The following issues were found
drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
9 issues
Line: 106
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Also used for virtual UART.
*/
uint cbuf_idx;
char cbuf[CBUF_LEN];
};
#endif /* DEBUG */
#include <chipcommon.h>
Reported by FlawFinder.
Line: 1767
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rbuf += (bus->head_align - pad);
/* Copy the already-read portion over */
memcpy(buf, hdr, BRCMF_FIRSTREAD);
if (len <= BRCMF_FIRSTREAD)
goto gotpkt;
/* Raise rdlen to next SDIO block to avoid tail command */
rdlen = len - BRCMF_FIRSTREAD;
Reported by FlawFinder.
Line: 1810
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
brcmf_sdio_rxfail(bus, true, true);
goto done;
} else
memcpy(buf + BRCMF_FIRSTREAD, rbuf, rdlen);
gotpkt:
brcmf_dbg_hex_dump(BRCMF_BYTES_ON() && BRCMF_CTL_ON(),
buf, len, "RxCtrl:\n");
Reported by FlawFinder.
Line: 1957
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (head_read) {
skb_push(pkt, head_read);
memcpy(pkt->data, bus->rxhdr, head_read);
head_read = 0;
} else {
memcpy(bus->rxhdr, pkt->data, SDPCM_HDRLEN);
rd_new.seq_num = rd->seq_num;
sdio_claim_host(bus->sdiodev->func1);
Reported by FlawFinder.
Line: 1960
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pkt->data, bus->rxhdr, head_read);
head_read = 0;
} else {
memcpy(bus->rxhdr, pkt->data, SDPCM_HDRLEN);
rd_new.seq_num = rd->seq_num;
sdio_claim_host(bus->sdiodev->func1);
if (brcmf_sdio_hdparse(bus, bus->rxhdr, &rd_new,
BRCMF_SDIO_FT_NORMAL)) {
rd->len = 0;
Reported by FlawFinder.
Line: 2146
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kfree_skb(pkt_pad);
return ret;
}
memcpy(pkt_pad->data,
pkt->data + pkt->len - tail_chop,
tail_chop);
*(u16 *)(pkt_pad->cb) = ALIGN_SKB_FLAG + tail_chop;
skb_trim(pkt, pkt->len - tail_chop);
skb_trim(pkt_pad, tail_pad + tail_chop);
Reported by FlawFinder.
Line: 3081
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sdpcm_shared *sh)
{
int error = 0;
char file[80] = "?";
char expr[80] = "<???>";
if ((sh->flags & SDPCM_SHARED_ASSERT_BUILT) == 0) {
brcmf_dbg(INFO, "firmware not built with -assert\n");
return 0;
Reported by FlawFinder.
Line: 3082
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int error = 0;
char file[80] = "?";
char expr[80] = "<???>";
if ((sh->flags & SDPCM_SHARED_ASSERT_BUILT) == 0) {
brcmf_dbg(INFO, "firmware not built with -assert\n");
return 0;
} else if ((sh->flags & SDPCM_SHARED_ASSERT) == 0) {
Reported by FlawFinder.
Line: 3255
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_bh(&bus->rxctl_lock);
rxlen = bus->rxlen;
memcpy(msg, bus->rxctl, min(msglen, rxlen));
bus->rxctl = NULL;
buf = bus->rxctl_orig;
bus->rxctl_orig = NULL;
bus->rxlen = 0;
spin_unlock_bh(&bus->rxctl_lock);
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
9 issues
Line: 270
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_sp_acl_tcam_group *group)
{
struct mlxsw_sp_acl_tcam_region *region;
char pagt_pl[MLXSW_REG_PAGT_LEN];
int acl_index = 0;
mlxsw_reg_pagt_pack(pagt_pl, group->id);
list_for_each_entry(region, &group->region_list, list) {
bool multi = false;
Reported by FlawFinder.
Line: 371
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_sp_port *mlxsw_sp_port,
bool ingress)
{
char ppbt_pl[MLXSW_REG_PPBT_LEN];
mlxsw_reg_ppbt_pack(ppbt_pl, ingress ? MLXSW_REG_PXBT_E_IACL :
MLXSW_REG_PXBT_E_EACL,
MLXSW_REG_PXBT_OP_BIND, mlxsw_sp_port->local_port,
group->id);
Reported by FlawFinder.
