The following issues were found
drivers/net/ethernet/chelsio/cxgb4/smt.c
6 issues
Line: 164
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
row = (e->idx >> 1);
if (e->idx & 1) {
req->pfvf1 = 0x0;
memcpy(req->src_mac1, e->src_mac, ETH_ALEN);
/* fill pfvf0/src_mac0 with entry
* at prev index from smt-tab.
*/
req->pfvf0 = 0x0;
Reported by FlawFinder.
Line: 170
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* at prev index from smt-tab.
*/
req->pfvf0 = 0x0;
memcpy(req->src_mac0, s->smtab[e->idx - 1].src_mac,
ETH_ALEN);
} else {
req->pfvf0 = 0x0;
memcpy(req->src_mac0, e->src_mac, ETH_ALEN);
Reported by FlawFinder.
Line: 174
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ETH_ALEN);
} else {
req->pfvf0 = 0x0;
memcpy(req->src_mac0, e->src_mac, ETH_ALEN);
/* fill pfvf1/src_mac1 with entry
* at next index from smt-tab
*/
req->pfvf1 = 0x0;
Reported by FlawFinder.
Line: 180
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* at next index from smt-tab
*/
req->pfvf1 = 0x0;
memcpy(req->src_mac1, s->smtab[e->idx + 1].src_mac,
ETH_ALEN);
}
} else {
size = sizeof(*t6req);
skb = alloc_skb(size, GFP_ATOMIC);
Reported by FlawFinder.
Line: 195
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* fill pfvf0/src_mac0 from smt-tab */
req->pfvf0 = 0x0;
memcpy(req->src_mac0, s->smtab[e->idx].src_mac, ETH_ALEN);
row = e->idx;
}
OPCODE_TID(req) =
htonl(MK_OPCODE_TID(CPL_SMT_WRITE_REQ, e->idx |
Reported by FlawFinder.
Line: 223
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
e->refcnt = 1;
e->state = SMT_STATE_SWITCHING;
e->pfvf = pfvf;
memcpy(e->src_mac, smac, ETH_ALEN);
write_smt_entry(adap, e);
} else {
++e->refcnt;
}
spin_unlock(&e->lock);
Reported by FlawFinder.
drivers/media/platform/mtk-vpu/mtk_vpu.c
6 issues
Line: 147
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct vpu_run {
u32 signaled;
char fw_ver[VPU_FW_VER_LEN];
unsigned int dec_capability;
unsigned int enc_capability;
wait_queue_head_t wq;
};
Reported by FlawFinder.
Line: 177
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct share_obj {
s32 id;
u32 len;
unsigned char share_buf[SHARE_BUF_SIZE];
};
/**
* struct mtk_vpu - vpu driver data
* @extmem: VPU extended memory information
Reported by FlawFinder.
Line: 548
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest = (__force void *)vpu->reg.tcm;
if (fw_type == D_FW)
dest += VPU_DTCM_OFFSET;
memcpy(dest, vpu_fw->data, dl_size);
/* download to extended memory if need */
if (extra_fw_size > 0) {
dest = vpu->extmem[fw_type].va;
dev_dbg(vpu->dev, "download extended memory type %x\n",
fw_type);
Reported by FlawFinder.
Line: 554
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest = vpu->extmem[fw_type].va;
dev_dbg(vpu->dev, "download extended memory type %x\n",
fw_type);
memcpy(dest, vpu_fw->data + tcm_size, extra_fw_size);
}
release_firmware(vpu_fw);
return 0;
Reported by FlawFinder.
Line: 652
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t vpu_debug_read(struct file *file, char __user *user_buf,
size_t count, loff_t *ppos)
{
char buf[256];
unsigned int len;
unsigned int running, pc, vpu_to_host, host_to_vpu, wdt, idle, ra, sp;
int ret;
struct device *dev = file->private_data;
struct mtk_vpu *vpu = dev_get_drvdata(dev);
Reported by FlawFinder.
