The following issues were found
drivers/md/dm-verity-fec.c
2 issues
Line: 408
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct dm_verity_fec_io *fio = fec_io(io);
memcpy(data, &fio->output[fio->output_pos], len);
fio->output_pos += len;
return 0;
}
Reported by FlawFinder.
Line: 471
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (dest)
memcpy(dest, fio->output, 1 << v->data_dev_block_bits);
else if (iter) {
fio->output_pos = 0;
r = verity_for_bv_block(v, io, iter, fec_bv_copy);
}
Reported by FlawFinder.
drivers/net/dsa/dsa_loop.c
2 issues
Line: 93
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int i;
for (i = 0; i < ds->num_ports; i++)
memcpy(ps->ports[i].mib, dsa_loop_mibs,
sizeof(dsa_loop_mibs));
dev_dbg(ds->dev, "%s\n", __func__);
return dsa_loop_setup_devlink_resources(ds);
Reported by FlawFinder.
Line: 124
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
for (i = 0; i < __DSA_LOOP_CNT_MAX; i++)
memcpy(data + i * ETH_GSTRING_LEN,
ps->ports[port].mib[i].name, ETH_GSTRING_LEN);
}
static void dsa_loop_get_ethtool_stats(struct dsa_switch *ds, int port,
uint64_t *data)
Reported by FlawFinder.
drivers/media/platform/sti/bdisp/bdisp-hw.c
2 issues
Line: 522
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < NB_H_FILTER; i++) {
bdisp_h_filter[i].min = bdisp_h_spec[i].min;
bdisp_h_filter[i].max = bdisp_h_spec[i].max;
memcpy(base, bdisp_h_spec[i].coef, BDISP_HF_NB);
bdisp_h_filter[i].virt = base;
bdisp_h_filter[i].paddr = paddr;
base += BDISP_HF_NB;
paddr += BDISP_HF_NB;
}
Reported by FlawFinder.
Line: 532
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < NB_V_FILTER; i++) {
bdisp_v_filter[i].min = bdisp_v_spec[i].min;
bdisp_v_filter[i].max = bdisp_v_spec[i].max;
memcpy(base, bdisp_v_spec[i].coef, BDISP_VF_NB);
bdisp_v_filter[i].virt = base;
bdisp_v_filter[i].paddr = paddr;
base += BDISP_VF_NB;
paddr += BDISP_VF_NB;
}
Reported by FlawFinder.
drivers/md/dm-uevent.c
2 issues
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum kobject_action action;
struct kobj_uevent_env ku_env;
struct list_head elist;
char name[DM_NAME_LEN];
char uuid[DM_UUID_LEN];
};
static void dm_uevent_free(struct dm_uevent *event)
{
Reported by FlawFinder.
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct kobj_uevent_env ku_env;
struct list_head elist;
char name[DM_NAME_LEN];
char uuid[DM_UUID_LEN];
};
static void dm_uevent_free(struct dm_uevent *event)
{
kmem_cache_free(_dm_event_cache, event);
Reported by FlawFinder.
drivers/mmc/host/rtsx_pci_sdmmc.c
2 issues
Line: 166
Column: 60
CWE codes:
120
20
}
if (pre || data->host_cookie != host->cookie) {
count = rtsx_pci_dma_map_sg(pcr, data->sg, data->sg_len, read);
} else {
count = host->cookie_sg_count;
using_cookie = 1;
}
Reported by FlawFinder.
Line: 208
Column: 53
CWE codes:
120
20
struct mmc_data *data = mrq->data;
int read = data->flags & MMC_DATA_READ;
rtsx_pci_dma_unmap_sg(pcr, data->sg, data->sg_len, read);
data->host_cookie = 0;
}
static void sd_send_cmd_get_rsp(struct realtek_pci_sdmmc *host,
struct mmc_command *cmd)
Reported by FlawFinder.
drivers/misc/eeprom/eeprom.c
2 issues
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[i] = data->data[off + i];
}
} else {
memcpy(buf, &data->data[off], count);
}
return count;
}
Reported by FlawFinder.
Line: 164
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
We use the "PCG-" or "VGN-" prefix as the signature. */
if (client->addr == 0x57
&& i2c_check_functionality(adapter, I2C_FUNC_SMBUS_READ_BYTE_DATA)) {
char name[4];
name[0] = i2c_smbus_read_byte_data(client, 0x80);
name[1] = i2c_smbus_read_byte_data(client, 0x81);
name[2] = i2c_smbus_read_byte_data(client, 0x82);
name[3] = i2c_smbus_read_byte_data(client, 0x83);
Reported by FlawFinder.
drivers/mmc/host/s3cmci.h
2 issues
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bus_width;
char dbgmsg_cmd[301];
char dbgmsg_dat[301];
char *status;
unsigned int ccnt, dcnt;
struct tasklet_struct pio_tasklet;
Reported by FlawFinder.
Line: 62
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bus_width;
char dbgmsg_cmd[301];
char dbgmsg_dat[301];
char *status;
unsigned int ccnt, dcnt;
struct tasklet_struct pio_tasklet;
Reported by FlawFinder.
drivers/media/usb/pwc/pwc-if.c
2 issues
Line: 367
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pdev->frame_total_size);
pdev->vsync = 0; /* Let's wait for an EOF */
} else {
memcpy(fbuf->data + fbuf->filled, iso_buf,
flen);
fbuf->filled += flen;
}
}
if (flen < pdev->vlast_packet_size) {
Reported by FlawFinder.
Line: 783
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int features = 0;
int compression = 0;
int my_power_save = power_save;
char serial_number[30], *name;
vendor_id = le16_to_cpu(udev->descriptor.idVendor);
product_id = le16_to_cpu(udev->descriptor.idProduct);
/* Check if we can handle this device */
Reported by FlawFinder.
drivers/media/usb/gspca/se401.c
2 issues
Line: 493
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count = 4 - sd->packet_read;
if (count > len - i)
count = len - i;
memcpy(&sd->packet[sd->packet_read], &data[i], count);
sd->packet_read += count;
i += count;
if (sd->packet_read < 4)
break;
}
Reported by FlawFinder.
Line: 518
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count = plen - sd->packet_read;
if (count > len - i)
count = len - i;
memcpy(&sd->packet[sd->packet_read], &data[i], count);
sd->packet_read += count;
i += count;
if (sd->packet_read < plen)
break;
Reported by FlawFinder.
drivers/media/dvb-frontends/tda10021.c
2 issues
Line: 493
.frequency_stepsize_hz = 62500,
.symbol_rate_min = (XIN / 2) / 64, /* SACLK/64 == (XIN/2)/64 */
.symbol_rate_max = (XIN / 2) / 4, /* SACLK/4 */
#if 0
.frequency_tolerance = ???,
.symbol_rate_tolerance = ???, /* ppm */ /* == 8% (spec p. 5) */
#endif
.caps = 0x400 | //FE_CAN_QAM_4
FE_CAN_QAM_16 | FE_CAN_QAM_32 | FE_CAN_QAM_64 |
Reported by Cppcheck.
Line: 475
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->config->demod_address, id);
/* create dvb_frontend */
memcpy(&state->frontend.ops, &tda10021_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
error:
kfree(state);
Reported by FlawFinder.