The following issues were found
drivers/net/ethernet/dec/tulip/tulip.h
2 issues
Line: 439
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int timeout_recovery:1;
unsigned int csr0; /* CSR0 setting. */
unsigned int csr6; /* Current CSR6 control settings. */
unsigned char eeprom[EEPROM_SIZE]; /* Serial EEPROM contents. */
void (*link_change) (struct net_device * dev, int csr5);
struct ethtool_wolinfo wolinfo; /* WOL settings */
u16 sym_advertise, mii_advertise; /* NWay capabilities advertised. */
u16 lpar; /* 21143 Link partner ability. */
u16 advertising[4];
Reported by FlawFinder.
Line: 445
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 sym_advertise, mii_advertise; /* NWay capabilities advertised. */
u16 lpar; /* 21143 Link partner ability. */
u16 advertising[4];
signed char phys[4], mii_cnt; /* MII device addresses. */
struct mediatable *mtable;
int cur_index; /* Current media index. */
int saved_if_port;
struct pci_dev *pdev;
int ttimer;
Reported by FlawFinder.
drivers/misc/lkdtm/usercopy.c
2 issues
Line: 38
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static noinline unsigned char *do_usercopy_stack_callee(int value)
{
unsigned char buf[32];
int i;
/* Exercise stack to avoid everything living in registers. */
for (i = 0; i < sizeof(buf); i++) {
buf[i] = value & 0xff;
Reported by FlawFinder.
Line: 52
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
{
unsigned long user_addr;
unsigned char good_stack[32];
unsigned char *bad_stack;
int i;
/* Exercise stack to avoid everything living in registers. */
for (i = 0; i < sizeof(good_stack); i++)
Reported by FlawFinder.
drivers/net/ethernet/brocade/bna/bna_tx_rx.c
2 issues
Line: 305
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->mh.num_entries = htons(
bfi_msgq_num_cmd_entries(sizeof(struct bfi_enet_rit_req)));
req->size = htons(rxf->rit_size);
memcpy(&req->table[0], rxf->rit, rxf->rit_size);
bfa_msgq_cmd_set(&rxf->msgq_cmd, NULL, NULL,
sizeof(struct bfi_enet_rit_req), &req->mh);
bfa_msgq_cmd_post(&rxf->rx->bna->msgq, &rxf->msgq_cmd);
}
Reported by FlawFinder.
Line: 912
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct bna_mac, qe);
list_del(&mac->qe);
del_mac = bna_cam_mod_mac_get(bna_mcam_mod_del_q(rxf->rx->bna));
memcpy(del_mac, mac, sizeof(*del_mac));
list_add_tail(&del_mac->qe, &rxf->mcast_pending_del_q);
mac->handle = NULL;
list_add_tail(&mac->qe, bna_mcam_mod_free_q(rxf->rx->bna));
need_hw_config = 1;
}
Reported by FlawFinder.
drivers/media/cec/platform/cros-ec/cros-ec-cec.c
2 issues
Line: 48
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int len = cros_ec->event_size;
cros_ec_cec->rx_msg.len = len;
memcpy(cros_ec_cec->rx_msg.msg, cec_message, len);
cec_received_msg(cros_ec_cec->adap, &cros_ec_cec->rx_msg);
}
static void handle_cec_event(struct cros_ec_cec *cros_ec_cec)
Reported by FlawFinder.
Line: 130
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg.msg.command = EC_CMD_CEC_WRITE_MSG;
msg.msg.outsize = cec_msg->len;
memcpy(msg.data.msg, cec_msg->msg, cec_msg->len);
ret = cros_ec_cmd_xfer_status(cros_ec, &msg.msg);
if (ret < 0) {
dev_err(cros_ec->dev,
"error writing CEC msg on EC: %d\n", ret);
Reported by FlawFinder.
drivers/media/tuners/m88rs6000t.c
2 issues
Line: 623
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err;
}
memcpy(&dev->cfg, cfg, sizeof(struct m88rs6000t_config));
dev->client = client;
dev->regmap = devm_regmap_init_i2c(client, ®map_config);
if (IS_ERR(dev->regmap)) {
ret = PTR_ERR(dev->regmap);
goto err;
Reported by FlawFinder.
