The following issues were found
drivers/input/joystick/iforce/iforce-packets.c
3 issues
Line: 66
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
c = CIRC_SPACE_TO_END(head, tail, XMIT_SIZE);
if (n < c) c=n;
memcpy(&iforce->xmit.buf[head],
data,
c);
if (n != c) {
memcpy(&iforce->xmit.buf[0],
data + c,
Reported by FlawFinder.
Line: 70
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data,
c);
if (n != c) {
memcpy(&iforce->xmit.buf[0],
data + c,
n - c);
}
XMIT_INC(head, n);
Reported by FlawFinder.
Line: 90
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Start or stop an effect */
int iforce_control_playback(struct iforce* iforce, u16 id, unsigned int value)
{
unsigned char data[3];
data[0] = LO(id);
data[1] = (value > 0) ? ((value > 1) ? 0x41 : 0x01) : 0;
data[2] = LO(value);
return iforce_send_packet(iforce, FF_CMD_PLAY, data);
Reported by FlawFinder.
drivers/gpu/drm/radeon/radeon_display.c
3 issues
Line: 713
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
radeon_legacy_init_crtc(dev, radeon_crtc);
}
static const char *encoder_names[38] = {
"NONE",
"INTERNAL_LVDS",
"INTERNAL_TMDS1",
"INTERNAL_TMDS2",
"INTERNAL_DAC1",
Reported by FlawFinder.
Line: 754
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"INTERNAL_UNIPHY3",
};
static const char *hpd_names[6] = {
"HPD1",
"HPD2",
"HPD3",
"HPD4",
"HPD5",
Reported by FlawFinder.
Line: 1710
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
radeon_crtc->rmx_type = RMX_OFF;
/* copy native mode */
memcpy(&radeon_crtc->native_mode,
&radeon_encoder->native_mode,
sizeof(struct drm_display_mode));
src_v = crtc->mode.vdisplay;
dst_v = radeon_crtc->native_mode.vdisplay;
src_h = crtc->mode.hdisplay;
Reported by FlawFinder.
drivers/input/joystick/iforce/iforce-usb.c
3 issues
Line: 50
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
c = CIRC_CNT_TO_END(iforce->xmit.head, iforce->xmit.tail, XMIT_SIZE);
if (n < c) c=n;
memcpy(iforce_usb->out->transfer_buffer + 1,
&iforce->xmit.buf[iforce->xmit.tail],
c);
if (n != c) {
memcpy(iforce_usb->out->transfer_buffer + 1 + c,
&iforce->xmit.buf[0],
Reported by FlawFinder.
Line: 54
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&iforce->xmit.buf[iforce->xmit.tail],
c);
if (n != c) {
memcpy(iforce_usb->out->transfer_buffer + 1 + c,
&iforce->xmit.buf[0],
n-c);
}
XMIT_INC(iforce->xmit.tail, n);
Reported by FlawFinder.
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (buf[0] != id) {
status = -EIO;
} else {
memcpy(response_data, buf, status);
*response_len = status;
status = 0;
}
kfree(buf);
Reported by FlawFinder.
drivers/input/joystick/magellan.c
3 issues
Line: 41
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct magellan {
struct input_dev *dev;
int idx;
unsigned char data[MAGELLAN_MAX_LENGTH];
char phys[32];
};
/*
* magellan_crunch_nibbles() verifies that the bytes sent from the Magellan
Reported by FlawFinder.
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *dev;
int idx;
unsigned char data[MAGELLAN_MAX_LENGTH];
char phys[32];
};
/*
* magellan_crunch_nibbles() verifies that the bytes sent from the Magellan
* have correct upper nibbles for the lower ones, if not, the packet will
Reported by FlawFinder.
Line: 54
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int magellan_crunch_nibbles(unsigned char *data, int count)
{
static unsigned char nibbles[16] = "0AB3D56GH9:K<MN?";
do {
if (data[count] == nibbles[data[count] & 0xf])
data[count] = data[count] & 0xf;
else
Reported by FlawFinder.
drivers/input/keyboard/amikbd.c
3 issues
Line: 33
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_LICENSE("GPL");
#ifdef CONFIG_HW_CONSOLE
static unsigned char amikbd_keycode[0x78] __initdata = {
[0] = KEY_GRAVE,
[1] = KEY_1,
[2] = KEY_2,
[3] = KEY_3,
[4] = KEY_4,
Reported by FlawFinder.
Line: 151
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!temp_map[j])
temp_map[j] = 0xf200;
}
memcpy(key_maps[i], temp_map, sizeof(temp_map));
}
}
#else /* !CONFIG_HW_CONSOLE */
static inline void amikbd_init_console_keymaps(void) {}
#endif /* !CONFIG_HW_CONSOLE */
Reported by FlawFinder.
Line: 158
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline void amikbd_init_console_keymaps(void) {}
#endif /* !CONFIG_HW_CONSOLE */
static const char *amikbd_messages[8] = {
[0] = KERN_ALERT "amikbd: Ctrl-Amiga-Amiga reset warning!!\n",
[1] = KERN_WARNING "amikbd: keyboard lost sync\n",
[2] = KERN_WARNING "amikbd: keyboard buffer overflow\n",
[3] = KERN_WARNING "amikbd: keyboard controller failure\n",
[4] = KERN_ERR "amikbd: keyboard selftest failure\n",
Reported by FlawFinder.
drivers/hwmon/hih6130.c
3 issues
Line: 87
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *client = hih6130->client;
int ret = 0;
int t;
unsigned char tmp[4];
struct i2c_msg msgs[1] = {
{
.addr = client->addr,
.flags = I2C_M_RD,
.len = 4,
Reported by FlawFinder.
