The following issues were found
drivers/media/pci/ivtv/ivtv-ioctl.c
4 issues
Line: 625
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EBUSY;
itv->vbi.in.type = V4L2_BUF_TYPE_SLICED_VBI_CAPTURE;
v4l2_subdev_call(itv->sd_video, vbi, s_sliced_fmt, vbifmt);
memcpy(itv->vbi.sliced_in, vbifmt, sizeof(*itv->vbi.sliced_in));
return 0;
}
static int ivtv_s_fmt_vid_out(struct file *file, void *fh, struct v4l2_format *fmt)
{
Reported by FlawFinder.
Line: 1521
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct v4l2_output vidout;
struct v4l2_audioout audout;
int mode = itv->output_mode;
static const char * const output_modes[5] = {
"None",
"MPEG Streaming",
"YUV Streaming",
"YUV Frames",
"Passthrough",
Reported by FlawFinder.
Line: 1528
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"YUV Frames",
"Passthrough",
};
static const char * const alpha_mode[4] = {
"None",
"Global",
"Local",
"Global and Local"
};
Reported by FlawFinder.
Line: 1534
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"Local",
"Global and Local"
};
static const char * const pixel_format[16] = {
"ARGB Indexed",
"RGB 5:6:5",
"ARGB 1:5:5:5",
"ARGB 1:4:4:4",
"ARGB 8:8:8:8",
Reported by FlawFinder.
drivers/mmc/core/sdio_cis.c
4 issues
Line: 63
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
for (i = 0; i < nr_strings; i++) {
buffer[i] = string;
strcpy(string, buf);
string += strlen(string) + 1;
buf += strlen(buf) + 1;
}
if (func) {
Reported by FlawFinder.
Line: 105
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static const unsigned char speed_val[16] =
{ 0, 10, 12, 13, 15, 20, 25, 30, 35, 40, 45, 50, 55, 60, 70, 80 };
static const unsigned int speed_unit[8] =
{ 10000, 100000, 1000000, 10000000, 0, 0, 0, 0 };
Reported by FlawFinder.
Line: 64
Column: 13
CWE codes:
126
for (i = 0; i < nr_strings; i++) {
buffer[i] = string;
strcpy(string, buf);
string += strlen(string) + 1;
buf += strlen(buf) + 1;
}
if (func) {
func->major_rev = major_rev;
Reported by FlawFinder.
Line: 65
Column: 10
CWE codes:
126
buffer[i] = string;
strcpy(string, buf);
string += strlen(string) + 1;
buf += strlen(buf) + 1;
}
if (func) {
func->major_rev = major_rev;
func->minor_rev = minor_rev;
Reported by FlawFinder.
drivers/net/can/usb/peak_usb/pcan_usb.c
4 issues
Line: 160
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->cmd_buf[PCAN_USB_CMD_NUM] = n;
if (p)
memcpy(dev->cmd_buf + PCAN_USB_CMD_ARGS,
p, PCAN_USB_CMD_ARGS_LEN);
err = usb_bulk_msg(dev->udev,
usb_sndbulkpipe(dev->udev, PCAN_USB_EP_CMDOUT),
dev->cmd_buf, PCAN_USB_CMD_LEN, &actual_length,
Reported by FlawFinder.
Line: 199
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netdev_err(dev->netdev,
"waiting rsp f=0x%x n=0x%x failure: %d\n", f, n, err);
else if (p)
memcpy(p, dev->cmd_buf + PCAN_USB_CMD_ARGS,
PCAN_USB_CMD_ARGS_LEN);
return err;
}
Reported by FlawFinder.
Line: 745
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((mc->ptr + rec_len) > mc->end)
goto decode_failed;
memcpy(cf->data, mc->ptr, cf->len);
mc->ptr += rec_len;
}
/* convert timestamp into kernel time */
hwts = skb_hwtstamps(skb);
Reported by FlawFinder.
Line: 853
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* can data */
if (!(cf->can_id & CAN_RTR_FLAG)) {
memcpy(pc, cf->data, cf->len);
pc += cf->len;
}
obuf[(*size)-1] = (u8)(stats->tx_packets & 0xff);
Reported by FlawFinder.
drivers/media/pci/meye/meye.c
4 issues
Line: 1015
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
strscpy(cap->driver, "meye", sizeof(cap->driver));
strscpy(cap->card, "meye", sizeof(cap->card));
sprintf(cap->bus_info, "PCI:%s", pci_name(meye.mchip_dev));
return 0;
}
static int vidioc_enum_input(struct file *file, void *fh, struct v4l2_input *i)
{
Reported by FlawFinder.
