The following issues were found
drivers/misc/fastrpc.c
5 issues
Line: 83
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define miscdev_to_cctx(d) container_of(d, struct fastrpc_channel_ctx, miscdev)
static const char *domains[FASTRPC_DEV_MAX] = { "adsp", "mdsp",
"sdsp", "cdsp"};
struct fastrpc_phy_page {
u64 addr; /* physical address */
u64 size; /* size of contiguous region */
};
Reported by FlawFinder.
Line: 863
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto bail;
}
} else {
memcpy(dst, src, len);
}
}
}
for (i = ctx->nbufs; i < ctx->nscalars; ++i) {
Reported by FlawFinder.
Line: 901
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (copy_to_user((void __user *)dst, src, len))
return -EFAULT;
} else {
memcpy(dst, src, len);
}
}
return 0;
}
Reported by FlawFinder.
Line: 1557
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cctx->sesscount++ >= FASTRPC_MAX_SESSIONS)
break;
dup_sess = &cctx->session[cctx->sesscount];
memcpy(dup_sess, sess, sizeof(*dup_sess));
}
}
cctx->sesscount++;
spin_unlock_irqrestore(&cctx->lock, flags);
rc = dma_set_mask(dev, DMA_BIT_MASK(32));
Reported by FlawFinder.
Line: 1048
Column: 18
CWE codes:
126
}
inbuf.pgid = fl->tgid;
inbuf.namelen = strlen(current->comm) + 1;
inbuf.filelen = init.filelen;
inbuf.pageslen = 1;
inbuf.attrs = init.attrs;
inbuf.siglen = init.siglen;
fl->pd = USER_PD;
Reported by FlawFinder.
drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
5 issues
Line: 42
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 tmp[2] = { 0 };
memcpy(((u8 *)tmp) + 2, emac, ETH_ALEN);
mac[0] = swab32(tmp[1]);
mac[1] = swab32(tmp[0]);
}
Reported by FlawFinder.
Line: 582
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
memset(&key_rec, 0, sizeof(key_rec));
memcpy(&key_rec.key, key, secy->key_len);
aq_rotate_keys(&key_rec.key, secy->key_len);
ret = aq_mss_set_egress_sakey_record(hw, &key_rec, sa_idx);
Reported by FlawFinder.
Line: 610
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aq_txsc = &cfg->aq_txsc[txsc_idx];
set_bit(ctx->sa.assoc_num, &aq_txsc->tx_sa_idx_busy);
memcpy(aq_txsc->tx_sa_key[ctx->sa.assoc_num], ctx->sa.key,
secy->key_len);
if (netif_carrier_ok(nic->ndev) && netif_running(secy->netdev))
ret = aq_update_txsa(nic, aq_txsc->hw_sc_idx, secy,
ctx->sa.tx_sa, ctx->sa.key,
Reported by FlawFinder.
Line: 915
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
memset(&sa_key_record, 0, sizeof(sa_key_record));
memcpy(&sa_key_record.key, key, secy->key_len);
switch (secy->key_len) {
case AQ_MACSEC_KEY_LEN_128_BIT:
sa_key_record.key_len = 0;
break;
Reported by FlawFinder.
Line: 957
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aq_rxsc = &nic->macsec_cfg->aq_rxsc[rxsc_idx];
set_bit(ctx->sa.assoc_num, &aq_rxsc->rx_sa_idx_busy);
memcpy(aq_rxsc->rx_sa_key[ctx->sa.assoc_num], ctx->sa.key,
secy->key_len);
if (netif_carrier_ok(nic->ndev) && netif_running(secy->netdev))
ret = aq_update_rxsa(nic, aq_rxsc->hw_sc_idx, secy,
ctx->sa.rx_sa, ctx->sa.key,
Reported by FlawFinder.
drivers/media/usb/uvc/uvc_video.c
5 issues
Line: 1167
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < uvc_urb->async_operations; i++) {
struct uvc_copy_op *op = &uvc_urb->copy_operations[i];
memcpy(op->dst, op->src, op->len);
/* Release reference taken on this buffer. */
uvc_queue_buffer_release(op->buf);
}
Reported by FlawFinder.
