The following issues were found
drivers/media/rc/streamzap.c
5 issues
Line: 91
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ktime_t signal_start;
bool timeout_enabled;
char name[128];
char phys[64];
};
/* local function prototypes */
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool timeout_enabled;
char name[128];
char phys[64];
};
/* local function prototypes */
static int streamzap_probe(struct usb_interface *interface,
Reported by FlawFinder.
Line: 325
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_device *usbdev = interface_to_usbdev(intf);
struct usb_host_interface *iface_host;
struct streamzap_ir *sz = NULL;
char buf[63], name[128] = "";
int retval = -ENOMEM;
int pipe, maxp;
/* Allocate space for device driver specific data */
sz = kzalloc(sizeof(struct streamzap_ir), GFP_KERNEL);
Reported by FlawFinder.
Line: 392
Column: 48
CWE codes:
126
if (usbdev->descriptor.iProduct
&& usb_string(usbdev, usbdev->descriptor.iProduct,
buf, sizeof(buf)) > 0)
snprintf(name + strlen(name), sizeof(name) - strlen(name),
" %s", buf);
sz->rdev = streamzap_init_rc_dev(sz);
if (!sz->rdev)
goto rc_dev_fail;
Reported by FlawFinder.
Line: 392
Column: 19
CWE codes:
126
if (usbdev->descriptor.iProduct
&& usb_string(usbdev, usbdev->descriptor.iProduct,
buf, sizeof(buf)) > 0)
snprintf(name + strlen(name), sizeof(name) - strlen(name),
" %s", buf);
sz->rdev = streamzap_init_rc_dev(sz);
if (!sz->rdev)
goto rc_dev_fail;
Reported by FlawFinder.
drivers/net/ethernet/amd/nmclan_cs.c
5 issues
Line: 638
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kfree(buf);
goto failed;
}
memcpy(dev->dev_addr, buf, ETH_ALEN);
kfree(buf);
/* Verify configuration by reading the MACE ID. */
{
char sig[2];
Reported by FlawFinder.
Line: 643
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Verify configuration by reading the MACE ID. */
{
char sig[2];
sig[0] = mace_read(lp, ioaddr, MACE_CHIPIDL);
sig[1] = mace_read(lp, ioaddr, MACE_CHIPIDH);
if ((sig[0] == 0x40) && ((sig[1] & 0x0F) == 0x09)) {
dev_dbg(&link->dev, "nmclan_cs configured: mace id=%x %x\n",
Reported by FlawFinder.
Line: 693
Column: 12
CWE codes:
362
{
struct net_device *dev = link->priv;
if (link->open)
netif_device_detach(dev);
return 0;
}
Reported by FlawFinder.
Line: 703
Column: 12
CWE codes:
362
{
struct net_device *dev = link->priv;
if (link->open) {
nmclan_reset(dev);
netif_device_attach(dev);
}
return 0;
Reported by FlawFinder.
Line: 1439
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Calculate multicast logical address filter */
memset(lp->multicast_ladrf, 0, MACE_LADRF_LEN);
netdev_for_each_mc_addr(ha, dev) {
memcpy(adr, ha->addr, ETH_ALEN);
BuildLAF(lp->multicast_ladrf, adr);
}
}
restore_multicast_list(dev);
Reported by FlawFinder.
drivers/net/ethernet/cavium/liquidio/octeon_mailbox.c
5 issues
Line: 154
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (mbox_cmd->msg.s.type == OCTEON_MBOX_REQUEST) {
memcpy(&mbox->mbox_resp, mbox_cmd,
sizeof(struct octeon_mbox_cmd));
mbox->state = OCTEON_MBOX_STATE_RESPONSE_PENDING;
}
spin_unlock_irqrestore(&mbox->lock, flags);
Reported by FlawFinder.
Line: 254
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
LIQUIDIO_BASE_MINOR_VERSION;
((struct lio_version *)&mbox_cmd->data[0])->micro =
LIQUIDIO_BASE_MICRO_VERSION;
memcpy(mbox_cmd->msg.s.params, (uint8_t *)&oct->pfvf_hsword, 6);
/* Sending core cofig info to the corresponding active VF.*/
octeon_mbox_write(oct, mbox_cmd);
break;
case OCTEON_VF_FLR_REQUEST:
Reported by FlawFinder.
Line: 303
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mbox->state & OCTEON_MBOX_STATE_ERROR) {
if (mbox->state & (OCTEON_MBOX_STATE_RESPONSE_PENDING |
OCTEON_MBOX_STATE_RESPONSE_RECEIVING)) {
memcpy(&mbox_cmd, &mbox->mbox_resp,
sizeof(struct octeon_mbox_cmd));
mbox->state = OCTEON_MBOX_STATE_IDLE;
writeq(OCTEON_PFVFSIG, mbox->mbox_read_reg);
spin_unlock_irqrestore(&mbox->lock, flags);
mbox_cmd.recv_status = 1;
Reported by FlawFinder.
