The following issues were found
drivers/media/i2c/adv7842.c
6 issues
Line: 2494
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (edid->start_block + edid->blocks > blocks)
edid->blocks = blocks - edid->start_block;
memcpy(edid->edid, data + edid->start_block * 128, edid->blocks * 128);
return 0;
}
/*
Reported by FlawFinder.
Line: 2538
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->vga_edid.blocks = e->blocks;
state->vga_edid.present = e->blocks ? 0x1 : 0x0;
if (e->blocks)
memcpy(state->vga_edid.edid, e->edid, 128);
err = edid_write_vga_segment(sd);
break;
case ADV7842_EDID_PORT_A:
case ADV7842_EDID_PORT_B:
memset(state->hdmi_edid.edid, 0, sizeof(state->hdmi_edid.edid));
Reported by FlawFinder.
Line: 2547
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->hdmi_edid.blocks = e->blocks;
if (e->blocks) {
state->hdmi_edid.present |= 0x04 << e->pad;
memcpy(state->hdmi_edid.edid, e->edid, 128 * e->blocks);
} else {
state->hdmi_edid.present &= ~(0x04 << e->pad);
adv7842_s_detect_tx_5v_ctrl(sd);
}
err = edid_write_hdmi_segment(sd, e->pad);
Reported by FlawFinder.
Line: 2700
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool audio_sample_packet_detect = hdmi_read(sd, 0x18) & 0x01;
bool audio_mute = io_read(sd, 0x65) & 0x40;
static const char * const csc_coeff_sel_rb[16] = {
"bypassed", "YPbPr601 -> RGB", "reserved", "YPbPr709 -> RGB",
"reserved", "RGB -> YPbPr601", "reserved", "RGB -> YPbPr709",
"reserved", "YPbPr709 -> YPbPr601", "YPbPr601 -> YPbPr709",
"reserved", "reserved", "reserved", "reserved", "manual"
};
Reported by FlawFinder.
Line: 2706
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"reserved", "YPbPr709 -> YPbPr601", "YPbPr601 -> YPbPr709",
"reserved", "reserved", "reserved", "reserved", "manual"
};
static const char * const input_color_space_txt[16] = {
"RGB limited range (16-235)", "RGB full range (0-255)",
"YCbCr Bt.601 (16-235)", "YCbCr Bt.709 (16-235)",
"xvYCC Bt.601", "xvYCC Bt.709",
"YCbCr Bt.601 (0-255)", "YCbCr Bt.709 (0-255)",
"invalid", "invalid", "invalid", "invalid", "invalid",
Reported by FlawFinder.
Line: 2719
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"RGB limited range (16-235)",
"RGB full range (0-255)",
};
static const char * const deep_color_mode_txt[4] = {
"8-bits per channel",
"10-bits per channel",
"12-bits per channel",
"16-bits per channel (not supported)"
};
Reported by FlawFinder.
drivers/media/i2c/ccs/ccs-reg-access.c
6 issues
Line: 74
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct i2c_client *client = v4l2_get_subdevdata(&sensor->src->sd);
struct i2c_msg msg;
unsigned char data_buf[sizeof(u32)] = { 0 };
unsigned char offset_buf[sizeof(u16)];
int r;
if (len > sizeof(data_buf))
return -EINVAL;
Reported by FlawFinder.
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *client = v4l2_get_subdevdata(&sensor->src->sd);
struct i2c_msg msg;
unsigned char data_buf[sizeof(u32)] = { 0 };
unsigned char offset_buf[sizeof(u16)];
int r;
if (len > sizeof(data_buf))
return -EINVAL;
Reported by FlawFinder.
Line: 325
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct i2c_client *client = v4l2_get_subdevdata(&sensor->src->sd);
struct i2c_msg msg;
unsigned char data[6];
unsigned int len = ccs_reg_width(reg);
int r;
if (len > sizeof(data) - 2)
return -EINVAL;
Reported by FlawFinder.