Line: 1258
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nbytes = min((unsigned int)len, buf->bytesused - queue->buf_used);
nbytes = min(stream->bulk.max_payload_size - stream->bulk.payload_size,
nbytes);
memcpy(data, mem, nbytes);
queue->buf_used += nbytes;
return nbytes;
}
Reported by FlawFinder.
Line: 1330
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
put_unaligned(sof, &meta->sof);
if (has_scr)
memcpy(stream->clock.last_scr, scr, 6);
memcpy(&meta->length, mem, length);
meta_buf->bytesused += length + sizeof(meta->ns) + sizeof(meta->sof);
uvc_dbg(stream->dev, FRAME,
Reported by FlawFinder.
Line: 1332
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (has_scr)
memcpy(stream->clock.last_scr, scr, 6);
memcpy(&meta->length, mem, length);
meta_buf->bytesused += length + sizeof(meta->ns) + sizeof(meta->sof);
uvc_dbg(stream->dev, FRAME,
"%s(): t-sys %lluns, SOF %u, len %u, flags 0x%x, PTS %u, STC %u frame SOF %u\n",
__func__, ktime_to_ns(time), meta->sof, meta->length,
Reported by FlawFinder.
Line: 1464
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret < 0 || buf == NULL) {
stream->bulk.skip_payload = 1;
} else {
memcpy(stream->bulk.header, mem, ret);
stream->bulk.header_size = ret;
uvc_video_decode_meta(stream, meta_buf, mem, ret);
mem += ret;
Reported by FlawFinder.
drivers/net/ethernet/atheros/atl1c/atl1c_main.c
5 issues
Line: 485
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (netif_running(netdev))
return -EBUSY;
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
memcpy(adapter->hw.mac_addr, addr->sa_data, netdev->addr_len);
atl1c_hw_set_mac_addr(&adapter->hw, adapter->hw.mac_addr);
return 0;
Reported by FlawFinder.
Line: 486
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EBUSY;
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
memcpy(adapter->hw.mac_addr, addr->sa_data, netdev->addr_len);
atl1c_hw_set_mac_addr(&adapter->hw, adapter->hw.mac_addr);
return 0;
}
Reported by FlawFinder.
Line: 2247
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
use_tpd = tpd;
else {
use_tpd = atl1c_get_tpd(adapter, queue);
memcpy(use_tpd, tpd, sizeof(struct atl1c_tpd_desc));
}
buffer_info = atl1c_get_tx_buffer(adapter, use_tpd);
buffer_info->length = buf_len - mapped_len;
buffer_info->dma =
dma_map_single(&adapter->pdev->dev,
Reported by FlawFinder.
Line: 2269
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_frag_t *frag = &skb_shinfo(skb)->frags[f];
use_tpd = atl1c_get_tpd(adapter, queue);
memcpy(use_tpd, tpd, sizeof(struct atl1c_tpd_desc));
buffer_info = atl1c_get_tx_buffer(adapter, use_tpd);
buffer_info->length = skb_frag_size(frag);
buffer_info->dma = skb_frag_dma_map(&adapter->pdev->dev,
frag, 0,
Reported by FlawFinder.
