The following issues were found
sound/soc/mediatek/common/mtk-btcvsd.c
4 issues
Line: 329
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (band == BT_SCO_NB)
memset(bt->tx->temp_packet_buf, 170, SCO_PACKET_180);
else
memcpy(bt->tx->temp_packet_buf,
table_msbc_silence, SCO_PACKET_180);
/* write mute data to bt tx sram buffer */
spin_lock_irqsave(&bt->tx_lock, flags);
num_valid_addr = bt->tx->buffer_info.num_valid_addr;
Reported by FlawFinder.
Line: 392
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < blk_size; i++) {
packet_buf_ofs = (bt->rx->packet_w & SCO_RX_PACKET_MASK) *
bt->rx->packet_size;
memcpy(bt->rx_packet_buf + packet_buf_ofs,
bt->rx->temp_packet_buf + (SCO_RX_PLC_SIZE * i),
SCO_RX_PLC_SIZE);
if ((control & btsco_packet_valid_mask[packet_type][i]) ==
btsco_packet_valid_mask[packet_type][i])
pv = 1;
Reported by FlawFinder.
Line: 402
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pv = 0;
packet_buf_ofs += SCO_RX_PLC_SIZE;
memcpy(bt->rx_packet_buf + packet_buf_ofs, (void *)&pv,
SCO_CVSD_PACKET_VALID_SIZE);
bt->rx->packet_w++;
}
spin_unlock_irqrestore(&bt->rx_lock, flags);
return 0;
Reported by FlawFinder.
Line: 435
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&bt->tx_lock, flags);
for (i = 0; i < blk_size; i++) {
memcpy(bt->tx->temp_packet_buf + (bt->tx->packet_size * i),
(bt->tx_packet_buf +
(bt->tx->packet_r % SCO_TX_PACKER_BUF_NUM) *
bt->tx->packet_size),
bt->tx->packet_size);
Reported by FlawFinder.
sound/pci/hda/hda_intel.c
4 issues
Line: 111
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX;
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR;
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP;
static char *model[SNDRV_CARDS];
static int position_fix[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS-1)] = -1};
static int bdl_pos_adj[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS-1)] = -1};
static int probe_mask[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS-1)] = -1};
Reported by FlawFinder.
Line: 113
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX;
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR;
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP;
static char *model[SNDRV_CARDS];
static int position_fix[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS-1)] = -1};
static int bdl_pos_adj[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS-1)] = -1};
static int probe_mask[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS-1)] = -1};
static int probe_only[SNDRV_CARDS];
static int jackpoll_ms[SNDRV_CARDS];
Reported by FlawFinder.
Line: 122
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int single_cmd = -1;
static int enable_msi = -1;
#ifdef CONFIG_SND_HDA_PATCH_LOADER
static char *patch[SNDRV_CARDS];
#endif
#ifdef CONFIG_SND_HDA_INPUT_BEEP
static bool beep_mode[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS-1)] =
CONFIG_SND_HDA_INPUT_BEEP_MODE};
#endif
Reported by FlawFinder.
Line: 2017
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (azx_acquire_irq(chip, 0) < 0)
return -EBUSY;
strcpy(card->driver, "HDA-Intel");
strscpy(card->shortname, driver_short_names[chip->driver_type],
sizeof(card->shortname));
snprintf(card->longname, sizeof(card->longname),
"%s at 0x%lx irq %i",
card->shortname, bus->addr, bus->irq);
Reported by FlawFinder.
sound/synth/emux/emux_synth.c
4 issues
Line: 619
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* calculate pitch parameter
*/
static const unsigned char pan_volumes[256] = {
0x00,0x03,0x06,0x09,0x0c,0x0f,0x12,0x14,0x17,0x1a,0x1d,0x20,0x22,0x25,0x28,0x2a,
0x2d,0x30,0x32,0x35,0x37,0x3a,0x3c,0x3f,0x41,0x44,0x46,0x49,0x4b,0x4d,0x50,0x52,
0x54,0x57,0x59,0x5b,0x5d,0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6f,0x71,0x73,0x75,
0x77,0x79,0x7b,0x7c,0x7e,0x80,0x82,0x84,0x86,0x88,0x89,0x8b,0x8d,0x8f,0x90,0x92,
0x94,0x96,0x97,0x99,0x9a,0x9c,0x9e,0x9f,0xa1,0xa2,0xa4,0xa5,0xa7,0xa8,0xaa,0xab,
Reported by FlawFinder.
