The following issues were found
drivers/mmc/host/sdhci-s3c.c
2 issues
Line: 512
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
goto err_pdata_io_clk;
} else {
memcpy(pdata, pdev->dev.platform_data, sizeof(*pdata));
}
drv_data = sdhci_s3c_get_driver_data(pdev);
sc->host = host;
Reported by FlawFinder.
Line: 535
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
clk_prepare_enable(sc->clk_io);
for (clks = 0, ptr = 0; ptr < MAX_BUS_CLK; ptr++) {
char name[14];
snprintf(name, 14, "mmc_busclk.%d", ptr);
sc->clk_bus[ptr] = devm_clk_get(dev, name);
if (IS_ERR(sc->clk_bus[ptr]))
continue;
Reported by FlawFinder.
drivers/media/pci/cx88/cx88.h
2 issues
Line: 338
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* board name */
int nr;
char name[32];
u32 model;
/* pci stuff */
int pci_bus;
int pci_slot;
Reported by FlawFinder.
Line: 373
Column: 48
CWE codes:
362
int (*prev_set_voltage)(struct dvb_frontend *fe,
enum fe_sec_voltage voltage);
#endif
void (*gate_ctrl)(struct cx88_core *core, int open);
/* state info */
struct task_struct *kthread;
v4l2_std_id tvnorm;
unsigned int width, height;
Reported by FlawFinder.
drivers/media/usb/pwc/pwc-uncompress.c
2 issues
Line: 41
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* cmd_buf is always 4 bytes, but sometimes, only the
* first 3 bytes is filled (Nala case). We can
* determine this using the type of the webcam */
memcpy(raw_frame->cmd, pdev->cmd_buf, 4);
memcpy(raw_frame+1, yuv, pdev->frame_size);
vb2_set_plane_payload(&fbuf->vb.vb2_buf, 0,
pdev->frame_size + sizeof(struct pwc_raw_frame));
return 0;
}
Reported by FlawFinder.
Line: 42
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* first 3 bytes is filled (Nala case). We can
* determine this using the type of the webcam */
memcpy(raw_frame->cmd, pdev->cmd_buf, 4);
memcpy(raw_frame+1, yuv, pdev->frame_size);
vb2_set_plane_payload(&fbuf->vb.vb2_buf, 0,
pdev->frame_size + sizeof(struct pwc_raw_frame));
return 0;
}
Reported by FlawFinder.
drivers/mmc/host/sdricoh_cs.c
2 issues
Line: 219
Column: 59
CWE codes:
120
20
return 0;
}
static int sdricoh_blockio(struct sdricoh_host *host, int read,
u8 *buf, int len)
{
int size;
u32 data = 0;
/* wait until the data is available */
Reported by FlawFinder.
Line: 225
Column: 6
CWE codes:
120
20
int size;
u32 data = 0;
/* wait until the data is available */
if (read) {
if (sdricoh_query_status(host, STATUS_READY_TO_READ))
return -ETIMEDOUT;
sdricoh_writel(host, R21C_STATUS, 0x18);
/* read data */
while (len) {
Reported by FlawFinder.
drivers/mmc/host/tifm_sd.c
2 issues
Line: 108
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int sg_pos;
unsigned int block_pos;
struct scatterlist bounce_buf;
unsigned char bounce_buf_data[TIFM_MMCSD_MAX_BLOCK_SIZE];
};
/* for some reason, host won't respond correctly to readw/writew */
static void tifm_sd_read_fifo(struct tifm_sd *host, struct page *pg,
unsigned int off, unsigned int cnt)
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char *src_buf = kmap_atomic(src) + src_off;
unsigned char *dst_buf = kmap_atomic(dst) + dst_off;
memcpy(dst_buf, src_buf, count);
kunmap_atomic(dst_buf - dst_off);
kunmap_atomic(src_buf - src_off);
}
Reported by FlawFinder.
drivers/mfd/dln2.c
2 issues
Line: 325
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr->echo = cpu_to_le16(echo);
hdr->handle = cpu_to_le16(handle);
memcpy(buf + sizeof(*hdr), obuf, *obuf_len);
*obuf_len = len;
return buf;
}
Reported by FlawFinder.
Line: 504
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (*ibuf_len > size - sizeof(*rsp))
*ibuf_len = size - sizeof(*rsp);
memcpy(ibuf, rsp + 1, *ibuf_len);
out_free_rx_slot:
free_rx_slot(dln2, handle, rx_slot);
out_decr:
spin_lock(&dln2->disconnect_lock);
Reported by FlawFinder.
drivers/media/common/tveeprom.c
2 issues
Line: 445
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int tuner1 = 0, t_format1 = 0, audioic = -1;
const char *t_name1 = NULL;
const char *t_fmt_name1[8] = { " none", "", "", "", "", "", "", "" };
int tuner2 = 0, t_format2 = 0;
const char *t_name2 = NULL;
const char *t_fmt_name2[8] = { " none", "", "", "", "", "", "", "" };
Reported by FlawFinder.
Line: 449
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int tuner2 = 0, t_format2 = 0;
const char *t_name2 = NULL;
const char *t_fmt_name2[8] = { " none", "", "", "", "", "", "", "" };
memset(tvee, 0, sizeof(*tvee));
tvee->tuner_type = TUNER_ABSENT;
tvee->tuner2_type = TUNER_ABSENT;
Reported by FlawFinder.
drivers/net/dsa/sja1105/sja1105_ethtool.c
2 issues
Line: 82
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sja1105_port_counter {
enum sja1105_stats_area area;
const char name[ETH_GSTRING_LEN];
int offset;
int start;
int end;
bool is_64bit;
};
Reported by FlawFinder.
Line: 622
Column: 8
CWE codes:
126
max_ctr = __MAX_SJA1105PQRS_PORT_COUNTER;
for (i = 0; i < max_ctr; i++) {
if (!strlen(sja1105_port_counters[i].name))
continue;
sset_count++;
}
Reported by FlawFinder.
drivers/media/pci/cx88/cx88-video.c
2 issues
Line: 811
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct cx88_core *core = dev->core;
strscpy(cap->driver, "cx8800", sizeof(cap->driver));
sprintf(cap->bus_info, "PCI:%s", pci_name(dev->pci));
return cx88_querycap(file, core, cap);
}
static int vidioc_enum_fmt_vid_cap(struct file *file, void *priv,
struct v4l2_fmtdesc *f)
Reported by FlawFinder.
Line: 1053
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* ----------------------------------------------------------- */
static const char *cx88_vid_irqs[32] = {
"y_risci1", "u_risci1", "v_risci1", "vbi_risc1",
"y_risci2", "u_risci2", "v_risci2", "vbi_risc2",
"y_oflow", "u_oflow", "v_oflow", "vbi_oflow",
"y_sync", "u_sync", "v_sync", "vbi_sync",
"opc_err", "par_err", "rip_err", "pci_abort",
Reported by FlawFinder.
drivers/mfd/intel-lpss.c
2 issues
Line: 293
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *devname,
struct clk **clk)
{
char name[32];
struct clk *tmp = *clk;
snprintf(name, sizeof(name), "%s-enable", devname);
tmp = clk_register_gate(NULL, name, __clk_get_name(tmp), 0,
lpss->priv, 0, 0, NULL);
Reported by FlawFinder.
Line: 324
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct mfd_cell *cell = lpss->cell;
struct clk *clk;
char devname[24];
int ret;
if (!lpss->info->clk_rate)
return 0;
Reported by FlawFinder.