The following issues were found
drivers/net/ethernet/huawei/hinic/hinic_ethtool.c
9 issues
Line: 1491
Column: 5
CWE codes:
134
Suggestion:
Make format string constant
for (i = 0; i < nic_dev->num_qps; i++) {
for (j = 0; j < ARRAY_LEN(hinic_tx_queue_stats); j++) {
sprintf(p, hinic_tx_queue_stats[j].name, i);
p += ETH_GSTRING_LEN;
}
}
for (i = 0; i < nic_dev->num_qps; i++) {
Reported by FlawFinder.
Line: 1498
Column: 5
CWE codes:
134
Suggestion:
Make format string constant
for (i = 0; i < nic_dev->num_qps; i++) {
for (j = 0; j < ARRAY_LEN(hinic_rx_queue_stats); j++) {
sprintf(p, hinic_rx_queue_stats[j].name, i);
p += ETH_GSTRING_LEN;
}
}
return;
Reported by FlawFinder.
Line: 464
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 set_settings, u8 autoneg, u32 speed)
{
struct hinic_link_ksettings_info settings = {0};
char set_link_str[SET_LINK_STR_MAX_LEN] = {0};
const char *autoneg_str;
struct net_device *netdev = nic_dev->netdev;
enum nic_speed_level speed_level = 0;
int err;
Reported by FlawFinder.
Line: 1067
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(nic_dev->rss_indir_user, indir,
sizeof(u32) * HINIC_RSS_INDIR_SIZE);
err = hinic_rss_set_indir_tbl(nic_dev,
nic_dev->rss_tmpl_idx, indir);
if (err)
Reported by FlawFinder.
Line: 1085
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(nic_dev->rss_hkey_user, key, HINIC_RSS_KEY_SIZE);
err = hinic_rss_set_template_tbl(nic_dev,
nic_dev->rss_tmpl_idx, key);
if (err)
return -EFAULT;
Reported by FlawFinder.
Line: 1474
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_TEST:
memcpy(data, *hinic_test_strings, sizeof(hinic_test_strings));
return;
case ETH_SS_STATS:
for (i = 0; i < ARRAY_LEN(hinic_function_stats); i++) {
memcpy(p, hinic_function_stats[i].name,
ETH_GSTRING_LEN);
Reported by FlawFinder.
Line: 1478
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
case ETH_SS_STATS:
for (i = 0; i < ARRAY_LEN(hinic_function_stats); i++) {
memcpy(p, hinic_function_stats[i].name,
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
for (i = 0; i < ARRAY_LEN(hinic_port_stats); i++) {
Reported by FlawFinder.
Line: 1484
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (i = 0; i < ARRAY_LEN(hinic_port_stats); i++) {
memcpy(p, hinic_port_stats[i].name,
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
for (i = 0; i < nic_dev->num_qps; i++) {
Reported by FlawFinder.
Line: 1762
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
return err;
memcpy(data, sfp_data + ee->offset, ee->len);
return 0;
}
static int
Reported by FlawFinder.
drivers/net/ethernet/mscc/ocelot.c
9 issues
Line: 40
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static void ocelot_mact_select(struct ocelot *ocelot,
const unsigned char mac[ETH_ALEN],
unsigned int vid)
{
u32 macl = 0, mach = 0;
/* Set the MAC address to handle and the vlan associated in a format
Reported by FlawFinder.
Line: 62
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
int ocelot_mact_learn(struct ocelot *ocelot, int port,
const unsigned char mac[ETH_ALEN],
unsigned int vid, enum macaccess_entry_type type)
{
u32 cmd = ANA_TABLES_MACACCESS_VALID |
ANA_TABLES_MACACCESS_DEST_IDX(port) |
ANA_TABLES_MACACCESS_ENTRYTYPE(type) |
Reported by FlawFinder.
Line: 92
Column: 25
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
EXPORT_SYMBOL(ocelot_mact_learn);
int ocelot_mact_forget(struct ocelot *ocelot,
const unsigned char mac[ETH_ALEN], unsigned int vid)
{
ocelot_mact_select(ocelot, mac, vid);
/* Issue a forget command */
ocelot_write(ocelot,
Reported by FlawFinder.