Line: 687
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
/* tables for volume->attenuation calculation */
static const unsigned char voltab1[128] = {
0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
0x63, 0x2b, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22,
0x21, 0x20, 0x1f, 0x1e, 0x1e, 0x1d, 0x1c, 0x1b, 0x1b, 0x1a,
0x19, 0x19, 0x18, 0x17, 0x17, 0x16, 0x16, 0x15, 0x15, 0x14,
0x14, 0x13, 0x13, 0x13, 0x12, 0x12, 0x11, 0x11, 0x11, 0x10,
Reported by FlawFinder.
Line: 703
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
static const unsigned char voltab2[128] = {
0x32, 0x31, 0x30, 0x2f, 0x2e, 0x2d, 0x2c, 0x2b, 0x2a, 0x2a,
0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x24, 0x23, 0x22, 0x21,
0x21, 0x20, 0x1f, 0x1e, 0x1e, 0x1d, 0x1c, 0x1c, 0x1b, 0x1a,
0x1a, 0x19, 0x19, 0x18, 0x18, 0x17, 0x16, 0x16, 0x15, 0x15,
0x14, 0x14, 0x13, 0x13, 0x13, 0x12, 0x12, 0x11, 0x11, 0x10,
Reported by FlawFinder.
Line: 719
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00
};
static const unsigned char expressiontab[128] = {
0x7f, 0x6c, 0x62, 0x5a, 0x54, 0x50, 0x4b, 0x48, 0x45, 0x42,
0x40, 0x3d, 0x3b, 0x39, 0x38, 0x36, 0x34, 0x33, 0x31, 0x30,
0x2f, 0x2d, 0x2c, 0x2b, 0x2a, 0x29, 0x28, 0x27, 0x26, 0x25,
0x24, 0x24, 0x23, 0x22, 0x21, 0x21, 0x20, 0x1f, 0x1e, 0x1e,
0x1d, 0x1d, 0x1c, 0x1b, 0x1b, 0x1a, 0x1a, 0x19, 0x18, 0x18,
Reported by FlawFinder.
samples/bpf/xdpsock_ctrl_proc.c
4 issues
Line: 127
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
server.sun_family = AF_UNIX;
strcpy(server.sun_path, SOCKET_NAME);
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &flag, sizeof(int));
if (bind(sock, (struct sockaddr *)&server, sizeof(struct sockaddr_un))) {
fprintf(stderr, "Binding to socket stream failed: %s", strerror(errno));
Reported by FlawFinder.
Line: 44
Column: 7
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
opterr = 0;
for (;;) {
c = getopt_long(argc, argv, "i:",
long_options, &option_index);
if (c == -1)
break;
switch (c) {
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int send_xsks_map_fd(int sock, int fd)
{
char cmsgbuf[CMSG_SPACE(sizeof(int))];
struct msghdr msg;
struct iovec iov;
int value = 0;
if (fd == -1) {
Reported by FlawFinder.
Line: 157
Column: 11
CWE codes:
120
20
goto cleanup;
}
do {
rval = read(msgsock, &cmd, sizeof(int));
if (rval < 0) {
fprintf(stderr, "Error reading stream message");
} else {
if (cmd != CLOSE_CONN)
fprintf(stderr, "Recv unknown cmd = %d\n", cmd);
Reported by FlawFinder.
sound/pci/hda/hda_controller.c
4 issues
Line: 364
Column: 31
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
}
static int azx_get_sync_time(ktime_t *device,
struct system_counterval_t *system, void *ctx)
{
struct snd_pcm_substream *substream = ctx;
struct azx_dev *azx_dev = get_azx_dev(substream);
struct azx_pcm *apcm = snd_pcm_substream_chip(substream);
struct azx *chip = apcm->chip;
Reported by FlawFinder.