Line: 376
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t num_regs)
{
struct i2c_client *client = v4l2_get_subdevdata(&sensor->src->sd);
unsigned char buf[2 + MAX_WRITE_LEN];
struct i2c_msg msg = {
.addr = client->addr,
.buf = buf,
};
size_t i;
Reported by FlawFinder.
Line: 389
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (j = 0; j < regs->len;
j += msg.len - 2, regdata += msg.len - 2) {
char printbuf[(MAX_WRITE_LEN << 1) +
1 /* \0 */] = { 0 };
int rval;
msg.len = min(regs->len - j, MAX_WRITE_LEN);
Reported by FlawFinder.
Line: 401
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
regs->addr + j, printbuf);
put_unaligned_be16(regs->addr + j, buf);
memcpy(buf + 2, regdata, msg.len);
msg.len += 2;
rval = ccs_write_retry(client, &msg);
if (rval) {
Reported by FlawFinder.
drivers/mtd/ubi/vtbl.c
6 issues
Line: 105
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vtbl_rec->crc = cpu_to_be32(crc);
}
memcpy(&ubi->vtbl[idx], vtbl_rec, sizeof(struct ubi_vtbl_record));
err = ubi_update_layout_vol(ubi);
self_vtbl_check(ubi);
return err ? err : 0;
}
Reported by FlawFinder.
Line: 132
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ubi_vtbl_record *vtbl_rec = &ubi->vtbl[vol->vol_id];
if (re->remove) {
memcpy(vtbl_rec, &empty_vtbl_record,
sizeof(struct ubi_vtbl_record));
continue;
}
vtbl_rec->name_len = cpu_to_be16(re->new_name_len);
Reported by FlawFinder.
Line: 138
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
vtbl_rec->name_len = cpu_to_be16(re->new_name_len);
memcpy(vtbl_rec->name, re->new_name, re->new_name_len);
memset(vtbl_rec->name + re->new_name_len, 0,
UBI_VOL_NAME_MAX + 1 - re->new_name_len);
crc = crc32(UBI_CRC32_INIT, vtbl_rec,
UBI_VTBL_RECORD_SIZE_CRC);
vtbl_rec->crc = cpu_to_be32(crc);
Reported by FlawFinder.
Line: 495
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ERR_PTR(-ENOMEM);
for (i = 0; i < ubi->vtbl_slots; i++)
memcpy(&vtbl[i], &empty_vtbl_record, UBI_VTBL_RECORD_SIZE);
for (i = 0; i < UBI_LAYOUT_VOLUME_EBS; i++) {
int err;
err = create_vtbl(ubi, ai, i, vtbl);
Reported by FlawFinder.
Line: 546
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
UBI_DYNAMIC_VOLUME : UBI_STATIC_VOLUME;
vol->name_len = be16_to_cpu(vtbl[i].name_len);
vol->usable_leb_size = ubi->leb_size - vol->data_pad;
memcpy(vol->name, vtbl[i].name, vol->name_len);
vol->name[vol->name_len] = '\0';
vol->vol_id = i;
if (vtbl[i].flags & UBI_VTBL_SKIP_CRC_CHECK_FLG)
vol->skip_check = 1;
Reported by FlawFinder.
Line: 634
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vol->alignment = UBI_LAYOUT_VOLUME_ALIGN;
vol->vol_type = UBI_DYNAMIC_VOLUME;
vol->name_len = sizeof(UBI_LAYOUT_VOLUME_NAME) - 1;
memcpy(vol->name, UBI_LAYOUT_VOLUME_NAME, vol->name_len + 1);
vol->usable_leb_size = ubi->leb_size;
vol->used_ebs = vol->reserved_pebs;
vol->last_eb_bytes = vol->reserved_pebs;
vol->used_bytes =
(long long)vol->used_ebs * (ubi->leb_size - vol->data_pad);
Reported by FlawFinder.
drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c
6 issues
Line: 61
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__func__, ntohl(ip->saddr), ntohl(ip->daddr),
ntohs(tcp->source), ntohs(tcp->dest));
*iptype = 4;
memcpy(peer_ip, &ip->saddr, 4);
memcpy(local_ip, &ip->daddr, 4);
} else {
pr_debug("%s saddr %pI6 daddr %pI6 sport %u dport %u\n",
__func__, ip6->saddr.s6_addr, ip6->daddr.s6_addr,
ntohs(tcp->source), ntohs(tcp->dest));
Reported by FlawFinder.
