The following issues were found
drivers/misc/tifm_core.c
2 issues
Line: 23
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *tifm_media_type_name(unsigned char type, unsigned char nt)
{
const char *card_type_name[3][3] = {
{ "SmartMedia/xD", "MemoryStick", "MMC/SD" },
{ "XD", "MS", "SD"},
{ "xd", "ms", "sd"}
};
Reported by FlawFinder.
Line: 142
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *buf)
{
struct tifm_dev *sock = container_of(dev, struct tifm_dev, dev);
return sprintf(buf, "%x", sock->type);
}
static DEVICE_ATTR_RO(type);
static struct attribute *tifm_dev_attrs[] = {
&dev_attr_type.attr,
Reported by FlawFinder.
drivers/media/radio/radio-shark2.c
2 issues
Line: 212
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
INIT_WORK(&shark->led_work, shark_led_work);
for (i = 0; i < NO_LEDS; i++) {
shark->leds[i] = shark_led_templates[i];
snprintf(shark->led_names[i], sizeof(shark->led_names[0]),
shark->leds[i].name, shark->v4l2_dev.name);
shark->leds[i].name = shark->led_names[i];
retval = led_classdev_register(dev, &shark->leds[i]);
if (retval) {
v4l2_err(&shark->v4l2_dev,
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef SHARK_USE_LEDS
struct work_struct led_work;
struct led_classdev leds[NO_LEDS];
char led_names[NO_LEDS][32];
atomic_t brightness[NO_LEDS];
unsigned long brightness_new;
#endif
u8 *transfer_buffer;
Reported by FlawFinder.
drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
2 issues
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
r->rspq.uld = uld_type;
}
memcpy(rxq_info->name, uld_info->name, IFNAMSIZ);
adap->sge.uld_rxq_info[uld_type] = rxq_info;
return 0;
}
Reported by FlawFinder.
Line: 812
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!uld_entry)
return;
memcpy(&uld_entry->uld_info, p, sizeof(struct cxgb4_uld_info));
mutex_lock(&uld_mutex);
list_for_each_entry(adap, &adapter_list, list_node)
cxgb4_uld_alloc_resources(adap, type, p);
uld_entry->uld_type = type;
Reported by FlawFinder.
drivers/media/radio/radio-shark.c
2 issues
Line: 246
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
INIT_WORK(&shark->led_work, shark_led_work);
for (i = 0; i < NO_LEDS; i++) {
shark->leds[i] = shark_led_templates[i];
snprintf(shark->led_names[i], sizeof(shark->led_names[0]),
shark->leds[i].name, shark->v4l2_dev.name);
shark->leds[i].name = shark->led_names[i];
retval = led_classdev_register(dev, &shark->leds[i]);
if (retval) {
v4l2_err(&shark->v4l2_dev,
Reported by FlawFinder.
Line: 69
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef SHARK_USE_LEDS
struct work_struct led_work;
struct led_classdev leds[NO_LEDS];
char led_names[NO_LEDS][32];
atomic_t brightness[NO_LEDS];
unsigned long brightness_new;
#endif
u8 *transfer_buffer;
Reported by FlawFinder.
drivers/media/usb/dvb-usb/dibusb-common.c
2 issues
Line: 161
CWE codes:
476
sndbuf[0] = wo ? DIBUSB_REQ_I2C_WRITE : DIBUSB_REQ_I2C_READ;
sndbuf[1] = (addr << 1) | (wo ? 0 : 1);
memcpy(&sndbuf[2], wbuf, wlen);
if (!wo) {
sndbuf[wlen + 2] = (rlen >> 8) & 0xff;
sndbuf[wlen + 3] = rlen & 0xff;
}
Reported by Cppcheck.