Line: 386
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_sp_port *mlxsw_sp_port,
bool ingress)
{
char ppbt_pl[MLXSW_REG_PPBT_LEN];
mlxsw_reg_ppbt_pack(ppbt_pl, ingress ? MLXSW_REG_PXBT_E_IACL :
MLXSW_REG_PXBT_E_EACL,
MLXSW_REG_PXBT_OP_UNBIND, mlxsw_sp_port->local_port,
group->id);
Reported by FlawFinder.
Line: 613
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* and just use the template.
*/
if (vgroup->tmplt_elusage_set) {
memcpy(out, &vgroup->tmplt_elusage, sizeof(*out));
WARN_ON(!mlxsw_afk_element_usage_subset(elusage, out));
return;
}
for (i = 0; i < vgroup->patterns_count; i++) {
Reported by FlawFinder.
Line: 625
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mlxsw_afk_element_usage_subset(elusage, out))
return;
}
memcpy(out, elusage, sizeof(*out));
}
static int
mlxsw_sp_acl_tcam_region_alloc(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_acl_tcam_region *region)
Reported by FlawFinder.
Line: 633
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_sp_acl_tcam_region *region)
{
struct mlxsw_afk_key_info *key_info = region->key_info;
char ptar_pl[MLXSW_REG_PTAR_LEN];
unsigned int encodings_count;
int i;
int err;
mlxsw_reg_ptar_pack(ptar_pl, MLXSW_REG_PTAR_OP_ALLOC,
Reported by FlawFinder.
Line: 660
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
mlxsw_sp_acl_tcam_region_free(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_acl_tcam_region *region)
{
char ptar_pl[MLXSW_REG_PTAR_LEN];
mlxsw_reg_ptar_pack(ptar_pl, MLXSW_REG_PTAR_OP_FREE,
region->key_type, 0, region->id,
region->tcam_region_info);
mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(ptar), ptar_pl);
Reported by FlawFinder.
Line: 672
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
mlxsw_sp_acl_tcam_region_enable(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_acl_tcam_region *region)
{
char pacl_pl[MLXSW_REG_PACL_LEN];
mlxsw_reg_pacl_pack(pacl_pl, region->id, true,
region->tcam_region_info);
return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(pacl), pacl_pl);
}
Reported by FlawFinder.
Line: 683
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
mlxsw_sp_acl_tcam_region_disable(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_acl_tcam_region *region)
{
char pacl_pl[MLXSW_REG_PACL_LEN];
mlxsw_reg_pacl_pack(pacl_pl, region->id, false,
region->tcam_region_info);
mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(pacl), pacl_pl);
}
Reported by FlawFinder.
drivers/net/wireless/ath/ath10k/spectral.c
9 issues
Line: 147
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fft_sample->max_exp = get_max_exp(fft_sample->max_index, peak_mag,
bin_len, bins);
memcpy(fft_sample->data, bins, bin_len);
/* DC value (value in the middle) is the blind spot of the spectral
* sample and invalid, interpolate it.
*/
dc_pos = bin_len / 2;
Reported by FlawFinder.
Line: 306
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct ath10k *ar = file->private_data;
char buf[32];
ssize_t len;
int res;
len = min(count, sizeof(buf) - 1);
if (copy_from_user(buf, user_buf, len))
Reported by FlawFinder.
Line: 369
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct ath10k *ar = file->private_data;
char buf[32];
size_t len;
u8 spectral_count;
mutex_lock(&ar->conf_mutex);
spectral_count = ar->spectral.config.count;
Reported by FlawFinder.
Line: 377
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spectral_count = ar->spectral.config.count;
mutex_unlock(&ar->conf_mutex);
len = sprintf(buf, "%d\n", spectral_count);
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
static ssize_t write_file_spectral_count(struct file *file,
const char __user *user_buf,
Reported by FlawFinder.
Line: 387
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct ath10k *ar = file->private_data;
unsigned long val;
char buf[32];
ssize_t len;
len = min(count, sizeof(buf) - 1);
if (copy_from_user(buf, user_buf, len))
return -EFAULT;
Reported by FlawFinder.
Line: 421
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct ath10k *ar = file->private_data;
char buf[32];
unsigned int bins, fft_size, bin_scale;
size_t len;
mutex_lock(&ar->conf_mutex);
Reported by FlawFinder.
