The following issues were found
drivers/media/usb/go7007/go7007-i2c.c
4 issues
Line: 200
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int go7007_i2c_init(struct go7007 *go)
{
memcpy(&go->i2c_adapter, &go7007_adap_templ,
sizeof(go7007_adap_templ));
go->i2c_adapter.dev.parent = go->dev;
i2c_set_adapdata(&go->i2c_adapter, go);
if (i2c_add_adapter(&go->i2c_adapter) < 0) {
dev_err(go->dev,
Reported by FlawFinder.
Line: 38
Column: 61
CWE codes:
120
20
* on the Adlink PCI-MPG24, so access is shared between all of them. */
static DEFINE_MUTEX(adlink_mpg24_i2c_lock);
static int go7007_i2c_xfer(struct go7007 *go, u16 addr, int read,
u16 command, int flags, u8 *data)
{
int i, ret = -EIO;
u16 val;
Reported by FlawFinder.
Line: 48
Column: 6
CWE codes:
120
20
return -ENODEV;
#ifdef GO7007_I2C_DEBUG
if (read)
dev_dbg(go->dev, "go7007-i2c: reading 0x%02x on 0x%02x\n",
command, addr);
else
dev_dbg(go->dev,
"go7007-i2c: writing 0x%02x to 0x%02x on 0x%02x\n",
Reported by FlawFinder.
Line: 83
Column: 7
CWE codes:
120
20
go7007_write_addr(go, I2C_LO_ADDR_REG_ADDR, command);
/* If we're writing, send the data and target address and we're done */
if (!read) {
go7007_write_addr(go, I2C_DATA_REG_ADDR, *data);
go7007_write_addr(go, I2C_DEV_UP_ADDR_REG_ADDR,
(addr << 9) | (command >> 8));
ret = 0;
goto i2c_done;
Reported by FlawFinder.
drivers/media/dvb-frontends/cx24117.c
4 issues
Line: 290
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__func__, state->demod, cmd->len);
buf[0] = CX24117_REG_COMMAND;
memcpy(&buf[1], cmd->args, cmd->len);
msg.addr = state->priv->demod_address;
msg.flags = 0;
msg.len = cmd->len+1;
msg.buf = buf;
Reported by FlawFinder.
Line: 545
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cx24117_state *state = fe->demodulator_priv;
struct cx24117_cmd cmd;
int i, ret;
unsigned char vers[4];
struct i2c_msg msg;
u8 *buf;
dev_dbg(&state->priv->i2c->dev,
Reported by FlawFinder.
Line: 612
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* fw upload reg */
buf[0] = 0xfa;
memcpy(&buf[1], fw->data, fw->size);
/* prepare i2c message to send */
msg.addr = state->priv->demod_address;
msg.flags = 0;
msg.len = fw->size + 1;
Reported by FlawFinder.
Line: 1200
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
KBUILD_MODNAME, state->demod);
/* create dvb_frontend */
memcpy(&state->frontend.ops, &cx24117_ops,
sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
error2:
Reported by FlawFinder.
drivers/md/dm-mpath.c
4 issues
Line: 1089
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
j = sprintf(p, "%d", hw_argc - 1);
for (i = 0, p+=j+1; i <= hw_argc - 2; i++, p+=j+1)
j = sprintf(p, "%s", as->argv[i]);
}
dm_consume_args(as, hw_argc - 1);
return 0;
fail:
Reported by FlawFinder.
Line: 903
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (m->hw_handler_name) {
r = scsi_dh_attach(q, m->hw_handler_name);
if (r == -EBUSY) {
char b[BDEVNAME_SIZE];
printk(KERN_INFO "dm-mpath: retaining handler on device %s\n",
bdevname(bdev, b));
goto retain;
}
Reported by FlawFinder.
Line: 1087
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = -ENOMEM;
goto fail;
}
j = sprintf(p, "%d", hw_argc - 1);
for (i = 0, p+=j+1; i <= hw_argc - 2; i++, p+=j+1)
j = sprintf(p, "%s", as->argv[i]);
}
dm_consume_args(as, hw_argc - 1);
Reported by FlawFinder.
Line: 1080
Column: 11
CWE codes:
126
int i, j, len = 4;
for (i = 0; i <= hw_argc - 2; i++)
len += strlen(as->argv[i]) + 1;
p = m->hw_handler_params = kzalloc(len, GFP_KERNEL);
if (!p) {
ti->error = "memory allocation failed";
ret = -ENOMEM;
goto fail;
Reported by FlawFinder.
drivers/mfd/tps65010.c
4 issues
Line: 150
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void show_chgstatus(const char *label, u8 chgstatus)
{
char buf [100];
dbg_chgstat(buf, sizeof buf, chgstatus);
pr_debug("%s: %s %s", DRIVER_NAME, label, buf);
}
Reported by FlawFinder.
