The following issues were found
drivers/misc/vmw_vmci/vmci_datagram.c
2 issues
Line: 237
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy the datagram into dg_info->msg and hand it to a work item
 * (dg_delayed_dispatch) for deferred dispatch.
 * NOTE(review): the allocation of dg_info and the derivation of dg_size are
 * above this excerpt. The copy is in bounds only if dg_info was allocated
 * with at least dg_size bytes available at msg, and dg_size was computed
 * from an already validated datagram header -- confirm both.
 */
dg_info->in_dg_host_queue = true;
dg_info->entry = dst_entry;
memcpy(&dg_info->msg, dg, dg_size);
INIT_WORK(&dg_info->work, dg_delayed_dispatch);
schedule_work(&dg_info->work);
retval = VMCI_SUCCESS;
Reported by FlawFinder.
Line: 380
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dg_info->in_dg_host_queue = false;
dg_info->entry = dst_entry;
/*
 * The copy length is VMCI_DG_SIZE(dg), i.e. it is computed from the datagram
 * that is being copied.
 * NOTE(review): the allocation of dg_info is above this excerpt. The copy is
 * in bounds only if that allocation was sized from the same VMCI_DG_SIZE(dg)
 * value and the size fields of dg cannot change between the two uses --
 * confirm.
 */
memcpy(&dg_info->msg, dg, VMCI_DG_SIZE(dg));
INIT_WORK(&dg_info->work, dg_delayed_dispatch);
schedule_work(&dg_info->work);
} else {
/* No deferral on this branch: the receive callback is called directly. */
dst_entry->recv_cb(dst_entry->client_data, dg);
Reported by FlawFinder.
drivers/net/can/dev/netlink.c
2 issues
Line: 96
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
/*
 * Store the local bt in priv->bittiming. The length is sizeof(bt), the size
 * of the source object, so the source cannot be over-read.
 * NOTE(review): the declarations of bt and priv->bittiming are not in this
 * excerpt. The write is in bounds as long as the destination has the same
 * type as bt -- presumably so, confirm. A plain struct assignment would let
 * the compiler enforce that.
 */
memcpy(&priv->bittiming, &bt, sizeof(bt));
if (priv->do_set_bittiming) {
/* Finally, set the bit-timing registers */
err = priv->do_set_bittiming(dev);
if (err)
Reported by FlawFinder.
Line: 187
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
/*
 * Store the local dbt in priv->data_bittiming. The length is sizeof(dbt),
 * the size of the source object, so the source cannot be over-read.
 * NOTE(review): the declarations of dbt and priv->data_bittiming are not in
 * this excerpt. The write is in bounds as long as the destination has the
 * same type as dbt -- presumably so, confirm.
 */
memcpy(&priv->data_bittiming, &dbt, sizeof(dbt));
can_calc_tdco(dev);
if (priv->do_set_data_bittiming) {
/* Finally, set the bit-timing registers */
Reported by FlawFinder.
drivers/media/dvb-frontends/zl10353.c
2 issues
Line: 607
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* setup the state */
state->i2c = i2c;
/*
 * The length is sizeof(struct zl10353_config), fixed at compile time.
 * NOTE(review): in bounds provided state->config is a struct zl10353_config
 * and config points to a complete one (declarations not shown -- confirm).
 * Writing the length as sizeof(state->config) would tie it to the
 * destination.
 */
memcpy(&state->config, config, sizeof(struct zl10353_config));
/* check if the demod is there */
id = zl10353_read_register(state, CHIP_ID);
if ((id != ID_ZL10353) && (id != ID_CE6230) && (id != ID_CE6231))
goto error;
Reported by FlawFinder.
Line: 615
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
/* create dvb_frontend */
/*
 * The length is sizeof(struct dvb_frontend_ops), fixed at compile time.
 * NOTE(review): in bounds provided state->frontend.ops and zl10353_ops are
 * both struct dvb_frontend_ops (declarations not shown -- confirm).
 */
memcpy(&state->frontend.ops, &zl10353_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
error:
/* Error path: state is freed here. */
kfree(state);
Reported by FlawFinder.
drivers/media/platform/coda/coda.h
2 issues
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct coda_video_device;
/* NOTE(review): the struct definition continues past this excerpt. */
struct coda_devtype {
/*
 * Array of three char pointers. It holds pointers, not character data, so
 * nothing is copied into it as a string; the bound that matters is the
 * index, which must stay below 3.
 * NOTE(review): the code that indexes firmware[] is not in this excerpt --
 * confirm it iterates by the array size.
 */
char *firmware[3];
enum coda_product product;
/* codecs/num_codecs and vdevs/num_vdevs pair a pointer with a count. */
const struct coda_codec *codecs;
unsigned int num_codecs;
const struct coda_video_device **vdevs;
unsigned int num_vdevs;
Reported by FlawFinder.
