The following issues were found
drivers/media/usb/as102/as102_fw.h
4 issues
Line: 11
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern int dual_tuner;
struct as10x_raw_fw_pkt {
unsigned char address[4];
unsigned char data[MAX_FW_PKT_SIZE - 6];
} __packed;
struct as10x_fw_pkt_t {
union {
Reported by FlawFinder.
Line: 12
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct as10x_raw_fw_pkt {
unsigned char address[4];
unsigned char data[MAX_FW_PKT_SIZE - 6];
} __packed;
struct as10x_fw_pkt_t {
union {
unsigned char request[2];
Reported by FlawFinder.
Line: 17
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct as10x_fw_pkt_t {
union {
unsigned char request[2];
unsigned char length[2];
} __packed u;
struct as10x_raw_fw_pkt raw;
} __packed;
Reported by FlawFinder.
Line: 18
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct as10x_fw_pkt_t {
union {
unsigned char request[2];
unsigned char length[2];
} __packed u;
struct as10x_raw_fw_pkt raw;
} __packed;
#ifdef __KERNEL__
Reported by FlawFinder.
drivers/media/mc/mc-devnode.c
4 issues
Line: 167
Column: 21
CWE codes:
362
filp->private_data = devnode;
if (devnode->fops->open) {
ret = devnode->fops->open(filp);
if (ret) {
put_device(&devnode->dev);
filp->private_data = NULL;
return ret;
Reported by FlawFinder.
Line: 168
Column: 24
CWE codes:
362
filp->private_data = devnode;
if (devnode->fops->open) {
ret = devnode->fops->open(filp);
if (ret) {
put_device(&devnode->dev);
filp->private_data = NULL;
return ret;
}
Reported by FlawFinder.
Line: 75
Column: 22
CWE codes:
120
20
{
struct media_devnode *devnode = media_devnode_data(filp);
if (!devnode->fops->read)
return -EINVAL;
if (!media_devnode_is_registered(devnode))
return -EIO;
return devnode->fops->read(filp, buf, sz, off);
}
Reported by FlawFinder.
Line: 79
Column: 24
CWE codes:
120
20
return -EINVAL;
if (!media_devnode_is_registered(devnode))
return -EIO;
return devnode->fops->read(filp, buf, sz, off);
}
static ssize_t media_write(struct file *filp, const char __user *buf,
size_t sz, loff_t *off)
{
Reported by FlawFinder.
drivers/md/md-multipath.c
4 issues
Line: 90
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* oops, IO error:
*/
char b[BDEVNAME_SIZE];
md_error (mp_bh->mddev, rdev);
pr_info("multipath: %s: rescheduling sector %llu\n",
bdevname(rdev->bdev,b),
(unsigned long long)bio->bi_iter.bi_sector);
multipath_reschedule_retry(mp_bh);
Reported by FlawFinder.
Line: 160
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void multipath_error (struct mddev *mddev, struct md_rdev *rdev)
{
struct mpconf *conf = mddev->private;
char b[BDEVNAME_SIZE];
if (conf->raid_disks - mddev->degraded <= 1) {
/*
* Uh oh, we can do nothing if this is our last path, but
* first check if this is a queued request for a device
Reported by FlawFinder.
Line: 203
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
conf->raid_disks);
for (i = 0; i < conf->raid_disks; i++) {
char b[BDEVNAME_SIZE];
tmp = conf->multipaths + i;
if (tmp->rdev)
pr_debug(" disk%d, o:%d, dev:%s\n",
i,!test_bit(Faulty, &tmp->rdev->flags),
bdevname(tmp->rdev->bdev,b));
Reported by FlawFinder.
Line: 302
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
md_check_recovery(mddev);
for (;;) {
char b[BDEVNAME_SIZE];
spin_lock_irqsave(&conf->device_lock, flags);
if (list_empty(head))
break;
mp_bh = list_entry(head->prev, struct multipath_bh, retry_list);
list_del(head->prev);
Reported by FlawFinder.
drivers/media/mc/mc-device.c
4 issues
Line: 865
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else
strscpy(mdev->model, pci_name(pci_dev), sizeof(mdev->model));
sprintf(mdev->bus_info, "PCI:%s", pci_name(pci_dev));
mdev->hw_revision = (pci_dev->subsystem_vendor << 16)
| pci_dev->subsystem_device;
media_device_init(mdev);
Reported by FlawFinder.
Line: 138
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
entd->type = MEDIA_ENT_T_DEVNODE_UNKNOWN;
}
memcpy(&entd->raw, &ent->info, sizeof(ent->info));
return 0;
}
static void media_device_kpad_to_upad(const struct media_pad *kpad,
Reported by FlawFinder.