Line: 992
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ocelot_mact_entry *entry)
{
u32 val, dst, macl, mach;
char mac[ETH_ALEN];
/* Set row and column to read from */
ocelot_field_write(ocelot, ANA_TABLES_MACTINDX_M_INDEX, row);
ocelot_field_write(ocelot, ANA_TABLES_MACTINDX_BUCKET, col);
Reported by FlawFinder.
Line: 1133
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Commit back the result & save it */
memcpy(&ocelot->hwtstamp_config, &cfg, sizeof(cfg));
mutex_unlock(&ocelot->ptp_lock);
return copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg)) ? -EFAULT : 0;
}
EXPORT_SYMBOL(ocelot_hwstamp_set);
Reported by FlawFinder.
Line: 1148
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
for (i = 0; i < ocelot->num_stats; i++)
memcpy(data + i * ETH_GSTRING_LEN, ocelot->stats_layout[i].name,
ETH_GSTRING_LEN);
}
EXPORT_SYMBOL(ocelot_get_strings);
static void ocelot_update_stats(struct ocelot *ocelot)
Reported by FlawFinder.
Line: 1498
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ocelot_port_mdb_add(struct ocelot *ocelot, int port,
const struct switchdev_obj_port_mdb *mdb)
{
unsigned char addr[ETH_ALEN];
struct ocelot_multicast *mc;
struct ocelot_pgid *pgid;
u16 vid = mdb->vid;
if (port == ocelot->npi)
Reported by FlawFinder.
Line: 1554
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ocelot_port_mdb_del(struct ocelot *ocelot, int port,
const struct switchdev_obj_port_mdb *mdb)
{
unsigned char addr[ETH_ALEN];
struct ocelot_multicast *mc;
struct ocelot_pgid *pgid;
u16 vid = mdb->vid;
if (port == ocelot->npi)
Reported by FlawFinder.
Line: 2016
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ocelot_init(struct ocelot *ocelot)
{
char queue_name[32];
int i, ret;
u32 port;
if (ocelot->ops->reset) {
ret = ocelot->ops->reset(ocelot);
Reported by FlawFinder.
drivers/net/wireless/ath/ath9k/hif_usb.c
9 issues
Line: 1149
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (first) {
if (htc_use_dev_fw) {
hif_dev->fw_minor_index = FIRMWARE_MINOR_IDX_MAX + 1;
sprintf(index, "%s", "dev");
} else {
hif_dev->fw_minor_index = FIRMWARE_MINOR_IDX_MAX;
sprintf(index, "%d", hif_dev->fw_minor_index);
}
} else {
Reported by FlawFinder.
Line: 346
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*hdr++ = cpu_to_le16(nskb->len);
*hdr++ = cpu_to_le16(ATH_USB_TX_STREAM_MODE_TAG);
buf += 4;
memcpy(buf, nskb->data, nskb->len);
tx_buf->len = nskb->len + 4;
if (i < (tx_skb_cnt - 1))
tx_buf->offset += (((tx_buf->len - 1) / 4) + 1) * 4;
Reported by FlawFinder.
Line: 562
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rx_remain_len -= hif_dev->rx_pad_len;
ptr += rx_pkt_len;
memcpy(ptr, skb->data, rx_remain_len);
rx_pkt_len += rx_remain_len;
hif_dev->rx_remain_len = 0;
skb_put(remain_skb, rx_pkt_len);
Reported by FlawFinder.
Line: 617
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_reserve(nskb, 32);
RX_STAT_INC(skb_allocated);
memcpy(nskb->data, &(skb->data[chk_idx+4]),
hif_dev->rx_transfer_len);
/* Record the buffer pointer */
hif_dev->remain_skb = nskb;
spin_unlock(&hif_dev->rx_lock);
Reported by FlawFinder.
Line: 638
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_reserve(nskb, 32);
RX_STAT_INC(skb_allocated);
memcpy(nskb->data, &(skb->data[chk_idx+4]), pkt_len);
skb_put(nskb, pkt_len);
skb_pool[pool_index++] = nskb;
}
}
Reported by FlawFinder.
Line: 1050
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (len) {
transfer = min_t(size_t, len, 4096);
memcpy(buf, data, transfer);
err = usb_control_msg(hif_dev->udev,
usb_sndctrlpipe(hif_dev->udev, 0),
FIRMWARE_DOWNLOAD, 0x40 | USB_DIR_OUT,
addr >> 8, 0, buf, transfer,
Reported by FlawFinder.
