The following issues were found
drivers/media/usb/hackrf/hackrf.c
3 issues
Line: 214
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* write request */
if (!(requesttype & USB_DIR_IN))
memcpy(dev->buf, data, size);
ret = usb_control_msg(dev->udev, pipe, request, requesttype, value,
index, dev->buf, size, 1000);
hackrf_dbg_usb_control_msg(dev->dev, request, requesttype, value,
index, dev->buf, size);
Reported by FlawFinder.
Line: 228
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* read request */
if (requesttype & USB_DIR_IN)
memcpy(data, dev->buf, size);
return 0;
err:
return ret;
}
Reported by FlawFinder.
Line: 457
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void hackrf_copy_stream(struct hackrf_dev *dev, void *dst, void *src,
unsigned int src_len)
{
memcpy(dst, src, src_len);
/* calculate sample rate and output it in 10 seconds intervals */
if (unlikely(time_is_before_jiffies(dev->jiffies_next))) {
#define MSECS 10000UL
unsigned int msecs = jiffies_to_msecs(jiffies -
Reported by FlawFinder.
drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
3 issues
Line: 66
Column: 14
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdw->cmd_buffer[0] = FX2CMD_I2C_WRITE; /* write prefix */
hdw->cmd_buffer[1] = i2c_addr; /* i2c addr of chip */
hdw->cmd_buffer[2] = length; /* length of what follows */
if (length) memcpy(hdw->cmd_buffer + 3, data, length);
/* Do the operation */
ret = pvr2_send_request(hdw,
hdw->cmd_buffer,
length + 3,
Reported by FlawFinder.
Line: 127
Column: 12
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdw->cmd_buffer[2] = rlen; /* answer length. Device will send one
more byte (status). */
hdw->cmd_buffer[3] = i2c_addr; /* i2c addr of chip */
if (dlen) memcpy(hdw->cmd_buffer + 4, data, dlen);
/* Do the operation */
ret = pvr2_send_request(hdw,
hdw->cmd_buffer,
4 + dlen,
Reported by FlawFinder.
Line: 151
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Error, just blank out the return buffer */
memset(res, 0, rlen);
} else {
memcpy(res, hdw->cmd_buffer + 1, rlen);
}
}
LOCK_GIVE(hdw->ctl_lock);
Reported by FlawFinder.
drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
3 issues
Line: 398
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct pvr2_hdw *hdw = fh->channel.mc_head->hdw;
int val;
memcpy(vf, &pvr_format[PVR_FORMAT_PIX], sizeof(struct v4l2_format));
val = 0;
pvr2_ctrl_get_value(
pvr2_hdw_get_ctrl_by_id(hdw, PVR2_CID_HRES),
&val);
vf->fmt.pix.width = val;
Reported by FlawFinder.
Line: 443
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (h > lmax)
h = lmax;
memcpy(vf, &pvr_format[PVR_FORMAT_PIX],
sizeof(struct v4l2_format));
vf->fmt.pix.width = w;
vf->fmt.pix.height = h;
return 0;
}
Reported by FlawFinder.
Line: 832
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct pvr2_hdw *hdw = dip->v4lp->channel.mc_head->hdw;
enum pvr2_config cfg = dip->config;
char msg[80];
unsigned int mcnt;
/* Construct the unregistration message *before* we actually
perform the unregistration step. By doing it this way we don't
have to worry about potentially touching deleted resources. */
Reported by FlawFinder.
drivers/media/usb/siano/smsusb.c
3 issues
Line: 123
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* move buffer pointer and
* copy header to its new location */
memcpy((char *) phdr + surb->cb->offset,
phdr, sizeof(struct sms_msg_hdr));
} else
surb->cb->offset = 0;
pr_debug("received %s(%d) size: %d\n",
Reported by FlawFinder.
Line: 282
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fw_buffer = kmalloc(fw->size, GFP_KERNEL);
if (fw_buffer) {
memcpy(fw_buffer, fw->data, fw->size);
rc = usb_bulk_msg(udev, usb_sndbulkpipe(udev, 2),
fw_buffer, fw->size, &dummy, 1000);
pr_debug("sent %zu(%d) bytes, rc %d\n", fw->size, dummy, rc);
Reported by FlawFinder.