Line: 445
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct media_device *dev = devnode->media_dev;
const struct media_ioctl_info *info;
void __user *arg = (void __user *)__arg;
char __karg[256], *karg = __karg;
long ret;
if (_IOC_NR(cmd) >= ARRAY_SIZE(ioctl_info)
|| ioctl_info[_IOC_NR(cmd)].cmd != cmd)
return -ENOIOCTLCMD;
Reported by FlawFinder.
Line: 565
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct media_devnode *devnode = to_media_devnode(cd);
struct media_device *mdev = devnode->media_dev;
return sprintf(buf, "%.*s\n", (int)sizeof(mdev->model), mdev->model);
}
static DEVICE_ATTR(model, S_IRUGO, show_model, NULL);
/* -----------------------------------------------------------------------------
Reported by FlawFinder.
drivers/media/i2c/ths7303.c
4 issues
Line: 234
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
#endif
static const char * const stc_lpf_sel_txt[4] = {
"500-kHz Filter",
"2.5-MHz Filter",
"5-MHz Filter",
"5-MHz Filter",
};
Reported by FlawFinder.
Line: 241
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"5-MHz Filter",
};
static const char * const in_mux_sel_txt[2] = {
"Input A Select",
"Input B Select",
};
static const char * const lpf_freq_sel_txt[4] = {
Reported by FlawFinder.
Line: 246
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"Input B Select",
};
static const char * const lpf_freq_sel_txt[4] = {
"9-MHz LPF",
"16-MHz LPF",
"35-MHz LPF",
"Bypass LPF",
};
Reported by FlawFinder.
Line: 253
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"Bypass LPF",
};
static const char * const in_bias_sel_dis_cont_txt[8] = {
"Disable Channel",
"Mute Function - No Output",
"DC Bias Select",
"DC Bias + 250 mV Offset Select",
"AC Bias Select",
Reported by FlawFinder.
drivers/mtd/sm_ftl.c
4 issues
Line: 913
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Put sector in one block cache */
static void sm_cache_put(struct sm_ftl *ftl, char *buffer, int boffset)
{
memcpy(ftl->cache_data + boffset, buffer, SM_SECTOR_SIZE);
clear_bit(boffset / SM_SECTOR_SIZE, &ftl->cache_data_invalid_bitmap);
ftl->cache_clean = 0;
}
/* Read a sector from the cache */
Reported by FlawFinder.
Line: 925
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&ftl->cache_data_invalid_bitmap))
return -1;
memcpy(buffer, ftl->cache_data + boffset, SM_SECTOR_SIZE);
return 0;
}
/* Write the cache to hardware */
static int sm_cache_flush(struct sm_ftl *ftl)
Reported by FlawFinder.
Line: 47
Column: 2
CWE codes:
120
struct sm_sysfs_attribute *sm_attr =
container_of(attr, struct sm_sysfs_attribute, dev_attr);
strncpy(buf, sm_attr->data, sm_attr->len);
return sm_attr->len;
}
#define NUM_ATTRIBUTES 1
Reported by FlawFinder.
Line: 75
Column: 26
CWE codes:
126
sysfs_attr_init(&vendor_attribute->dev_attr.attr);
vendor_attribute->data = vendor;
vendor_attribute->len = strlen(vendor);
vendor_attribute->dev_attr.attr.name = "vendor";
vendor_attribute->dev_attr.attr.mode = S_IRUGO;
vendor_attribute->dev_attr.show = sm_attr_show;
Reported by FlawFinder.
drivers/mtd/spi-nor/sfdp.c
4 issues
Line: 225
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
ret = spi_nor_read_sfdp(nor, addr, len, dma_safe_buf);
memcpy(buf, dma_safe_buf, len);
kfree(dma_safe_buf);
return ret;
}
Reported by FlawFinder.
Line: 232
Column: 66
CWE codes:
120
20
}
static void
spi_nor_set_read_settings_from_bfpt(struct spi_nor_read_command *read,
u16 half,
enum spi_nor_protocol proto)
{
read->num_mode_clocks = (half >> 5) & 0x07;
read->num_wait_states = (half >> 0) & 0x1f;
Reported by FlawFinder.
Line: 498
Column: 32
CWE codes:
120
20
/* Fast Read settings. */
for (i = 0; i < ARRAY_SIZE(sfdp_bfpt_reads); i++) {
const struct sfdp_bfpt_read *rd = &sfdp_bfpt_reads[i];
struct spi_nor_read_command *read;
if (!(bfpt.dwords[rd->supported_dword] & rd->supported_bit)) {
params->hwcaps.mask &= ~rd->hwcaps;
continue;
}
Reported by FlawFinder.
