The following issues were found
drivers/media/usb/cx231xx/cx231xx-core.c
5 issues
Line: 241
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
printk(KERN_CONT ">>>");
for (i = 0; i < size; i++)
printk(KERN_CONT " %02x",
((unsigned char *)data)[i]);
}
}
/* Do the real call to usb_control_msg */
mutex_lock(&dev->ctrl_urb_lock);
Reported by FlawFinder.
Line: 248
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Do the real call to usb_control_msg */
mutex_lock(&dev->ctrl_urb_lock);
if (!(requesttype & USB_DIR_IN) && size)
memcpy(dev->urb_buf, data, size);
rc = usb_control_msg(dev->udev, pipe, request, requesttype, value,
index, dev->urb_buf, size, timeout);
if ((requesttype & USB_DIR_IN) && size)
memcpy(data, dev->urb_buf, size);
mutex_unlock(&dev->ctrl_urb_lock);
Reported by FlawFinder.
Line: 252
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = usb_control_msg(dev->udev, pipe, request, requesttype, value,
index, dev->urb_buf, size, timeout);
if ((requesttype & USB_DIR_IN) && size)
memcpy(data, dev->urb_buf, size);
mutex_unlock(&dev->ctrl_urb_lock);
if (reg_debug) {
if (unlikely(rc < 0)) {
printk(KERN_CONT "FAILED!\n");
Reported by FlawFinder.
Line: 265
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
printk(KERN_CONT "<<<");
for (i = 0; i < size; i++)
printk(KERN_CONT " %02x",
((unsigned char *)data)[i]);
}
printk(KERN_CONT "\n");
}
return rc;
Reported by FlawFinder.
Line: 757
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buffer = kzalloc(4096, GFP_KERNEL);
if (buffer == NULL)
return -ENOMEM;
memcpy(&buffer[0], firmware, 4096);
ret = usb_bulk_msg(dev->udev, usb_sndbulkpipe(dev->udev, 5),
buffer, 4096, &actlen, 2000);
if (ret)
Reported by FlawFinder.
drivers/net/can/spi/hi311x.c
5 issues
Line: 257
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct hi3110_priv *priv = spi_get_drvdata(spi);
priv->spi_tx_buf[0] = HI3110_WRITE_FIFO;
memcpy(priv->spi_tx_buf + 1, buf, len);
hi3110_spi_trans(spi, len + 1);
}
static void hi3110_hw_tx(struct spi_device *spi, struct can_frame *frame)
{
Reported by FlawFinder.
Line: 282
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[HI3110_FIFO_EXT_DLC_OFF] = frame->len;
memcpy(buf + HI3110_FIFO_EXT_DATA_OFF,
frame->data, frame->len);
hi3110_hw_tx_frame(spi, buf, HI3110_TX_EXT_BUF_LEN -
(HI3110_CAN_MAX_DATA_LEN - frame->len));
} else {
Reported by FlawFinder.
Line: 296
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[HI3110_FIFO_STD_DLC_OFF] = frame->len;
memcpy(buf + HI3110_FIFO_STD_DATA_OFF,
frame->data, frame->len);
hi3110_hw_tx_frame(spi, buf, HI3110_TX_STD_BUF_LEN -
(HI3110_CAN_MAX_DATA_LEN - frame->len));
}
Reported by FlawFinder.
Line: 310
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->spi_tx_buf[0] = HI3110_READ_FIFO_WOTIME;
hi3110_spi_trans(spi, HI3110_RX_BUF_LEN);
memcpy(buf, priv->spi_rx_buf + 1, HI3110_RX_BUF_LEN - 1);
}
static void hi3110_hw_rx(struct spi_device *spi)
{
struct hi3110_priv *priv = spi_get_drvdata(spi);
Reported by FlawFinder.
Line: 349
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf[HI3110_FIFO_WOTIME_ID_OFF + 3] & HI3110_FIFO_WOTIME_ID_RTR)
frame->can_id |= CAN_RTR_FLAG;
else
memcpy(frame->data, buf + HI3110_FIFO_WOTIME_DAT_OFF,
frame->len);
priv->net->stats.rx_packets++;
priv->net->stats.rx_bytes += frame->len;
Reported by FlawFinder.
drivers/net/dsa/qca8k.c
5 issues
Line: 293
CWE codes:
908
int ret, ret1;
u32 val;
ret = read_poll_timeout(qca8k_read, ret1, !(val & mask),
0, QCA8K_BUSY_WAIT_TIMEOUT * USEC_PER_MSEC, false,
priv, reg, &val);
/* Check if qca8k_read has failed for a different reason
* before returning -ETIMEDOUT
Reported by Cppcheck.