Line: 500
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct usb_device_id *id)
{
struct usb_device *udev = interface_to_usbdev(intf);
char devpath[32];
int i, rc;
pr_info("board id=%lu, interface number %d\n",
id->driver_info,
intf->cur_altsetting->desc.bInterfaceNumber);
Reported by FlawFinder.
drivers/media/usb/tm6000/tm6000-core.c
3 issues
Line: 41
CWE codes:
476
pipe = usb_rcvctrlpipe(dev->udev, 0);
else {
pipe = usb_sndctrlpipe(dev->udev, 0);
memcpy(data, buf, len);
}
if (tm6000_debug & V4L2_DEBUG_I2C) {
printk(KERN_DEBUG "(dev %p, pipe %08x): ", dev->udev, pipe);
Reported by Cppcheck.
Line: 41
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pipe = usb_rcvctrlpipe(dev->udev, 0);
else {
pipe = usb_sndctrlpipe(dev->udev, 0);
memcpy(data, buf, len);
}
if (tm6000_debug & V4L2_DEBUG_I2C) {
printk(KERN_DEBUG "(dev %p, pipe %08x): ", dev->udev, pipe);
Reported by FlawFinder.
Line: 64
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data, len, USB_TIMEOUT);
if (req_type & USB_DIR_IN)
memcpy(buf, data, len);
if (tm6000_debug & V4L2_DEBUG_I2C) {
if (ret < 0) {
if (req_type & USB_DIR_IN)
printk(KERN_DEBUG "<<< (len=%d)\n", len);
Reported by FlawFinder.
drivers/media/usb/usbtv/usbtv-audio.c
3 issues
Line: 138
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buffer_pos + chunk_length >= runtime->buffer_size) {
size_t cnt = (runtime->buffer_size - buffer_pos) *
frame_bytes;
memcpy(runtime->dma_area + buffer_pos * frame_bytes,
urb_current, cnt);
memcpy(runtime->dma_area, urb_current + cnt,
chunk_length * frame_bytes - cnt);
} else {
memcpy(runtime->dma_area + buffer_pos * frame_bytes,
Reported by FlawFinder.
Line: 140
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
frame_bytes;
memcpy(runtime->dma_area + buffer_pos * frame_bytes,
urb_current, cnt);
memcpy(runtime->dma_area, urb_current + cnt,
chunk_length * frame_bytes - cnt);
} else {
memcpy(runtime->dma_area + buffer_pos * frame_bytes,
urb_current, chunk_length * frame_bytes);
}
Reported by FlawFinder.
Line: 143
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(runtime->dma_area, urb_current + cnt,
chunk_length * frame_bytes - cnt);
} else {
memcpy(runtime->dma_area + buffer_pos * frame_bytes,
urb_current, chunk_length * frame_bytes);
}
buffer_pos += chunk_length;
period_pos += chunk_length;
Reported by FlawFinder.
drivers/media/v4l2-core/tuner-core.c
3 issues
Line: 304
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tuner *t = to_tuner(i2c_get_clientdata(c));
struct dvb_tuner_ops *fe_tuner_ops = &t->fe.ops.tuner_ops;
struct analog_demod_ops *analog_ops = &t->fe.ops.analog_ops;
unsigned char buffer[4];
int tune_now = 1;
if (type == UNSET || type == TUNER_ABSENT) {
dprintk("tuner 0x%02x: Tuner type absent\n", c->addr);
return;
Reported by FlawFinder.
Line: 461
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
t->name = fe_tuner_ops->info.name;
t->fe.analog_demod_priv = t;
memcpy(analog_ops, &tuner_analog_ops,
sizeof(struct analog_demod_ops));
if (fe_tuner_ops->get_rf_strength)
analog_ops->has_signal = fe_tuner_ops->get_rf_strength;
if (fe_tuner_ops->get_afc)
Reported by FlawFinder.