Line: 690
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_info(&dev->client->dev, "Montage M88RS6000 internal tuner successfully identified\n");
fe->tuner_priv = dev;
memcpy(&fe->ops.tuner_ops, &m88rs6000t_tuner_ops,
sizeof(struct dvb_tuner_ops));
i2c_set_clientdata(client, dev);
return 0;
err:
dev_dbg(&client->dev, "failed=%d\n", ret);
Reported by FlawFinder.
drivers/media/i2c/tda7432.c
2 issues
Line: 223
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tda7432_write(struct v4l2_subdev *sd, int subaddr, int val)
{
struct i2c_client *client = v4l2_get_subdevdata(sd);
unsigned char buffer[2];
v4l2_dbg(2, debug, sd, "In tda7432_write\n");
v4l2_dbg(1, debug, sd, "Writing %d 0x%x\n", subaddr, val);
buffer[0] = subaddr;
buffer[1] = val;
Reported by FlawFinder.
Line: 240
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tda7432_set(struct v4l2_subdev *sd)
{
struct i2c_client *client = v4l2_get_subdevdata(sd);
unsigned char buf[16];
buf[0] = TDA7432_IN;
buf[1] = TDA7432_STEREO_IN | /* Main (stereo) input */
TDA7432_BASS_SYM | /* Symmetric bass cut */
TDA7432_BASS_NORM; /* Normal bass range */
Reported by FlawFinder.
drivers/mtd/spi-nor/controllers/hisi-sfc.c
2 issues
Line: 285
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_warn(nor->dev, "DMA read timeout\n");
return ret;
}
memcpy(read_buf + offset, host->buffer, trans);
}
return len;
}
Reported by FlawFinder.
Line: 302
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (offset = 0; offset < len; offset += HIFMC_DMA_MAX_LEN) {
size_t trans = min_t(size_t, HIFMC_DMA_MAX_LEN, len - offset);
memcpy(host->buffer, write_buf + offset, trans);
ret = hisi_spi_nor_dma_transfer(nor,
to + offset, host->dma_buffer, trans, FMC_OP_WRITE);
if (ret) {
dev_warn(nor->dev, "DMA write timeout\n");
return ret;
Reported by FlawFinder.
drivers/media/tuners/mt2060.c
2 issues
Line: 103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
val_len = min_t(int, rem, priv->i2c_max_regs);
msg.len = 1 + val_len;
xfer_buf[0] = buf[0] + len - 1 - rem;
memcpy(&xfer_buf[1], &buf[1 + len - 1 - rem], val_len);
if (i2c_transfer(priv->i2c, &msg, 1) != 1) {
printk(KERN_WARNING "mt2060 I2C write failed (len=%i)\n", val_len);
rc = -EREMOTEIO;
break;
Reported by FlawFinder.
Line: 432
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
}
printk(KERN_INFO "MT2060: successfully identified (IF1 = %d)\n", if1);
memcpy(&fe->ops.tuner_ops, &mt2060_tuner_ops, sizeof(struct dvb_tuner_ops));
fe->tuner_priv = priv;
mt2060_calibrate(priv);
Reported by FlawFinder.
drivers/memory/tegra/mc.h
2 issues
Line: 154
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern const struct tegra_mc_ops tegra186_mc_ops;
#endif
extern const char * const tegra_mc_status_names[32];
extern const char * const tegra_mc_error_names[8];
/*
* These IDs are for internal use of Tegra ICC drivers. The ID numbers are
* chosen such that they don't conflict with the device-tree ICC node IDs.
Reported by FlawFinder.
Line: 155
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
extern const char * const tegra_mc_status_names[32];
extern const char * const tegra_mc_error_names[8];
/*
* These IDs are for internal use of Tegra ICC drivers. The ID numbers are
* chosen such that they don't conflict with the device-tree ICC node IDs.
*/
Reported by FlawFinder.
drivers/media/tuners/fc0013.c
2 issues
Line: 216
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dtv_frontend_properties *p = &fe->dtv_property_cache;
u32 freq = p->frequency / 1000;
u32 delsys = p->delivery_system;
unsigned char reg[7], am, pm, multi, tmp;
unsigned long f_vco;
unsigned short xtal_freq_khz_2, xin, xdiv;
bool vco_select = false;
if (fe->callback) {
Reported by FlawFinder.
Line: 606
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fe->tuner_priv = priv;
memcpy(&fe->ops.tuner_ops, &fc0013_tuner_ops,
sizeof(struct dvb_tuner_ops));
return fe;
}
EXPORT_SYMBOL(fc0013_attach);
Reported by FlawFinder.