Line: 62
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ntohs(tcp->source), ntohs(tcp->dest));
*iptype = 4;
memcpy(peer_ip, &ip->saddr, 4);
memcpy(local_ip, &ip->daddr, 4);
} else {
pr_debug("%s saddr %pI6 daddr %pI6 sport %u dport %u\n",
__func__, ip6->saddr.s6_addr, ip6->daddr.s6_addr,
ntohs(tcp->source), ntohs(tcp->dest));
*iptype = 6;
Reported by FlawFinder.
Line: 68
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__func__, ip6->saddr.s6_addr, ip6->daddr.s6_addr,
ntohs(tcp->source), ntohs(tcp->dest));
*iptype = 6;
memcpy(peer_ip, ip6->saddr.s6_addr, 16);
memcpy(local_ip, ip6->daddr.s6_addr, 16);
}
*peer_port = tcp->source;
*local_port = tcp->dest;
}
Reported by FlawFinder.
Line: 69
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ntohs(tcp->source), ntohs(tcp->dest));
*iptype = 6;
memcpy(peer_ip, ip6->saddr.s6_addr, 16);
memcpy(local_ip, ip6->daddr.s6_addr, 16);
}
*peer_port = tcp->source;
*local_port = tcp->dest;
}
EXPORT_SYMBOL(cxgb_get_4tuple);
Reported by FlawFinder.
Line: 131
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct flowi6 fl6;
memset(&fl6, 0, sizeof(fl6));
memcpy(&fl6.daddr, peer_ip, 16);
memcpy(&fl6.saddr, local_ip, 16);
if (ipv6_addr_type(&fl6.daddr) & IPV6_ADDR_LINKLOCAL)
fl6.flowi6_oif = sin6_scope_id;
dst = ip6_route_output(&init_net, NULL, &fl6);
if (dst->error ||
Reported by FlawFinder.
Line: 132
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&fl6, 0, sizeof(fl6));
memcpy(&fl6.daddr, peer_ip, 16);
memcpy(&fl6.saddr, local_ip, 16);
if (ipv6_addr_type(&fl6.daddr) & IPV6_ADDR_LINKLOCAL)
fl6.flowi6_oif = sin6_scope_id;
dst = ip6_route_output(&init_net, NULL, &fl6);
if (dst->error ||
(!cxgb_our_interface(lldi, get_real_dev,
Reported by FlawFinder.
drivers/mtd/parsers/redboot.c
6 issues
Line: 251
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
nullname = (char *)&parts[nrparts];
#ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
if (nulllen > 0)
strcpy(nullname, nullstring);
#endif
names = nullname + nulllen;
i = 0;
Reported by FlawFinder.
Line: 270
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
parts[i].offset = fl->img->flash_base;
parts[i].name = names;
strcpy(names, fl->img->name);
#ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY
if (!memcmp(names, "RedBoot", 8) ||
!memcmp(names, "RedBoot config", 15) ||
!memcmp(names, "FIS directory", 14)) {
parts[i].mask_flags = MTD_WRITEABLE;
Reported by FlawFinder.
Line: 20
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <linux/module.h>
struct fis_image_desc {
unsigned char name[16]; // Null terminated name
u32 flash_base; // Address within FLASH of image
u32 mem_base; // Address in memory where it executes
u32 size; // Length of image
u32 entry_point; // Execution entry point
u32 data_length; // Length of actual data
Reported by FlawFinder.