Line: 2772
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* got a random MAC address, set NET_ADDR_RANDOM to netdev */
netdev->addr_assign_type = NET_ADDR_RANDOM;
}
memcpy(netdev->dev_addr, adapter->hw.mac_addr, netdev->addr_len);
if (netif_msg_probe(adapter))
dev_dbg(&pdev->dev, "mac address : %pM\n",
adapter->hw.mac_addr);
atl1c_hw_set_mac_addr(&adapter->hw, adapter->hw.mac_addr);
Reported by FlawFinder.
drivers/media/dvb-frontends/stv6110.c
5 issues
Line: 79
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (start + len > 8)
return -EINVAL;
memcpy(&cmdbuf[1], buf, len);
cmdbuf[0] = start;
if (fe->ops.i2c_gate_ctrl)
fe->ops.i2c_gate_ctrl(fe, 1);
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fe->ops.i2c_gate_ctrl)
fe->ops.i2c_gate_ctrl(fe, 0);
memcpy(&priv->regs[start], regs, len);
return 0;
}
static int stv6110_read_reg(struct dvb_frontend *fe, int start)
Reported by FlawFinder.
Line: 206
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct stv6110_priv *priv = fe->tuner_priv;
u8 buf0[] = { 0x07, 0x11, 0xdc, 0x85, 0x17, 0x01, 0xe6, 0x1e };
memcpy(priv->regs, buf0, 8);
/* K = (Reference / 1000000) - 16 */
priv->regs[RSTV6110_CTRL1] &= ~(0x1f << 3);
priv->regs[RSTV6110_CTRL1] |=
((((priv->mclk / 1000000) - 16) & 0x1f) << 3);
Reported by FlawFinder.
Line: 421
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->clk_div = config->clk_div;
priv->gain = config->gain;
memcpy(&priv->regs, ®0[1], 8);
memcpy(&fe->ops.tuner_ops, &stv6110_tuner_ops,
sizeof(struct dvb_tuner_ops));
fe->tuner_priv = priv;
printk(KERN_INFO "STV6110 attached on addr=%x!\n", priv->i2c_address);
Reported by FlawFinder.
Line: 423
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->regs, ®0[1], 8);
memcpy(&fe->ops.tuner_ops, &stv6110_tuner_ops,
sizeof(struct dvb_tuner_ops));
fe->tuner_priv = priv;
printk(KERN_INFO "STV6110 attached on addr=%x!\n", priv->i2c_address);
return fe;
Reported by FlawFinder.
drivers/media/tuners/tda827x.c
5 issues
Line: 240
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tda827xo_set_analog_params(struct dvb_frontend *fe,
struct analog_parameters *params)
{
unsigned char tuner_reg[8];
unsigned char reg2[2];
u32 N;
int i;
struct tda827x_priv *priv = fe->tuner_priv;
struct i2c_msg msg = { .addr = priv->i2c_addr, .flags = 0 };
Reported by FlawFinder.
Line: 241
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct analog_parameters *params)
{
unsigned char tuner_reg[8];
unsigned char reg2[2];
u32 N;
int i;
struct tda827x_priv *priv = fe->tuner_priv;
struct i2c_msg msg = { .addr = priv->i2c_addr, .flags = 0 };
unsigned int freq = params->frequency;
Reported by FlawFinder.
Line: 651
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tda827xa_set_analog_params(struct dvb_frontend *fe,
struct analog_parameters *params)
{
unsigned char tuner_reg[11];
u32 N;
int i;
struct tda827x_priv *priv = fe->tuner_priv;
struct i2c_msg msg = { .addr = priv->i2c_addr, .flags = 0,
.buf = tuner_reg, .len = sizeof(tuner_reg) };
Reported by FlawFinder.
Line: 862
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->cfg->agcf = tda827xo_agcf;
} else {
dprintk("tda827xa tuner found\n");
memcpy(&fe->ops.tuner_ops, &tda827xa_tuner_ops, sizeof(struct dvb_tuner_ops));
if (priv->cfg)
priv->cfg->agcf = tda827xa_agcf;
}
return 0;
}
Reported by FlawFinder.
