The following issues were found
drivers/media/dvb-frontends/mxl5xx.c
2 issues
Line: 239
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[3] = GET_BYTE(reg, 1);
buf[4] = GET_BYTE(reg, 2);
buf[5] = GET_BYTE(reg, 3);
memcpy(&buf[6], reg_data_ptr, size);
stat = i2cwrite(state, buf,
MXL_HYDRA_I2C_HDR_SIZE +
MXL_HYDRA_REG_SIZE_IN_BYTES + size);
mutex_unlock(&state->base->i2c_lock);
if (stat)
Reported by FlawFinder.
Line: 872
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size = (orig_size + 4) & ~3;
w_buf_ptr = &w_msg_buffer[0];
memset((void *) w_buf_ptr, 0, size);
memcpy((void *) w_buf_ptr, (void *) data_ptr, orig_size);
convert_endian(1, size, w_buf_ptr);
status = write_firmware_block(state, mem_addr, size, w_buf_ptr);
if (status)
return status;
data_count += size;
Reported by FlawFinder.
drivers/misc/ibmasm/dot_command.c
2 issues
Line: 81
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
vpd_data = vpd_command + header->command_size;
vpd_data[0] = 0;
strcat(vpd_data, IBMASM_DRIVER_VPD);
vpd_data[10] = 0;
vpd_data[15] = 0;
ibmasm_exec_command(sp, command);
ibmasm_wait_for_response(command, IBMASM_CMD_TIMEOUT_NORMAL);
Reported by FlawFinder.
Line: 98
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct os_state_command {
struct dot_command_header header;
unsigned char command[3];
unsigned char data;
};
/*
* send the 4.3.6 dot command (os state) to the service processor
Reported by FlawFinder.
drivers/mfd/omap-usb-host.c
2 issues
Line: 490
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* get port modes */
for (i = 0; i < OMAP3_HS_USB_PORTS; i++) {
char prop[11];
const char *mode;
pdata->port_mode[i] = OMAP_USBHS_PORT_MODE_UNUSED;
snprintf(prop, sizeof(prop), "port%d-mode", i + 1);
Reported by FlawFinder.
Line: 704
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
for (i = 0; i < omap->nports; i++) {
char clkname[30];
/* clock names are indexed from 1*/
snprintf(clkname, sizeof(clkname),
"usb_host_hs_utmi_p%d_clk", i + 1);
Reported by FlawFinder.
drivers/media/pci/cx18/cx18-i2c.c
2 issues
Line: 232
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Setup adapter */
cx->i2c_adap[i] = cx18_i2c_adap_template;
cx->i2c_adap[i].algo_data = &cx->i2c_algo[i];
sprintf(cx->i2c_adap[i].name + strlen(cx->i2c_adap[i].name),
" #%d-%d", cx->instance, i);
i2c_set_adapdata(&cx->i2c_adap[i], &cx->v4l2_dev);
cx->i2c_adap[i].dev.parent = &cx->pci_dev->dev;
}
Reported by FlawFinder.
Line: 232
Column: 34
CWE codes:
126
/* Setup adapter */
cx->i2c_adap[i] = cx18_i2c_adap_template;
cx->i2c_adap[i].algo_data = &cx->i2c_algo[i];
sprintf(cx->i2c_adap[i].name + strlen(cx->i2c_adap[i].name),
" #%d-%d", cx->instance, i);
i2c_set_adapdata(&cx->i2c_adap[i], &cx->v4l2_dev);
cx->i2c_adap[i].dev.parent = &cx->pci_dev->dev;
}
Reported by FlawFinder.
drivers/media/pci/cx18/cx18-driver.h
2 issues
Line: 634
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 hw2_irq_mask;
struct workqueue_struct *in_work_queue;
char in_workq_name[11]; /* "cx18-NN-in" */
struct cx18_in_work_order in_work_order[CX18_MAX_IN_WORK_ORDERS];
char epu_debug_str[256]; /* CX18_EPU_DEBUG is rare: use shared space */
/* i2c */
struct i2c_adapter i2c_adap[2];
Reported by FlawFinder.