Line: 161
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sndbuf[0] = wo ? DIBUSB_REQ_I2C_WRITE : DIBUSB_REQ_I2C_READ;
sndbuf[1] = (addr << 1) | (wo ? 0 : 1);
memcpy(&sndbuf[2], wbuf, wlen);
if (!wo) {
sndbuf[wlen + 2] = (rlen >> 8) & 0xff;
sndbuf[wlen + 3] = rlen & 0xff;
}
Reported by FlawFinder.
drivers/media/usb/dvb-usb/digitv.c
2 issues
Line: 44
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
st->sndbuf[2] = wo ? wlen : rlen;
if (wo) {
memcpy(&st->sndbuf[3], wbuf, wlen);
ret = dvb_usb_generic_write(d, st->sndbuf, 7);
} else {
ret = dvb_usb_generic_rw(d, st->sndbuf, 7, st->rcvbuf, 7, 10);
memcpy(rbuf, &st->rcvbuf[3], rlen);
}
Reported by FlawFinder.
Line: 48
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = dvb_usb_generic_write(d, st->sndbuf, 7);
} else {
ret = dvb_usb_generic_rw(d, st->sndbuf, 7, st->rcvbuf, 7, 10);
memcpy(rbuf, &st->rcvbuf[3], rlen);
}
return ret;
}
/* I2C */
Reported by FlawFinder.
drivers/media/usb/dvb-usb/digitv.h
2 issues
Line: 11
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct digitv_state {
int is_nxt6000;
unsigned char sndbuf[7];
unsigned char rcvbuf[7];
};
/* protocol (from usblogging and the SDK:
*
Reported by FlawFinder.
Line: 12
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int is_nxt6000;
unsigned char sndbuf[7];
unsigned char rcvbuf[7];
};
/* protocol (from usblogging and the SDK:
*
* Always 7 bytes bulk message(s) for controlling
Reported by FlawFinder.
drivers/media/i2c/ad9389b.c
2 issues
Line: 680
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -E2BIG;
if (edid->blocks + edid->start_block >= state->edid.segments * 2)
edid->blocks = state->edid.segments * 2 - edid->start_block;
memcpy(edid->edid, &state->edid.data[edid->start_block * 128],
128 * edid->blocks);
return 0;
}
static const struct v4l2_subdev_pad_ops ad9389b_pad_ops = {
Reported by FlawFinder.
Line: 801
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (i == 128)
v4l2_dbg(lvl, debug, sd, "\n");
for (j = i; j < i + 16; j++) {
sprintf(bp, "0x%02x, ", buf[j]);
bp += 6;
}
bp[0] = '\0';
v4l2_dbg(lvl, debug, sd, "%s\n", b);
}
Reported by FlawFinder.
drivers/media/pci/saa7134/saa7134-alsa.c
2 issues
Line: 1173
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* End of "creation" */
strscpy(card->shortname, "SAA7134", sizeof(card->shortname));
sprintf(card->longname, "%s at 0x%lx irq %d",
chip->dev->name, chip->iobase, chip->irq);
pr_info("%s/alsa: %s registered as card %d\n",
dev->name, card->longname, index[devnum]);
Reported by FlawFinder.
Line: 35
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static int enable[SNDRV_CARDS] = {1, [1 ... (SNDRV_CARDS - 1)] = 1};
module_param_array(index, int, NULL, 0444);
module_param_array(enable, int, NULL, 0444);
MODULE_PARM_DESC(index, "Index value for SAA7134 capture interface(s).");
Reported by FlawFinder.
drivers/net/can/cc770/cc770.c
2 issues
Line: 76
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* and structure below allows to configure and assign them to the real
* message object.
*/
static unsigned char cc770_obj_flags[CC770_OBJ_MAX] = {
[CC770_OBJ_RX0] = CC770_OBJ_FLAG_RX,
[CC770_OBJ_RX1] = CC770_OBJ_FLAG_RX | CC770_OBJ_FLAG_EFF,
[CC770_OBJ_RX_RTR0] = CC770_OBJ_FLAG_RX | CC770_OBJ_FLAG_RTR,
[CC770_OBJ_RX_RTR1] = CC770_OBJ_FLAG_RX | CC770_OBJ_FLAG_RTR |
CC770_OBJ_FLAG_EFF,
Reported by FlawFinder.
Line: 822
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->can.ctrlmode_supported = CAN_CTRLMODE_3_SAMPLES;
priv->tx_skb = NULL;
memcpy(priv->obj_flags, cc770_obj_flags, sizeof(cc770_obj_flags));
if (sizeof_priv)
priv->priv = (void *)priv + sizeof(struct cc770_priv);
return dev;
Reported by FlawFinder.