Line: 433
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_unlock(&ar->conf_mutex);
len = sprintf(buf, "%d\n", bins);
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
static ssize_t write_file_spectral_bins(struct file *file,
const char __user *user_buf,
Reported by FlawFinder.
Line: 443
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct ath10k *ar = file->private_data;
unsigned long val;
char buf[32];
ssize_t len;
len = min(count, sizeof(buf) - 1);
if (copy_from_user(buf, user_buf, len))
return -EFAULT;
Reported by FlawFinder.
Line: 297
Column: 8
CWE codes:
126
break;
}
len = strlen(mode);
return simple_read_from_buffer(user_buf, count, ppos, mode, len);
}
static ssize_t write_file_spec_scan_ctl(struct file *file,
const char __user *user_buf,
Reported by FlawFinder.
drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c
9 issues
Line: 122
Column: 22
CWE codes:
120
20
if (ret_val)
return IXGBE_ERR_SWFW_SYNC;
if (hw->eeprom.ops.read(hw, ++data_offset, &data_value))
goto setup_sfp_err;
while (data_value != 0xffff) {
IXGBE_WRITE_REG(hw, IXGBE_CORECTL, data_value);
IXGBE_WRITE_FLUSH(hw);
if (hw->eeprom.ops.read(hw, ++data_offset, &data_value))
Reported by FlawFinder.
Line: 127
Column: 23
CWE codes:
120
20
while (data_value != 0xffff) {
IXGBE_WRITE_REG(hw, IXGBE_CORECTL, data_value);
IXGBE_WRITE_FLUSH(hw);
if (hw->eeprom.ops.read(hw, ++data_offset, &data_value))
goto setup_sfp_err;
}
/* Release the semaphore */
hw->mac.ops.release_swfw_sync(hw, IXGBE_GSSR_MAC_CSR_SM);
Reported by FlawFinder.
Line: 485
Column: 17
CWE codes:
120
20
u32 autoc2_reg;
u16 ee_ctrl_2 = 0;
hw->eeprom.ops.read(hw, IXGBE_EEPROM_CTRL_2, &ee_ctrl_2);
if (!ixgbe_mng_present(hw) && !hw->wol_enabled &&
ee_ctrl_2 & IXGBE_EEPROM_CCD_BIT) {
autoc2_reg = IXGBE_READ_REG(hw, IXGBE_AUTOC2);
autoc2_reg |= IXGBE_AUTOC2_LINK_DISABLE_ON_D3_MASK;
Reported by FlawFinder.
Line: 1882
Column: 21
CWE codes:
120
20
/* get the offset to the Firmware Module block */
offset = IXGBE_FW_PTR;
if (hw->eeprom.ops.read(hw, offset, &fw_offset))
goto fw_version_err;
if (fw_offset == 0 || fw_offset == 0xFFFF)
return IXGBE_ERR_EEPROM_VERSION;
Reported by FlawFinder.
Line: 1890
Column: 21
CWE codes:
120
20
/* get the offset to the Pass Through Patch Configuration block */
offset = fw_offset + IXGBE_FW_PASSTHROUGH_PATCH_CONFIG_PTR;
if (hw->eeprom.ops.read(hw, offset, &fw_ptp_cfg_offset))
goto fw_version_err;
if (fw_ptp_cfg_offset == 0 || fw_ptp_cfg_offset == 0xFFFF)
return IXGBE_ERR_EEPROM_VERSION;
Reported by FlawFinder.
Line: 1898
Column: 21
CWE codes:
120
20
/* get the firmware version */
offset = fw_ptp_cfg_offset + IXGBE_FW_PATCH_VERSION_4;
if (hw->eeprom.ops.read(hw, offset, &fw_version))
goto fw_version_err;
if (fw_version > 0x5)
status = 0;
Reported by FlawFinder.
Line: 1924
Column: 26
CWE codes:
120
20
s32 status;
/* get the offset to the Firmware Module block */
status = hw->eeprom.ops.read(hw, IXGBE_FW_PTR, &fw_offset);
if (status || fw_offset == 0 || fw_offset == 0xFFFF)
return false;
/* get the offset to the LESM Parameters block */
Reported by FlawFinder.