Line: 158
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void show_regstatus(const char *label, u8 regstatus)
{
char buf [100];
dbg_regstat(buf, sizeof buf, regstatus);
pr_debug("%s: %s %s", DRIVER_NAME, label, buf);
}
Reported by FlawFinder.
Line: 166
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void show_chgconfig(int por, const char *label, u8 chgconfig)
{
char buf [100];
dbg_chgconf(por, buf, sizeof buf, chgconfig);
pr_debug("%s: %s %s", DRIVER_NAME, label, buf);
}
Reported by FlawFinder.
Line: 187
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tps65010 *tps = s->private;
u8 value, v2;
unsigned i;
char buf[100];
const char *chip;
switch (tps->model) {
case TPS65010: chip = "tps65010"; break;
case TPS65011: chip = "tps65011"; break;
Reported by FlawFinder.
drivers/media/rc/ite-cir.c
4 issues
Line: 559
Column: 9
CWE codes:
120
20
buf_size--;
}
return read;
}
/* return how many bytes are still in the FIFO; this will be called
* with the device spinlock NOT HELD while waiting for the TX FIFO to get
* empty; let's expect this won't be a problem */
Reported by FlawFinder.
Line: 762
Column: 9
CWE codes:
120
20
buf_size--;
}
return read;
}
/* return how many bytes are still in the FIFO; this will be called
* with the device spinlock NOT HELD while waiting for the TX FIFO to get
* empty; let's expect this won't be a problem */
Reported by FlawFinder.
Line: 1025
Column: 43
CWE codes:
120
20
fifo = it8709_rm(dev, IT8709_RFSR) & IT85_RXFBC;
while (fifo > 0 && buf_size > 0) {
*(buf++) = it8709_rm(dev, IT8709_FIFO + read);
fifo--;
read++;
buf_size--;
}
Reported by FlawFinder.
Line: 1036
Column: 9
CWE codes:
120
20
* limitation of the protocol */
it8709_wm(dev, 0, IT8709_RFSR);
return read;
}
/* return how many bytes are still in the FIFO; this will be called
* with the device spinlock NOT HELD while waiting for the TX FIFO to get
* empty; let's expect this won't be a problem */
Reported by FlawFinder.
drivers/net/ethernet/brocade/bna/bnad.c
4 issues
Line: 1423
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
spin_unlock_irqrestore(&bnad->bna_lock, flags);
sprintf(bnad->mbox_irq_name, "%s", BNAD_NAME);
/*
* Set the Mbox IRQ disable flag, so that the IRQ handler
* called from request_irq() for SHARED IRQs do not execute
*/
Reported by FlawFinder.
Line: 1538
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < num_txqs; i++) {
vector_num = tx_info->tcb[i]->intr_vector;
sprintf(tx_info->tcb[i]->name, "%s TXQ %d", bnad->netdev->name,
tx_id + tx_info->tcb[i]->id);
err = request_irq(bnad->msix_table[vector_num].vector,
(irq_handler_t)bnad_msix_tx, 0,
tx_info->tcb[i]->name,
tx_info->tcb[i]);
Reported by FlawFinder.
Line: 1589
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < num_rxps; i++) {
vector_num = rx_info->rx_ctrl[i].ccb->intr_vector;
sprintf(rx_info->rx_ctrl[i].ccb->name, "%s CQ %d",
bnad->netdev->name,
rx_id + rx_info->rx_ctrl[i].ccb->id);
err = request_irq(bnad->msix_table[vector_num].vector,
(irq_handler_t)bnad_msix_rx, 0,
rx_info->rx_ctrl[i].ccb->name,
Reported by FlawFinder.
Line: 3499
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bnad->tx_coalescing_timeo = BFI_TX_COALESCING_TIMEO;
bnad->rx_coalescing_timeo = BFI_RX_COALESCING_TIMEO;
sprintf(bnad->wq_name, "%s_wq_%d", BNAD_NAME, bnad->id);
bnad->work_q = create_singlethread_workqueue(bnad->wq_name);
if (!bnad->work_q) {
iounmap(bnad->bar0);
return -ENOMEM;
}
Reported by FlawFinder.
drivers/net/ethernet/brocade/bna/bnad.h
4 issues
Line: 347
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bnad_diag *diag;
char adapter_name[BNAD_NAME_LEN];
char port_name[BNAD_NAME_LEN];
char mbox_irq_name[BNAD_NAME_LEN];
char wq_name[BNAD_NAME_LEN];
/* debugfs specific data */
Reported by FlawFinder.
Line: 348
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bnad_diag *diag;
char adapter_name[BNAD_NAME_LEN];
char port_name[BNAD_NAME_LEN];
char mbox_irq_name[BNAD_NAME_LEN];
char wq_name[BNAD_NAME_LEN];
/* debugfs specific data */
char *regdata;
Reported by FlawFinder.
