CWE codes:
362
DEB_S("initializing vbi...\n");
if (dev->ext_vv_data->capabilities & V4L2_CAP_VBI_CAPTURE)
result = saa7146_vbi_uops.open(dev,file);
if (dev->ext_vv_data->vbi_fops.open)
dev->ext_vv_data->vbi_fops.open(file);
} else {
DEB_S("initializing video...\n");
result = saa7146_video_uops.open(dev,file);
}
Reported by FlawFinder.
Line: 231
Column: 31
CWE codes:
362
if (dev->ext_vv_data->capabilities & V4L2_CAP_VBI_CAPTURE)
result = saa7146_vbi_uops.open(dev,file);
if (dev->ext_vv_data->vbi_fops.open)
dev->ext_vv_data->vbi_fops.open(file);
} else {
DEB_S("initializing video...\n");
result = saa7146_video_uops.open(dev,file);
}
Reported by FlawFinder.
Line: 234
Column: 31
CWE codes:
362
dev->ext_vv_data->vbi_fops.open(file);
} else {
DEB_S("initializing video...\n");
result = saa7146_video_uops.open(dev,file);
}
if (0 != result) {
goto out;
}
Reported by FlawFinder.
Line: 382
Column: 29
CWE codes:
120
20
DEB_EE("V4L2_BUF_TYPE_VIDEO_CAPTURE: file:%p, data:%p, count:%lun",
file, data, (unsigned long)count);
*/
return saa7146_video_uops.read(file,data,count,ppos);
case VFL_TYPE_VBI:
/*
DEB_EE("V4L2_BUF_TYPE_VBI_CAPTURE: file:%p, data:%p, count:%lu\n",
file, data, (unsigned long)count);
*/
Reported by FlawFinder.
Line: 391
Column: 27
CWE codes:
120
20
if (fh->dev->ext_vv_data->capabilities & V4L2_CAP_VBI_CAPTURE) {
if (mutex_lock_interruptible(vdev->lock))
return -ERESTARTSYS;
ret = saa7146_vbi_uops.read(file, data, count, ppos);
mutex_unlock(vdev->lock);
return ret;
}
return -EINVAL;
default:
Reported by FlawFinder.
drivers/md/dm-log-writes.c
6 issues
Line: 243
CWE codes:
476
ptr = kmap_atomic(page);
memcpy(ptr, entry, entrylen);
if (datalen)
memcpy(ptr + entrylen, data, datalen);
memset(ptr + entrylen + datalen, 0,
lc->sectorsize - entrylen - datalen);
kunmap_atomic(ptr);
ret = bio_add_page(bio, page, lc->sectorsize, 0);
Reported by Cppcheck.
Line: 241
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ptr = kmap_atomic(page);
memcpy(ptr, entry, entrylen);
if (datalen)
memcpy(ptr + entrylen, data, datalen);
memset(ptr + entrylen + datalen, 0,
lc->sectorsize - entrylen - datalen);
kunmap_atomic(ptr);
Reported by FlawFinder.
Line: 243
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr = kmap_atomic(page);
memcpy(ptr, entry, entrylen);
if (datalen)
memcpy(ptr + entrylen, data, datalen);
memset(ptr + entrylen + datalen, 0,
lc->sectorsize - entrylen - datalen);
kunmap_atomic(ptr);
ret = bio_add_page(bio, page, lc->sectorsize, 0);
Reported by FlawFinder.
Line: 302
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ptr = kmap_atomic(page);
memcpy(ptr, data, pg_datalen);
if (pg_sectorlen > pg_datalen)
memset(ptr + pg_datalen, 0, pg_sectorlen - pg_datalen);
kunmap_atomic(ptr);
ret = bio_add_page(bio, page, pg_sectorlen, 0);
Reported by FlawFinder.
Line: 770
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src = kmap_atomic(bv.bv_page);
dst = kmap_atomic(page);
memcpy(dst, src + bv.bv_offset, bv.bv_len);
kunmap_atomic(dst);
kunmap_atomic(src);
block->vecs[i].bv_page = page;
block->vecs[i].bv_len = bv.bv_len;
block->vec_cnt++;
Reported by FlawFinder.
Line: 624
Column: 19
CWE codes:
126
return -ENOMEM;
}
atomic_inc(&lc->pending_blocks);
block->datalen = strlen(block->data);
block->flags |= LOG_MARK_FLAG;
spin_lock_irq(&lc->blocks_lock);
list_add_tail(&block->list, &lc->logging_blocks);
spin_unlock_irq(&lc->blocks_lock);
wake_up_process(lc->log_kthread);
Reported by FlawFinder.
drivers/net/ethernet/chelsio/cxgb3/sge.c
6 issues
Line: 799
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pci_dma_sync_single_for_cpu(adap->pdev,
dma_unmap_addr(sd, dma_addr), len,
PCI_DMA_FROMDEVICE);
memcpy(skb->data, sd->skb->data, len);
pci_dma_sync_single_for_device(adap->pdev,
dma_unmap_addr(sd, dma_addr), len,
PCI_DMA_FROMDEVICE);
} else if (!drop_thres)
goto use_orig_buf;
Reported by FlawFinder.
Line: 859
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__skb_put(newskb, len);
pci_dma_sync_single_for_cpu(adap->pdev, dma_addr, len,
PCI_DMA_FROMDEVICE);
memcpy(newskb->data, sd->pg_chunk.va, len);
pci_dma_sync_single_for_device(adap->pdev, dma_addr,
len,
PCI_DMA_FROMDEVICE);
} else if (!drop_thres)
return NULL;
Reported by FlawFinder.
Line: 896
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
PCI_DMA_FROMDEVICE);
if (!skb) {
__skb_put(newskb, SGE_RX_PULL_LEN);
memcpy(newskb->data, sd->pg_chunk.va, SGE_RX_PULL_LEN);
skb_fill_page_desc(newskb, 0, sd->pg_chunk.page,
sd->pg_chunk.offset + SGE_RX_PULL_LEN,
len - SGE_RX_PULL_LEN);
newskb->len = len;
newskb->data_len = len - SGE_RX_PULL_LEN;
Reported by FlawFinder.
Line: 1131
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (avail > sgl_flits)
avail = sgl_flits;
memcpy(&d->flit[flits], fp, avail * sizeof(*fp));
sgl_flits -= avail;
ndesc--;
if (!sgl_flits)
break;
Reported by FlawFinder.
Line: 1392
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct work_request_hdr *to = (struct work_request_hdr *)d;
if (likely(!skb->data_len))
memcpy(&to[1], &from[1], len - sizeof(*from));
else
skb_copy_bits(skb, sizeof(*from), &to[1], len - sizeof(*from));
to->wr_hi = from->wr_hi | htonl(F_WR_SOP | F_WR_EOP |
V_WR_BCNTLFLT(len & 7));
Reported by FlawFinder.
Line: 1652
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Only TX_DATA builds SGLs */
from = (struct work_request_hdr *)skb->data;
memcpy(&d->flit[1], &from[1],
skb_transport_offset(skb) - sizeof(*from));
flits = skb_transport_offset(skb) / 8;
sgp = ndesc == 1 ? (struct sg_ent *)&d->flit[flits] : sgl;
sgl_flits = write_sgl(skb, sgp, skb_transport_header(skb),
Reported by FlawFinder.