The following issues were found
drivers/nvme/target/discovery.c
9 issues
Line: 119
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
e->cntlid = cpu_to_le16(NVME_CNTLID_DYNAMIC);
e->asqsz = cpu_to_le16(NVME_AQ_DEPTH);
e->subtype = type;
memcpy(e->trsvcid, port->disc_addr.trsvcid, NVMF_TRSVCID_SIZE);
memcpy(e->traddr, traddr, NVMF_TRADDR_SIZE);
memcpy(e->tsas.common, port->disc_addr.tsas.common, NVMF_TSAS_SIZE);
strncpy(e->subnqn, subsys_nqn, NVMF_NQN_SIZE);
}
Reported by FlawFinder.
Line: 120
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
e->asqsz = cpu_to_le16(NVME_AQ_DEPTH);
e->subtype = type;
memcpy(e->trsvcid, port->disc_addr.trsvcid, NVMF_TRSVCID_SIZE);
memcpy(e->traddr, traddr, NVMF_TRADDR_SIZE);
memcpy(e->tsas.common, port->disc_addr.tsas.common, NVMF_TSAS_SIZE);
strncpy(e->subnqn, subsys_nqn, NVMF_NQN_SIZE);
}
/*
Reported by FlawFinder.
Line: 121
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
e->subtype = type;
memcpy(e->trsvcid, port->disc_addr.trsvcid, NVMF_TRSVCID_SIZE);
memcpy(e->traddr, traddr, NVMF_TRADDR_SIZE);
memcpy(e->tsas.common, port->disc_addr.tsas.common, NVMF_TSAS_SIZE);
strncpy(e->subnqn, subsys_nqn, NVMF_NQN_SIZE);
}
/*
* nvmet_set_disc_traddr - set a correct discovery log entry traddr
Reported by FlawFinder.
Line: 141
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (req->ops->disc_traddr)
req->ops->disc_traddr(req, port, traddr);
else
memcpy(traddr, port->disc_addr.traddr, NVMF_TRADDR_SIZE);
}
static size_t discovery_log_entries(struct nvmet_req *req)
{
struct nvmet_ctrl *ctrl = req->sq->ctrl;
Reported by FlawFinder.
Line: 209
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
hdr = buffer;
list_for_each_entry(p, &req->port->subsystems, entry) {
char traddr[NVMF_TRADDR_SIZE];
if (!nvmet_host_allowed(p->subsys, ctrl->hostnqn))
continue;
nvmet_set_disc_traddr(req, req->port, traddr);
Reported by FlawFinder.
Line: 264
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(id->sn, ctrl->subsys->serial, NVMET_SN_MAX_SIZE);
memset(id->fr, ' ', sizeof(id->fr));
memcpy_and_pad(id->mn, sizeof(id->mn), ctrl->subsys->model_number,
strlen(ctrl->subsys->model_number), ' ');
memcpy_and_pad(id->fr, sizeof(id->fr),
UTS_RELEASE, strlen(UTS_RELEASE), ' ');
Reported by FlawFinder.
Line: 122
Column: 2
CWE codes:
120
memcpy(e->trsvcid, port->disc_addr.trsvcid, NVMF_TRSVCID_SIZE);
memcpy(e->traddr, traddr, NVMF_TRADDR_SIZE);
memcpy(e->tsas.common, port->disc_addr.tsas.common, NVMF_TSAS_SIZE);
strncpy(e->subnqn, subsys_nqn, NVMF_NQN_SIZE);
}
/*
* nvmet_set_disc_traddr - set a correct discovery log entry traddr
*
Reported by FlawFinder.
Line: 267
Column: 10
CWE codes:
126
memcpy(id->sn, ctrl->subsys->serial, NVMET_SN_MAX_SIZE);
memset(id->fr, ' ', sizeof(id->fr));
memcpy_and_pad(id->mn, sizeof(id->mn), ctrl->subsys->model_number,
strlen(ctrl->subsys->model_number), ' ');
memcpy_and_pad(id->fr, sizeof(id->fr),
UTS_RELEASE, strlen(UTS_RELEASE), ' ');
/* no limit on data transfer sizes for now */
id->mdts = 0;
Reported by FlawFinder.