Line: 745
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct share_obj __iomem *rcv_obj = vpu->recv_buf;
struct vpu_ipi_desc *ipi_desc = vpu->ipi_desc;
unsigned char data[SHARE_BUF_SIZE];
s32 id = readl(&rcv_obj->id);
memcpy_fromio(data, rcv_obj->share_buf, sizeof(data));
if (id < IPI_MAX && ipi_desc[id].handler) {
ipi_desc[id].handler(data, readl(&rcv_obj->len),
Reported by FlawFinder.
drivers/media/platform/qcom/venus/hfi_parser.c
6 issues
Line: 89
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
const struct hfi_profile_level *pl = data;
memcpy(&cap->pl[cap->num_pl], pl, num * sizeof(*pl));
cap->num_pl += num;
}
static void
parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data)
Reported by FlawFinder.
Line: 103
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pl->profile_count > HFI_MAX_PROFILE_COUNT)
return;
memcpy(pl_arr, proflevel, pl->profile_count * sizeof(*proflevel));
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_profile_level, pl_arr, pl->profile_count);
}
Reported by FlawFinder.
Line: 114
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
const struct hfi_capability *caps = data;
memcpy(&cap->caps[cap->num_caps], caps, num * sizeof(*caps));
cap->num_caps += num;
}
static void
parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data)
Reported by FlawFinder.
Line: 129
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (num_caps > MAX_CAP_ENTRIES)
return;
memcpy(caps_arr, cap, num_caps * sizeof(*cap));
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_caps, caps_arr, num_caps);
}
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
const struct raw_formats *formats = fmts;
memcpy(&cap->fmts[cap->num_fmts], formats, num_fmts * sizeof(*formats));
cap->num_fmts += num_fmts;
}
static void
parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
Reported by FlawFinder.
Line: 259
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
core->codecs_count = count;
core->max_sessions_supported = MAX_SESSIONS;
memset(core->caps, 0, sizeof(*caps) * MAX_CODEC_NUM);
memcpy(core->caps, caps, sizeof(*caps) * entries);
return 0;
}
u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
Reported by FlawFinder.
drivers/media/platform/qcom/venus/hfi_venus.c
6 issues
Line: 210
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_wr_idx = wr_idx + dwords;
wr_ptr = (u32 *)(queue->qmem.kva + (wr_idx << 2));
if (new_wr_idx < qsize) {
memcpy(wr_ptr, packet, dwords << 2);
} else {
size_t len;
new_wr_idx -= qsize;
len = (dwords - new_wr_idx) << 2;
Reported by FlawFinder.
Line: 216
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_wr_idx -= qsize;
len = (dwords - new_wr_idx) << 2;
memcpy(wr_ptr, packet, len);
memcpy(queue->qmem.kva, packet + len, new_wr_idx << 2);
}
/* make sure packet is written before updating the write index */
wmb();
Reported by FlawFinder.
Line: 217
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_wr_idx -= qsize;
len = (dwords - new_wr_idx) << 2;
memcpy(wr_ptr, packet, len);
memcpy(queue->qmem.kva, packet + len, new_wr_idx << 2);
}
/* make sure packet is written before updating the write index */
wmb();
Reported by FlawFinder.
Line: 283
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_rd_idx = rd_idx + dwords;
if (((dwords << 2) <= IFACEQ_VAR_HUGE_PKT_SIZE) && rd_idx <= qsize) {
if (new_rd_idx < qsize) {
memcpy(pkt, rd_ptr, dwords << 2);
} else {
size_t len;
new_rd_idx -= qsize;
len = (dwords - new_rd_idx) << 2;
Reported by FlawFinder.
Line: 289
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_rd_idx -= qsize;
len = (dwords - new_rd_idx) << 2;
memcpy(pkt, rd_ptr, len);
memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2);
}
} else {
/* bad packet received, dropping */
new_rd_idx = qhdr->write_idx;
Reported by FlawFinder.
Line: 290
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_rd_idx -= qsize;
len = (dwords - new_rd_idx) << 2;
memcpy(pkt, rd_ptr, len);
memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2);
}
} else {
/* bad packet received, dropping */
new_rd_idx = qhdr->write_idx;
ret = -EBADMSG;
Reported by FlawFinder.
drivers/media/platform/s5p-jpeg/jpeg-core.c
6 issues
Line: 347
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
#define SJPEG_NUM_FORMATS ARRAY_SIZE(sjpeg_formats)
static const unsigned char qtbl_luminance[4][64] = {
{/*level 0 - high compression quality */
20, 16, 25, 39, 50, 46, 62, 68,
16, 18, 23, 38, 38, 53, 65, 68,
25, 23, 31, 38, 53, 65, 68, 68,
39, 38, 38, 53, 65, 68, 68, 68,
Reported by FlawFinder.