Line: 651
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
t->tv_freq = 400 * 16; /* Sets freq to VHF High - needed for some PLL's to properly start */
if (show_i2c) {
unsigned char buffer[16];
int rc;
memset(buffer, 0, sizeof(buffer));
rc = i2c_master_recv(client, buffer, sizeof(buffer));
if (rc >= 0)
Reported by FlawFinder.
drivers/media/v4l2-core/v4l2-h264.c
3 issues
Line: 225
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v4l2_h264_build_p_ref_list(const struct v4l2_h264_reflist_builder *builder,
u8 *reflist)
{
memcpy(reflist, builder->unordered_reflist,
sizeof(builder->unordered_reflist[0]) * builder->num_valid);
sort_r(reflist, builder->num_valid, sizeof(*reflist),
v4l2_h264_p_ref_list_cmp, NULL, builder);
}
EXPORT_SYMBOL_GPL(v4l2_h264_build_p_ref_list);
Reported by FlawFinder.
Line: 250
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v4l2_h264_build_b_ref_lists(const struct v4l2_h264_reflist_builder *builder,
u8 *b0_reflist, u8 *b1_reflist)
{
memcpy(b0_reflist, builder->unordered_reflist,
sizeof(builder->unordered_reflist[0]) * builder->num_valid);
sort_r(b0_reflist, builder->num_valid, sizeof(*b0_reflist),
v4l2_h264_b0_ref_list_cmp, NULL, builder);
memcpy(b1_reflist, builder->unordered_reflist,
Reported by FlawFinder.
Line: 255
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sort_r(b0_reflist, builder->num_valid, sizeof(*b0_reflist),
v4l2_h264_b0_ref_list_cmp, NULL, builder);
memcpy(b1_reflist, builder->unordered_reflist,
sizeof(builder->unordered_reflist[0]) * builder->num_valid);
sort_r(b1_reflist, builder->num_valid, sizeof(*b1_reflist),
v4l2_h264_b1_ref_list_cmp, NULL, builder);
if (builder->num_valid > 1 &&
Reported by FlawFinder.
drivers/media/v4l2-core/v4l2-ioctl.c
3 issues
Line: 3201
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ev32.timestamp.tv_nsec = ev->timestamp.tv_nsec;
ev32.id = ev->id;
memcpy(&ev32.u, &ev->u, sizeof(ev->u));
memcpy(&ev32.reserved, &ev->reserved, sizeof(ev->reserved));
if (copy_to_user(arg, &ev32, sizeof(ev32)))
return -EFAULT;
break;
Reported by FlawFinder.
Line: 3202
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ev32.id = ev->id;
memcpy(&ev32.u, &ev->u, sizeof(ev->u));
memcpy(&ev32.reserved, &ev->reserved, sizeof(ev->reserved));
if (copy_to_user(arg, &ev32, sizeof(ev32)))
return -EFAULT;
break;
}
Reported by FlawFinder.
Line: 3245
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
video_usercopy(struct file *file, unsigned int orig_cmd, unsigned long arg,
v4l2_kioctl func)
{
char sbuf[128];
void *mbuf = NULL, *array_buf = NULL;
void *parg = (void *)arg;
long err = -EINVAL;
bool has_array_args;
bool always_copy = false;
Reported by FlawFinder.
drivers/memory/tegra/mc.c
3 issues
Line: 527
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *direction, *secure;
phys_addr_t addr = 0;
unsigned int i;
char perm[7];
u8 id, type;
u32 value;
value = mc_readl(mc, MC_ERR_STATUS);
Reported by FlawFinder.
Line: 613
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
#endif
const char *const tegra_mc_status_names[32] = {
[ 1] = "External interrupt",
[ 6] = "EMEM address decode error",
[ 7] = "GART page fault",
[ 8] = "Security violation",
[ 9] = "EMEM arbitration error",
Reported by FlawFinder.
Line: 626
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[16] = "MTS carveout violation",
};
const char *const tegra_mc_error_names[8] = {
[2] = "EMEM decode error",
[3] = "TrustZone violation",
[4] = "Carveout violation",
[6] = "SMMU translation error",
};
Reported by FlawFinder.