Line: 269
Column: 23
CWE codes:
126
memcpy_and_pad(id->mn, sizeof(id->mn), ctrl->subsys->model_number,
strlen(ctrl->subsys->model_number), ' ');
memcpy_and_pad(id->fr, sizeof(id->fr),
UTS_RELEASE, strlen(UTS_RELEASE), ' ');
/* no limit on data transfer sizes for now */
id->mdts = 0;
id->cntlid = cpu_to_le16(ctrl->cntlid);
id->ver = cpu_to_le32(ctrl->subsys->ver);
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
9 issues
Line: 499
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct host_cmd_ds_802_11_mac_address *cmd_mac_addr =
&resp->params.mac_addr;
memcpy(priv->curr_addr, cmd_mac_addr->mac_addr, ETH_ALEN);
mwifiex_dbg(priv->adapter, INFO,
"info: set mac address: %pM\n", priv->curr_addr);
return 0;
Reported by FlawFinder.
Line: 603
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(priv->aes_key.key_param_set.key, 0,
sizeof(key->key_param_set.key));
priv->aes_key.key_param_set.key_len = cpu_to_le16(len);
memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, len);
return 0;
}
/*
Reported by FlawFinder.
Line: 642
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(key_v2->key_param_set.key_params.aes.key));
priv->aes_key_v2.key_param_set.key_params.aes.key_len =
cpu_to_le16(len);
memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
key_v2->key_param_set.key_params.aes.key, len);
return 0;
}
Reported by FlawFinder.
Line: 713
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (version_ext) {
version_ext->version_str_sel = ver_ext->version_str_sel;
memcpy(version_ext->version_str, ver_ext->version_str,
sizeof(char) * 128);
memcpy(priv->version_str, ver_ext->version_str, 128);
}
return 0;
}
Reported by FlawFinder.
Line: 715
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
version_ext->version_str_sel = ver_ext->version_str_sel;
memcpy(version_ext->version_str, ver_ext->version_str,
sizeof(char) * 128);
memcpy(priv->version_str, ver_ext->version_str, 128);
}
return 0;
}
/*
Reported by FlawFinder.
Line: 731
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct host_cmd_ds_remain_on_chan *resp_cfg = &resp->params.roc_cfg;
if (roc_cfg)
memcpy(roc_cfg, resp_cfg, sizeof(*roc_cfg));
return 0;
}
/*
Reported by FlawFinder.
Line: 828
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eeprom->offset = le16_to_cpu(r.eeprom->offset);
eeprom->byte_count = le16_to_cpu(r.eeprom->byte_count);
if (eeprom->byte_count > 0)
memcpy(&eeprom->value, &r.eeprom->value,
min((u16)MAX_EEPROM_DATA, eeprom->byte_count));
break;
default:
return -1;
}
Reported by FlawFinder.
Line: 865
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* If BSSID is diff, modify current BSS parameters */
if (!ether_addr_equal(priv->curr_bss_params.bss_descriptor.mac_address, ibss_coal_resp->bssid)) {
/* BSSID */
memcpy(priv->curr_bss_params.bss_descriptor.mac_address,
ibss_coal_resp->bssid, ETH_ALEN);
/* Beacon Interval */
priv->curr_bss_params.bss_descriptor.beacon_period
= le16_to_cpu(ibss_coal_resp->beacon_interval);
Reported by FlawFinder.
Line: 1187
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tlv_band_channel =
(struct host_cmd_tlv_channel_band *)sta_cfg_cmd->tlv_buffer;
memcpy(&channel_band->band_config, &tlv_band_channel->band_config,
sizeof(struct mwifiex_band_config));
channel_band->channel = tlv_band_channel->channel;
return 0;
}
Reported by FlawFinder.
drivers/scsi/bnx2i/bnx2i_hwi.c
9 issues
Line: 199
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
bnx2i_conn->ep->qp.rqe_left--;
memcpy(ptr, (u8 *) bnx2i_conn->ep->qp.rq_cons_qe, len);
if (bnx2i_conn->ep->qp.rq_cons_qe == bnx2i_conn->ep->qp.rq_last_qe) {
bnx2i_conn->ep->qp.rq_cons_qe = bnx2i_conn->ep->qp.rq_first_qe;
bnx2i_conn->ep->qp.rq_cons_idx = 0;
} else {
bnx2i_conn->ep->qp.rq_cons_qe++;
Reported by FlawFinder.
Line: 432
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
default:
tmfabort_wqe->ref_itt = RESERVED_ITT;
}
memcpy(scsi_lun, &tmfabort_hdr->lun, sizeof(struct scsi_lun));
tmfabort_wqe->lun[0] = be32_to_cpu(scsi_lun[0]);
tmfabort_wqe->lun[1] = be32_to_cpu(scsi_lun[1]);
tmfabort_wqe->ref_cmd_sn = be32_to_cpu(tmfabort_hdr->refcmdsn);
Reported by FlawFinder.