Line: 390
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
};
static const unsigned char qtbl_chrominance[4][64] = {
{/*level 0 - high compression quality */
21, 25, 32, 38, 54, 68, 68, 68,
25, 28, 24, 38, 54, 68, 68, 68,
32, 24, 32, 43, 66, 68, 68, 68,
38, 38, 43, 53, 68, 68, 68, 68,
Reported by FlawFinder.
Line: 433
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
};
static const unsigned char hdctbl0[16] = {
0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0
};
static const unsigned char hdctblg0[12] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb
Reported by FlawFinder.
Line: 437
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0
};
static const unsigned char hdctblg0[12] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb
};
static const unsigned char hactbl0[16] = {
0, 2, 1, 3, 3, 2, 4, 3, 5, 5, 4, 4, 0, 0, 1, 0x7d
};
Reported by FlawFinder.
Line: 440
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const unsigned char hdctblg0[12] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb
};
static const unsigned char hactbl0[16] = {
0, 2, 1, 3, 3, 2, 4, 3, 5, 5, 4, 4, 0, 0, 1, 0x7d
};
static const unsigned char hactblg0[162] = {
0x01, 0x02, 0x03, 0x00, 0x04, 0x11, 0x05, 0x12,
0x21, 0x31, 0x41, 0x06, 0x13, 0x51, 0x61, 0x07,
Reported by FlawFinder.
Line: 443
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const unsigned char hactbl0[16] = {
0, 2, 1, 3, 3, 2, 4, 3, 5, 5, 4, 4, 0, 0, 1, 0x7d
};
static const unsigned char hactblg0[162] = {
0x01, 0x02, 0x03, 0x00, 0x04, 0x11, 0x05, 0x12,
0x21, 0x31, 0x41, 0x06, 0x13, 0x51, 0x61, 0x07,
0x22, 0x71, 0x14, 0x32, 0x81, 0x91, 0xa1, 0x08,
0x23, 0x42, 0xb1, 0xc1, 0x15, 0x52, 0xd1, 0xf0,
0x24, 0x33, 0x62, 0x72, 0x82, 0x09, 0x0a, 0x16,
Reported by FlawFinder.
drivers/media/usb/tm6000/tm6000-alsa.c
6 issues
Line: 208
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf_pos + length >= runtime->buffer_size) {
unsigned int cnt = runtime->buffer_size - buf_pos;
memcpy(runtime->dma_area + buf_pos * stride, buf, cnt * stride);
memcpy(runtime->dma_area, buf + cnt * stride,
length * stride - cnt * stride);
} else
memcpy(runtime->dma_area + buf_pos * stride, buf,
length * stride);
Reported by FlawFinder.
Line: 209
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf_pos + length >= runtime->buffer_size) {
unsigned int cnt = runtime->buffer_size - buf_pos;
memcpy(runtime->dma_area + buf_pos * stride, buf, cnt * stride);
memcpy(runtime->dma_area, buf + cnt * stride,
length * stride - cnt * stride);
} else
memcpy(runtime->dma_area + buf_pos * stride, buf,
length * stride);
Reported by FlawFinder.
Line: 212
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(runtime->dma_area, buf + cnt * stride,
length * stride - cnt * stride);
} else
memcpy(runtime->dma_area + buf_pos * stride, buf,
length * stride);
snd_pcm_stream_lock(substream);
chip->buf_pos += length;
Reported by FlawFinder.
Line: 332
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct snd_tm6000_card *chip;
int rc;
static int devnr;
char component[14];
struct snd_pcm *pcm;
if (!dev)
return 0;
Reported by FlawFinder.
Line: 352
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
strscpy(card->driver, "tm6000-alsa", sizeof(card->driver));
strscpy(card->shortname, "TM5600/60x0", sizeof(card->shortname));
sprintf(card->longname, "TM5600/60x0 Audio at bus %d device %d",
dev->udev->bus->busnum, dev->udev->devnum);
sprintf(component, "USB%04x:%04x",
le16_to_cpu(dev->udev->descriptor.idVendor),
le16_to_cpu(dev->udev->descriptor.idProduct));
Reported by FlawFinder.