Line: 259
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int gopcounter;
int runcounter;
int jpeg_ecs_offset;
/*
 * Three header slots of 64 bytes each, with one int per slot in
 * vpu_header_size.
 * NOTE(review): presumably vpu_header_size[i] records the bytes used in
 * vpu_header[i]. The writers are not in this excerpt -- confirm each one
 * limits its write to sizeof(vpu_header[i]) and that a recorded size can
 * never exceed 64 before it is used as a copy length.
 */
char vpu_header[3][64];
int vpu_header_size[3];
struct kfifo bitstream_fifo;
struct mutex bitstream_mutex;
struct coda_aux_buf bitstream;
bool hold;
Reported by FlawFinder.
drivers/media/dvb-frontends/zl10039.c
2 issues
Line: 108
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dprintk("%s\n", __func__);
/* Write register address and data in one go */
buf[0] = reg;
/*
 * This writes count bytes starting at buf[1], so buf must hold at least
 * count + 1 bytes.
 * NOTE(review): the declaration of buf and any check on count are above this
 * excerpt -- confirm count is rejected when count + 1 exceeds sizeof(buf).
 */
memcpy(&buf[1], src, count);
if (i2c_transfer(state->i2c, &msg, 1) != 1) {
dprintk("%s: i2c write error\n", __func__);
return -EREMOTEIO;
}
Reported by FlawFinder.
Line: 290
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
}
/*
 * The length is sizeof(struct dvb_tuner_ops), fixed at compile time.
 * NOTE(review): in bounds provided fe->ops.tuner_ops and zl10039_ops are
 * both struct dvb_tuner_ops (declarations not shown -- confirm).
 */
memcpy(&fe->ops.tuner_ops, &zl10039_ops, sizeof(struct dvb_tuner_ops));
fe->tuner_priv = state;
dprintk("Tuner attached @ i2c address 0x%02x\n", i2c_addr);
return fe;
error:
/* Error path: state is freed here. */
kfree(state);
Reported by FlawFinder.
drivers/media/platform/coda/coda-common.c
2 issues
Line: 376
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Return a name string for a product identifier. The cases visible here
 * return string literals; the rest of the function is below this excerpt.
 */
const char *coda_product_name(int product)
{
/*
 * buf is function-static, so all callers share the same 9 bytes.
 * NOTE(review): the code that writes buf is below this excerpt (presumably
 * a fallback for products without a literal name). Confirm it formats with
 * a size-limited call bounded by sizeof(buf); if a pointer to buf is
 * returned, a later call would overwrite its contents.
 */
static char buf[9];
switch (product) {
case CODA_DX6:
return "CodaDx6";
case CODA_HX4:
Reported by FlawFinder.
Line: 2930
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else {
/* Copy the already reordered firmware image */
/*
 * NOTE(review): size bytes are written to dev->codebuf.vaddr. The size of
 * the codebuf allocation and the origin of size are above this excerpt.
 * Confirm size (presumably taken from the loaded firmware file) is checked
 * against the codebuf allocation before this copy.
 */
memcpy(dev->codebuf.vaddr, src, size);
}
}
/* Forward declaration; the definition is not in this excerpt. */
static void coda_fw_callback(const struct firmware *fw, void *context);
Reported by FlawFinder.
drivers/media/radio/radio-cadet.c
2 issues
Line: 77
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
wait_queue_head_t read_queue;
struct timer_list readtimer;
/*
 * rdsin and rdsout are u8; rdsbuf has RDS_BUFFER elements.
 * NOTE(review): if rdsin/rdsout are used as indexes into rdsbuf (usage not
 * shown), a u8 can reach 255, so indexing stays in bounds only when
 * RDS_BUFFER is at least 256 or the index is reduced to the buffer size --
 * confirm against the definition of RDS_BUFFER.
 */
u8 rdsin, rdsout, rdsstat;
unsigned char rdsbuf[RDS_BUFFER];
struct mutex lock;
int reading;
};
/* Single file-scope instance of struct cadet. */
static struct cadet cadet_card;
Reported by FlawFinder.
Line: 329
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * read() handler: data is a user-space pointer and count is the length
 * requested by the caller. The remainder of the function is below this
 * excerpt.
 */
static ssize_t cadet_read(struct file *file, char __user *data, size_t count, loff_t *ppos)
{
struct cadet *dev = video_drvdata(file);
/*
 * On-stack staging buffer of RDS_BUFFER bytes.
 * NOTE(review): the loop that fills readbuf and the copy to user space are
 * not shown. Confirm the index i is bounded by both count and RDS_BUFFER
 * before readbuf[i] is written, and that only the filled bytes are copied
 * out.