Line: 1930
Column: 26
CWE codes:
120
20
return false;
/* get the offset to the LESM Parameters block */
status = hw->eeprom.ops.read(hw, (fw_offset +
IXGBE_FW_LESM_PARAMETERS_PTR),
&fw_lesm_param_offset);
if (status ||
fw_lesm_param_offset == 0 || fw_lesm_param_offset == 0xFFFF)
Reported by FlawFinder.
Line: 1939
Column: 26
CWE codes:
120
20
return false;
/* get the lesm state word */
status = hw->eeprom.ops.read(hw, (fw_lesm_param_offset +
IXGBE_FW_LESM_STATE_1),
&fw_lesm_state);
if (!status && (fw_lesm_state & IXGBE_FW_LESM_STATE_ENABLED))
return true;
Reported by FlawFinder.
drivers/net/hamradio/dmascc.c
9 issues
Line: 236
Column: 29
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
static inline void rx_on(struct scc_priv *priv);
static inline void rx_off(struct scc_priv *priv);
static void start_timer(struct scc_priv *priv, int t, int r15);
static inline unsigned char random(void);
static inline void z8530_isr(struct scc_info *info);
static irqreturn_t scc_isr(int irq, void *dev_id);
static void rx_isr(struct scc_priv *priv);
static void special_condition(struct scc_priv *priv, int rc);
Reported by FlawFinder.
Line: 1081
Column: 29
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
}
static inline unsigned char random(void)
{
/* See "Numerical Recipes in C", second edition, p. 284 */
rand = rand * 1664525L + 1013904223L;
return (unsigned char) (rand >> 24);
}
Reported by FlawFinder.
Line: 1447
Column: 9
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
} else {
priv->state = WAIT;
start_timer(priv,
random() / priv->param.persist *
priv->param.slottime, DCDIE);
}
break;
}
}
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int card_base, scc_cmd, scc_data;
int tmr_cnt, tmr_ctrl, tmr_mode;
struct scc_param param;
char rx_buf[NUM_RX_BUF][BUF_SIZE];
int rx_len[NUM_RX_BUF];
int rx_ptr;
struct work_struct rx_work;
int rx_head, rx_tail, rx_count;
int rx_over;
Reported by FlawFinder.
Line: 197
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct work_struct rx_work;
int rx_head, rx_tail, rx_count;
int rx_over;
char tx_buf[NUM_TX_BUF][BUF_SIZE];
int tx_len[NUM_TX_BUF];
int tx_ptr;
int tx_head, tx_tail, tx_count;
int state;
unsigned long tx_start;
Reported by FlawFinder.
Line: 427
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->mtu = 1500;
dev->addr_len = AX25_ADDR_LEN;
dev->tx_queue_len = 64;
memcpy(dev->broadcast, &ax25_bcast, AX25_ADDR_LEN);
memcpy(dev->dev_addr, &ax25_defaddr, AX25_ADDR_LEN);
}
static const struct net_device_ops scc_netdev_ops = {
.ndo_open = scc_open,
Reported by FlawFinder.
Line: 428
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->addr_len = AX25_ADDR_LEN;
dev->tx_queue_len = 64;
memcpy(dev->broadcast, &ax25_bcast, AX25_ADDR_LEN);
memcpy(dev->dev_addr, &ax25_defaddr, AX25_ADDR_LEN);
}
static const struct net_device_ops scc_netdev_ops = {
.ndo_open = scc_open,
.ndo_stop = scc_close,
Reported by FlawFinder.
Line: 961
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int scc_set_mac_address(struct net_device *dev, void *sa)
{
memcpy(dev->dev_addr, ((struct sockaddr *) sa)->sa_data,
dev->addr_len);
return 0;
}
Reported by FlawFinder.
Line: 1270
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fill buffer */
data = skb_put(skb, cb + 1);
data[0] = 0;
memcpy(&data[1], priv->rx_buf[i], cb);
skb->protocol = ax25_type_trans(skb, priv->dev);
netif_rx(skb);
priv->dev->stats.rx_packets++;
priv->dev->stats.rx_bytes += cb;
}
Reported by FlawFinder.
drivers/net/ethernet/i825xx/82596.c
9 issues
Line: 250
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mc_cmd {
struct i596_cmd cmd;
short mc_cnt;
char mc_addrs[MAX_MC_CNT*6];
};
struct sa_cmd {
struct i596_cmd cmd;
char eth_addr[8];
Reported by FlawFinder.