Line: 511
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scsi_cmd_wqe = (struct bnx2i_cmd_request *)
bnx2i_conn->ep->qp.sq_prod_qe;
memcpy(scsi_cmd_wqe, &cmd->req, sizeof(struct bnx2i_cmd_request));
scsi_cmd_wqe->cq_index = 0; /* CQ# used for completion, 5771x only */
bnx2i_ring_dbell_update_sq_params(bnx2i_conn, 1);
return 0;
}
Reported by FlawFinder.
Line: 545
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nopout_wqe->op_code = nopout_hdr->opcode;
nopout_wqe->op_attr = ISCSI_FLAG_CMD_FINAL;
memcpy(nopout_wqe->lun, &nopout_hdr->lun, 8);
/* 57710 requires LUN field to be swapped */
if (test_bit(BNX2I_NX2_DEV_57710, &ep->hba->cnic_dev_type))
swap(nopout_wqe->lun[0], nopout_wqe->lun[1]);
Reported by FlawFinder.
Line: 1460
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
resp_hdr->hlength = 0;
hton24(resp_hdr->dlength, login->data_length);
memcpy(resp_hdr->isid, &login->isid_lo, 6);
resp_hdr->tsih = cpu_to_be16(login->tsih);
resp_hdr->itt = task->hdr->itt;
resp_hdr->statsn = cpu_to_be32(login->stat_sn);
resp_hdr->exp_cmdsn = cpu_to_be32(login->exp_cmd_sn);
resp_hdr->max_cmdsn = cpu_to_be32(login->max_cmd_sn);
Reported by FlawFinder.
Line: 1674
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void bnx2i_unsol_pdu_adjust_rq(struct bnx2i_conn *bnx2i_conn)
{
char dummy_rq_data[2];
bnx2i_get_rq_buf(bnx2i_conn, dummy_rq_data, 1);
bnx2i_put_rq_buf(bnx2i_conn, 1);
}
Reported by FlawFinder.
Line: 1722
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr->flags = ISCSI_FLAG_CMD_FINAL;
hdr->itt = task->hdr->itt;
hdr->ttt = cpu_to_be32(nop_in->ttt);
memcpy(&hdr->lun, nop_in->lun, 8);
}
done:
__iscsi_complete_pdu(conn, (struct iscsi_hdr *)hdr, NULL, 0);
spin_unlock(&session->back_lock);
Reported by FlawFinder.
Line: 1765
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
resp_hdr->opcode = async_cqe->op_code;
resp_hdr->flags = 0x80;
memcpy(&resp_hdr->lun, async_cqe->lun, 8);
resp_hdr->exp_cmdsn = cpu_to_be32(async_cqe->exp_cmd_sn);
resp_hdr->max_cmdsn = cpu_to_be32(async_cqe->max_cmd_sn);
resp_hdr->async_event = async_cqe->async_event;
resp_hdr->async_vcode = async_cqe->async_vcode;
Reported by FlawFinder.
Line: 1933
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INIT_LIST_HEAD(&bnx2i_work->list);
bnx2i_work->session = session;
bnx2i_work->bnx2i_conn = bnx2i_conn;
memcpy(&bnx2i_work->cqe, cqe, sizeof(struct cqe));
list_add_tail(&bnx2i_work->list, &p->work_list);
atomic_inc(&bnx2i_conn->work_cnt);
wake_up_process(p->iothread);
spin_unlock(&p->p_work_lock);
goto done;
Reported by FlawFinder.
drivers/net/ethernet/marvell/skge.c
9 issues
Line: 3926
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
if (!hw)
goto err_out_free_regions;
sprintf(hw->irq_name, DRV_NAME "@pci:%s", pci_name(pdev));
hw->pdev = pdev;
spin_lock_init(&hw->hw_lock);
spin_lock_init(&hw->phy_lock);
tasklet_setup(&hw->phy_task, skge_extirq);
Reported by FlawFinder.
Line: 405
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static const struct skge_stat {
char name[ETH_GSTRING_LEN];
u16 xmac_offset;
u16 gma_offset;
} skge_stats[] = {
{ "tx_bytes", XM_TXO_OK_HI, GM_TXO_OK_HI },
{ "rx_bytes", XM_RXO_OK_HI, GM_RXO_OK_HI },
Reported by FlawFinder.
Line: 488
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_STATS:
for (i = 0; i < ARRAY_SIZE(skge_stats); i++)
memcpy(data + i * ETH_GSTRING_LEN,
skge_stats[i].name, ETH_GSTRING_LEN);
break;
}
}
Reported by FlawFinder.