Line: 355
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(card->longname, "TM5600/60x0 Audio at bus %d device %d",
dev->udev->bus->busnum, dev->udev->devnum);
sprintf(component, "USB%04x:%04x",
le16_to_cpu(dev->udev->descriptor.idVendor),
le16_to_cpu(dev->udev->descriptor.idProduct));
snd_component_add(card, component);
chip = kzalloc(sizeof(struct snd_tm6000_card), GFP_KERNEL);
Reported by FlawFinder.
drivers/media/usb/em28xx/em28xx-dvb.c
6 issues
Line: 498
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
static const struct {
unsigned char r[4];
int len;
} regs[] = {
{{ 0x06, 0x02, 0x00, 0x31 }, 4},
{{ 0x01, 0x02 }, 2},
{{ 0x01, 0x02, 0x00, 0xc6 }, 4},
Reported by FlawFinder.
Line: 555
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{ -1, -1, -1, -1},
};
static const struct {
unsigned char r[4];
int len;
} regs[] = {
{{ 0x06, 0x02, 0x00, 0x31 }, 4},
{{ 0x01, 0x02 }, 2},
{{ 0x01, 0x02, 0x00, 0xc6 }, 4},
Reported by FlawFinder.
Line: 616
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* it's probably still a good idea.
*/
static const struct {
unsigned char r[4];
int len;
} regs[] = {
{{ 0x06, 0x02, 0x00, 0x31 }, 4},
{{ 0x01, 0x02 }, 2},
{{ 0x01, 0x02, 0x00, 0xc6 }, 4},
Reported by FlawFinder.
Line: 665
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* it's probably still a good idea.
*/
static const struct {
unsigned char r[4];
int len;
} regs[] = {
{{ 0x06, 0x02, 0x00, 0x31 }, 4},
{{ 0x01, 0x02 }, 2},
{{ 0x01, 0x02, 0x00, 0xc6 }, 4},
Reported by FlawFinder.
Line: 709
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int i;
static const struct {
unsigned char r[4];
int len;
} regs[] = {
{{ 0x06, 0x02, 0x00, 0x31 }, 4},
{{ 0x01, 0x02 }, 2},
{{ 0x01, 0x02, 0x00, 0xc6 }, 4},
Reported by FlawFinder.
Line: 805
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
static const struct {
unsigned char r[4];
int len;
} regs1[] = {
{{ 0x0e, 0x77 }, 2},
{{ 0x0f, 0x77 }, 2},
{{ 0x03, 0x90 }, 2},
Reported by FlawFinder.
drivers/media/usb/em28xx/em28xx-audio.c
6 issues
Line: 591
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
tmp.name = ctl_name;
/* Add Mute Control */
sprintf(ctl_name, "%s Switch", name);
tmp.get = em28xx_vol_get_mute;
tmp.put = em28xx_vol_put_mute;
tmp.info = snd_ctl_boolean_mono_info;
kctl = snd_ctl_new1(&tmp, dev);
err = snd_ctl_add(card, kctl);
Reported by FlawFinder.
Line: 608
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
tmp.name = ctl_name;
/* Add Volume Control */
sprintf(ctl_name, "%s Volume", name);
tmp.get = em28xx_vol_get;
tmp.put = em28xx_vol_put;
tmp.info = em28xx_vol_info;
tmp.tlv.p = em28xx_db_scale;
kctl = snd_ctl_new1(&tmp, dev);
Reported by FlawFinder.
Line: 130
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (oldptr + length >= runtime->buffer_size) {
unsigned int cnt =
runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, cp,
cnt * stride);
memcpy(runtime->dma_area, cp + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, cp,
Reported by FlawFinder.
Line: 132
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, cp,
cnt * stride);
memcpy(runtime->dma_area, cp + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, cp,
length * stride);
}
Reported by FlawFinder.
Line: 135
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(runtime->dma_area, cp + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, cp,
length * stride);
}
snd_pcm_stream_lock_irqsave(substream, flags);
Reported by FlawFinder.