Line: 255
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sa_cmd {
struct i596_cmd cmd;
char eth_addr[8];
};
struct cf_cmd {
struct i596_cmd cmd;
char i596_config[16];
Reported by FlawFinder.
Line: 260
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cf_cmd {
struct i596_cmd cmd;
char i596_config[16];
};
struct i596_rfd {
unsigned short stat;
unsigned short cmd;
Reported by FlawFinder.
Line: 709
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DEB(DEB_INIT,printk(KERN_DEBUG "%s: queuing CmdConfigure\n", dev->name));
memcpy(lp->cf_cmd.i596_config, init_setup, 14);
lp->cf_cmd.cmd.command = CmdConfigure;
i596_add_cmd(dev, &lp->cf_cmd.cmd);
DEB(DEB_INIT,printk(KERN_DEBUG "%s: queuing CmdSASetup\n", dev->name));
memcpy(lp->sa_cmd.eth_addr, dev->dev_addr, ETH_ALEN);
Reported by FlawFinder.
Line: 714
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i596_add_cmd(dev, &lp->cf_cmd.cmd);
DEB(DEB_INIT,printk(KERN_DEBUG "%s: queuing CmdSASetup\n", dev->name));
memcpy(lp->sa_cmd.eth_addr, dev->dev_addr, ETH_ALEN);
lp->sa_cmd.cmd.command = CmdSASetup;
i596_add_cmd(dev, &lp->sa_cmd.cmd);
DEB(DEB_INIT,printk(KERN_DEBUG "%s: queuing CmdTDR\n", dev->name));
lp->tdr_cmd.cmd.command = CmdTDR;
Reported by FlawFinder.
Line: 1131
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct net_device *dev;
int i;
struct i596_private *lp;
char eth_addr[8];
static int probed;
int err;
if (probed)
return ERR_PTR(-ENODEV);
Reported by FlawFinder.
Line: 1144
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ERR_PTR(-ENOMEM);
if (unit >= 0) {
sprintf(dev->name, "eth%d", unit);
netdev_boot_setup_check(dev);
} else {
dev->base_addr = io;
dev->irq = irq;
}
Reported by FlawFinder.
Line: 1158
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -ENODEV;
goto out;
}
memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN); /* YUCK! Get addr from NOVRAM */
dev->base_addr = MVME_I596_BASE;
dev->irq = (unsigned) MVME16x_IRQ_I596;
goto found;
}
#endif
Reported by FlawFinder.
Line: 1508
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netdev_for_each_mc_addr(ha, dev) {
if (!cnt--)
break;
memcpy(cp, ha->addr, ETH_ALEN);
if (i596_debug > 1)
DEB(DEB_MULTI,printk(KERN_INFO "%s: Adding address %pM\n",
dev->name, cp));
cp += ETH_ALEN;
}
Reported by FlawFinder.
drivers/net/wireless/ath/ath11k/debugfs_sta.c
9 issues
Line: 218
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
struct ath11k *ar = arsta->arvif->ar;
struct ath11k_htt_data_stats *stats;
static const char *str_name[ATH11K_STATS_TYPE_MAX] = {"succ", "fail",
"retry", "ampdu"};
static const char *str[ATH11K_COUNTER_TYPE_MAX] = {"bytes", "packets"};
int len = 0, i, j, k, retval = 0;
const int size = 2 * 4096;
char *buf;
Reported by FlawFinder.
Line: 220
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath11k_htt_data_stats *stats;
static const char *str_name[ATH11K_STATS_TYPE_MAX] = {"succ", "fail",
"retry", "ampdu"};
static const char *str[ATH11K_COUNTER_TYPE_MAX] = {"bytes", "packets"};
int len = 0, i, j, k, retval = 0;
const int size = 2 * 4096;
char *buf;
if (!arsta->tx_stats)
Reported by FlawFinder.
Line: 431
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&ar->conf_mutex);
ar->debug.htt_stats.stats_req = stats_req;
stats_req->type = ATH11K_DBG_HTT_EXT_STATS_PEER_INFO;
memcpy(stats_req->peer_addr, sta->addr, ETH_ALEN);
ret = ath11k_debugfs_htt_stats_req(ar);
mutex_unlock(&ar->conf_mutex);
if (ret < 0)
goto out;
Reported by FlawFinder.