Line: 838
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 val = skge_vpd_read(pdev, cap, offset);
int n = min_t(int, length, sizeof(val));
memcpy(data, &val, n);
length -= n;
data += n;
offset += n;
}
return 0;
Reported by FlawFinder.
Line: 867
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (n < sizeof(val))
val = skge_vpd_read(pdev, cap, offset);
memcpy(&val, data, n);
skge_vpd_write(pdev, cap, offset, val);
length -= n;
data += n;
Reported by FlawFinder.
Line: 3458
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(addr->sa_data))
return -EADDRNOTAVAIL;
memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);
if (!netif_running(dev)) {
memcpy_toio(hw->regs + B2_MAC_1 + port*8, dev->dev_addr, ETH_ALEN);
memcpy_toio(hw->regs + B2_MAC_2 + port*8, dev->dev_addr, ETH_ALEN);
} else {
Reported by FlawFinder.
Line: 3499
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *skge_board_name(const struct skge_hw *hw)
{
int i;
static char buf[16];
for (i = 0; i < ARRAY_SIZE(skge_chips); i++)
if (skge_chips[i].id == hw->chip_id)
return skge_chips[i].name;
Reported by FlawFinder.
Line: 3921
Column: 29
CWE codes:
126
err = -ENOMEM;
/* space for skge@pci:0000:04:00.0 */
hw = kzalloc(sizeof(*hw) + strlen(DRV_NAME "@pci:")
+ strlen(pci_name(pdev)) + 1, GFP_KERNEL);
if (!hw)
goto err_out_free_regions;
sprintf(hw->irq_name, DRV_NAME "@pci:%s", pci_name(pdev));
Reported by FlawFinder.
Line: 3922
Column: 10
CWE codes:
126
err = -ENOMEM;
/* space for skge@pci:0000:04:00.0 */
hw = kzalloc(sizeof(*hw) + strlen(DRV_NAME "@pci:")
+ strlen(pci_name(pdev)) + 1, GFP_KERNEL);
if (!hw)
goto err_out_free_regions;
sprintf(hw->irq_name, DRV_NAME "@pci:%s", pci_name(pdev));
Reported by FlawFinder.
drivers/net/ethernet/intel/i40e/i40e_txrx.c
9 issues
Line: 192
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ipv6.nexthdr = l4proto;
ipv6.version = 0x6;
memcpy(&ipv6.saddr.in6_u.u6_addr32, data->src_ip6,
sizeof(__be32) * 4);
memcpy(&ipv6.daddr.in6_u.u6_addr32, data->dst_ip6,
sizeof(__be32) * 4);
}
Reported by FlawFinder.
Line: 194
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&ipv6.saddr.in6_u.u6_addr32, data->src_ip6,
sizeof(__be32) * 4);
memcpy(&ipv6.daddr.in6_u.u6_addr32, data->dst_ip6,
sizeof(__be32) * 4);
}
if (is_vlan) {
vlan.h_vlan_TCI = data->vlan_tag;
Reported by FlawFinder.
Line: 205
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
tmp = dummy_packet;
memcpy(tmp, ð, sizeof(eth));
tmp += sizeof(eth);
if (is_vlan) {
memcpy(tmp, &vlan, sizeof(vlan));
tmp += sizeof(vlan);
Reported by FlawFinder.
Line: 209
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmp += sizeof(eth);
if (is_vlan) {
memcpy(tmp, &vlan, sizeof(vlan));
tmp += sizeof(vlan);
}
if (ipv4) {
memcpy(tmp, &ip, sizeof(ip));
Reported by FlawFinder.
Line: 214
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (ipv4) {
memcpy(tmp, &ip, sizeof(ip));
tmp += sizeof(ip);
} else {
memcpy(tmp, &ipv6, sizeof(ipv6));
tmp += sizeof(ipv6);
}
Reported by FlawFinder.
Line: 217
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(tmp, &ip, sizeof(ip));
tmp += sizeof(ip);
} else {
memcpy(tmp, &ipv6, sizeof(ipv6));
tmp += sizeof(ipv6);
}
return tmp;
}
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmp = i40e_create_dummy_packet(raw_packet, ipv4, IPPROTO_TCP, data);
tcp = (struct tcphdr *)tmp;
memcpy(tcp, tcp_packet, sizeof(tcp_packet));
tcp->dest = data->dst_port;
tcp->source = data->src_port;
}
/**
Reported by FlawFinder.