Line: 26
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 size; // Length of image
u32 entry_point; // Execution entry point
u32 data_length; // Length of actual data
unsigned char _pad[256 - (16 + 7 * sizeof(u32))];
u32 desc_cksum; // Checksum over image descriptor
u32 file_cksum; // Checksum over image data
};
struct fis_list {
Reported by FlawFinder.
Line: 206
Column: 14
CWE codes:
126
break;
new_fl = kmalloc(sizeof(struct fis_list), GFP_KERNEL);
namelen += strlen(buf[i].name) + 1;
if (!new_fl) {
ret = -ENOMEM;
goto out;
}
new_fl->img = &buf[i];
Reported by FlawFinder.
Line: 278
Column: 12
CWE codes:
126
parts[i].mask_flags = MTD_WRITEABLE;
}
#endif
names += strlen(names) + 1;
#ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
if (fl->next && fl->img->flash_base + fl->img->size + master->erasesize <= fl->next->img->flash_base) {
i++;
parts[i].offset = parts[i - 1].size + parts[i - 1].offset;
Reported by FlawFinder.
drivers/media/pci/bt8xx/bttv-driver.c
6 issues
Line: 178
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct video_device *vfd = to_video_device(cd);
struct bttv *btv = video_get_drvdata(vfd);
return sprintf(buf, "%d\n", btv ? btv->c.type : UNSET);
}
static DEVICE_ATTR(card, S_IRUGO, show_card, NULL);
/* ----------------------------------------------------------------------- */
/* dvb auto-load setup */
Reported by FlawFinder.
Line: 1743
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
i->audioset = 0;
if (btv->tuner_type != TUNER_ABSENT && i->index == 0) {
sprintf(i->name, "Television");
i->type = V4L2_INPUT_TYPE_TUNER;
i->tuner = 0;
} else if (i->index == btv->svhs) {
sprintf(i->name, "S-Video");
} else {
Reported by FlawFinder.
Line: 1747
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
i->type = V4L2_INPUT_TYPE_TUNER;
i->tuner = 0;
} else if (i->index == btv->svhs) {
sprintf(i->name, "S-Video");
} else {
sprintf(i->name, "Composite%d", i->index);
}
if (i->index == btv->input) {
Reported by FlawFinder.
Line: 1749
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
} else if (i->index == btv->svhs) {
sprintf(i->name, "S-Video");
} else {
sprintf(i->name, "Composite%d", i->index);
}
if (i->index == btv->input) {
__u32 dstatus = btread(BT848_DSTATUS);
if (0 == (dstatus & BT848_DSTATUS_PRES))
Reported by FlawFinder.
Line: 2143
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (NULL == clips)
return -ENOMEM;
if (n > 0)
memcpy(clips, win->clips, sizeof(struct v4l2_clip) * n);
/* clip against screen */
if (NULL != btv->fbuf.base)
n = btcx_screen_clips(btv->fbuf.fmt.width, btv->fbuf.fmt.height,
&win->w, clips, n);
Reported by FlawFinder.
Line: 3322
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int bttv_risc_decode(u32 risc)
{
static char *instr[16] = {
[ BT848_RISC_WRITE >> 28 ] = "write",
[ BT848_RISC_SKIP >> 28 ] = "skip",
[ BT848_RISC_WRITEC >> 28 ] = "writec",
[ BT848_RISC_JUMP >> 28 ] = "jump",
[ BT848_RISC_SYNC >> 28 ] = "sync",
Reported by FlawFinder.
drivers/mtd/maps/pismo.c
6 issues
Line: 23
Column: 9
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct pismo_cs_block {
u8 type;
u8 width;
__le16 access;
__le32 size;
u32 reserved[2];
char device[32];
} __packed;
Reported by FlawFinder.
Line: 38
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct pismo_mem {
phys_addr_t base;
u32 size;
u16 access;
u8 width;
u8 type;
};
struct pismo_data {
Reported by FlawFinder.