Line: 349
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char adapter_name[BNAD_NAME_LEN];
char port_name[BNAD_NAME_LEN];
char mbox_irq_name[BNAD_NAME_LEN];
char wq_name[BNAD_NAME_LEN];
/* debugfs specific data */
char *regdata;
u32 reglen;
Reported by FlawFinder.
Line: 350
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char adapter_name[BNAD_NAME_LEN];
char port_name[BNAD_NAME_LEN];
char mbox_irq_name[BNAD_NAME_LEN];
char wq_name[BNAD_NAME_LEN];
/* debugfs specific data */
char *regdata;
u32 reglen;
struct dentry *bnad_dentry_files[5];
Reported by FlawFinder.
drivers/mfd/ab8500-debugfs.c
4 issues
Line: 1256
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static irqreturn_t ab8500_debug_handler(int irq, void *data)
{
char buf[16];
struct kobject *kobj = (struct kobject *)data;
unsigned int irq_abb = irq - irq_first;
if (irq_abb < num_irqs)
irq_count[irq_abb]++;
Reported by FlawFinder.
Line: 1266
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* This makes it possible to use poll for events (EPOLLPRI | EPOLLERR)
* from userspace on sysfs file named <irq-nr>
*/
sprintf(buf, "%d", irq);
sysfs_notify(kobj, NULL, buf);
return IRQ_HANDLED;
}
Reported by FlawFinder.
Line: 1788
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char __user *user_buf, size_t count, loff_t *ppos)
{
struct device *dev = ((struct seq_file *)(file->private_data))->private;
char buf[128];
int buf_size, ret;
/* Get userspace string and assure termination */
buf_size = min((int)count, (int)(sizeof(buf)-1));
if (copy_from_user(buf, user_buf, buf_size))
Reported by FlawFinder.
Line: 1838
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (irq_index >= num_irqs)
return -EINVAL;
return sprintf(buf, "%u\n", irq_count[irq_index]);
}
static ssize_t ab8500_subscribe_write(struct file *file,
const char __user *user_buf,
size_t count, loff_t *ppos)
Reported by FlawFinder.
drivers/media/dvb-frontends/bcm3510.c
4 issues
Line: 88
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct i2c_msg msg = { .addr = state->config->demod_address, .flags = 0, .buf = b, .len = len + 1 };
b[0] = reg;
memcpy(&b[1],buf,len);
deb_i2c("i2c wr %02x: ",reg);
dbufout(buf,len,deb_i2c);
deb_i2c("\n");
Reported by FlawFinder.
Line: 222
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ob[0] = cmd;
ob[1] = msgid;
memcpy(&ob[2],obuf,olen);
deb_hab("hab snd: ");
dbufout(ob,olen+2,deb_hab);
deb_hab("\n");
Reported by FlawFinder.
Line: 239
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dbufout(ib,ilen+2,deb_hab);
deb_hab("\n");
memcpy(ibuf,&ib[2],ilen);
error:
mutex_unlock(&st->hab_mutex);
return ret;
}
Reported by FlawFinder.
Line: 813
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->i2c = i2c;
/* create dvb_frontend */
memcpy(&state->frontend.ops, &bcm3510_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
mutex_init(&state->hab_mutex);
if ((ret = bcm3510_readB(state,0xe0,&v)) < 0)
Reported by FlawFinder.
drivers/media/dvb-frontends/ascot2e.c
4 issues
Line: 308
Column: 18
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
}
dev_dbg(&priv->i2c->dev,
"%s(): ASCOT2E DTV system %d (delsys %d, bandwidth %d)\n",
__func__, (int)system, p->delivery_system, p->bandwidth_hz);
return system;
}
static int ascot2e_set_params(struct dvb_frontend *fe)
{
Reported by FlawFinder.
Line: 309
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
dev_dbg(&priv->i2c->dev,
"%s(): ASCOT2E DTV system %d (delsys %d, bandwidth %d)\n",
__func__, (int)system, p->delivery_system, p->bandwidth_hz);
return system;
}
static int ascot2e_set_params(struct dvb_frontend *fe)
{
u8 data[10];
Reported by FlawFinder.
Line: 134
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ascot2e_i2c_debug(priv, reg, 1, data, len);
buf[0] = reg;
memcpy(&buf[1], data, len);
ret = i2c_transfer(priv->i2c, msg, 1);
if (ret >= 0 && ret != 1)
ret = -EREMOTEIO;
if (ret < 0) {
dev_warn(&priv->i2c->dev,
Reported by FlawFinder.
Line: 528
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fe->ops.i2c_gate_ctrl)
fe->ops.i2c_gate_ctrl(fe, 0);
memcpy(&fe->ops.tuner_ops, &ascot2e_tuner_ops,
sizeof(struct dvb_tuner_ops));
fe->tuner_priv = priv;
dev_info(&priv->i2c->dev,
"Sony ASCOT2E attached on addr=%x at I2C adapter %p\n",
priv->i2c_address, priv->i2c);
Reported by FlawFinder.