Line: 322
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (mbox->state & OCTEON_MBOX_STATE_RESPONSE_RECEIVED) {
memcpy(&mbox_cmd, &mbox->mbox_resp,
sizeof(struct octeon_mbox_cmd));
mbox->state = OCTEON_MBOX_STATE_IDLE;
writeq(OCTEON_PFVFSIG, mbox->mbox_read_reg);
spin_unlock_irqrestore(&mbox->lock, flags);
mbox_cmd.recv_status = 0;
Reported by FlawFinder.
Line: 334
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (mbox->state & OCTEON_MBOX_STATE_REQUEST_RECEIVED) {
memcpy(&mbox_cmd, &mbox->mbox_req,
sizeof(struct octeon_mbox_cmd));
if (!mbox_cmd.msg.s.resp_needed) {
mbox->state &= ~OCTEON_MBOX_STATE_REQUEST_RECEIVED;
if (!(mbox->state &
OCTEON_MBOX_STATE_RESPONSE_PENDING))
Reported by FlawFinder.
drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c
5 issues
Line: 135
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @seg_id_buf : segmentation map working buffer (AP-W, VPU-R)
*/
struct vdec_vp9_vsi {
unsigned char sf_bs_buf[VP9_SUPER_FRAME_BS_SZ];
struct vp9_sf_ref_fb sf_ref_fb[VP9_MAX_FRM_BUF_NUM-1];
int sf_next_ref_fb_idx;
unsigned int sf_frm_cnt;
unsigned int sf_frm_offset[VP9_MAX_FRM_BUF_NUM-1];
unsigned int sf_frm_sz[VP9_MAX_FRM_BUF_NUM-1];
Reported by FlawFinder.
Line: 483
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
frm_to_show->fb->base_y.size) &&
(inst->cur_fb->base_c.size >=
frm_to_show->fb->base_c.size)) {
memcpy((void *)inst->cur_fb->base_y.va,
(void *)frm_to_show->fb->base_y.va,
frm_to_show->fb->base_y.size);
memcpy((void *)inst->cur_fb->base_c.va,
(void *)frm_to_show->fb->base_c.va,
frm_to_show->fb->base_c.size);
Reported by FlawFinder.
Line: 486
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy((void *)inst->cur_fb->base_y.va,
(void *)frm_to_show->fb->base_y.va,
frm_to_show->fb->base_y.size);
memcpy((void *)inst->cur_fb->base_c.va,
(void *)frm_to_show->fb->base_c.va,
frm_to_show->fb->base_c.size);
} else {
/* After resolution change case, current CAPTURE buffer
* may have less buffer size than frm_to_show buffer
Reported by FlawFinder.
Line: 867
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sf_bs_off = VP9_SUPER_FRAME_BS_SZ - sf_bs_sz;
sf_bs_src = bs->va + bs->size - sf_bs_sz;
sf_bs_dst = vsi->sf_bs_buf + sf_bs_off;
memcpy(sf_bs_dst, sf_bs_src, sf_bs_sz);
} else {
if ((vsi->sf_frm_cnt > 0) &&
(vsi->sf_frm_idx < vsi->sf_frm_cnt)) {
unsigned int idx = vsi->sf_frm_idx;
Reported by FlawFinder.
Line: 873
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(vsi->sf_frm_idx < vsi->sf_frm_cnt)) {
unsigned int idx = vsi->sf_frm_idx;
memcpy((void *)bs->va,
(void *)(bs->va +
vsi->sf_frm_offset[idx]),
vsi->sf_frm_sz[idx]);
}
}
Reported by FlawFinder.
drivers/media/firewire/firedtv-avc.c
5 issues
Line: 300
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
}
memcpy(fdtv->avc_data, data, length);
fdtv->avc_data_length = length;
wake:
fdtv->avc_reply_received = true;
wake_up(&fdtv->avc_wait);
Reported by FlawFinder.
Line: 1001
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
app_info[2] = (EN50221_TAG_APP_INFO >> 0) & 0xff;
app_info[3] = 6 + r->operand[pos + 4];
app_info[4] = 0x01;
memcpy(&app_info[5], &r->operand[pos], 5 + r->operand[pos + 4]);
*len = app_info[3] + 4;
out:
mutex_unlock(&fdtv->avc_mutex);
return ret;
Reported by FlawFinder.
Line: 1163
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(&c->operand[write_pos], &msg[read_pos],
program_info_length);
read_pos += program_info_length;
write_pos += program_info_length;
}
while (read_pos < length) {
Reported by FlawFinder.
Line: 1191
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(&c->operand[write_pos], &msg[read_pos],
es_info_length);
read_pos += es_info_length;
write_pos += es_info_length;
}
}
Reported by FlawFinder.