Line: 186
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int i;
for (i = 0; i < (size / PAGE_SIZE) * PAGE_SIZE; i += PAGE_SIZE) {
memcpy(buf + i, meye.mchip_ptable[start++], PAGE_SIZE);
if (start >= pt_pages)
start = 0;
}
memcpy(buf + i, meye.mchip_ptable[start], size % PAGE_SIZE);
}
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (start >= pt_pages)
start = 0;
}
memcpy(buf + i, meye.mchip_ptable[start], size % PAGE_SIZE);
}
/****************************************************************************/
/* JPEG tables at different qualities to load into the VRJ chip */
/****************************************************************************/
Reported by FlawFinder.
Line: 816
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mchip_free_frame();
goto again;
}
memcpy(meye.grab_fbuffer + gbufsize * reqnr, meye.grab_temp,
size);
meye.grab_buffer[reqnr].size = size;
meye.grab_buffer[reqnr].state = MEYE_BUF_DONE;
meye.grab_buffer[reqnr].ts = ktime_get_ns();
meye.grab_buffer[reqnr].sequence = sequence++;
Reported by FlawFinder.
drivers/mmc/core/bus.c
4 issues
Line: 37
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (card->type) {
case MMC_TYPE_MMC:
return sprintf(buf, "MMC\n");
case MMC_TYPE_SD:
return sprintf(buf, "SD\n");
case MMC_TYPE_SDIO:
return sprintf(buf, "SDIO\n");
case MMC_TYPE_SD_COMBO:
Reported by FlawFinder.
Line: 39
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case MMC_TYPE_MMC:
return sprintf(buf, "MMC\n");
case MMC_TYPE_SD:
return sprintf(buf, "SD\n");
case MMC_TYPE_SDIO:
return sprintf(buf, "SDIO\n");
case MMC_TYPE_SD_COMBO:
return sprintf(buf, "SDcombo\n");
default:
Reported by FlawFinder.
Line: 41
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case MMC_TYPE_SD:
return sprintf(buf, "SD\n");
case MMC_TYPE_SDIO:
return sprintf(buf, "SDIO\n");
case MMC_TYPE_SD_COMBO:
return sprintf(buf, "SDcombo\n");
default:
return -EFAULT;
}
Reported by FlawFinder.
Line: 43
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case MMC_TYPE_SDIO:
return sprintf(buf, "SDIO\n");
case MMC_TYPE_SD_COMBO:
return sprintf(buf, "SDcombo\n");
default:
return -EFAULT;
}
}
static DEVICE_ATTR_RO(type);
Reported by FlawFinder.
drivers/net/dsa/lantiq_gswip.c
4 issues
Line: 1382
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct gswip_priv *priv = ds->priv;
struct gswip_pce_table_entry mac_bridge = {0,};
unsigned char addr[6];
int i;
int err;
for (i = 0; i < 2048; i++) {
mac_bridge.table = GSWIP_TABLE_MAC_BRIDGE;
Reported by FlawFinder.
Line: 1903
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fw_addr) {
fw_addr = PTR_ALIGN(fw_addr, XRX200_GPHY_FW_ALIGN);
dev_addr = ALIGN(dma_addr, XRX200_GPHY_FW_ALIGN);
memcpy(fw_addr, fw->data, fw->size);
} else {
dev_err(dev, "failed to alloc firmware memory\n");
release_firmware(fw);
return -ENOMEM;
}
Reported by FlawFinder.
Line: 1928
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device *dev = priv->dev;
u32 gphy_mode;
int ret;
char gphyname[10];
snprintf(gphyname, sizeof(gphyname), "gphy%d", i);
gphy_fw->clk_gate = devm_clk_get(dev, gphyname);
if (IS_ERR(gphy_fw->clk_gate)) {
Reported by FlawFinder.
Line: 1740
Column: 3
CWE codes:
120
return;
for (i = 0; i < ARRAY_SIZE(gswip_rmon_cnt); i++)
strncpy(data + i * ETH_GSTRING_LEN, gswip_rmon_cnt[i].name,
ETH_GSTRING_LEN);
}
static u32 gswip_bcm_ram_entry_read(struct gswip_priv *priv, u32 table,
u32 index)
Reported by FlawFinder.
drivers/media/usb/msi2500/msi2500.c
4 issues
Line: 310
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case MSI2500_PIX_FMT_SDR_MSI2500_384: /* 384 x IQ samples */
/* Dump unknown 'garbage' data */
dev_dbg_ratelimited(dev->dev, "%*ph\n", 24, &src[1000]);
memcpy(dst, src, 984);
src += 984 + 24;
dst += 984;
dst_len += 984;
dev->next_sample = sample[i] + 384;
break;
Reported by FlawFinder.
Line: 317
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->next_sample = sample[i] + 384;
break;
case V4L2_SDR_FMT_CS8: /* 504 x IQ samples */
memcpy(dst, src, 1008);
src += 1008;
dst += 1008;
dst_len += 1008;
dev->next_sample = sample[i] + 504;
break;
Reported by FlawFinder.