Line: 1143
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ath9k_hif_request_firmware(struct hif_device_usb *hif_dev,
bool first)
{
char index[8], *chip;
int ret;
if (first) {
if (htc_use_dev_fw) {
hif_dev->fw_minor_index = FIRMWARE_MINOR_IDX_MAX + 1;
Reported by FlawFinder.
Line: 1152
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(index, "%s", "dev");
} else {
hif_dev->fw_minor_index = FIRMWARE_MINOR_IDX_MAX;
sprintf(index, "%d", hif_dev->fw_minor_index);
}
} else {
hif_dev->fw_minor_index--;
sprintf(index, "%d", hif_dev->fw_minor_index);
}
Reported by FlawFinder.
Line: 1156
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
} else {
hif_dev->fw_minor_index--;
sprintf(index, "%d", hif_dev->fw_minor_index);
}
/* test for FW 1.3 */
if (MAJOR_VERSION_REQ == 1 && hif_dev->fw_minor_index == 3) {
const char *filename;
Reported by FlawFinder.
drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c
9 issues
Line: 32
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
reg = rvu_read64(rvu, block->addr, NPA_AF_AQ_STATUS);
head = (reg >> 4) & AQ_PTR_MASK;
memcpy((void *)(aq->inst->base + (head * aq->inst->entry_sz)),
(void *)inst, aq->inst->entry_sz);
memset(result, 0, sizeof(*result));
/* sync into memory */
wmb();
Reported by FlawFinder.
Line: 113
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case NPA_AQ_INSTOP_WRITE:
/* Copy context and write mask */
if (req->ctype == NPA_AQ_CTYPE_AURA) {
memcpy(mask, &req->aura_mask,
sizeof(struct npa_aura_s));
memcpy(ctx, &req->aura, sizeof(struct npa_aura_s));
} else {
memcpy(mask, &req->pool_mask,
sizeof(struct npa_pool_s));
Reported by FlawFinder.
Line: 115
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (req->ctype == NPA_AQ_CTYPE_AURA) {
memcpy(mask, &req->aura_mask,
sizeof(struct npa_aura_s));
memcpy(ctx, &req->aura, sizeof(struct npa_aura_s));
} else {
memcpy(mask, &req->pool_mask,
sizeof(struct npa_pool_s));
memcpy(ctx, &req->pool, sizeof(struct npa_pool_s));
}
Reported by FlawFinder.
Line: 117
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct npa_aura_s));
memcpy(ctx, &req->aura, sizeof(struct npa_aura_s));
} else {
memcpy(mask, &req->pool_mask,
sizeof(struct npa_pool_s));
memcpy(ctx, &req->pool, sizeof(struct npa_pool_s));
}
break;
case NPA_AQ_INSTOP_INIT:
Reported by FlawFinder.
Line: 119
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
memcpy(mask, &req->pool_mask,
sizeof(struct npa_pool_s));
memcpy(ctx, &req->pool, sizeof(struct npa_pool_s));
}
break;
case NPA_AQ_INSTOP_INIT:
if (req->ctype == NPA_AQ_CTYPE_AURA) {
if (req->aura.pool_addr >= pfvf->pool_ctx->qsize) {
Reported by FlawFinder.
Line: 131
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Set pool's context address */
req->aura.pool_addr = pfvf->pool_ctx->iova +
(req->aura.pool_addr * pfvf->pool_ctx->entry_sz);
memcpy(ctx, &req->aura, sizeof(struct npa_aura_s));
} else { /* POOL's context */
memcpy(ctx, &req->pool, sizeof(struct npa_pool_s));
}
break;
case NPA_AQ_INSTOP_NOP:
Reported by FlawFinder.
Line: 133
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(req->aura.pool_addr * pfvf->pool_ctx->entry_sz);
memcpy(ctx, &req->aura, sizeof(struct npa_aura_s));
} else { /* POOL's context */
memcpy(ctx, &req->pool, sizeof(struct npa_pool_s));
}
break;
case NPA_AQ_INSTOP_NOP:
case NPA_AQ_INSTOP_READ:
case NPA_AQ_INSTOP_LOCK:
Reported by FlawFinder.