Line: 164
Column: 34
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
region.base = base;
region.type = cs->type;
region.width = pismo_width_to_bytes(cs->width);
region.access = le16_to_cpu(cs->access);
region.size = le32_to_cpu(cs->size);
if (region.width == 0) {
dev_err(dev, "cs%u: bad width: %02x, ignoring\n", i, cs->width);
return;
Reported by FlawFinder.
Line: 179
Column: 38
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
*/
dev_info(dev, "cs%u: %.32s: type %02x access %u00ps size %uK\n",
i, cs->device, region.type, region.access, region.size / 1024);
switch (region.type) {
case 0:
break;
case 1:
Reported by FlawFinder.
Line: 26
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le16 access;
__le32 size;
u32 reserved[2];
char device[32];
} __packed;
struct pismo_eeprom {
struct pismo_cs_block cs[PISMO_NUM_CS];
char board[15];
Reported by FlawFinder.
Line: 31
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pismo_eeprom {
struct pismo_cs_block cs[PISMO_NUM_CS];
char board[15];
u8 sum;
} __packed;
struct pismo_mem {
phys_addr_t base;
Reported by FlawFinder.
drivers/mtd/devices/sst25l.c
6 issues
Line: 71
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct spi_message m;
struct spi_transfer t;
unsigned char cmd_resp[2];
int err;
spi_message_init(&m);
memset(&t, 0, sizeof(struct spi_transfer));
Reported by FlawFinder.
Line: 93
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int sst25l_write_enable(struct sst25l_flash *flash, int enable)
{
unsigned char command[2];
int status, err;
command[0] = enable ? SST25L_CMD_WREN : SST25L_CMD_WRDI;
err = spi_write(flash->spi, command, 1);
if (err)
Reported by FlawFinder.
Line: 144
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int sst25l_erase_sector(struct sst25l_flash *flash, uint32_t offset)
{
unsigned char command[4];
int err;
err = sst25l_write_enable(flash, 1);
if (err)
return err;
Reported by FlawFinder.
Line: 212
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sst25l_flash *flash = to_sst25l_flash(mtd);
struct spi_transfer transfer[2];
struct spi_message message;
unsigned char command[4];
int ret;
spi_message_init(&message);
memset(&transfer, 0, sizeof(transfer));
Reported by FlawFinder.
Line: 254
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct sst25l_flash *flash = to_sst25l_flash(mtd);
int i, j, ret, bytes, copied = 0;
unsigned char command[5];
if ((uint32_t)to % mtd->writesize)
return -EINVAL;
mutex_lock(&flash->lock);
Reported by FlawFinder.
Line: 313
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct flash_info *flash_info = NULL;
struct spi_message m;
struct spi_transfer t;
unsigned char cmd_resp[6];
int i, err;
uint16_t id;
spi_message_init(&m);
memset(&t, 0, sizeof(struct spi_transfer));
Reported by FlawFinder.
drivers/mtd/devices/docg3.c
6 issues
Line: 1315
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static void doc_fill_autooob(u8 *dst, u8 *oobsrc)
{
memcpy(dst, oobsrc, DOC_LAYOUT_OOB_PAGEINFO_SZ);
dst[DOC_LAYOUT_OOB_UNUSED_OFS] = oobsrc[DOC_LAYOUT_OOB_PAGEINFO_SZ];
}
/**
* doc_backup_oob - Backup OOB into docg3 structure
Reported by FlawFinder.
Line: 1353
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
doc_fill_autooob(docg3->oob_write_buf, ops->oobbuf);
ops->oobretlen = 8;
} else {
memcpy(docg3->oob_write_buf, ops->oobbuf, DOC_LAYOUT_OOB_SIZE);
ops->oobretlen = DOC_LAYOUT_OOB_SIZE;
}
return 0;
}
Reported by FlawFinder.