Line: 1318
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* FIXME: check response code and validate response data */
*len = get_ca_object_length(r);
memcpy(mmi_object, &r->operand[get_ca_object_pos(r)], *len);
out:
mutex_unlock(&fdtv->avc_mutex);
return ret;
}
Reported by FlawFinder.
drivers/net/dsa/mt7530.c
5 issues
Line: 2022
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
ds->slave_mii_bus = bus;
bus->priv = priv;
bus->name = KBUILD_MODNAME "-mii";
snprintf(bus->id, MII_BUS_ID_SIZE, KBUILD_MODNAME "-%d", idx++);
bus->read = mt753x_phy_read;
bus->write = mt753x_phy_write;
bus->parent = dev;
bus->phy_mask = ~ds->phys_mii_mask;
Reported by FlawFinder.
Line: 99
Column: 15
CWE codes:
120
20
goto err;
/* Read the content of the MMD's selected register */
value = bus->read(bus, 0, MII_MMD_DATA);
return value;
err:
dev_err(&bus->dev, "failed to read mmd register\n");
Reported by FlawFinder.
Line: 849
Column: 3
CWE codes:
120
return;
for (i = 0; i < ARRAY_SIZE(mt7530_mib); i++)
strncpy(data + i * ETH_GSTRING_LEN, mt7530_mib[i].name,
ETH_GSTRING_LEN);
}
static void
mt7530_get_ethtool_stats(struct dsa_switch *ds, int port,
Reported by FlawFinder.
drivers/media/rc/xbox_remote.c
5 issues
Line: 242
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
udev->product ?: "");
if (!strlen(xbox_remote->rc_name))
snprintf(xbox_remote->rc_name, sizeof(xbox_remote->rc_name),
DRIVER_DESC "(%04x,%04x)",
le16_to_cpu(xbox_remote->udev->descriptor.idVendor),
le16_to_cpu(xbox_remote->udev->descriptor.idProduct));
rc_dev->map_name = RC_MAP_XBOX_DVD; /* default map */
Reported by FlawFinder.
Line: 58
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_interface *interface;
struct urb *irq_urb;
unsigned char inbuf[DATA_BUFSIZE] __aligned(sizeof(u16));
char rc_name[NAME_BUFSIZE];
char rc_phys[NAME_BUFSIZE];
};
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct urb *irq_urb;
unsigned char inbuf[DATA_BUFSIZE] __aligned(sizeof(u16));
char rc_name[NAME_BUFSIZE];
char rc_phys[NAME_BUFSIZE];
};
static int xbox_remote_rc_open(struct rc_dev *rdev)
{
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char inbuf[DATA_BUFSIZE] __aligned(sizeof(u16));
char rc_name[NAME_BUFSIZE];
char rc_phys[NAME_BUFSIZE];
};
static int xbox_remote_rc_open(struct rc_dev *rdev)
{
struct xbox_remote *xbox_remote = rdev->priv;
Reported by FlawFinder.
Line: 241
Column: 7
CWE codes:
126
udev->manufacturer && udev->product ? " " : "",
udev->product ?: "");
if (!strlen(xbox_remote->rc_name))
snprintf(xbox_remote->rc_name, sizeof(xbox_remote->rc_name),
DRIVER_DESC "(%04x,%04x)",
le16_to_cpu(xbox_remote->udev->descriptor.idVendor),
le16_to_cpu(xbox_remote->udev->descriptor.idProduct));
Reported by FlawFinder.
drivers/net/ethernet/emulex/benet/be.h
5 issues
Line: 183
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct be_eq_obj {
struct be_queue_info q;
char desc[32];
struct be_adapter *adapter;
struct napi_struct napi;
u8 idx; /* array index */
u8 msix_idx;
Reported by FlawFinder.
Line: 346
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BE_RESET_VLAN_TAG_ID 0xFFFF
struct be_vf_cfg {
unsigned char mac_addr[ETH_ALEN];
int if_handle;
int pmac_id;
u16 vlan_tag;
u32 tx_rate;
u32 plink_tracking;
Reported by FlawFinder.
Line: 481
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct be_eth_addr {
unsigned char mac[ETH_ALEN];
};
#define BE_SEC 1000 /* in msec */
#define BE_MIN (60 * BE_SEC) /* in msec */
#define BE_HOUR (60 * BE_MIN) /* in msec */
Reported by FlawFinder.
Line: 606
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 flags;
u32 cmd_privileges;
/* Ethtool knobs and info */
char fw_ver[FW_VER_LEN];
char fw_on_flash[FW_VER_LEN];
/* IFACE filtering fields */
int if_handle; /* Used to configure filtering */
u32 if_flags; /* Interface filtering flags */
Reported by FlawFinder.