Line: 2152
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
I40E_RX_HDR_SIZE);
/* align pull length to size of long to optimize memcpy performance */
memcpy(__skb_put(skb, headlen), xdp->data,
ALIGN(headlen, sizeof(long)));
/* update all of the pointers */
size -= headlen;
if (size) {
Reported by FlawFinder.
Line: 1735
Column: 12
CWE codes:
120
20
/* Refresh the desc even if buffer_addrs didn't change
* because each write-back erases this info.
*/
rx_desc->read.pkt_addr = cpu_to_le64(bi->dma + bi->page_offset);
rx_desc++;
bi++;
ntu++;
if (unlikely(ntu == rx_ring->count)) {
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlxsw/spectrum_router_xm.c
9 issues
Line: 52
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum mlxsw_sp_l3proto proto;
u16 virtual_router;
u8 prefix_len;
unsigned char addr[sizeof(struct in6_addr)];
};
struct mlxsw_sp_router_xm_fib_entry {
bool committed;
struct mlxsw_sp_router_xm_ltable_node *ltable_node; /* Parent node */
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_sp_fib_entry_op_ctx_xm {
bool initialized;
char xmdr_pl[MLXSW_REG_XMDR_LEN];
unsigned int trans_offset; /* Offset of the current command within one
* transaction of XMDR register.
*/
unsigned int trans_item_len; /* The current command length. This is used
* to advance 'trans_offset' when the next
Reported by FlawFinder.
Line: 83
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mlxsw_sp_router_ll_xm_init(struct mlxsw_sp *mlxsw_sp, u16 vr_id,
enum mlxsw_sp_l3proto proto)
{
char rxlte_pl[MLXSW_REG_RXLTE_LEN];
mlxsw_reg_rxlte_pack(rxlte_pl, vr_id,
(enum mlxsw_reg_rxlte_protocol) proto, true);
return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(rxlte), rxlte_pl);
}
Reported by FlawFinder.
Line: 281
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mlxsw_sp_router_xm_ltable_lvalue_set(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_router_xm_ltable_node *ltable_node)
{
char xrmt_pl[MLXSW_REG_XRMT_LEN];
mlxsw_reg_xrmt_pack(xrmt_pl, ltable_node->mindex, ltable_node->current_lvalue);
return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(xrmt), xrmt_pl);
}
Reported by FlawFinder.
Line: 366
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned char *mlxsw_sp_router_xm_flush_mask6(u8 prefix_len)
{
static unsigned char mask[sizeof(struct in6_addr)];
memset(mask, 0, sizeof(mask));
memset(mask, 0xff, prefix_len / 8);
mask[prefix_len / 8] = GENMASK(8, 8 - prefix_len % 8);
return mask;
Reported by FlawFinder.
Line: 383
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct mlxsw_sp_router_xm_flush_info *flush_info;
struct mlxsw_sp_router_xm_flush_node *flush_node;
char rlcmld_pl[MLXSW_REG_RLCMLD_LEN];
enum mlxsw_reg_rlcmld_select select;
struct mlxsw_sp *mlxsw_sp;
u32 addr4;
int err;
Reported by FlawFinder.
Line: 395
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
flush_info = &flush_node->flush_info;
if (flush_info->all) {
char rlpmce_pl[MLXSW_REG_RLPMCE_LEN];
mlxsw_reg_rlpmce_pack(rlpmce_pl, true, false);
err = mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(rlpmce),
rlpmce_pl);
if (err)
Reported by FlawFinder.
Line: 735
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int mlxsw_sp_router_xm_init(struct mlxsw_sp *mlxsw_sp)
{
struct mlxsw_sp_router_xm *router_xm;
char rxltm_pl[MLXSW_REG_RXLTM_LEN];
char xltq_pl[MLXSW_REG_XLTQ_LEN];
u32 mindex_size;
u16 device_id;
int err;
Reported by FlawFinder.
Line: 736
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct mlxsw_sp_router_xm *router_xm;
char rxltm_pl[MLXSW_REG_RXLTM_LEN];
char xltq_pl[MLXSW_REG_XLTQ_LEN];
u32 mindex_size;
u16 device_id;
int err;
if (!mlxsw_sp->bus_info->xm_exists)
Reported by FlawFinder.
drivers/net/ethernet/intel/i40e/i40e_nvm.c
9 issues
Line: 56
Column: 46
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* via the proper Admin Command.
**/
i40e_status i40e_acquire_nvm(struct i40e_hw *hw,
enum i40e_aq_resource_access_type access)
{
i40e_status ret_code = 0;
u64 gtime, timeout;
u64 time_left = 0;
Reported by FlawFinder.