Line: 466
Column: 31
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
#else
static int azx_get_sync_time(ktime_t *device,
struct system_counterval_t *system, void *ctx)
{
return -ENXIO;
}
#endif
Reported by FlawFinder.
Line: 632
Column: 17
CWE codes:
362
snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_BYTES,
buff_step);
snd_hda_power_up(apcm->codec);
if (hinfo->ops.open)
err = hinfo->ops.open(hinfo, apcm->codec, substream);
else
err = -ENODEV;
if (err < 0) {
azx_release_device(azx_dev);
Reported by FlawFinder.
Line: 633
Column: 20
CWE codes:
362
buff_step);
snd_hda_power_up(apcm->codec);
if (hinfo->ops.open)
err = hinfo->ops.open(hinfo, apcm->codec, substream);
else
err = -ENODEV;
if (err < 0) {
azx_release_device(azx_dev);
goto powerdown;
Reported by FlawFinder.
net/tipc/monitor.c
4 issues
Line: 675
Column: 56
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
self->is_head = true;
INIT_LIST_HEAD(&self->list);
timer_setup(&mon->timer, mon_timeout, 0);
mon->timer_intv = msecs_to_jiffies(MON_TIMEOUT + (tn->random & 0xffff));
mod_timer(&mon->timer, jiffies + mon->timer_intv);
return 0;
}
void tipc_mon_delete(struct net *net, int bearer_id)
Reported by FlawFinder.
Line: 538
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dom_bef.member_cnt = 0;
dom = peer->domain;
if (dom)
memcpy(&dom_bef, dom, dom->len);
/* Transform and store received domain record */
if (!dom || (dom->len < new_dlen)) {
kfree(dom);
dom = kmalloc(new_dlen, GFP_ATOMIC);
Reported by FlawFinder.
Line: 592
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
read_lock_bh(&mon->lock);
len = mon_le16_to_cpu(mon->cache.len);
*dlen = len;
memcpy(data, &mon->cache, len);
read_unlock_bh(&mon->lock);
dom->ack_gen = mon_cpu_to_le16(state->peer_gen);
}
void tipc_mon_get_state(struct net *net, u32 addr,
Reported by FlawFinder.
Line: 828
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 bearer_id)
{
struct tipc_monitor *mon = tipc_monitor(net, bearer_id);
char bearer_name[TIPC_MAX_BEARER_NAME];
struct nlattr *attrs;
void *hdr;
int ret;
ret = tipc_bearer_get_name(net, bearer_name, bearer_id);
Reported by FlawFinder.
net/tipc/name_distr.c
4 issues
Line: 322
Column: 28
CWE codes:
362
}
static struct sk_buff *tipc_named_dequeue(struct sk_buff_head *namedq,
u16 *rcv_nxt, bool *open)
{
struct sk_buff *skb, *tmp;
struct tipc_msg *hdr;
u16 seqno;
Reported by FlawFinder.
Line: 348
Column: 8
CWE codes:
362
return skb;
}
if (*open && (*rcv_nxt == seqno)) {
(*rcv_nxt)++;
__skb_unlink(skb, namedq);
spin_unlock_bh(&namedq->lock);
return skb;
}
Reported by FlawFinder.
Line: 373
Column: 27
CWE codes:
362
* @open: last bulk msg was received (FIXME)
*/
void tipc_named_rcv(struct net *net, struct sk_buff_head *namedq,
u16 *rcv_nxt, bool *open)
{
struct tipc_net *tn = tipc_net(net);
struct distr_item *item;
struct tipc_msg *hdr;
struct sk_buff *skb;
Reported by FlawFinder.
