} else
printk(KERN_ERR "Failed to get timer for cpu %d\n", i);
adev->count = 0;
- sprintf(adev->name, "apbt%d", i);
+ snprintf(adev->name, sizeof(adev->name), "apbt%d", i);
}
#endif
char base_pin_name[SFI_NAME_LEN + 1];
char intr_pin_name[SFI_NAME_LEN + 1];
- if (nr == MAX7315_NUM) {
+ if (nr >= MAX7315_NUM) {
pr_err("too many max7315s, we only support %d\n",
MAX7315_NUM);
return NULL;
*/
strcpy(i2c_info->type, "max7315");
if (nr++) {
- sprintf(base_pin_name, "max7315_%d_base", nr);
- sprintf(intr_pin_name, "max7315_%d_int", nr);
+ snprintf(base_pin_name, sizeof(base_pin_name), \
+ "max7315_%d_base", nr);
+ snprintf(intr_pin_name, sizeof(intr_pin_name), \
+ "max7315_%d_int", nr);
} else {
strcpy(base_pin_name, "max7315_base");
strcpy(intr_pin_name, "max7315_int");
INIT_LIST_HEAD(&property->enum_blob_list);
if (name)
- strncpy(property->name, name, DRM_PROP_NAME_LEN);
+ strncpy(property->name, name, DRM_PROP_NAME_LEN-1);
list_add_tail(&property->head, &dev->mode_config.property_list);
return property;
if (!list_empty(&property->enum_blob_list)) {
list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
if (prop_enum->value == value) {
- strncpy(prop_enum->name, name, DRM_PROP_NAME_LEN);
+ strncpy(prop_enum->name, name, \
+ DRM_PROP_NAME_LEN-1);
prop_enum->name[DRM_PROP_NAME_LEN-1] = '\0';
return 0;
}
cpuidle_state_table[cstate].target_residency =
get_target_residency(cstate);
- dev->states[dev->state_count] = /* structure copy */
- cpuidle_state_table[cstate];
-
- dev->state_count += 1;
+ if (dev->state_count >= \
+ (sizeof(dev->states)/sizeof(dev->states[0]))) {
+ BUG();
+ } else {
+ /* structure copy */
+ dev->states[dev->state_count] = \
+ cpuidle_state_table[cstate];
+
+ dev->state_count += 1;
+ }
}
dev->cpu = i;
string_length = strlen(buffer);
if (string_length < MAX_USB_TIMEOUT_LEN) {
- snprintf(timeout, string_length, "%s", buffer);
+ snprintf(timeout, sizeof(timeout), "%s", buffer);
} else {
pr_err("Invalid value written."
"Check the Availabe values that can be used\n");
{
if (err_str) {
memset(err_buf, 0, sizeof(err_buf));
- strncpy(err_buf, err_str, strlen(err_str));
+ strncpy(err_buf, err_str, sizeof(err_buf)-1);
}
}
msic_debug_reg_addr, ret);
return -EFAULT;
}
- len = sprintf(buf, "msic[%3.3x]=0x%x\n", msic_debug_reg_addr, data);
+ len = snprintf(buf, sizeof(buf), "msic[%3.3x]=0x%x\n", \
+ msic_debug_reg_addr, data);
if (copy_to_user(buffer, buf, len))
return -EFAULT;
*off = len;
uport->port.membase = hsu->reg + HSU_PORT_REG_OFFSET
+ offset * HSU_PORT_REG_LENGTH;
- sprintf(uport->name, "hsu_port%d", i);
+ snprintf(uport->name, sizeof(uport->name), "hsu_port%d", i);
uport->port.fifosize = 64;
uport->port.ops = &serial_hsu_pops;
uport->port.line = i;
if (val == KVAL(K_CAPSSHIFT))
val = KVAL(K_SHIFT);
+ /* fix a KW error */
+ if (val >= (sizeof(shift_down) \
+ / sizeof(shift_down[0]))) {
+ BUG();
+ continue;
+ }
shift_down[val]++;
shift_state |= (1 << val);
}
{
struct inode *inode = file->f_path.dentry->d_inode;
int fbidx = iminor(inode);
- struct fb_info *info = registered_fb[fbidx];
+ struct fb_info *info = (struct fb_info *)NULL;
+
+ if (fbidx >= (sizeof(registered_fb) / sizeof(registered_fb[0])))
+ return (struct fb_info *)NULL;
+
+ info = registered_fb[fbidx];
if (info != file->private_data)
info = NULL;
fb_var_to_videomode(&mode, &fb_info->var);
fb_add_videomode(&mode, &fb_info->modelist);
+
+ /* KW issue 115161 */
+ if (i >= (sizeof(registered_fb) / sizeof(registered_fb[0]))) {
+ return -EINVAL;
+ } else {
registered_fb[i] = fb_info;
event.info = fb_info;
return -ENODEV;
fb_notifier_call_chain(FB_EVENT_FB_REGISTERED, &event);
unlock_fb_info(fb_info);
+ }
return 0;
}
put_page(skb_shinfo(skb)->frags[i].page);
eat -= skb_shinfo(skb)->frags[i].size;
} else {
- skb_shinfo(skb)->frags[k] = skb_shinfo(skb)->frags[i];
+ /* KW issue 116144 */
+ if ((k < sizeof(skb_shinfo(skb)->frags) \
+ / sizeof(skb_shinfo(skb)->frags[0])) &&
+ (i < sizeof(skb_shinfo(skb)->frags) \
+ / sizeof(skb_shinfo(skb)->frags[0])))
+ skb_shinfo(skb)->frags[k] = \
+ skb_shinfo(skb)->frags[i];
if (eat) {
skb_shinfo(skb)->frags[k].page_offset += eat;
skb_shinfo(skb)->frags[k].size -= eat;
skb->data_len = len - pos;
for (i = 0; i < nfrags; i++) {
- int size = skb_shinfo(skb)->frags[i].size;
+ int size = 0;
+ if (i < sizeof(skb_shinfo(skb)->frags) \
+ / sizeof(skb_shinfo(skb)->frags[0]))
+ skb_shinfo(skb)->frags[i].size;
if (pos + size > len) {
skb_shinfo(skb1)->frags[k] = skb_shinfo(skb)->frags[i];
/* Reposition in the original skb */
to = 0;
- while (from < skb_shinfo(skb)->nr_frags)
+ /* KW issue 116146 */
+ while (from < skb_shinfo(skb)->nr_frags &&
+ (from < sizeof(skb_shinfo(skb)->frags) \
+ / sizeof(skb_shinfo(skb)->frags[0])) &&
+ (to < sizeof(skb_shinfo(skb)->frags)
+ / sizeof(skb_shinfo(skb)->frags[0])))
skb_shinfo(skb)->frags[to++] = skb_shinfo(skb)->frags[from++];
skb_shinfo(skb)->nr_frags = to;
skbinfo->nr_frags = 0;
frag = pinfo->frags + nr_frags;
- frag2 = skbinfo->frags + i;
+ /* KW issue 116147 */
+ if (i < sizeof(skbinfo->frags) / sizeof(skbinfo->frags[0]))
+ frag2 = skbinfo->frags + i;
do {
*--frag = *--frag2;
} while (--i);
projects / kernel / kernel-mfld-blackbay.git / commitdiff