The following issues were found
drivers/media/usb/au0828/au0828-video.c
3 issues
Line: 349
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (lencopy <= 0)
return;
memcpy(startwrite, startread, lencopy);
remain -= lencopy;
while (remain > 0) {
startwrite += lencopy + bytesperline;
Reported by FlawFinder.
Line: 372
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (lencopy <= 0)
break;
memcpy(startwrite, startread, lencopy);
remain -= lencopy;
}
if (offset > 1440) {
Reported by FlawFinder.
Line: 1948
Column: 28
CWE codes:
362
return -ENODEV;
}
init_waitqueue_head(&dev->open);
spin_lock_init(&dev->slock);
/* init video dma queues */
INIT_LIST_HEAD(&dev->vidq.active);
INIT_LIST_HEAD(&dev->vbiq.active);
Reported by FlawFinder.
drivers/media/usb/au0828/au0828.h
3 issues
Line: 241
Column: 20
CWE codes:
362
unsigned int ctrl_input;
long unsigned int dev_state; /* defined at enum au0828_dev_state */;
enum au0828_stream_state stream_state;
wait_queue_head_t open;
struct mutex lock;
/* Isoc control struct */
struct au0828_dmaqueue vidq;
Reported by FlawFinder.
Line: 257
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int num_alt; /* Number of alternative settings */
unsigned int *alt_max_pkt_size; /* array of wMaxPacketSize */
struct urb *urb[AU0828_MAX_ISO_BUFS]; /* urb for isoc transfers */
char *transfer_buffer[AU0828_MAX_ISO_BUFS];/* transfer buffers for isoc
transfer */
/* DVB USB / URB Related */
bool urb_streaming, need_urb_start;
struct urb *urbs[URB_COUNT];
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Preallocated transfer digital transfer buffers */
char *dig_transfer_buffer[URB_COUNT];
#ifdef CONFIG_MEDIA_CONTROLLER
struct media_device *media_dev;
struct media_pad video_pad, vbi_pad;
struct media_entity *decoder;
Reported by FlawFinder.
drivers/media/usb/dvb-usb-v2/az6007.c
3 issues
Line: 47
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dvb_ca_en50221 ca;
unsigned warm:1;
int (*gate_ctrl) (struct dvb_frontend *, int);
unsigned char data[4096];
};
static struct drxk_config terratec_h7_drxk = {
.adr = 0x29,
.parallel_ts = true,
Reported by FlawFinder.
Line: 515
Column: 80
CWE codes:
362
return ret;
}
static int az6007_ci_poll_slot_status(struct dvb_ca_en50221 *ca, int slot, int open)
{
struct dvb_usb_device *d = (struct dvb_usb_device *)ca->data;
struct az6007_device_state *state = d_to_priv(d);
int ret;
u8 req;
Reported by FlawFinder.
Line: 618
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret;
ret = az6007_read(d, AZ6007_READ_DATA, 6, 0, st->data, 6);
memcpy(mac, st->data, 6);
if (ret > 0)
pr_debug("%s: mac is %pM\n", __func__, mac);
return ret;
Reported by FlawFinder.
drivers/media/usb/dvb-usb-v2/rtl28xxu.c
3 issues
Line: 34
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (req->index & CMD_WR_FLAG) {
/* write */
memcpy(dev->buf, req->data, req->size);
requesttype = (USB_TYPE_VENDOR | USB_DIR_OUT);
pipe = usb_sndctrlpipe(d->udev, 0);
} else {
/* read */
requesttype = (USB_TYPE_VENDOR | USB_DIR_IN);
Reported by FlawFinder.
Line: 61
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* read request, copy returned data to return buf */
if (requesttype == (USB_TYPE_VENDOR | USB_DIR_IN))
memcpy(req->data, dev->buf, req->size);
mutex_unlock(&d->usb_mutex);
return 0;
err_mutex_unlock:
Reported by FlawFinder.
Line: 1340
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (adap->fe[1]) {
adap->fe[1]->tuner_priv =
adap->fe[0]->tuner_priv;
memcpy(&adap->fe[1]->ops.tuner_ops,
&adap->fe[0]->ops.tuner_ops,
sizeof(struct dvb_tuner_ops));
}
}
break;
Reported by FlawFinder.
drivers/media/usb/dvb-usb/dtt200u-fe.c
3 issues
Line: 19
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dtv_frontend_properties fep;
struct dvb_frontend frontend;
unsigned char data[80];
struct mutex data_mutex;
};
static int dtt200u_fe_read_status(struct dvb_frontend *fe,
enum fe_status *stat)
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct dtt200u_fe_state *state = fe->demodulator_priv;
memcpy(fep, &state->fep, sizeof(struct dtv_frontend_properties));
return 0;
}
static void dtt200u_fe_release(struct dvb_frontend* fe)
{
Reported by FlawFinder.