Line: 171
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = hih6130_update_measurements(dev);
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", hih6130->temperature);
}
/**
* hih6130_show_humidity() - show humidity measurement value in sysfs
* @dev: device
Reported by FlawFinder.
Line: 192
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = hih6130_update_measurements(dev);
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", hih6130->humidity);
}
/* sysfs attributes */
static SENSOR_DEVICE_ATTR_RO(temp1_input, hih6130_temperature, 0);
static SENSOR_DEVICE_ATTR_RO(humidity1_input, hih6130_humidity, 0);
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c
3 issues
Line: 240
static const struct nvkm_oproxy_func
nv50_disp_chan_child_func_ = {
.dtor[0] = nv50_disp_chan_child_del_,
};
static int
nv50_disp_chan_child_new(const struct nvkm_oclass *oclass,
void *argv, u32 argc, struct nvkm_object **pobject)
Reported by Cppcheck.
Line: 51
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 prev = nvkm_rd32(device, list->data[i].addr + base + c);
u32 mthd = list->data[i].mthd + (list->mthd * inst);
const char *name = list->data[i].name;
char mods[16];
if (prev != next)
snprintf(mods, sizeof(mods), "-> %08x", next);
else
snprintf(mods, sizeof(mods), "%13c", ' ');
Reported by FlawFinder.
Line: 85
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (j = 0; j < mthd->data[i].nr; j++, base += list->addr) {
const char *cname = mthd->name;
const char *sname = "";
char cname_[16], sname_[16];
if (mthd->addr) {
snprintf(cname_, sizeof(cname_), "%s %d",
mthd->name, chan->chid.user);
cname = cname_;
Reported by FlawFinder.
drivers/input/keyboard/jornada680_kbd.c
3 issues
Line: 69
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *input;
unsigned short keymap[ARRAY_SIZE(jornada_scancodes)];
unsigned char length;
unsigned char old_scan[JORNADA_SCAN_SIZE];
unsigned char new_scan[JORNADA_SCAN_SIZE];
};
static void jornada_parse_kbd(struct jornadakbd *jornadakbd)
{
Reported by FlawFinder.
Line: 70
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short keymap[ARRAY_SIZE(jornada_scancodes)];
unsigned char length;
unsigned char old_scan[JORNADA_SCAN_SIZE];
unsigned char new_scan[JORNADA_SCAN_SIZE];
};
static void jornada_parse_kbd(struct jornadakbd *jornadakbd)
{
struct input_dev *input_dev = jornadakbd->input;
Reported by FlawFinder.
Line: 175
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
jornada_scan_keyb(jornadakbd->new_scan);
jornada_parse_kbd(jornadakbd);
memcpy(jornadakbd->old_scan, jornadakbd->new_scan, JORNADA_SCAN_SIZE);
}
static int jornada680kbd_probe(struct platform_device *pdev)
{
struct jornadakbd *jornadakbd;
Reported by FlawFinder.
drivers/gpu/drm/savage/savage_drv.h
3 issues
Line: 86
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t vbaddr;
} common;
struct {
unsigned char pad[sizeof(struct drm_savage_common_state)];
uint32_t texctrl, texaddr;
uint32_t scstart, new_scstart;
uint32_t scend, new_scend;
} s3d;
struct {
Reported by FlawFinder.
Line: 92
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t scend, new_scend;
} s3d;
struct {
unsigned char pad[sizeof(struct drm_savage_common_state)];
uint32_t texdescr, texaddr0, texaddr1;
uint32_t drawctrl0, new_drawctrl0;
uint32_t drawctrl1, new_drawctrl1;
} s4;
} drm_savage_state_t;
Reported by FlawFinder.
Line: 536
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#define DMA_WRITE( val ) *dma_ptr++ = (uint32_t)(val)
#define DMA_COPY(src, n) do { \
memcpy(dma_ptr, (src), (n)*4); \
dma_ptr += n; \
} while(0)
#if SAVAGE_DMA_DEBUG
#define DMA_COMMIT() do { \
Reported by FlawFinder.
drivers/input/keyboard/lkkbd.c
3 issues
Line: 267
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lkkbd {
unsigned short keycode[LK_NUM_KEYCODES];
int ignore_bytes;
unsigned char id[LK_NUM_IGNORE_BYTES];
struct input_dev *dev;
struct serio *serio;
struct work_struct tq;
char name[64];
char phys[32];
Reported by FlawFinder.
Line: 271
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *dev;
struct serio *serio;
struct work_struct tq;
char name[64];
char phys[32];
char type;
int bell_volume;
int keyclick_volume;
int ctrlclick_volume;
Reported by FlawFinder.
Line: 272
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct serio *serio;
struct work_struct tq;
char name[64];
char phys[32];
char type;
int bell_volume;
int keyclick_volume;
int ctrlclick_volume;
};
Reported by FlawFinder.