The following issues were found
drivers/staging/media/av7110/av7110_ca.c
3 issues
Line: 260
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CA_CI_LINK : CA_CI) | CA_DESCR;
cap.descr_num = 16;
cap.descr_type = CA_ECD;
memcpy(parg, &cap, sizeof(cap));
break;
}
case CA_GET_SLOT_INFO:
{
Reported by FlawFinder.
Line: 275
Column: 3
CWE codes:
120
Suggestion:
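Make sure destination can always hold the source data. The copy length here is a fixed sizeof(struct ca_slot_info); what the excerpt does not show is a range check on info->num before it is used to index av7110->ci_slot, so confirm that one precedes these lines.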
av7110->ci_slot[info->num].num = info->num;
av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
CA_CI_LINK : CA_CI;
memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info));
break;
}
case CA_GET_MSG:
break;
Reported by FlawFinder.
Line: 291
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info.num = 16;
info.type = CA_ECD;
memcpy(parg, &info, sizeof (info));
break;
}
case CA_SET_DESCR:
{
Reported by FlawFinder.
drivers/staging/media/av7110/av7110_ipack.c
3 issues
Line: 128
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 headr[3] = { 0x00, 0x00, 0x01 };
if (p->count < 6) {
memcpy(p->buf, headr, 3);
p->count = 6;
}
if (p->count + count < p->size){
memcpy(p->buf+p->count, data, count);
Reported by FlawFinder.
Line: 133
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (p->count + count < p->size){
memcpy(p->buf+p->count, data, count);
p->count += count;
} else {
int rest = p->size - p->count;
memcpy(p->buf+p->count, data, rest);
p->count += rest;
Reported by FlawFinder.
Line: 137
Column: 3
CWE codes:
120
Suggestion:
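Make sure destination can always hold the source data. In the else branch the length is rest = p->size - p->count, held in an int; the copy is only safe if p->count can never exceed p->size, which the excerpt does not establish.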
p->count += count;
} else {
int rest = p->size - p->count;
memcpy(p->buf+p->count, data, rest);
p->count += rest;
send_ipack(p);
if (count - rest > 0)
write_ipack(p, data + rest, count - rest);
}
Reported by FlawFinder.
drivers/video/fbdev/mmp/fb/mmpfb.c
3 issues
Line: 508
Column: 2
CWE codes:
120
Suggestion:
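Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy_s is not available in kernel code; the bounded copy to use there is strscpy() with the size of info->fix.id as the limit. The excerpt does not show how long fbi->name can be.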
info->flags = FBINFO_DEFAULT | FBINFO_PARTIAL_PAN_OK |
FBINFO_HWACCEL_XPAN | FBINFO_HWACCEL_YPAN;
info->node = -1;
strcpy(info->fix.id, fbi->name);
info->fix.type = FB_TYPE_PACKED_PIXELS;
info->fix.type_aux = 0;
info->fix.xpanstep = 0;
info->fix.ypanstep = info->var.yres;
info->fix.ywrapstep = 0;
Reported by FlawFinder.
Line: 369
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&info->modelist);
fb_videomode_to_var(var, m);
}
memcpy(&fbi->mode, m, sizeof(struct fb_videomode));
/* fix to 2* yres */
var->yres_virtual = var->yres * 2;
info->fix.visual = (pix_fmt == PIXFMT_PSEUDOCOLOR) ?
FB_VISUAL_PSEUDOCOLOR : FB_VISUAL_TRUECOLOR;
Reported by FlawFinder.
Line: 491
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fb_videomode_to_modelist(videomodes, videomode_num, &info->modelist);
/* set videomode[0] as default mode */
memcpy(&fbi->mode, &videomodes[0], sizeof(struct fb_videomode));
fbi->output_fmt = mmp_modes[0].pix_fmt_out;
fb_videomode_to_var(&info->var, &fbi->mode);
mmp_path_set_mode(fbi->path, &mmp_modes[0]);
kfree(videomodes);
Reported by FlawFinder.
drivers/staging/greybus/light.c
3 issues
Line: 194
Column: 9
CWE codes:
120
Suggestion:
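Use sprintf_s, snprintf, or vsnprintf. sprintf_s is not available in kernel code; if this is a sysfs show callback, as the neighbouring _store handler suggests, sysfs_emit() is the bounded helper for it.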
struct led_classdev *cdev = dev_get_drvdata(dev); \
struct gb_channel *channel = get_channel_from_cdev(cdev); \
\
return sprintf(buf, "%u\n", channel->fade_##__dir); \
} \
\
static ssize_t fade_##__dir##_store(struct device *dev, \
struct device_attribute *attr, \
const char *buf, size_t size) \
Reported by FlawFinder.
Line: 241
Column: 9
CWE codes:
120
Suggestion:
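Use sprintf_s, snprintf, or vsnprintf. In kernel code sprintf_s does not exist; if buf is the page handed to a sysfs show callback (color_store follows directly below), sysfs_emit() is the bounded replacement.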
struct led_classdev *cdev = dev_get_drvdata(dev);
struct gb_channel *channel = get_channel_from_cdev(cdev);
return sprintf(buf, "0x%08x\n", channel->color);
}
static ssize_t color_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t size)
{
Reported by FlawFinder.
Line: 1023
Column: 7
CWE codes:
126
if (!conf.channel_count)
return -EINVAL;
if (!strlen(conf.name))
return -EINVAL;
light->channels_count = conf.channel_count;
light->name = kstrndup(conf.name, NAMES_MAX, GFP_KERNEL);
if (!light->name)
Reported by FlawFinder.
drivers/spi/spi-npcm-fiu.c
3 issues
Line: 389
CWE codes:
476
NPCM_FIU_UMA_CMD_CMD, cmd);
if (data_size) {
memcpy(data_reg, data, data_size);
for (i = 0; i < DIV_ROUND_UP(data_size, 4); i++)
regmap_write(fiu->regmap, NPCM_FIU_UMA_DW0 + (i * 4),
data_reg[i]);
}
Reported by Cppcheck.
Line: 363
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < DIV_ROUND_UP(data_size, 4); i++)
regmap_read(fiu->regmap, NPCM_FIU_UMA_DR0 + (i * 4),
&data_reg[i]);
memcpy(data, data_reg, data_size);
}
return 0;
}
Reported by FlawFinder.
Line: 389
Column: 3
CWE codes:
120
Suggestion:
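Make sure destination can always hold the source data. The destination here is data_reg, whose declared size the excerpt does not show; confirm that data_size is bounded by it before this copy.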
NPCM_FIU_UMA_CMD_CMD, cmd);
if (data_size) {
memcpy(data_reg, data, data_size);
for (i = 0; i < DIV_ROUND_UP(data_size, 4); i++)
regmap_write(fiu->regmap, NPCM_FIU_UMA_DW0 + (i * 4),
data_reg[i]);
}
Reported by FlawFinder.
drivers/staging/rtl8723bs/include/wlan_bssdef.h
3 issues
Line: 18
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NDIS_802_11_LENGTH_RATES 8
#define NDIS_802_11_LENGTH_RATES_EX 16
typedef unsigned char NDIS_802_11_MAC_ADDRESS[6];
typedef unsigned char NDIS_802_11_RATES[NDIS_802_11_LENGTH_RATES]; /* Set of 8 data rates */
typedef unsigned char NDIS_802_11_RATES_EX[NDIS_802_11_LENGTH_RATES_EX]; /* Set of 16 data rates */
struct ndis_802_11_ssid {
u32 SsidLength;
Reported by FlawFinder.
Line: 19
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NDIS_802_11_LENGTH_RATES_EX 16
typedef unsigned char NDIS_802_11_MAC_ADDRESS[6];
typedef unsigned char NDIS_802_11_RATES[NDIS_802_11_LENGTH_RATES]; /* Set of 8 data rates */
typedef unsigned char NDIS_802_11_RATES_EX[NDIS_802_11_LENGTH_RATES_EX]; /* Set of 16 data rates */
struct ndis_802_11_ssid {
u32 SsidLength;
u8 Ssid[32];
Reported by FlawFinder.
Line: 20
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef unsigned char NDIS_802_11_MAC_ADDRESS[6];
typedef unsigned char NDIS_802_11_RATES[NDIS_802_11_LENGTH_RATES]; /* Set of 8 data rates */
typedef unsigned char NDIS_802_11_RATES_EX[NDIS_802_11_LENGTH_RATES_EX]; /* Set of 16 data rates */
struct ndis_802_11_ssid {
u32 SsidLength;
u8 Ssid[32];
};
Reported by FlawFinder.
drivers/video/fbdev/mmp/hw/mmp_ctrl.c
3 issues
Line: 134
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct lcd_regs *regs = path_regs(overlay->path);
/* assert win supported */
memcpy(&overlay->win, win, sizeof(struct mmp_win));
mutex_lock(&overlay->access_ok);
if (overlay_is_vid(overlay)) {
writel_relaxed(win->pitch[0],
Reported by FlawFinder.
Line: 240
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct lcd_regs *regs = path_regs(overlay->path);
/* FIXME: assert addr supported */
memcpy(&overlay->addr, addr, sizeof(struct mmp_addr));
if (overlay_is_vid(overlay)) {
writel_relaxed(addr->phys[0], (void __iomem *)&regs->v_y0);
writel_relaxed(addr->phys[1], (void __iomem *)&regs->v_u0);
writel_relaxed(addr->phys[2], (void __iomem *)&regs->v_v0);
Reported by FlawFinder.
Line: 260
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dsi_rbswap = path_to_path_plat(path)->link_config;
/* FIXME: assert videomode supported */
memcpy(&path->mode, mode, sizeof(struct mmp_mode));
mutex_lock(&path->access_ok);
/* polarity of timing signals */
tmp = readl_relaxed(ctrl_regs(path) + intf_ctrl(path->id)) & 0x1;
Reported by FlawFinder.
drivers/usb/cdns3/cdnsp-debug.h
3 issues
Line: 417
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
s = "UNKNOWN speed";
}
ret = sprintf(str, "%s Ctx Entries %d",
s, (info & LAST_CTX_MASK) >> 27);
ret += sprintf(str + ret, " [Intr %ld] Addr %ld State %s",
GET_INTR_TARGET(int_target), state & DEV_ADDR_MASK,
cdnsp_slot_state_string(GET_SLOT_STATE(state)));
Reported by FlawFinder.
Line: 420
Column: 9
CWE codes:
120
Suggestion:
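Use sprintf_s, snprintf, or vsnprintf. Because this call appends at str + ret, a bounded replacement has to advance ret by the number of bytes actually written; snprintf returns the length that would have been written, so in kernel code scnprintf() with the space remaining in str is the fitting choice.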
ret = sprintf(str, "%s Ctx Entries %d",
s, (info & LAST_CTX_MASK) >> 27);
ret += sprintf(str + ret, " [Intr %ld] Addr %ld State %s",
GET_INTR_TARGET(int_target), state & DEV_ADDR_MASK,
cdnsp_slot_state_string(GET_SLOT_STATE(state)));
return str;
}
Reported by FlawFinder.
Line: 393
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline const char *cdnsp_decode_slot_context(u32 info, u32 info2,
u32 int_target, u32 state)
{
static char str[1024];
int ret = 0;
u32 speed;
char *s;
speed = info & DEV_SPEED;
Reported by FlawFinder.
drivers/usb/chipidea/debug.c
3 issues
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ci_hdrc *ci = s->private;
unsigned long flags;
unsigned mode;
char buf[32];
int ret;
count = min_t(size_t, sizeof(buf) - 1, count);
if (copy_from_user(buf, ubuf, count))
return -EFAULT;
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
119
120
Suggestion:
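Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The copy here is already capped at sizeof(buf) - 1; the excerpt shows neither an initializer for buf nor a NUL terminator written after copy_from_user, so check that the string functions applied to buf afterwards cannot read bytes the user never supplied.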
struct seq_file *s = file->private_data;
struct ci_hdrc *ci = s->private;
enum ci_role role;
char buf[8];
int ret;
if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
Reported by FlawFinder.
Line: 275
Column: 9
CWE codes:
126
for (role = CI_ROLE_HOST; role < CI_ROLE_END; role++)
if (ci->roles[role] &&
!strncmp(buf, ci->roles[role]->name,
strlen(ci->roles[role]->name)))
break;
if (role == CI_ROLE_END || role == ci->role)
return -EINVAL;
Reported by FlawFinder.
drivers/spi/spi-mt65xx.c
3 issues
Line: 435
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
remainder = xfer->len % 4;
if (remainder > 0) {
reg_val = 0;
memcpy(&reg_val, xfer->tx_buf + (cnt * 4), remainder);
writel(reg_val, mdata->base + SPI_TX_DATA_REG);
}
}
mtk_spi_enable_transfer(master);
Reported by FlawFinder.
Line: 590
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
remainder = mdata->xfer_len % 4;
if (remainder > 0) {
reg_val = readl(mdata->base + SPI_RX_DATA_REG);
memcpy(trans->rx_buf +
mdata->num_xfered +
(cnt * 4),
&reg_val,
remainder);
}
Reported by FlawFinder.
Line: 615
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
remainder = mdata->xfer_len % 4;
if (remainder > 0) {
reg_val = 0;
memcpy(&reg_val,
trans->tx_buf + (cnt * 4) + mdata->num_xfered,
remainder);
writel(reg_val, mdata->base + SPI_TX_DATA_REG);
}
Reported by FlawFinder.