Line: 607
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 cmd_privileges;
/* Ethtool knobs and info */
char fw_ver[FW_VER_LEN];
char fw_on_flash[FW_VER_LEN];
/* IFACE filtering fields */
int if_handle; /* Used to configure filtering */
u32 if_flags; /* Interface filtering flags */
u32 *pmac_id; /* MAC addr handle used by BE card */
Reported by FlawFinder.
drivers/net/arcnet/arcnet.c
5 issues
Line: 149
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void arcnet_dump_skb(struct net_device *dev,
struct sk_buff *skb, char *desc)
{
char hdr[32];
/* dump the packet */
snprintf(hdr, sizeof(hdr), "%6s:%s skb->data:", dev->name, desc);
print_hex_dump(KERN_DEBUG, hdr, DUMP_PREFIX_OFFSET,
16, 1, skb->data, skb->len, true);
Reported by FlawFinder.
Line: 168
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i, length;
unsigned long flags = 0;
static uint8_t buf[512];
char hdr[32];
/* hw.copy_from_card expects IRQ context so take the IRQ lock
* to keep it single threaded
*/
if (take_arcnet_lock)
Reported by FlawFinder.
Line: 575
Column: 13
CWE codes:
362
lp->rfc1201.sequence = 1;
/* bring up the hardware driver */
if (lp->hw.open)
lp->hw.open(dev);
if (dev->dev_addr[0] == 0)
arc_printk(D_NORMAL, dev, "WARNING! Station address 00 is reserved for broadcasts!\n");
else if (dev->dev_addr[0] == 255)
Reported by FlawFinder.
Line: 576
Column: 10
CWE codes:
362
/* bring up the hardware driver */
if (lp->hw.open)
lp->hw.open(dev);
if (dev->dev_addr[0] == 0)
arc_printk(D_NORMAL, dev, "WARNING! Station address 00 is reserved for broadcasts!\n");
else if (dev->dev_addr[0] == 255)
arc_printk(D_NORMAL, dev, "WARNING! Station address FF may confuse DOS networking programs!\n");
Reported by FlawFinder.
Line: 1125
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct arcnet_local *lp = netdev_priv(dev);
union {
struct archdr pkt;
char buf[512];
} rxdata;
struct arc_rfc1201 *soft;
int length, ofs;
soft = &rxdata.pkt.soft.rfc1201;
Reported by FlawFinder.
drivers/misc/habanalabs/common/habanalabs.h
5 issues
Line: 481
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct asic_fixed_properties {
struct hw_queue_properties *hw_queues_props;
struct cpucp_info cpucp_info;
char uboot_ver[VERSION_MAX_LEN];
char preboot_ver[VERSION_MAX_LEN];
struct hl_mmu_properties dmmu;
struct hl_mmu_properties pmmu;
struct hl_mmu_properties pmmu_huge;
u64 sram_base_address;
Reported by FlawFinder.
Line: 482
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hw_queue_properties *hw_queues_props;
struct cpucp_info cpucp_info;
char uboot_ver[VERSION_MAX_LEN];
char preboot_ver[VERSION_MAX_LEN];
struct hl_mmu_properties dmmu;
struct hl_mmu_properties pmmu;
struct hl_mmu_properties pmmu_huge;
u64 sram_base_address;
u64 sram_end_address;
Reported by FlawFinder.
Line: 2221
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct delayed_work work_freq;
struct delayed_work work_heartbeat;
struct hl_device_reset_work device_reset_work;
char asic_name[HL_STR_MAX];
char status[HL_DEV_STS_MAX][HL_STR_MAX];
enum hl_asic_type asic_type;
struct hl_cq *completion_queue;
struct hl_user_interrupt *user_interrupt;
struct hl_user_interrupt common_user_interrupt;
Reported by FlawFinder.
Line: 2222
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct delayed_work work_heartbeat;
struct hl_device_reset_work device_reset_work;
char asic_name[HL_STR_MAX];
char status[HL_DEV_STS_MAX][HL_STR_MAX];
enum hl_asic_type asic_type;
struct hl_cq *completion_queue;
struct hl_user_interrupt *user_interrupt;
struct hl_user_interrupt common_user_interrupt;
struct workqueue_struct **cq_wq;
Reported by FlawFinder.
Line: 2617
Column: 51
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct fw_load_mgr *fw_loader,
enum comms_cmd cmd, unsigned int size,
bool wait_ok, u32 timeout);
int hl_pci_bars_map(struct hl_device *hdev, const char * const name[3],
bool is_wc[3]);
int hl_pci_elbi_read(struct hl_device *hdev, u64 addr, u32 *data);
int hl_pci_iatu_write(struct hl_device *hdev, u32 addr, u32 data);
int hl_pci_set_inbound_region(struct hl_device *hdev, u8 region,
struct hl_inbound_pci_region *pci_region);
Reported by FlawFinder.