Line: 883
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->i2c_addr = addr;
priv->i2c_adap = i2c;
priv->cfg = cfg;
memcpy(&fe->ops.tuner_ops, &tda827xo_tuner_ops, sizeof(struct dvb_tuner_ops));
fe->tuner_priv = priv;
dprintk("type set to %s\n", fe->ops.tuner_ops.info.name);
return fe;
Reported by FlawFinder.
drivers/media/tuners/tea5761.c
5 issues
Line: 142
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tea5761_priv *priv = fe->tuner_priv;
unsigned int frq = freq;
unsigned char buffer[7] = {0, 0, 0, 0, 0, 0, 0 };
unsigned div;
int rc;
tuner_dbg("radio freq counter %d\n", frq);
Reported by FlawFinder.
Line: 236
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tea5761_get_status(struct dvb_frontend *fe, u32 *status)
{
unsigned char buffer[16];
*status = 0;
if (0 == tea5761_read_status(fe, buffer)) {
if (tea5761_signal(fe, buffer))
Reported by FlawFinder.
Line: 252
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tea5761_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
{
unsigned char buffer[16];
*strength = 0;
if (0 == tea5761_read_status(fe, buffer))
*strength = tea5761_signal(fe, buffer);
Reported by FlawFinder.
Line: 264
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int tea5761_autodetection(struct i2c_adapter* i2c_adap, u8 i2c_addr)
{
unsigned char buffer[16];
int rc;
struct tuner_i2c_props i2c = { .adap = i2c_adap, .addr = i2c_addr };
if (16 != (rc = tuner_i2c_xfer_recv(&i2c, buffer, 16))) {
printk(KERN_WARNING "it is not a TEA5761. Received %i chars.\n", rc);
Reported by FlawFinder.
Line: 327
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->i2c_props.adap = i2c_adap;
priv->i2c_props.name = "tea5761";
memcpy(&fe->ops.tuner_ops, &tea5761_tuner_ops,
sizeof(struct dvb_tuner_ops));
tuner_info("type set to %s\n", "Philips TEA5761HN FM Radio");
return fe;
Reported by FlawFinder.
drivers/misc/sgi-gru/grukservices.c
5 issues
Line: 412
CWE codes:
476
kgts = NULL;
}
BUG_ON(!kgts);
cbrnum = thread_cbr_number(kgts, get_cb_number(cb));
cbe = get_cbe(GRUBASE(cb), cbrnum);
gru_flush_cache(cbe); /* CBE not coherent */
sync_core();
excdet->opc = cbe->opccpy;
excdet->exopc = cbe->exopccpy;
Reported by Cppcheck.
Line: 503
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void gru_abort(int ret, void *cb, char *str)
{
char buf[GRU_EXC_STR_SIZE];
panic("GRU FATAL ERROR: %s - %s\n", str,
gru_get_cb_exception_detail_str(ret, cb, buf, sizeof(buf)));
}
Reported by FlawFinder.
Line: 810
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
clines = DIV_ROUND_UP(bytes, GRU_CACHE_LINE_BYTES);
if (gru_get_cpu_resources(bytes, &cb, &dsr))
return MQE_BUG_NO_RESOURCES;
memcpy(dsr, mesg, bytes);
mhdr = dsr;
mhdr->present = MQS_FULL;
mhdr->lines = clines;
if (clines == 2) {
mhdr->present2 = get_present2(mhdr);
Reported by FlawFinder.
Line: 1000
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gru_message_queue_desc mqd;
void *p, *mq;
int i, ret = -EIO;
char mes[GRU_CACHE_LINE_BYTES], *m;
/* Need 1K cacheline aligned that does not cross page boundary */
p = kmalloc(4096, 0);
if (p == NULL)
return -ENOMEM;
Reported by FlawFinder.