Line: 65
Column: 64
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (hw->nvm.blank_nvm_mode)
goto i40e_i40e_acquire_nvm_exit;
ret_code = i40e_aq_request_resource(hw, I40E_NVM_RESOURCE_ID, access,
0, &time_left, NULL);
/* Reading the Global Device Timer */
gtime = rd32(hw, I40E_GLVFGEN_TIMER);
/* Store the timeout */
Reported by FlawFinder.
Line: 76
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (ret_code)
i40e_debug(hw, I40E_DEBUG_NVM,
"NVM acquire type %d failed time_left=%llu ret=%d aq_err=%d\n",
access, time_left, ret_code, hw->aq.asq_last_status);
if (ret_code && time_left) {
/* Poll until the current NVM owner timeouts */
timeout = I40E_MS_TO_GTIME(I40E_MAX_NVM_TIMEOUT) + gtime;
while ((gtime < timeout) && time_left) {
Reported by FlawFinder.
Line: 86
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
gtime = rd32(hw, I40E_GLVFGEN_TIMER);
ret_code = i40e_aq_request_resource(hw,
I40E_NVM_RESOURCE_ID,
access, 0, &time_left,
NULL);
if (!ret_code) {
hw->nvm.hw_semaphore_timeout =
I40E_MS_TO_GTIME(time_left) + gtime;
break;
Reported by FlawFinder.
Line: 1263
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 aq_desc_len = sizeof(struct i40e_aq_desc);
if (opcode == hw->nvm_wait_opcode) {
memcpy(&hw->nvm_aq_event_desc, desc, aq_desc_len);
i40e_nvmupd_clear_wait_state(hw);
}
}
/**
Reported by FlawFinder.
Line: 1419
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (hw->nvm_buff.va) {
buff = hw->nvm_buff.va;
memcpy(buff, &bytes[aq_desc_len], aq_data_len);
}
}
if (cmd->offset)
memset(&hw->nvm_aq_event_desc, 0, aq_desc_len);
Reported by FlawFinder.
Line: 1496
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__func__, cmd->offset, cmd->offset + len);
buff = ((u8 *)&hw->nvm_wb_desc) + cmd->offset;
memcpy(bytes, buff, len);
bytes += len;
remainder -= len;
buff = hw->nvm_buff.va;
} else {
Reported by FlawFinder.
Line: 1510
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i40e_debug(hw, I40E_DEBUG_NVM, "%s: databuf bytes %d to %d\n",
__func__, start_byte, start_byte + remainder);
memcpy(bytes, buff, remainder);
}
return 0;
}
Reported by FlawFinder.
Line: 1545
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->data_size = aq_total_len;
}
memcpy(bytes, &hw->nvm_aq_event_desc, cmd->data_size);
return 0;
}
/**
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/iwl-devtrace-iwlwifi.h
9 issues
Line: 43
__entry->flags = cmd->flags;
memcpy(__get_dynamic_array(hcmd), hdr, offset);
for (i = 0; i < IWL_MAX_CMD_TBS_PER_TFD; i++) {
if (!cmd->len[i])
continue;
memcpy((u8 *)__get_dynamic_array(hcmd) + offset,
cmd->data[i], cmd->len[i]);
offset += cmd->len[i];
Reported by Cppcheck.
Line: 43
__entry->flags = cmd->flags;
memcpy(__get_dynamic_array(hcmd), hdr, offset);
for (i = 0; i < IWL_MAX_CMD_TBS_PER_TFD; i++) {
if (!cmd->len[i])
continue;
memcpy((u8 *)__get_dynamic_array(hcmd) + offset,
cmd->data[i], cmd->len[i]);
offset += cmd->len[i];
Reported by Cppcheck.
Line: 43
__entry->flags = cmd->flags;
memcpy(__get_dynamic_array(hcmd), hdr, offset);
for (i = 0; i < IWL_MAX_CMD_TBS_PER_TFD; i++) {
if (!cmd->len[i])
continue;
memcpy((u8 *)__get_dynamic_array(hcmd) + offset,
cmd->data[i], cmd->len[i]);
offset += cmd->len[i];
Reported by Cppcheck.
Line: 43
__entry->flags = cmd->flags;
memcpy(__get_dynamic_array(hcmd), hdr, offset);
for (i = 0; i < IWL_MAX_CMD_TBS_PER_TFD; i++) {
if (!cmd->len[i])
continue;
memcpy((u8 *)__get_dynamic_array(hcmd) + offset,
cmd->data[i], cmd->len[i]);
offset += cmd->len[i];
Reported by Cppcheck.