Line: 632
CWE codes:
908
qca8k_split_addr(reg, &r1, &r2, &page);
ret = read_poll_timeout(qca8k_mii_read32, ret1, !(val & mask), 0,
QCA8K_BUSY_WAIT_TIMEOUT * USEC_PER_MSEC, false,
bus, 0x10 | r2, r1, &val);
/* Check if qca8k_read has failed for a different reason
* before returnting -ETIMEDOUT
Reported by Cppcheck.
Line: 100
Column: 14
CWE codes:
120
20
ret = bus->read(bus, phy_id, regnum);
if (ret >= 0) {
*val = ret;
ret = bus->read(bus, phy_id, regnum + 1);
*val |= ret << 16;
}
if (ret < 0) {
dev_err_ratelimited(&bus->dev,
Reported by FlawFinder.
Line: 1404
Column: 3
CWE codes:
120
return;
for (i = 0; i < ARRAY_SIZE(ar8327_mib); i++)
strncpy(data + i * ETH_GSTRING_LEN, ar8327_mib[i].name,
ETH_GSTRING_LEN);
}
static void
qca8k_get_ethtool_stats(struct dsa_switch *ds, int port,
Reported by FlawFinder.
drivers/misc/cxl/flash.c
5 issues
Line: 59
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock(&rtas_data_buf_lock);
memcpy(rtas_data_buf, buf, RTAS_DATA_BUF_SIZE);
rc = rtas_call(token, 2, 1, NULL, rtas_data_buf, scope);
memcpy(buf, rtas_data_buf, RTAS_DATA_BUF_SIZE);
spin_unlock(&rtas_data_buf_lock);
return rc;
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(rtas_data_buf, buf, RTAS_DATA_BUF_SIZE);
rc = rtas_call(token, 2, 1, NULL, rtas_data_buf, scope);
memcpy(buf, rtas_data_buf, RTAS_DATA_BUF_SIZE);
spin_unlock(&rtas_data_buf_lock);
return rc;
}
Reported by FlawFinder.
Line: 91
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kfree(new_prop);
return -ENOMEM;
}
memcpy(new_prop->value, value, vd);
val = (u32 *)new_prop->value;
rc = cxl_update_properties(dn, new_prop);
pr_devel("%pOFn: update property (%s, length: %i, value: %#x)\n",
dn, name, vd, be32_to_cpu(*val));
Reported by FlawFinder.
Line: 286
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((need_header) && (i == 0)) {
/* add adapter image header */
memcpy(buffer[i], header, sizeof(struct ai_header));
s_copy = CXL_AI_BUFFER_SIZE - CXL_AI_HEADER_SIZE;
dest += CXL_AI_HEADER_SIZE; /* image offset */
}
if ((i == (entries - 1)) && mod)
s_copy = mod;
Reported by FlawFinder.
Line: 152
Column: 17
CWE codes:
126
char *prop_name;
prop_name = prop_data;
prop_data += strlen(prop_name) + 1;
vd = be32_to_cpu(*(__be32 *)prop_data);
prop_data += sizeof(vd);
if ((vd != 0x00000000) && (vd != 0x80000000)) {
ret = update_property(dn, prop_name, vd,
Reported by FlawFinder.
drivers/media/platform/sti/bdisp/bdisp-debug.c
5 issues
Line: 642
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void bdisp_debugfs_create(struct bdisp_dev *bdisp)
{
char dirname[16];
snprintf(dirname, sizeof(dirname), "%s%d", BDISP_NAME, bdisp->id);
bdisp->dbg.debugfs_entry = debugfs_create_dir(dirname, NULL);
bdisp_dbg_create_entry(regs);
Reported by FlawFinder.
Line: 178
Column: 25
CWE codes:
126
seq_printf(s, "%s\t0x%08X\t", name, val);
if (!addr || !name || (strlen(name) < 2))
goto done;
s1 = name[strlen(name) - 1] == '1';
s2 = name[strlen(name) - 1] == '2';
s3 = name[strlen(name) - 1] == '3';
Reported by FlawFinder.
Line: 181
Column: 12
CWE codes:
126
if (!addr || !name || (strlen(name) < 2))
goto done;
s1 = name[strlen(name) - 1] == '1';
s2 = name[strlen(name) - 1] == '2';
s3 = name[strlen(name) - 1] == '3';
seq_printf(s, "Pitch=%d - ", val & 0xFFFF);
Reported by FlawFinder.