Line: 1107
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BUFSIZE 200
static int quicktest3(unsigned long arg)
{
char buf1[BUFSIZE], buf2[BUFSIZE];
int ret = 0;
memset(buf2, 0, sizeof(buf2));
memset(buf1, get_cycles() & 255, sizeof(buf1));
gru_copy_gpa(uv_gpa(buf2), uv_gpa(buf1), BUFSIZE);
Reported by FlawFinder.
drivers/net/can/slcan.c
5 issues
Line: 90
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct work_struct tx_work; /* Flushes transmit buffer */
/* These are pointers to the malloc()ed frame buffers. */
unsigned char rbuff[SLC_MTU]; /* receiver buffer */
int rcount; /* received chars counter */
unsigned char xbuff[SLC_MTU]; /* transmitter buffer */
unsigned char *xhead; /* pointer to next XMIT byte */
int xleft; /* bytes left in XMIT queue */
Reported by FlawFinder.
Line: 92
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* These are pointers to the malloc()ed frame buffers. */
unsigned char rbuff[SLC_MTU]; /* receiver buffer */
int rcount; /* received chars counter */
unsigned char xbuff[SLC_MTU]; /* transmitter buffer */
unsigned char *xhead; /* pointer to next XMIT byte */
int xleft; /* bytes left in XMIT queue */
unsigned long flags; /* Flag values/ mode etc */
#define SLF_INUSE 0 /* Channel in use */
Reported by FlawFinder.
Line: 518
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct slcan *slc_alloc(void)
{
int i;
char name[IFNAMSIZ];
struct net_device *dev = NULL;
struct can_ml_priv *can_ml;
struct slcan *sl;
int size;
Reported by FlawFinder.
Line: 535
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (i >= maxdev)
return NULL;
sprintf(name, "slcan%d", i);
size = ALIGN(sizeof(*sl), NETDEV_ALIGN) + sizeof(struct can_ml_priv);
dev = alloc_netdev(size, name, NET_NAME_UNKNOWN, slc_setup);
if (!dev)
return NULL;
Reported by FlawFinder.
Line: 686
Column: 9
CWE codes:
126
switch (cmd) {
case SIOCGIFNAME:
tmp = strlen(sl->dev->name) + 1;
if (copy_to_user((void __user *)arg, sl->dev->name, tmp))
return -EFAULT;
return 0;
case SIOCSIFHWADDR:
Reported by FlawFinder.
drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
5 issues
Line: 152
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (debug >= 3)
dprintk("> %*ph\n", len, data);
memcpy(data, ttusb->send_buf, len);
err = usb_bulk_msg(ttusb->dev, ttusb->bulk_out_pipe,
ttusb->send_buf, len, &actual_len, 1000);
if (err != 0) {
dprintk("usb_bulk_msg(send) failed, err == %i!\n", err);
Reported by FlawFinder.
Line: 181
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (len_result)
memcpy(ttusb->send_buf, ttusb->last_result, len_result);
err:
mutex_unlock(&ttusb->semusb);
return err;
}
Reported by FlawFinder.
Line: 298
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* upload dsp code in 32 byte steps (36 didn't work for me ...) */
/* 32 is max packet size, no messages should be split. */
for (i = 0; i < fw->size; i += 28) {
memcpy(&b[4], &fw->data[i], 28);
b[1] = ++ttusb->c;
err = ttusb_cmd(ttusb, b, 32, 0);
if (err)
Reported by FlawFinder.
Line: 459
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b[4] = 0xFF; /* send diseqc master, not burst */
b[5] = cmd->msg_len;
memcpy(b + 5, cmd->msg, cmd->msg_len);
/* Diseqc */
if ((err = ttusb_cmd(ttusb, b, 4 + b[3], 0))) {
dprintk("usb_bulk_msg() failed, return value %i!\n", err);
}
Reported by FlawFinder.
Line: 643
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avail =
ttusb->muxpack_len -
ttusb->muxpack_ptr;
memcpy(ttusb->muxpack + ttusb->muxpack_ptr,
data, avail);
ttusb->muxpack_ptr += avail;
BUG_ON(ttusb->muxpack_ptr > 264);
data += avail;
len -= avail;
Reported by FlawFinder.