Line: 502
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
ar->debug.pktlog_peer_valid = enable;
memcpy(ar->debug.pktlog_peer_addr, sta->addr, ETH_ALEN);
/* Send peer based pktlog enable/disable */
ret = ath11k_wmi_pdev_peer_pktlog_filter(ar, sta->addr, enable);
if (ret) {
ath11k_warn(ar->ab, "failed to set peer pktlog filter %pM: %d\n",
Reported by FlawFinder.
Line: 528
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ieee80211_sta *sta = file->private_data;
struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
struct ath11k *ar = arsta->arvif->ar;
char buf[32] = {0};
int len;
mutex_lock(&ar->conf_mutex);
len = scnprintf(buf, sizeof(buf), "%08x %pM\n",
ar->debug.pktlog_peer_valid,
Reported by FlawFinder.
Line: 557
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath11k *ar = arsta->arvif->ar;
u32 tid, initiator, reason;
int ret;
char buf[64] = {0};
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
user_buf, count);
if (ret <= 0)
return ret;
Reported by FlawFinder.
Line: 608
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath11k *ar = arsta->arvif->ar;
u32 tid, status;
int ret;
char buf[64] = {0};
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
user_buf, count);
if (ret <= 0)
return ret;
Reported by FlawFinder.
Line: 658
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath11k *ar = arsta->arvif->ar;
u32 tid, buf_size;
int ret;
char buf[64] = {0};
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
user_buf, count);
if (ret <= 0)
return ret;
Reported by FlawFinder.
Line: 707
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ieee80211_sta *sta = file->private_data;
struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
struct ath11k *ar = arsta->arvif->ar;
char buf[64];
int len = 0;
mutex_lock(&ar->conf_mutex);
len = scnprintf(buf, sizeof(buf) - len,
"aggregation mode: %s\n\n%s\n%s\n",
Reported by FlawFinder.
drivers/net/wireless/ath/ath11k/hw.c
9 issues
Line: 346
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void ath11k_hw_ipq8074_rx_desc_copy_attn_end(struct hal_rx_desc *fdesc,
struct hal_rx_desc *ldesc)
{
memcpy((u8 *)&fdesc->u.ipq8074.msdu_end, (u8 *)&ldesc->u.ipq8074.msdu_end,
sizeof(struct rx_msdu_end_ipq8074));
memcpy((u8 *)&fdesc->u.ipq8074.attention, (u8 *)&ldesc->u.ipq8074.attention,
sizeof(struct rx_attention));
memcpy((u8 *)&fdesc->u.ipq8074.mpdu_end, (u8 *)&ldesc->u.ipq8074.mpdu_end,
sizeof(struct rx_mpdu_end));
Reported by FlawFinder.
Line: 348
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
memcpy((u8 *)&fdesc->u.ipq8074.msdu_end, (u8 *)&ldesc->u.ipq8074.msdu_end,
sizeof(struct rx_msdu_end_ipq8074));
memcpy((u8 *)&fdesc->u.ipq8074.attention, (u8 *)&ldesc->u.ipq8074.attention,
sizeof(struct rx_attention));
memcpy((u8 *)&fdesc->u.ipq8074.mpdu_end, (u8 *)&ldesc->u.ipq8074.mpdu_end,
sizeof(struct rx_mpdu_end));
}
Reported by FlawFinder.
Line: 350
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct rx_msdu_end_ipq8074));
memcpy((u8 *)&fdesc->u.ipq8074.attention, (u8 *)&ldesc->u.ipq8074.attention,
sizeof(struct rx_attention));
memcpy((u8 *)&fdesc->u.ipq8074.mpdu_end, (u8 *)&ldesc->u.ipq8074.mpdu_end,
sizeof(struct rx_mpdu_end));
}
static u32 ath11k_hw_ipq8074_rx_desc_get_mpdu_start_tag(struct hal_rx_desc *desc)
{
Reported by FlawFinder.
Line: 506
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void ath11k_hw_qcn9074_rx_desc_copy_attn_end(struct hal_rx_desc *fdesc,
struct hal_rx_desc *ldesc)
{
memcpy((u8 *)&fdesc->u.qcn9074.msdu_end, (u8 *)&ldesc->u.qcn9074.msdu_end,
sizeof(struct rx_msdu_end_qcn9074));
memcpy((u8 *)&fdesc->u.qcn9074.attention, (u8 *)&ldesc->u.qcn9074.attention,
sizeof(struct rx_attention));
memcpy((u8 *)&fdesc->u.qcn9074.mpdu_end, (u8 *)&ldesc->u.qcn9074.mpdu_end,
sizeof(struct rx_mpdu_end));
Reported by FlawFinder.