Line: 636
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct workqueue_struct *in_work_queue;
char in_workq_name[11]; /* "cx18-NN-in" */
struct cx18_in_work_order in_work_order[CX18_MAX_IN_WORK_ORDERS];
char epu_debug_str[256]; /* CX18_EPU_DEBUG is rare: use shared space */
/* i2c */
struct i2c_adapter i2c_adap[2];
struct i2c_algo_bit_data i2c_algo[2];
struct cx18_i2c_algo_callback_data i2c_algo_cb_data[2];
Reported by FlawFinder.
drivers/mtd/nand/raw/cafe_nand.c
2 issues
Line: 125
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct cafe_priv *cafe = nand_get_controller_data(chip);
if (cafe->usedma)
memcpy(cafe->dmabuf + cafe->datalen, buf, len);
else
memcpy_toio(cafe->mmio + CAFE_NAND_WRITE_DATA + cafe->datalen, buf, len);
cafe->datalen += len;
Reported by FlawFinder.
Line: 140
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct cafe_priv *cafe = nand_get_controller_data(chip);
if (cafe->usedma)
memcpy(buf, cafe->dmabuf + cafe->datalen, len);
else
memcpy_fromio(buf, cafe->mmio + CAFE_NAND_READ_DATA + cafe->datalen, len);
cafe_dev_dbg(&cafe->pdev->dev, "Copy 0x%x bytes from position 0x%x in read buffer.\n",
len, cafe->datalen);
Reported by FlawFinder.
drivers/misc/ibmasm/heartbeat.c
2 issues
Line: 63
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ibmasm_heartbeat_exit(struct service_processor *sp)
{
char tsbuf[32];
dbg("%s:%d at %s\n", __func__, __LINE__, get_timestamp(tsbuf));
ibmasm_wait_for_response(sp->heartbeat, IBMASM_CMD_TIMEOUT_NORMAL);
dbg("%s:%d at %s\n", __func__, __LINE__, get_timestamp(tsbuf));
suspend_heartbeats = 1;
Reported by FlawFinder.
Line: 76
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct command *cmd = sp->heartbeat;
struct dot_command_header *header = (struct dot_command_header *)cmd->buffer;
char tsbuf[32];
dbg("%s:%d at %s\n", __func__, __LINE__, get_timestamp(tsbuf));
if (suspend_heartbeats)
return;
Reported by FlawFinder.
drivers/mfd/pcf50633-core.c
2 issues
Line: 104
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
} else
dump[n1] = pcf50633_reg_read(pcf, n + n1);
buf1 += sprintf(buf1, "%*ph\n", (int)sizeof(dump), dump);
}
return buf1 - buf;
}
static DEVICE_ATTR_ADMIN_RO(dump_regs);
Reported by FlawFinder.
Line: 117
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct pcf50633 *pcf = dev_get_drvdata(dev);
int n;
n = sprintf(buf, "%02x%02x%02x%02x%02x\n",
pcf->resume_reason[0],
pcf->resume_reason[1],
pcf->resume_reason[2],
pcf->resume_reason[3],
pcf->resume_reason[4]);
Reported by FlawFinder.
drivers/net/ethernet/atheros/ag71xx.c
2 issues
Line: 240
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ag71xx_statistic {
unsigned short offset;
u32 mask;
const char name[ETH_GSTRING_LEN];
};
static const struct ag71xx_statistic ag71xx_statistics[] = {
{ 0x0080, GENMASK(17, 0), "Tx/Rx 64 Byte", },
{ 0x0084, GENMASK(17, 0), "Tx/Rx 65-127 Byte", },
Reported by FlawFinder.
Line: 506
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (sset) {
case ETH_SS_STATS:
for (i = 0; i < ARRAY_SIZE(ag71xx_statistics); i++)
memcpy(data + i * ETH_GSTRING_LEN,
ag71xx_statistics[i].name, ETH_GSTRING_LEN);
break;
case ETH_SS_TEST:
net_selftest_get_strings(data);
break;
Reported by FlawFinder.
drivers/media/pci/cobalt/cobalt-i2c.c
2 issues
Line: 355
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
adap->algo = &cobalt_algo;
adap->algo_data = &cobalt->i2c_data[i];
adap->retries = 3;
sprintf(adap->name + strlen(adap->name),
" #%d-%d", cobalt->instance, i);
i2c_set_adapdata(adap, &cobalt->v4l2_dev);
adap->dev.parent = &cobalt->pci_dev->dev;
err = i2c_add_adapter(adap);
if (err) {
Reported by FlawFinder.
Line: 355
Column: 24
CWE codes:
126
adap->algo = &cobalt_algo;
adap->algo_data = &cobalt->i2c_data[i];
adap->retries = 3;
sprintf(adap->name + strlen(adap->name),
" #%d-%d", cobalt->instance, i);
i2c_set_adapdata(adap, &cobalt->v4l2_dev);
adap->dev.parent = &cobalt->pci_dev->dev;
err = i2c_add_adapter(adap);
if (err) {
Reported by FlawFinder.