Line: 41
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DEV_ASSIGN;
__entry->flags = cmd->flags;
memcpy(__get_dynamic_array(hcmd), hdr, offset);
for (i = 0; i < IWL_MAX_CMD_TBS_PER_TFD; i++) {
if (!cmd->len[i])
continue;
memcpy((u8 *)__get_dynamic_array(hcmd) + offset,
Reported by FlawFinder.
Line: 46
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < IWL_MAX_CMD_TBS_PER_TFD; i++) {
if (!cmd->len[i])
continue;
memcpy((u8 *)__get_dynamic_array(hcmd) + offset,
cmd->data[i], cmd->len[i]);
offset += cmd->len[i];
}
),
TP_printk("[%s] hcmd %#.2x.%#.2x (%ssync)",
Reported by FlawFinder.
Line: 73
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DEV_ASSIGN;
__entry->cmd = WIDE_ID(pkt->hdr.group_id, pkt->hdr.cmd);
memcpy(__get_dynamic_array(rxbuf), pkt,
iwl_rx_trace_len(trans, pkt, len, &hdr_offset));
__entry->hdr_offset = hdr_offset;
),
TP_printk("[%s] RX cmd %#.2x",
__get_str(dev), __entry->cmd)
Reported by FlawFinder.
Line: 108
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->framelen = buf0_len;
if (hdr_len > 0)
__entry->framelen += skb->len - hdr_len;
memcpy(__get_dynamic_array(tfd), tfd, tfdlen);
memcpy(__get_dynamic_array(buf0), buf0, buf0_len);
if (hdr_len > 0 && !iwl_trace_data(skb))
skb_copy_bits(skb, hdr_len,
__get_dynamic_array(buf1),
skb->len - hdr_len);
Reported by FlawFinder.
Line: 109
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (hdr_len > 0)
__entry->framelen += skb->len - hdr_len;
memcpy(__get_dynamic_array(tfd), tfd, tfdlen);
memcpy(__get_dynamic_array(buf0), buf0, buf0_len);
if (hdr_len > 0 && !iwl_trace_data(skb))
skb_copy_bits(skb, hdr_len,
__get_dynamic_array(buf1),
skb->len - hdr_len);
),
Reported by FlawFinder.
drivers/net/macsec.c
9 issues
Line: 257
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
sci_t sci;
memcpy(&sci, addr, ETH_ALEN);
memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
return sci;
}
Reported by FlawFinder.
Line: 258
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sci_t sci;
memcpy(&sci, addr, ETH_ALEN);
memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
return sci;
}
static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present)
Reported by FlawFinder.
Line: 268
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sci_t sci;
if (sci_present)
memcpy(&sci, hdr->secure_channel_id,
sizeof(hdr->secure_channel_id));
else
sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES);
return sci;
Reported by FlawFinder.
Line: 1821
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx.sa.assoc_num = assoc_num;
ctx.sa.rx_sa = rx_sa;
ctx.secy = secy;
memcpy(ctx.sa.key, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
secy->key_len);
err = macsec_offload(ops->mdo_add_rxsa, &ctx);
if (err)
goto cleanup;
Reported by FlawFinder.
Line: 2063
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx.sa.assoc_num = assoc_num;
ctx.sa.tx_sa = tx_sa;
ctx.secy = secy;
memcpy(ctx.sa.key, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
secy->key_len);
err = macsec_offload(ops->mdo_add_txsa, &ctx);
if (err)
goto cleanup;
Reported by FlawFinder.
Line: 3460
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_zero_ether_addr(dev->dev_addr))
eth_hw_addr_inherit(dev, real_dev);
if (is_zero_ether_addr(dev->broadcast))
memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len);
return 0;
}
static void macsec_dev_uninit(struct net_device *dev)
Reported by FlawFinder.
Line: 3841
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
cleanup:
memcpy(&macsec->secy.tx_sc, &tx_sc, sizeof(tx_sc));
memcpy(&macsec->secy, &secy, sizeof(secy));
return ret;
}
Reported by FlawFinder.
Line: 3842
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cleanup:
memcpy(&macsec->secy.tx_sc, &tx_sc, sizeof(tx_sc));
memcpy(&macsec->secy, &secy, sizeof(secy));
return ret;
}
static void macsec_del_dev(struct macsec_dev *macsec)
Reported by FlawFinder.