Line: 182
Column: 12
CWE codes:
126
goto done;
s1 = name[strlen(name) - 1] == '1';
s2 = name[strlen(name) - 1] == '2';
s3 = name[strlen(name) - 1] == '3';
seq_printf(s, "Pitch=%d - ", val & 0xFFFF);
switch ((val & BLT_TTY_COL_MASK) >> BLT_TTY_COL_SHIFT) {
Reported by FlawFinder.
Line: 183
Column: 12
CWE codes:
126
s1 = name[strlen(name) - 1] == '1';
s2 = name[strlen(name) - 1] == '2';
s3 = name[strlen(name) - 1] == '3';
seq_printf(s, "Pitch=%d - ", val & 0xFFFF);
switch ((val & BLT_TTY_COL_MASK) >> BLT_TTY_COL_SHIFT) {
case BDISP_RGB565:
Reported by FlawFinder.
drivers/media/usb/pwc/pwc-dec23.h
5 issues
Line: 33
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *stream;
int temp_colors[16];
unsigned char table_0004_pass1[16][1024];
unsigned char table_0004_pass2[16][1024];
unsigned char table_8004_pass1[16][256];
unsigned char table_8004_pass2[16][256];
unsigned int table_subblock[256][12];
Reported by FlawFinder.
Line: 34
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int temp_colors[16];
unsigned char table_0004_pass1[16][1024];
unsigned char table_0004_pass2[16][1024];
unsigned char table_8004_pass1[16][256];
unsigned char table_8004_pass2[16][256];
unsigned int table_subblock[256][12];
unsigned char table_bitpowermask[8][256];
Reported by FlawFinder.
Line: 35
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char table_0004_pass1[16][1024];
unsigned char table_0004_pass2[16][1024];
unsigned char table_8004_pass1[16][256];
unsigned char table_8004_pass2[16][256];
unsigned int table_subblock[256][12];
unsigned char table_bitpowermask[8][256];
unsigned int table_d800[256];
Reported by FlawFinder.
Line: 36
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char table_0004_pass1[16][1024];
unsigned char table_0004_pass2[16][1024];
unsigned char table_8004_pass1[16][256];
unsigned char table_8004_pass2[16][256];
unsigned int table_subblock[256][12];
unsigned char table_bitpowermask[8][256];
unsigned int table_d800[256];
unsigned int table_dc00[256];
Reported by FlawFinder.
Line: 39
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char table_8004_pass2[16][256];
unsigned int table_subblock[256][12];
unsigned char table_bitpowermask[8][256];
unsigned int table_d800[256];
unsigned int table_dc00[256];
};
Reported by FlawFinder.
drivers/media/usb/pwc/pwc-dec23.c
5 issues
Line: 59
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int temp_values[12];
int i, j;
memcpy(temp_values, initial_values, sizeof(initial_values));
for (i = 0; i < 256; i++) {
for (j = 0; j < 12; j++) {
pdec->table_subblock[i][j] = temp_values[j];
temp_values[j] += values_derivated[j];
}
Reported by FlawFinder.
Line: 89
Column: 19
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void build_table_color(const unsigned int romtable[16][8],
unsigned char p0004[16][1024],
unsigned char p8004[16][256])
{
int compression_mode, j, k, bit, pw;
unsigned char *p0, *p8;
const unsigned int *r;
Reported by FlawFinder.
Line: 90
Column: 19
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void build_table_color(const unsigned int romtable[16][8],
unsigned char p0004[16][1024],
unsigned char p8004[16][256])
{
int compression_mode, j, k, bit, pw;
unsigned char *p0, *p8;
const unsigned int *r;
Reported by FlawFinder.
Line: 186
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* op == 0 otherwise
*
*/
static const unsigned char hash_table_ops[64*4] = {
0x02, 0x00, 0x00, 0x00,
0x00, 0x03, 0x01, 0x00,
0x00, 0x04, 0x01, 0x10,
0x00, 0x06, 0x01, 0x30,
0x02, 0x00, 0x00, 0x00,
Reported by FlawFinder.