Line: 1432
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (!ret && len > 0) {
memset(oob, 0, sizeof(oob));
if (ofs == docg3->oob_write_ofs)
memcpy(oob, docg3->oob_write_buf, DOC_LAYOUT_OOB_SIZE);
else if (ooblen > 0 && ops->mode == MTD_OPS_AUTO_OOB)
doc_fill_autooob(oob, oobbuf);
else if (ooblen > 0)
memcpy(oob, oobbuf, DOC_LAYOUT_OOB_SIZE);
ret = doc_write_page(docg3, ofs, buf, oob, autoecc);
Reported by FlawFinder.
Line: 1436
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (ooblen > 0 && ops->mode == MTD_OPS_AUTO_OOB)
doc_fill_autooob(oob, oobbuf);
else if (ooblen > 0)
memcpy(oob, oobbuf, DOC_LAYOUT_OOB_SIZE);
ret = doc_write_page(docg3, ofs, buf, oob, autoecc);
ofs += DOC_LAYOUT_PAGE_SIZE;
len -= DOC_LAYOUT_PAGE_SIZE;
buf += DOC_LAYOUT_PAGE_SIZE;
Reported by FlawFinder.
Line: 1480
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
doc_set_device_id(docg3, 0);
mutex_unlock(&docg3->cascade->lock);
return sprintf(buf, "%d\n", !(dps0 & DOC_DPS_KEY_OK));
}
static ssize_t dps1_is_key_locked(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 1495
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
doc_set_device_id(docg3, 0);
mutex_unlock(&docg3->cascade->lock);
return sprintf(buf, "%d\n", !(dps1 & DOC_DPS_KEY_OK));
}
static ssize_t dps0_insert_key(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/mmc/host/usdhi6rol0.c
6 issues
Line: 335
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data->flags & MMC_DATA_READ)
return;
memcpy(host->bounce_buf, host->head_pg.mapped + PAGE_SIZE - blk_head,
blk_head);
memcpy(host->bounce_buf + blk_head, host->pg.mapped,
data->blksz - blk_head);
}
Reported by FlawFinder.
Line: 337
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(host->bounce_buf, host->head_pg.mapped + PAGE_SIZE - blk_head,
blk_head);
memcpy(host->bounce_buf + blk_head, host->pg.mapped,
data->blksz - blk_head);
}
/* Only called for multiple block IO */
static void usdhi6_sg_prep(struct usdhi6_host *host)
Reported by FlawFinder.
Line: 407
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t blk_head = host->head_len;
if (!data->error && data->flags & MMC_DATA_READ) {
memcpy(host->head_pg.mapped + PAGE_SIZE - blk_head,
host->bounce_buf, blk_head);
memcpy(host->pg.mapped, host->bounce_buf + blk_head,
data->blksz - blk_head);
}
Reported by FlawFinder.
Line: 409
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!data->error && data->flags & MMC_DATA_READ) {
memcpy(host->head_pg.mapped + PAGE_SIZE - blk_head,
host->bounce_buf, blk_head);
memcpy(host->pg.mapped, host->bounce_buf + blk_head,
data->blksz - blk_head);
}
flush_dcache_page(page);
kunmap(page);
Reported by FlawFinder.
Line: 254
Column: 65
CWE codes:
120
20
USDHI6_SD_INFO2_ERR);
}
static void usdhi6_wait_for_brwe(struct usdhi6_host *host, bool read)
{
usdhi6_irq_enable(host, USDHI6_SD_INFO1_ACCESS_END |
USDHI6_SD_INFO1_CARD_CD, USDHI6_SD_INFO2_ERR |
(read ? USDHI6_SD_INFO2_BRE : USDHI6_SD_INFO2_BWE));
}
Reported by FlawFinder.
Line: 258
Column: 7
CWE codes:
120
20
{
usdhi6_irq_enable(host, USDHI6_SD_INFO1_ACCESS_END |
USDHI6_SD_INFO1_CARD_CD, USDHI6_SD_INFO2_ERR |
(read ? USDHI6_SD_INFO2_BRE : USDHI6_SD_INFO2_BWE));
}
static void usdhi6_only_cd(struct usdhi6_host *host)
{
/* Mask all except card hotplug */
Reported by FlawFinder.