Line: 508
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
memcpy((u8 *)&fdesc->u.qcn9074.msdu_end, (u8 *)&ldesc->u.qcn9074.msdu_end,
sizeof(struct rx_msdu_end_qcn9074));
memcpy((u8 *)&fdesc->u.qcn9074.attention, (u8 *)&ldesc->u.qcn9074.attention,
sizeof(struct rx_attention));
memcpy((u8 *)&fdesc->u.qcn9074.mpdu_end, (u8 *)&ldesc->u.qcn9074.mpdu_end,
sizeof(struct rx_mpdu_end));
}
Reported by FlawFinder.
Line: 510
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct rx_msdu_end_qcn9074));
memcpy((u8 *)&fdesc->u.qcn9074.attention, (u8 *)&ldesc->u.qcn9074.attention,
sizeof(struct rx_attention));
memcpy((u8 *)&fdesc->u.qcn9074.mpdu_end, (u8 *)&ldesc->u.qcn9074.mpdu_end,
sizeof(struct rx_mpdu_end));
}
static u32 ath11k_hw_qcn9074_rx_desc_get_mpdu_start_tag(struct hal_rx_desc *desc)
{
Reported by FlawFinder.
Line: 666
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void ath11k_hw_wcn6855_rx_desc_copy_attn_end(struct hal_rx_desc *fdesc,
struct hal_rx_desc *ldesc)
{
memcpy((u8 *)&fdesc->u.wcn6855.msdu_end, (u8 *)&ldesc->u.wcn6855.msdu_end,
sizeof(struct rx_msdu_end_wcn6855));
memcpy((u8 *)&fdesc->u.wcn6855.attention, (u8 *)&ldesc->u.wcn6855.attention,
sizeof(struct rx_attention));
memcpy((u8 *)&fdesc->u.wcn6855.mpdu_end, (u8 *)&ldesc->u.wcn6855.mpdu_end,
sizeof(struct rx_mpdu_end));
Reported by FlawFinder.
Line: 668
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
memcpy((u8 *)&fdesc->u.wcn6855.msdu_end, (u8 *)&ldesc->u.wcn6855.msdu_end,
sizeof(struct rx_msdu_end_wcn6855));
memcpy((u8 *)&fdesc->u.wcn6855.attention, (u8 *)&ldesc->u.wcn6855.attention,
sizeof(struct rx_attention));
memcpy((u8 *)&fdesc->u.wcn6855.mpdu_end, (u8 *)&ldesc->u.wcn6855.mpdu_end,
sizeof(struct rx_mpdu_end));
}
Reported by FlawFinder.
Line: 670
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct rx_msdu_end_wcn6855));
memcpy((u8 *)&fdesc->u.wcn6855.attention, (u8 *)&ldesc->u.wcn6855.attention,
sizeof(struct rx_attention));
memcpy((u8 *)&fdesc->u.wcn6855.mpdu_end, (u8 *)&ldesc->u.wcn6855.mpdu_end,
sizeof(struct rx_mpdu_end));
}
static u32 ath11k_hw_wcn6855_rx_desc_get_mpdu_start_tag(struct hal_rx_desc *desc)
{
Reported by FlawFinder.
drivers/net/wireless/ath/ath11k/spectral.c
9 issues
Line: 298
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct ath11k *ar = file->private_data;
char buf[32];
ssize_t len;
int ret;
len = min(count, sizeof(buf) - 1);
if (copy_from_user(buf, user_buf, len))
Reported by FlawFinder.
Line: 363
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct ath11k *ar = file->private_data;
char buf[32];
size_t len;
u16 spectral_count;
mutex_lock(&ar->conf_mutex);
spectral_count = ar->spectral.count;
Reported by FlawFinder.
Line: 371
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spectral_count = ar->spectral.count;
mutex_unlock(&ar->conf_mutex);
len = sprintf(buf, "%d\n", spectral_count);
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
static ssize_t ath11k_write_file_spectral_count(struct file *file,
const char __user *user_buf,
Reported by FlawFinder.