Line: 277
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#if USE_LOOKUP_TABLE_TO_CLAMP
#define MAX_OUTER_CROP_VALUE (512)
static unsigned char pwc_crop_table[256 + 2*MAX_OUTER_CROP_VALUE];
#define CLAMP(x) (pwc_crop_table[MAX_OUTER_CROP_VALUE+(x)])
#else
#define CLAMP(x) ((x)>255?255:((x)<0?0:x))
#endif
Reported by FlawFinder.
drivers/media/pci/bt8xx/bttvp.h
5 issues
Line: 115
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bttv *btv;
struct timer_list timer;
char name[32];
char phys[32];
/* Usual gpio signalling */
u32 mask_keycode;
u32 mask_keydown;
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct timer_list timer;
char name[32];
char phys[32];
/* Usual gpio signalling */
u32 mask_keycode;
u32 mask_keydown;
u32 mask_keyup;
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* for gpio-connected remote control */
struct bttv_input {
struct input_dev *dev;
char name[32];
char phys[32];
u32 mask_keycode;
u32 mask_keydown;
};
Reported by FlawFinder.
Line: 337
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bttv_input {
struct input_dev *dev;
char name[32];
char phys[32];
u32 mask_keycode;
u32 mask_keydown;
};
struct bttv_suspend_state {
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int mbox_csel;
/* switch status for multi-controller cards */
char sw_status[4];
/* risc memory management data
- must acquire s_lock before changing these
- only the irq handler is supported to touch top + bottom + vcurr */
struct btcx_riscmem main;
Reported by FlawFinder.
drivers/mtd/devices/st_spi_fsm.c
5 issues
Line: 647
};
static struct stfsm_seq stfsm_seq_write_status = {
.seq_opc[0] = (SEQ_OPC_PADS_1 | SEQ_OPC_CYCLES(8) |
SEQ_OPC_OPCODE(SPINOR_OP_WREN) | SEQ_OPC_CSDEASSERT),
.seq_opc[1] = (SEQ_OPC_PADS_1 | SEQ_OPC_CYCLES(8) |
SEQ_OPC_OPCODE(SPINOR_OP_WRSR)),
.seq = {
STFSM_INST_CMD1,
Reported by Cppcheck.
Line: 1555
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (size_mop) {
stfsm_read_fifo(fsm, tmp, read_mask + 1);
memcpy(p + size_lb, &tmp, size_mop);
}
/* Handle non-aligned buf */
if ((uintptr_t)buf & 0x3)
memcpy(buf, page_buf, size);
Reported by FlawFinder.
Line: 1560
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Handle non-aligned buf */
if ((uintptr_t)buf & 0x3)
memcpy(buf, page_buf, size);
/* Wait for sequence to finish */
stfsm_wait_seq(fsm);
stfsm_clear_fifo(fsm);
Reported by FlawFinder.
Line: 1602
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Handle non-aligned buf */
if ((uintptr_t)buf & 0x3) {
memcpy(page_buf, buf, size);
p = (uint8_t *)page_buf;
} else {
p = buf;
}
Reported by FlawFinder.
Line: 1840
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
stfsm_read_fifo(fsm, tmp, 8);
memcpy(jedec, tmp, 5);
stfsm_wait_seq(fsm);
}
static struct flash_info *stfsm_jedec_probe(struct stfsm *fsm)
Reported by FlawFinder.
drivers/media/pci/bt8xx/bttv-cards.c
5 issues
Line: 77
Column: 20
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int terratec_active_radio_upgrade(struct bttv *btv);
static int tea575x_init(struct bttv *btv);
static void identify_by_eeprom(struct bttv *btv,
unsigned char eeprom_data[256]);
static int pvr_boot(struct bttv *btv);
/* config variables */
static unsigned int triton1;
static unsigned int vsfx;
Reported by FlawFinder.
Line: 2888
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* ----------------------------------------------------------------------- */
static unsigned char eeprom_data[256];
/*
* identify card
*/
void bttv_idcard(struct bttv *btv)
Reported by FlawFinder.
Line: 2965
Column: 59
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
/* Some Modular Technology cards have an eeprom, but no subsystem ID */
static void identify_by_eeprom(struct bttv *btv, unsigned char eeprom_data[256])
{
int type = -1;
if (0 == strncmp(eeprom_data,"GET MM20xPCTV",13))
type = BTTV_BOARD_MODTEC_205;
Reported by FlawFinder.
Line: 4503
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int xaddr, yaddr;
struct bttv *mctlr;
static unsigned char map[4] = {3, 0, 2, 1};
mctlr = master[btv->c.nr];
if (mctlr == NULL) { /* ignore if master not yet detected */
return;
}
Reported by FlawFinder.
Line: 4684
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rc;
long mux;
int bitmask;
unsigned char buf[2];
/* Read PIC config to determine if this is a PXC200F */
/* PX_I2C_CMD_CFG*/
buf[0]=0;
buf[1]=0;
Reported by FlawFinder.