Line: 382
Column: 52
CWE codes:
362
u32 count, node;
spin_lock_bh(&tn->nametbl_lock);
while ((skb = tipc_named_dequeue(namedq, rcv_nxt, open))) {
hdr = buf_msg(skb);
node = msg_orignode(hdr);
item = (struct distr_item *)msg_data(hdr);
count = msg_data_sz(hdr) / ITEM_SIZE;
while (count--) {
Reported by FlawFinder.
samples/bpf/sampleip_user.c
4 issues
Line: 148
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
char filename[256];
/* process arguments */
while ((opt = getopt(argc, argv, "F:h")) != -1) {
switch (opt) {
case 'F':
freq = atoi(optarg);
break;
case 'h':
Reported by FlawFinder.
Line: 145
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_object *obj = NULL;
struct bpf_program *prog;
struct bpf_link **links;
char filename[256];
/* process arguments */
while ((opt = getopt(argc, argv, "F:h")) != -1) {
switch (opt) {
case 'F':
Reported by FlawFinder.
Line: 151
Column: 11
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
while ((opt = getopt(argc, argv, "F:h")) != -1) {
switch (opt) {
case 'F':
freq = atoi(optarg);
break;
case 'h':
default:
usage();
return 0;
Reported by FlawFinder.
Line: 160
Column: 10
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
}
}
if (argc - optind == 1)
secs = atoi(argv[optind]);
if (freq == 0 || secs == 0) {
usage();
return 1;
}
Reported by FlawFinder.
sound/isa/sb/jazz16.c
4 issues
Line: 35
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_LICENSE("GPL");
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE; /* Enable this card */
static unsigned long port[SNDRV_CARDS] = SNDRV_DEFAULT_PORT;
static unsigned long mpu_port[SNDRV_CARDS] = SNDRV_DEFAULT_PORT;
static int irq[SNDRV_CARDS] = SNDRV_DEFAULT_IRQ;
static int mpu_irq[SNDRV_CARDS] = SNDRV_DEFAULT_IRQ;
Reported by FlawFinder.
Line: 291
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
jazz16->chip = chip;
strcpy(card->driver, "jazz16");
strcpy(card->shortname, "Media Vision Jazz16");
sprintf(card->longname,
"Media Vision Jazz16 at 0x%lx, irq %d, dma8 %d, dma16 %d",
port[dev], xirq, xdma8, xdma16);
Reported by FlawFinder.
Line: 292
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
jazz16->chip = chip;
strcpy(card->driver, "jazz16");
strcpy(card->shortname, "Media Vision Jazz16");
sprintf(card->longname,
"Media Vision Jazz16 at 0x%lx, irq %d, dma8 %d, dma16 %d",
port[dev], xirq, xdma8, xdma16);
err = snd_sb8dsp_pcm(chip, 0);
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strcpy(card->driver, "jazz16");
strcpy(card->shortname, "Media Vision Jazz16");
sprintf(card->longname,
"Media Vision Jazz16 at 0x%lx, irq %d, dma8 %d, dma16 %d",
port[dev], xirq, xdma8, xdma16);
err = snd_sb8dsp_pcm(chip, 0);
if (err < 0)
Reported by FlawFinder.
samples/bpf/offwaketime_user.c
4 issues
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define TASK_COMM_LEN 16
struct key_t {
char waker[TASK_COMM_LEN];
char target[TASK_COMM_LEN];
__u32 wret;
__u32 tret;
};
Reported by FlawFinder.
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct key_t {
char waker[TASK_COMM_LEN];
char target[TASK_COMM_LEN];
__u32 wret;
__u32 tret;
};
static void print_stack(struct key_t *key, __u64 count)
Reported by FlawFinder.
Line: 102
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_link *links[2];
struct bpf_program *prog;
int delay = 1, i = 0;
char filename[256];
if (load_kallsyms()) {
printf("failed to process /proc/kallsyms\n");
return 2;
}
Reported by FlawFinder.
Line: 144
Column: 11
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
}
if (argc > 1)
delay = atoi(argv[1]);
sleep(delay);
print_stacks(map_fd[0]);
cleanup:
for (i--; i >= 0; i--)
Reported by FlawFinder.