The following issues were found
drivers/media/dvb-frontends/itd1000.c
2 issues
Line: 57
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
buf[0] = reg;
memcpy(&buf[1], v, len);
/* itd_dbg("wr %02x: %02x\n", reg, v[0]); */
if (i2c_transfer(state->i2c, &msg, 1) != 1) {
printk(KERN_WARNING "itd1000 I2C write failed\n");
Reported by FlawFinder.
Line: 386
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0x65; i < 0x9c; i++)
state->shadow[i] = itd1000_read_reg(state, i);
memcpy(&fe->ops.tuner_ops, &itd1000_tuner_ops, sizeof(struct dvb_tuner_ops));
fe->tuner_priv = state;
return fe;
}
Reported by FlawFinder.
drivers/media/pci/bt8xx/bttv-i2c.c
2 issues
Line: 287
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bttv_I2CWrite(struct bttv *btv, unsigned char addr, unsigned char b1,
unsigned char b2, int both)
{
unsigned char buffer[2];
int bytes = both ? 2 : 1;
if (0 != btv->i2c_rc)
return -1;
btv->i2c_client.addr = addr >> 1;
Reported by FlawFinder.
Line: 310
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
tveeprom_read(&btv->i2c_client, eedata, 256);
}
static char *i2c_devs[128] = {
[ 0x1c >> 1 ] = "lgdt330x",
[ 0x30 >> 1 ] = "IR (hauppauge)",
[ 0x80 >> 1 ] = "msp34xx",
[ 0x86 >> 1 ] = "tda9887",
[ 0xa0 >> 1 ] = "eeprom",
Reported by FlawFinder.
drivers/media/dvb-frontends/horus3a.c
2 issues
Line: 68
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
horus3a_i2c_debug(priv, reg, 1, data, len);
buf[0] = reg;
memcpy(&buf[1], data, len);
ret = i2c_transfer(priv->i2c, msg, 1);
if (ret >= 0 && ret != 1)
ret = -EREMOTEIO;
if (ret < 0) {
dev_warn(&priv->i2c->dev,
Reported by FlawFinder.
Line: 390
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fe->ops.i2c_gate_ctrl)
fe->ops.i2c_gate_ctrl(fe, 0);
memcpy(&fe->ops.tuner_ops, &horus3a_tuner_ops,
sizeof(struct dvb_tuner_ops));
fe->tuner_priv = priv;
dev_info(&priv->i2c->dev,
"Sony HORUS3A attached on addr=%x at I2C adapter %p\n",
priv->i2c_address, priv->i2c);
Reported by FlawFinder.
drivers/misc/isl29020.c
2 issues
Line: 34
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (val < 0)
return val;
return sprintf(buf, "%d000\n", 1 << (2 * (val & 3)));
}
static ssize_t als_lux_input_data_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 71
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (val < 0)
return val;
lux = ((((1 << (2 * (val & 3))))*1000) * ret_val) / 65536;
return sprintf(buf, "%ld\n", lux);
}
static ssize_t als_sensing_range_store(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.
drivers/md/dm-stripe.c
2 issues
Line: 438
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
blk_status_t *error)
{
unsigned i;
char major_minor[16];
struct stripe_c *sc = ti->private;
if (!*error)
return DM_ENDIO_DONE; /* I/O complete */
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return DM_ENDIO_DONE;
memset(major_minor, 0, sizeof(major_minor));
sprintf(major_minor, "%d:%d", MAJOR(bio_dev(bio)), MINOR(bio_dev(bio)));
/*
* Test to see which stripe drive triggered the event
* and increment error count for all stripes on that device.
* If the error count for a given device exceeds the threshold
Reported by FlawFinder.
drivers/media/dvb-frontends/ec100.c
2 issues
Line: 285
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* setup the state */
state->i2c = i2c;
memcpy(&state->config, config, sizeof(struct ec100_config));
/* check if the demod is there */
ret = ec100_read_reg(state, 0x33, &tmp);
if (ret || tmp != 0x0b)
goto error;
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
/* create dvb_frontend */
memcpy(&state->frontend.ops, &ec100_ops,
sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
error:
Reported by FlawFinder.
drivers/mfd/sprd-sc27xx-spi.c
2 issues
Line: 120
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
/* Copy address to read from into first element of SPI buffer. */
memcpy(rx_buf, reg, sizeof(u32));
ret = spi_read(spi, rx_buf, 1);
if (ret < 0)
return ret;
memcpy(val, rx_buf, val_size);
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret < 0)
return ret;
memcpy(val, rx_buf, val_size);
return 0;
}
static struct regmap_bus sprd_pmic_regmap = {
.write = sprd_pmic_spi_write,
Reported by FlawFinder.
drivers/mtd/nand/raw/sh_flctl.c
2 issues
Line: 963
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct sh_flctl *flctl = mtd_to_flctl(nand_to_mtd(chip));
memcpy(&flctl->done_buff[flctl->index], buf, len);
flctl->index += len;
}
static uint8_t flctl_read_byte(struct nand_chip *chip)
{
Reported by FlawFinder.
Line: 981
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct sh_flctl *flctl = mtd_to_flctl(nand_to_mtd(chip));
memcpy(buf, &flctl->done_buff[flctl->index], len);
flctl->index += len;
}
static int flctl_chip_attach_chip(struct nand_chip *chip)
{
Reported by FlawFinder.
drivers/media/dvb-frontends/ds3000.c
2 issues
Line: 279
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg.len = 33;
for (i = 0; i < len; i += 32) {
memcpy(buf + 1, data + i, 32);
dprintk("%s: write reg 0x%02x, len = %d\n", __func__, reg, len);
ret = i2c_transfer(state->i2c, &msg, 1);
if (ret != 1) {
Reported by FlawFinder.
Line: 850
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ds3000_readreg(state, 0x02),
ds3000_readreg(state, 0x01));
memcpy(&state->frontend.ops, &ds3000_ops,
sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
/*
* Some devices like T480 starts with voltage on. Be sure
Reported by FlawFinder.
drivers/mfd/ssbi.c
2 issues
Line: 71
Column: 8
CWE codes:
120
20
void __iomem *base;
spinlock_t lock;
enum ssbi_controller_type controller_type;
int (*read)(struct ssbi *, u16 addr, u8 *buf, int len);
int (*write)(struct ssbi *, u16 addr, const u8 *buf, int len);
};
static inline u32 ssbi_readl(struct ssbi *ssbi, u32 reg)
{
Reported by FlawFinder.
Line: 241
Column: 14
CWE codes:
120
20
int ret;
spin_lock_irqsave(&ssbi->lock, flags);
ret = ssbi->read(ssbi, addr, buf, len);
spin_unlock_irqrestore(&ssbi->lock, flags);
return ret;
}
EXPORT_SYMBOL_GPL(ssbi_read);
Reported by FlawFinder.