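The following issues were reported by FlawFinder, which matches risky function names and fixed-size buffer declarations in the source text; each entry below is a candidate for manual review rather than a confirmed defect.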
drivers/staging/media/omap4iss/iss_ipipeif.c
2 issues
Line: 410
Column: 3
CWE codes:
120
Suggestion:
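Make sure destination can always hold the source data (in this excerpt the length is sizeof(*fmt), so the write is bounded by the destination's own type; what remains to confirm is that the pointer returned by __ipipeif_get_format() is valid and refers to an object of the same type)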
format = __ipipeif_get_format(ipipeif, sd_state,
IPIPEIF_PAD_SINK,
which);
memcpy(fmt, format, sizeof(*fmt));
/* The data formatter truncates the number of horizontal output
* pixels to a multiple of 16. To avoid clipping data, allow
* callers to request an output size bigger than the input size
* up to the nearest multiple of 16.
Reported by FlawFinder.
Line: 426
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
format = __ipipeif_get_format(ipipeif, sd_state,
IPIPEIF_PAD_SINK,
which);
memcpy(fmt, format, sizeof(*fmt));
fmt->width = clamp_t(u32, width, 32, fmt->width);
fmt->height = clamp_t(u32, height, 32, fmt->height);
break;
}
Reported by FlawFinder.
drivers/spi/spi-synquacer.c
2 issues
Line: 137
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 tx_words, rx_words;
unsigned int bus_width;
unsigned int transfer_mode;
char rx_irq_name[SYNQUACER_HSSPI_IRQ_NAME_MAX];
char tx_irq_name[SYNQUACER_HSSPI_IRQ_NAME_MAX];
};
static int read_fifo(struct synquacer_spi *sspi)
{
Reported by FlawFinder.
Line: 138
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int bus_width;
unsigned int transfer_mode;
char rx_irq_name[SYNQUACER_HSSPI_IRQ_NAME_MAX];
char tx_irq_name[SYNQUACER_HSSPI_IRQ_NAME_MAX];
};
static int read_fifo(struct synquacer_spi *sspi)
{
u32 len = readl(sspi->regs + SYNQUACER_HSSPI_REG_DMSTATUS);
Reported by FlawFinder.
drivers/uio/uio_hv_generic.c
2 issues
Line: 62
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *recv_buf;
u32 recv_gpadl;
char recv_name[32]; /* "recv_4294967295" */
void *send_buf;
u32 send_gpadl;
char send_name[32];
};
Reported by FlawFinder.
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *send_buf;
u32 send_gpadl;
char send_name[32];
};
/*
* This is the irqcontrol callback to be registered to uio_info.
* It can be used to disable/enable interrupt from user space processes.
Reported by FlawFinder.
drivers/spi/spi-meson-spifc.c
2 issues
Line: 128
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*((u32 *)buf) = data;
buf += 4;
} else {
memcpy(buf, &data, len - i);
break;
}
i += 4;
}
}
Reported by FlawFinder.
Line: 151
Column: 4
CWE codes:
120
Suggestion:
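Make sure destination can always hold the source data (the else branch is reached only when len - i is below 4, so the copy fits in the u32 provided i can never exceed len; the loop bound and the types of len and i are outside this excerpt)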
if (len - i >= 4)
data = *(u32 *)buf;
else
memcpy(&data, buf, len - i);
regmap_write(spifc->regmap, REG_C0 + i, data);
buf += 4;
i += 4;
Reported by FlawFinder.
drivers/spi/spi-slave-mt27xx.c
2 issues
Line: 186
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
remainder = xfer->len % 4;
if (xfer->tx_buf && remainder > 0) {
reg_val = 0;
memcpy(&reg_val, xfer->tx_buf + cnt * 4, remainder);
writel(reg_val, mdata->base + SPIS_TX_DATA_REG);
}
ret = mtk_spi_slave_wait_for_completion(mdata);
if (ret) {
Reported by FlawFinder.
Line: 366
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
remainder = trans->len % 4;
if (trans->rx_buf && remainder > 0) {
reg_val = readl(mdata->base + SPIS_RX_DATA_REG);
memcpy(trans->rx_buf + (cnt * 4),
&reg_val, remainder);
}
mtk_spi_slave_disable_xfer(mdata);
}
Reported by FlawFinder.
drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
2 issues
Line: 102
Column: 3
CWE codes:
120
Suggestion:
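Make sure destination can always hold the source data (the size of cmd and the limits on height and step are outside this excerpt; those decide whether 9 + i * step plus the copied length stays inside the array)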
cmd[8] = (height << 16) | width;
while (i < height) {
memcpy(&cmd[9 + i * step], line, step << 2);
#ifdef __LITTLE_ENDIAN
{
int k = 0;
for (k = 0; k < step; k++)
cmd[9 + i * step + k] =
Reported by FlawFinder.
Line: 178
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd[2] = (height << 16) | width;
while (i < height) {
memcpy(&cmd[3 + i * step], line, step);
line += bytes;
i++;
}
}
Reported by FlawFinder.
drivers/usb/common/ulpi.c
2 issues
Line: 111
Column: 9
CWE codes:
120
Suggestion:
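Use sprintf_s, snprintf, or vsnprintf (sprintf_s is not available in kernel code; this appears to be a sysfs show callback, where sysfs_emit() is the bounded helper)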
if (len != -ENODEV)
return len;
return sprintf(buf, "ulpi:v%04xp%04x\n",
ulpi->id.vendor, ulpi->id.product);
}
static DEVICE_ATTR_RO(modalias);
static struct attribute *ulpi_dev_attrs[] = {
Reported by FlawFinder.
Line: 24
Column: 20
CWE codes:
120
20
/*
 * Dispatch a read to the callback in ulpi->ops, handing it the parent
 * device and the 8-bit address, and return the callback's result as is.
 *
 * NOTE(review): no buffer is passed or filled here. The CWE-120/CWE-20
 * hit reported at this call appears to be a name match on the `read`
 * member, which is a function pointer rather than read(2) - confirm
 * against the ops implementations before closing the finding.
 */
int ulpi_read(struct ulpi *ulpi, u8 addr)
{
	struct device *parent = ulpi->dev.parent;

	return ulpi->ops->read(parent, addr);
}
EXPORT_SYMBOL_GPL(ulpi_read);
int ulpi_write(struct ulpi *ulpi, u8 addr, u8 val)
{
Reported by FlawFinder.
drivers/soc/ixp4xx/ixp4xx-qmgr.c
2 issues
Line: 315
Column: 2
CWE codes:
134
Suggestion:
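Use a constant for the format specification (desc_format is not defined in this excerpt; confirm that callers cannot influence it, and note that the snprintf is compiled only when DEBUG_QMGR is set)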
used_sram_bitmap[3] |= mask[3];
__raw_writel(cfg | (addr << 14), &qmgr_regs->sram[queue]);
#if DEBUG_QMGR
snprintf(qmgr_queue_descs[queue], sizeof(qmgr_queue_descs[0]),
desc_format, name);
printk(KERN_DEBUG "qmgr: requested queue %s(%i) addr = 0x%02X\n",
qmgr_queue_descs[queue], queue, addr);
#endif
spin_unlock_irq(&qmgr_lock);
Reported by FlawFinder.
Line: 26
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void *irq_pdevs[QUEUES];
#if DEBUG_QMGR
char qmgr_queue_descs[QUEUES][32];
#endif
void qmgr_put_entry(unsigned int queue, u32 val)
{
#if DEBUG_QMGR
Reported by FlawFinder.
drivers/sh/intc/core.c
2 issues
Line: 470
Column: 9
CWE codes:
120
Suggestion:
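Use sprintf_s, snprintf, or vsnprintf (sprintf_s is not available in kernel code; the function is registered through DEVICE_ATTR as a show callback, where sysfs_emit() is the bounded helper)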
d = container_of(dev, struct intc_desc_int, dev);
return sprintf(buf, "%s\n", d->chip.name);
}
static DEVICE_ATTR(name, S_IRUGO, show_intc_name, NULL);
static int __init register_intc_devs(void)
Reported by FlawFinder.
Line: 304
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (hw->subgroups[i].reg)
k+= save_reg(d, k, hw->subgroups[i].reg, 0);
memcpy(&d->chip, &intc_irq_chip, sizeof(struct irq_chip));
d->chip.name = desc->name;
if (hw->ack_regs)
for (i = 0; i < hw->nr_ack_regs; i++)
k += save_reg(d, k, hw->ack_regs[i].set_reg, 0);
Reported by FlawFinder.
drivers/scsi/pcmcia/nsp_cs.h
2 issues
Line: 265
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int FifoCount;
#define MSGBUF_SIZE 20
unsigned char MsgBuffer[MSGBUF_SIZE];
int MsgLen;
#define N_TARGET 8
sync_data Sync[N_TARGET];
Reported by FlawFinder.
Line: 271
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define N_TARGET 8
sync_data Sync[N_TARGET];
char nspinfo[110]; /* description */
spinlock_t Lock;
scsi_info_t *ScsiInfo; /* attach <-> detect glue */
Reported by FlawFinder.