Line: 4121
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (data[IFLA_MACSEC_ICV_LEN]) {
icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
if (icv_len != DEFAULT_ICV_LEN) {
char dummy_key[DEFAULT_SAK_LEN] = { 0 };
struct crypto_aead *dummy_tfm;
dummy_tfm = macsec_alloc_tfm(dummy_key,
DEFAULT_SAK_LEN,
icv_len);
Reported by FlawFinder.
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
9 issues
Line: 224
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
err = (enum iavf_status)le32_to_cpu(event.desc.cookie_low);
memcpy(adapter->vf_res, event.msg_buf, min(event.msg_len, len));
/* some PFs send more queues than we should have so validate that
* we aren't getting too many queues
*/
if (!err)
Reported by FlawFinder.
Line: 862
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
vrk->vsi_id = adapter->vsi.id;
vrk->key_len = adapter->rss_key_size;
memcpy(vrk->key, adapter->rss_key, adapter->rss_key_size);
adapter->current_op = VIRTCHNL_OP_CONFIG_RSS_KEY;
adapter->aq_required &= ~IAVF_FLAG_AQ_SET_RSS_KEY;
iavf_send_pf_msg(adapter, VIRTCHNL_OP_CONFIG_RSS_KEY, (u8 *)vrk, len);
kfree(vrk);
Reported by FlawFinder.
Line: 894
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
vrl->vsi_id = adapter->vsi.id;
vrl->lut_entries = adapter->rss_lut_size;
memcpy(vrl->lut, adapter->rss_lut, adapter->rss_lut_size);
adapter->current_op = VIRTCHNL_OP_CONFIG_RSS_LUT;
adapter->aq_required &= ~IAVF_FLAG_AQ_SET_RSS_LUT;
iavf_send_pf_msg(adapter, VIRTCHNL_OP_CONFIG_RSS_LUT, (u8 *)vrl, len);
kfree(vrl);
}
Reported by FlawFinder.
Line: 1186
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list_for_each_entry(cf, &adapter->cloud_filter_list, list) {
if (cf->add) {
memcpy(f, &cf->f, sizeof(struct virtchnl_filter));
cf->add = false;
cf->state = __IAVF_CF_ADD_PENDING;
iavf_send_pf_msg(adapter, VIRTCHNL_OP_ADD_CLOUD_FILTER,
(u8 *)f, len);
}
Reported by FlawFinder.
Line: 1234
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list_for_each_entry_safe(cf, cftmp, &adapter->cloud_filter_list, list) {
if (cf->del) {
memcpy(f, &cf->f, sizeof(struct virtchnl_filter));
cf->del = false;
cf->state = __IAVF_CF_DEL_PENDING;
iavf_send_pf_msg(adapter, VIRTCHNL_OP_DEL_CLOUD_FILTER,
(u8 *)f, len);
}
Reported by FlawFinder.
Line: 1275
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fdir->state == IAVF_FDIR_FLTR_ADD_REQUEST) {
process_fltr = true;
fdir->state = IAVF_FDIR_FLTR_ADD_PENDING;
memcpy(f, &fdir->vc_add_msg, len);
break;
}
}
spin_unlock_bh(&adapter->fdir_fltr_lock);
Reported by FlawFinder.
Line: 1370
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rss->state == IAVF_ADV_RSS_ADD_REQUEST) {
process_rss = true;
rss->state = IAVF_ADV_RSS_ADD_PENDING;
memcpy(rss_cfg, &rss->cfg_msg, len);
iavf_print_adv_rss_cfg(adapter, rss,
"Input set change for",
"is pending");
break;
}
Reported by FlawFinder.
Line: 1421
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rss->state == IAVF_ADV_RSS_DEL_REQUEST) {
process_rss = true;
rss->state = IAVF_ADV_RSS_DEL_PENDING;
memcpy(rss_cfg, &rss->cfg_msg, len);
break;
}
}
spin_unlock_bh(&adapter->adv_rss_lock);
Reported by FlawFinder.
Line: 1711
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u16 len = sizeof(struct virtchnl_vf_resource) +
IAVF_MAX_VF_VSI *
sizeof(struct virtchnl_vsi_resource);
memcpy(adapter->vf_res, msg, min(msglen, len));
iavf_validate_num_queues(adapter);
iavf_vf_parse_hw_config(&adapter->hw, adapter->vf_res);
if (is_zero_ether_addr(adapter->hw.mac.addr)) {
/* restore current mac address */
ether_addr_copy(adapter->hw.mac.addr, netdev->dev_addr);
Reported by FlawFinder.