 */
unsigned char readbuf[RDS_BUFFER];
int i = 0;
mutex_lock(&dev->lock);
/* Start RDS when rdsstat is still 0. */
if (dev->rdsstat == 0)
cadet_start_rds(dev);
Reported by FlawFinder.
drivers/media/platform/rockchip/rkisp1/rkisp1-params.c
2 issues
Line: 487
CWE codes:
476
/*
 * NOTE(review): the finding for this region is CWE-476 (NULL pointer
 * dereference). The pointers dereferenced in this excerpt are arg and
 * params; neither is checked for NULL here and both are set above it --
 * confirm the callers guarantee they are non-NULL.
 */
reg_val &= RKISP1_CIF_ISP_AWB_MODE_MASK_NONE;
if (en) {
/* Select the RGB or YCbCr enable bit from the requested AWB mode. */
if (arg->awb_mode == RKISP1_CIF_ISP_AWB_MODE_RGB)
reg_val |= RKISP1_CIF_ISP_AWB_MODE_RGB_EN;
else
reg_val |= RKISP1_CIF_ISP_AWB_MODE_YCBCR_EN;
rkisp1_write(params->rkisp1, reg_val, RKISP1_CIF_ISP_AWB_PROP);
Reported by Cppcheck.
Line: 637
CWE codes:
476
RKISP1_CIF_ISP_HIST_PROP);
/* Clear the mode field, then OR in the requested mode. */
hist_prop &= ~RKISP1_CIF_ISP_HIST_PROP_MODE_MASK;
/*
 * NOTE(review): arg->mode is OR-ed in without being masked, so any bits it
 * carries outside RKISP1_CIF_ISP_HIST_PROP_MODE_MASK would also end up in
 * the value passed on below. Whether arg->mode is range-checked before this
 * point is not visible -- confirm. arg is also dereferenced without a NULL
 * check in this excerpt, which is what the CWE-476 finding refers to.
 */
hist_prop |= arg->mode;
rkisp1_param_set_bits(params, RKISP1_CIF_ISP_HIST_PROP,
hist_prop);
} else {
rkisp1_param_clear_bits(params, RKISP1_CIF_ISP_HIST_PROP,
RKISP1_CIF_ISP_HIST_PROP_MODE_MASK);
Reported by Cppcheck.
drivers/media/platform/sti/delta/delta.h
2 issues
Line: 261
Column: 8
CWE codes:
362
/*
* decoder ops
*/
/*
 * NOTE(review): open and close are function-pointer members that take a
 * struct delta_ctx, not calls to open(2)/close(2). The CWE-362 finding at
 * column 8 lands on the identifier "open", which looks like a name match
 * rather than a file-open race -- confirm by checking the implementations
 * assigned to this member.
 */
int (*open)(struct delta_ctx *ctx);
int (*close)(struct delta_ctx *ctx);
/*
* setup_frame() - setup frame to be used by decoder
* @ctx: (in) instance
Reported by FlawFinder.
Line: 455
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 decode_errors;
u32 sys_errors;
struct list_head dts;
/*
 * Fixed 100-byte character buffer.
 * NOTE(review): the code that fills name is not in this excerpt. Confirm
 * every writer uses a size-limited call bounded by sizeof(name) and leaves
 * the string NUL-terminated.
 */
char name[100];
struct work_struct run_work;
struct mutex lock;
bool aborting;
void *priv;
};
Reported by FlawFinder.
drivers/net/can/peak_canfd/peak_canfd.c
2 issues
Line: 316
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* RTR frames only get the flag; other frames get their payload copied. */
if (rx_msg_flags & PUCAN_MSG_RTR)
cf->can_id |= CAN_RTR_FLAG;
else
/*
 * cf->len is the copy length here and the rx_bytes increment below.
 * NOTE(review): cf->len is set above this excerpt. The copy is in bounds
 * only if it was limited to the capacity of cf->data and to the payload
 * actually carried in msg -- confirm, since msg presumably originates from
 * the device.
 */
memcpy(cf->data, msg->d, cf->len);
stats->rx_bytes += cf->len;
stats->rx_packets++;
pucan_netif_rx(skb, msg->ts_low, msg->ts_high);
Reported by FlawFinder.
Line: 711
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->flags = cpu_to_le16(msg_flags);
msg->channel_dlc = PUCAN_MSG_CHANNEL_DLC(priv->index, len);
/*
 * NOTE(review): the DLC field is built from len while the copy length is
 * cf->len; how len relates to cf->len is above this excerpt. Confirm that
 * cf->len cannot exceed the capacity of msg->d for the frame type being
 * sent, and that the space reserved for msg covers the copied payload.
 */
memcpy(msg->d, cf->data, cf->len);
/* struct msg client field is used as an index in the echo skbs ring */
msg->client = priv->echo_idx;
spin_lock_irqsave(&priv->echo_lock, flags);
Reported by FlawFinder.