Line: 581
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *name, int id)
{
int err;
char ctl_name[44];
struct snd_kcontrol *kctl;
struct snd_kcontrol_new tmp;
memset(&tmp, 0, sizeof(tmp));
tmp.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
Reported by FlawFinder.
drivers/media/usb/dvb-usb/pctv452e.c
6 issues
Line: 441
CWE codes:
476
buf[5] = snd_len;
buf[6] = rcv_len;
memcpy(buf + 7, snd_buf, snd_len);
ret = dvb_usb_generic_rw(d, buf, 7 + snd_len,
buf, /* rcv_len */ 64,
/* delay_ms */ 0);
if (ret < 0)
Reported by Cppcheck.
Line: 131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[2] = cmd;
buf[3] = write_len;
memcpy(buf + 4, data, write_len);
rlen = (read_len > 0) ? 64 : 0;
ret = dvb_usb_generic_rw(d, buf, 4 + write_len,
buf, rlen, /* delay_ms */ 0);
if (0 != ret)
Reported by FlawFinder.
Line: 143
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (SYNC_BYTE_IN != buf[0] || id != buf[1])
goto failed;
memcpy(data, buf + 4, read_len);
kfree(buf);
return 0;
failed:
Reported by FlawFinder.
Line: 333
Column: 12
CWE codes:
362
static int tt3650_ci_poll_slot_status(struct dvb_ca_en50221 *ca,
int slot,
int open)
{
u8 buf[1];
int ret;
if (0 != slot)
Reported by FlawFinder.
Line: 441
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[5] = snd_len;
buf[6] = rcv_len;
memcpy(buf + 7, snd_buf, snd_len);
ret = dvb_usb_generic_rw(d, buf, 7 + snd_len,
buf, /* rcv_len */ 64,
/* delay_ms */ 0);
if (ret < 0)
Reported by FlawFinder.
Line: 459
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf[5] < snd_len || buf[6] < rcv_len)
goto failed;
memcpy(rcv_buf, buf + 7, rcv_len);
kfree(buf);
return rcv_len;
failed:
Reported by FlawFinder.
kernel/kprobes.c
6 issues
Line: 401
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static inline void copy_kprobe(struct kprobe *ap, struct kprobe *p)
{
memcpy(&p->opcode, &ap->opcode, sizeof(kprobe_opcode_t));
memcpy(&p->ainsn, &ap->ainsn, sizeof(struct arch_specific_insn));
}
#ifdef CONFIG_OPTPROBES
/* NOTE: change this value only with kprobe_mutex held */
Reported by FlawFinder.
Line: 402
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline void copy_kprobe(struct kprobe *ap, struct kprobe *p)
{
memcpy(&p->opcode, &ap->opcode, sizeof(kprobe_opcode_t));
memcpy(&p->ainsn, &ap->ainsn, sizeof(struct arch_specific_insn));
}
#ifdef CONFIG_OPTPROBES
/* NOTE: change this value only with kprobe_mutex held */
static bool kprobes_allow_optimization;
Reported by FlawFinder.
Line: 1445
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool within_kprobe_blacklist(unsigned long addr)
{
char symname[KSYM_NAME_LEN], *p;
if (__within_kprobe_blacklist(addr))
return true;
/* Check if the address is on a suffixed-symbol */
Reported by FlawFinder.
Line: 2590
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *sym = NULL;
unsigned int i = *(loff_t *) v;
unsigned long offset = 0;
char *modname, namebuf[KSYM_NAME_LEN];
head = &kprobe_table[i];
preempt_disable();
hlist_for_each_entry_rcu(p, head, hlist) {
sym = kallsyms_lookup((unsigned long)p->addr, NULL,
Reported by FlawFinder.
Line: 2759
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t read_enabled_file_bool(struct file *file,
char __user *user_buf, size_t count, loff_t *ppos)
{
char buf[3];
if (!kprobes_all_disarmed)
buf[0] = '1';
else
buf[0] = '0';
Reported by FlawFinder.
Line: 2773
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t write_enabled_file_bool(struct file *file,
const char __user *user_buf, size_t count, loff_t *ppos)
{
char buf[32];
size_t buf_size;
int ret = 0;
buf_size = min(count, (sizeof(buf)-1));
if (copy_from_user(buf, user_buf, buf_size))
Reported by FlawFinder.