Line: 381
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct ath11k *ar = file->private_data;
unsigned long val;
char buf[32];
ssize_t len;
len = min(count, sizeof(buf) - 1);
if (copy_from_user(buf, user_buf, len))
return -EFAULT;
Reported by FlawFinder.
Line: 415
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct ath11k *ar = file->private_data;
char buf[32];
unsigned int bins, fft_size;
size_t len;
mutex_lock(&ar->conf_mutex);
Reported by FlawFinder.
Line: 426
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_unlock(&ar->conf_mutex);
len = sprintf(buf, "%d\n", bins);
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
static ssize_t ath11k_write_file_spectral_bins(struct file *file,
const char __user *user_buf,
Reported by FlawFinder.
Line: 436
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct ath11k *ar = file->private_data;
unsigned long val;
char buf[32];
ssize_t len;
len = min(count, sizeof(buf) - 1);
if (copy_from_user(buf, user_buf, len))
return -EFAULT;
Reported by FlawFinder.
Line: 498
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
report->gain_change = FIELD_GET(SPECTRAL_SUMMARY_INFO2_GAIN_CHANGE,
__le32_to_cpu(summary->info2));
memcpy(&report->meta, meta, sizeof(*meta));
return 0;
}
static int ath11k_spectral_pull_search(struct ath11k *ar,
Reported by FlawFinder.
Line: 289
Column: 8
CWE codes:
126
break;
}
len = strlen(mode);
return simple_read_from_buffer(user_buf, count, ppos, mode, len);
}
static ssize_t ath11k_write_file_spec_scan_ctl(struct file *file,
const char __user *user_buf,
Reported by FlawFinder.
drivers/net/ethernet/pensando/ionic/ionic_if.h
9 issues
Line: 248
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
__le32 os_type;
__le32 os_dist;
char os_dist_str[128];
__le32 kernel_ver;
char kernel_ver_str[32];
char driver_ver_str[32];
};
__le32 words[478];
Reported by FlawFinder.
Line: 250
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 os_dist;
char os_dist_str[128];
__le32 kernel_ver;
char kernel_ver_str[32];
char driver_ver_str[32];
};
__le32 words[478];
};
Reported by FlawFinder.
Line: 251
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char os_dist_str[128];
__le32 kernel_ver;
char kernel_ver_str[32];
char driver_ver_str[32];
};
__le32 words[478];
};
/**
Reported by FlawFinder.
Line: 456
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
u8 state;
u8 rsvd[3];
char name[IONIC_IFNAMSIZ];
__le32 mtu;
u8 mac[6];
__le16 vlan;
__le64 features;
__le32 queue_count[IONIC_QTYPE_MAX];
Reported by FlawFinder.
Line: 1644
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le16 rsvd;
union {
u8 state;
char name[IONIC_IFNAMSIZ];
__le64 features;
u8 rsvd2[60];
} __packed;
};
Reported by FlawFinder.
Line: 1752
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le16 index;
union {
u8 state;
char name[IONIC_IFNAMSIZ];
__le32 mtu;
u8 mac[6];
__le64 features;
struct {
__le16 types;
Reported by FlawFinder.
Line: 2150
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 sched_type;
u8 class_type;
u8 pause_type;
char name[IONIC_QOS_CLASS_NAME_SZ];
__le32 mtu;
/* flow control */
u8 pfc_cos;
/* scheduler */
union {
Reported by FlawFinder.
Line: 2955
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define IONIC_FW_STS_F_RUNNING 0x1
u8 fw_status;
u32 fw_heartbeat;
char fw_version[IONIC_DEVINFO_FWVERS_BUFLEN];
char serial_num[IONIC_DEVINFO_SERIAL_BUFLEN];
u8 rsvd_pad1024[948];
struct ionic_hwstamp_regs hwstamp;
};
u32 words[512];
Reported by FlawFinder.
Line: 2956
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 fw_status;
u32 fw_heartbeat;
char fw_version[IONIC_DEVINFO_FWVERS_BUFLEN];
char serial_num[IONIC_DEVINFO_SERIAL_BUFLEN];
u8 rsvd_pad1024[948];
struct ionic_hwstamp_regs hwstamp;
};
u32 words[512];
};
Reported by FlawFinder.