Line: 324
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->next_sample = sample[i] + 504;
break;
case MSI2500_PIX_FMT_SDR_S12: /* 336 x IQ samples */
memcpy(dst, src, 1008);
src += 1008;
dst += 1008;
dst_len += 1008;
dev->next_sample = sample[i] + 336;
break;
Reported by FlawFinder.
Line: 331
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->next_sample = sample[i] + 336;
break;
case V4L2_SDR_FMT_CS14LE: /* 252 x IQ samples */
memcpy(dst, src, 1008);
src += 1008;
dst += 1008;
dst_len += 1008;
dev->next_sample = sample[i] + 252;
break;
Reported by FlawFinder.
drivers/media/pci/pt1/pt1.c
4 issues
Line: 199
Column: 6
CWE codes:
126
int i, len;
is_sat = !strncmp(cl->name, TC90522_I2C_DEV_SAT,
strlen(TC90522_I2C_DEV_SAT));
if (is_sat) {
struct i2c_msg msg[2];
u8 wbuf, rbuf;
wbuf = 0x07;
Reported by FlawFinder.
Line: 265
Column: 8
CWE codes:
126
for (i = 0; i < PT1_NR_ADAPS; i++) {
cl = pt1->adaps[i]->demod_i2c_client;
if (strncmp(cl->name, TC90522_I2C_DEV_TER,
strlen(TC90522_I2C_DEV_TER)))
continue;
ret = i2c_master_send(cl, buf, 2);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 277
Column: 8
CWE codes:
126
for (i = 0; i < PT1_NR_ADAPS; i++) {
cl = pt1->adaps[i]->demod_i2c_client;
if (strncmp(cl->name, TC90522_I2C_DEV_SAT,
strlen(TC90522_I2C_DEV_SAT)))
continue;
ret = i2c_master_send(cl, buf, 2);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 986
Column: 9
CWE codes:
126
pt1->adaps[i]->demod_i2c_client = cl;
if (!strncmp(cl->name, TC90522_I2C_DEV_SAT,
strlen(TC90522_I2C_DEV_SAT))) {
struct qm1d1b0004_config tcfg;
info = &pt1_configs[i].tuner_info;
tcfg = pt1_configs[i].tuner_cfg.qm1d1b0004;
tcfg.fe = dcfg.fe;
Reported by FlawFinder.
drivers/net/dsa/mv88e6xxx/serdes.c
4 issues
Line: 255
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
struct mv88e6352_serdes_hw_stat {
char string[ETH_GSTRING_LEN];
int sizeof_stat;
int reg;
};
static struct mv88e6352_serdes_hw_stat mv88e6352_serdes_hw_stats[] = {
Reported by FlawFinder.
Line: 284
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ARRAY_SIZE(mv88e6352_serdes_hw_stats); i++) {
stat = &mv88e6352_serdes_hw_stats[i];
memcpy(data + i * ETH_GSTRING_LEN, stat->string,
ETH_GSTRING_LEN);
}
return ARRAY_SIZE(mv88e6352_serdes_hw_stats);
}
Reported by FlawFinder.
Line: 713
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
struct mv88e6390_serdes_hw_stat {
char string[ETH_GSTRING_LEN];
int reg;
};
static struct mv88e6390_serdes_hw_stat mv88e6390_serdes_hw_stats[] = {
{ "serdes_rx_pkts", 0xf021 },
Reported by FlawFinder.
Line: 742
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ARRAY_SIZE(mv88e6390_serdes_hw_stats); i++) {
stat = &mv88e6390_serdes_hw_stats[i];
memcpy(data + i * ETH_GSTRING_LEN, stat->string,
ETH_GSTRING_LEN);
}
return ARRAY_SIZE(mv88e6390_serdes_hw_stats);
}
Reported by FlawFinder.
drivers/media/usb/hdpvr/hdpvr-i2c.c
4 issues
Line: 60
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
if (wlen) {
memcpy(dev->i2c_buf, wdata, wlen);
ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
REQTYPE_I2C_WRITE, CTRL_WRITE_REQUEST,
(bus << 8) | addr, 0, dev->i2c_buf,
wlen, 1000);
if (ret < 0)
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(bus << 8) | addr, 0, dev->i2c_buf, len, 1000);
if (ret == len) {
memcpy(data, dev->i2c_buf, len);
ret = 0;
} else if (ret >= 0)
ret = -EIO;
return ret;
Reported by FlawFinder.
Line: 90
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > sizeof(dev->i2c_buf))
return -EINVAL;
memcpy(dev->i2c_buf, data, len);
ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
REQTYPE_I2C_WRITE, CTRL_WRITE_REQUEST,
(bus << 8) | addr, 0, dev->i2c_buf, len, 1000);
if (ret < 0)
Reported by FlawFinder.
Line: 176
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int hdpvr_activate_ir(struct hdpvr_device *dev)
{
char buffer[2];
mutex_lock(&dev->i2c_mutex);
hdpvr_i2c_read(dev, 0, 0x54, NULL, 0, buffer, 1);
Reported by FlawFinder.