Line: 509
Column: 39
CWE codes:
120
20
cmd = spi_nor_hwcaps_read2cmd(rd->hwcaps);
read = ¶ms->reads[cmd];
half = bfpt.dwords[rd->settings_dword] >> rd->settings_shift;
spi_nor_set_read_settings_from_bfpt(read, half, rd->proto);
}
/*
* Sector Erase settings. Reinitialize the uniform erase map using the
* Erase Types defined in the bfpt table.
Reported by FlawFinder.
drivers/media/i2c/saa6588.c
4 issues
Line: 157
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dprintk("0x%02x ", s->buffer[i]);
}
memcpy(buf, &s->buffer[s->rd_index], 3);
s->rd_index += 3;
if (s->rd_index >= s->buf_size)
s->rd_index = 0;
s->block_count--;
Reported by FlawFinder.
Line: 173
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void read_from_buf(struct saa6588 *s, struct saa6588_command *a)
{
unsigned char __user *buf_ptr = a->buffer;
unsigned char buf[3];
unsigned long flags;
unsigned int rd_blocks;
unsigned int i;
a->result = 0;
Reported by FlawFinder.
Line: 252
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct i2c_client *client = v4l2_get_subdevdata(&s->sd);
unsigned long flags;
unsigned char tmpbuf[6];
unsigned char blocknum;
unsigned char tmp;
/* Although we only need 3 bytes, we have to read at least 6.
SAA6588 returns garbage otherwise. */
Reported by FlawFinder.
Line: 329
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void saa6588_configure(struct saa6588 *s)
{
struct i2c_client *client = v4l2_get_subdevdata(&s->sd);
unsigned char buf[3];
int rc;
buf[0] = cSyncRestart;
if (mmbs)
buf[0] |= cProcessingModeRBDS;
Reported by FlawFinder.
drivers/mtd/nand/ecc.c
4 issues
Line: 552
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the data that must be writen in the bounce buffers, if needed */
if (orig->type == NAND_PAGE_WRITE) {
if (ctx->bounce_data)
memcpy((void *)tweak->databuf.out + orig->dataoffs,
orig->databuf.out, orig->datalen);
if (ctx->bounce_oob)
memcpy((void *)tweak->oobbuf.out + orig->ooboffs,
orig->oobbuf.out, orig->ooblen);
Reported by FlawFinder.
Line: 556
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
orig->databuf.out, orig->datalen);
if (ctx->bounce_oob)
memcpy((void *)tweak->oobbuf.out + orig->ooboffs,
orig->oobbuf.out, orig->ooblen);
}
}
EXPORT_SYMBOL_GPL(nand_ecc_tweak_req);
Reported by FlawFinder.
Line: 573
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Restore the data read from the bounce buffers, if needed */
if (orig->type == NAND_PAGE_READ) {
if (ctx->bounce_data)
memcpy(orig->databuf.in,
tweak->databuf.in + orig->dataoffs,
orig->datalen);
if (ctx->bounce_oob)
memcpy(orig->oobbuf.in,
Reported by FlawFinder.
Line: 578
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
orig->datalen);
if (ctx->bounce_oob)
memcpy(orig->oobbuf.in,
tweak->oobbuf.in + orig->ooboffs,
orig->ooblen);
}
/* Ensure the original request is restored */
Reported by FlawFinder.
drivers/mtd/mtdcore.c
4 issues
Line: 1791
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int cnt;
cnt = min_t(int, nbytes, oobregion.length);
memcpy(buf, oobbuf + oobregion.offset, cnt);
buf += cnt;
nbytes -= cnt;
if (!nbytes)
break;
Reported by FlawFinder.
Line: 1834
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int cnt;
cnt = min_t(int, nbytes, oobregion.length);
memcpy(oobbuf + oobregion.offset, buf, cnt);
buf += cnt;
nbytes -= cnt;
if (!nbytes)
break;
Reported by FlawFinder.
Line: 1492
Column: 73
CWE codes:
120
20
return ret;
}
static int mtd_io_emulated_slc(struct mtd_info *mtd, loff_t start, bool read,
struct mtd_oob_ops *ops)
{
struct mtd_info *master = mtd_get_master(mtd);
int ngroups = mtd_pairing_groups(master);
int npairs = mtd_wunit_per_eb(master) / ngroups;
Reported by FlawFinder.
Line: 1531
Column: 7
CWE codes:
120
20
if (adjops.ooblen > oobavail - adjops.ooboffs)
adjops.ooblen = oobavail - adjops.ooboffs;
if (read) {
ret = mtd_read_oob_std(mtd, pos + pageofs, &adjops);
if (ret > 0)
max_bitflips = max(max_bitflips, ret);
} else {
ret = mtd_write_oob_std(mtd, pos + pageofs, &adjops);
Reported by FlawFinder.