Line: 218
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->d = d;
mutex_init(&state->data_mutex);
memcpy(&state->frontend.ops,&dtt200u_fe_ops,sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
error:
return NULL;
Reported by FlawFinder.
drivers/media/usb/dvb-usb/dtv5100.c
3 issues
Line: 58
CWE codes:
476
}
index = (addr << 8) + wbuf[0];
memcpy(st->data, rbuf, rlen);
msleep(1); /* avoid I2C errors */
return usb_control_msg(d->udev, pipe, request,
type, value, index, st->data, rlen,
DTV5100_USB_TIMEOUT);
}
Reported by Cppcheck.
Line: 22
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);
struct dtv5100_state {
unsigned char data[80];
};
static int dtv5100_i2c_msg(struct dvb_usb_device *d, u8 addr,
u8 *wbuf, u16 wlen, u8 *rbuf, u16 rlen)
{
Reported by FlawFinder.
Line: 58
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
index = (addr << 8) + wbuf[0];
memcpy(st->data, rbuf, rlen);
msleep(1); /* avoid I2C errors */
return usb_control_msg(d->udev, pipe, request,
type, value, index, st->data, rlen,
DTV5100_USB_TIMEOUT);
}
Reported by FlawFinder.
drivers/media/usb/dvb-usb/dvb-usb-init.c
3 issues
Line: 36
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
adap->dev = d;
adap->id = n;
memcpy(&adap->props, &d->props.adapter[n], sizeof(struct dvb_usb_adapter_properties));
for (o = 0; o < adap->props.num_frontends; o++) {
struct dvb_usb_adapter_fe_properties *props = &adap->props.fe[o];
/* speed - when running at FULL speed we need a HW PID filter */
if (d->udev->speed == USB_SPEED_FULL && !(props->caps & DVB_USB_ADAP_HAS_PID_FILTER)) {
Reported by FlawFinder.
Line: 285
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(&d->props, props, sizeof(struct dvb_usb_device_properties));
desc = dvb_usb_find_device(udev, &d->props, &cold);
if (!desc) {
deb_err("something went very wrong, device was not found in current device list - let's see what comes next.\n");
ret = -ENODEV;
Reported by FlawFinder.
Line: 331
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct dvb_usb_device *d = usb_get_intfdata(intf);
const char *default_name = "generic DVB-USB module";
char name[40];
usb_set_intfdata(intf, NULL);
if (d != NULL && d->desc != NULL) {
strscpy(name, d->desc->name, sizeof(name));
dvb_usb_exit(d);
Reported by FlawFinder.
drivers/media/usb/dvb-usb/opera1.c
3 issues
Line: 64
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
if (flags == OPERA_WRITE_MSG)
memcpy(buf, data, len);
ret = usb_control_msg(dev, pipe, request,
request_type | USB_TYPE_VENDOR, value, 0x0,
buf, len, 2000);
if (request == OPERA_TUNER_REQ) {
Reported by FlawFinder.
Line: 80
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = tmp;
}
if (flags == OPERA_READ_MSG)
memcpy(data, buf, len);
out:
kfree(buf);
return ret;
}
Reported by FlawFinder.
Line: 462
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (p != NULL && testval != 0x67) {
u8 reset = 0, fpga_command = 0;
memcpy(p, fw->data, fw->size);
/* clear fpga ? */
opera1_xilinx_rw(dev, 0xbc, 0xaa, &fpga_command, 1,
OPERA_WRITE_MSG);
for (i = 0; i < fw->size;) {
if ( (fw->size - i) <fpgasize){
Reported by FlawFinder.
drivers/media/usb/dvb-usb/technisat-usb2.c
3 issues
Line: 117
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b[1] |= 1;
}
memcpy(&b[2], tx, txlen);
ret = usb_bulk_msg(udev,
usb_sndbulkpipe(udev, 0x01),
b, 2 + txlen,
NULL, 1000);
Reported by FlawFinder.
Line: 148
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
deb_i2c("status: %d, ", b[0]);
if (rx != NULL) {
memcpy(rx, &b[2], rxlen);
deb_i2c("rx (%d): ", rxlen);
debug_dump(rx, rxlen, deb_i2c);
}
Reported by FlawFinder.
Line: 460
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf, EEPROM_MAC_TOTAL, 4) != 0)
return -ENODEV;
memcpy(mac, buf, 6);
return 0;
}
static struct stv090x_config technisat_usb2_stv090x_config;
Reported by FlawFinder.
drivers/media/usb/dvb-usb/vp702x.c
3 issues
Line: 141
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = 0x00;
buf[1] = cmd;
memcpy(&buf[2], o, olen);
ret = vp702x_usb_inout_op(d, buf, olen+2, buf, ilen+1, msec);
if (ret == 0)
memcpy(i, &buf[1], ilen);
Reported by FlawFinder.
Line: 146
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = vp702x_usb_inout_op(d, buf, olen+2, buf, ilen+1, msec);
if (ret == 0)
memcpy(i, &buf[1], ilen);
mutex_unlock(&st->buf_mutex);
return ret;
}
Reported by FlawFinder.
Line: 301
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 6; i < 12; i++)
vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1, &buf[i - 6], 1);
memcpy(mac, buf, 6);
mutex_unlock(&st->buf_mutex);
return 0;
}
static int vp702x_frontend_attach(struct dvb_usb_adapter *adap)
Reported by FlawFinder.