Line: 193
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy read context into mailbox */
if (req->op == NPA_AQ_INSTOP_READ) {
if (req->ctype == NPA_AQ_CTYPE_AURA)
memcpy(&rsp->aura, ctx,
sizeof(struct npa_aura_s));
else
memcpy(&rsp->pool, ctx,
sizeof(struct npa_pool_s));
}
Reported by FlawFinder.
Line: 196
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&rsp->aura, ctx,
sizeof(struct npa_aura_s));
else
memcpy(&rsp->pool, ctx,
sizeof(struct npa_pool_s));
}
}
return 0;
Reported by FlawFinder.
drivers/net/wireless/ath/ath9k/tx99.c
9 issues
Line: 71
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr->frame_control = cpu_to_le16(IEEE80211_FTYPE_DATA);
hdr->duration_id = 0;
memcpy(hdr->addr1, hw->wiphy->perm_addr, ETH_ALEN);
memcpy(hdr->addr2, hw->wiphy->perm_addr, ETH_ALEN);
memcpy(hdr->addr3, hw->wiphy->perm_addr, ETH_ALEN);
if (sc->tx99_vif) {
avp = (struct ath_vif *) sc->tx99_vif->drv_priv;
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr->duration_id = 0;
memcpy(hdr->addr1, hw->wiphy->perm_addr, ETH_ALEN);
memcpy(hdr->addr2, hw->wiphy->perm_addr, ETH_ALEN);
memcpy(hdr->addr3, hw->wiphy->perm_addr, ETH_ALEN);
if (sc->tx99_vif) {
avp = (struct ath_vif *) sc->tx99_vif->drv_priv;
hdr->seq_ctrl |= cpu_to_le16(avp->seq_no);
Reported by FlawFinder.
Line: 73
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(hdr->addr1, hw->wiphy->perm_addr, ETH_ALEN);
memcpy(hdr->addr2, hw->wiphy->perm_addr, ETH_ALEN);
memcpy(hdr->addr3, hw->wiphy->perm_addr, ETH_ALEN);
if (sc->tx99_vif) {
avp = (struct ath_vif *) sc->tx99_vif->drv_priv;
hdr->seq_ctrl |= cpu_to_le16(avp->seq_no);
}
Reported by FlawFinder.
Line: 93
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rate->flags |= IEEE80211_TX_RC_40_MHZ_WIDTH;
}
memcpy(skb->data + sizeof(*hdr), PN9Data, sizeof(PN9Data));
return skb;
}
static void ath9k_tx99_deinit(struct ath_softc *sc)
Reported by FlawFinder.
Line: 163
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct ath_softc *sc = file->private_data;
char buf[3];
unsigned int len;
len = sprintf(buf, "%d\n", sc->tx99_state);
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
Reported by FlawFinder.
Line: 166
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[3];
unsigned int len;
len = sprintf(buf, "%d\n", sc->tx99_state);
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
size_t count, loff_t *ppos)
Reported by FlawFinder.
Line: 175
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct ath_softc *sc = file->private_data;
struct ath_common *common = ath9k_hw_common(sc->sc_ah);
char buf[32];
bool start;
ssize_t len;
int r;
if (count < 1)
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct ath_softc *sc = file->private_data;
char buf[32];
unsigned int len;
len = sprintf(buf, "%d (%d dBm)\n",
sc->tx99_power,
sc->tx99_power / 2);
Reported by FlawFinder.
Line: 235
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[32];
unsigned int len;
len = sprintf(buf, "%d (%d dBm)\n",
sc->tx99_power,
sc->tx99_power / 2);
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
Reported by FlawFinder.
drivers/net/usb/r8152.c
9 issues
Line: 913
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *fw_name;
const struct firmware *fw;
char version[RTL_VER_SIZE];
int (*pre_fw)(struct r8152 *tp);
int (*post_fw)(struct r8152 *tp);
bool retry;
} rtl_fw;
Reported by FlawFinder.
Line: 969
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct fw_header {
u8 checksum[32];
char version[RTL_VER_SIZE];
struct fw_block blocks[];
} __packed;
enum rtl8152_fw_flags {
FW_FLAGS_USB = 0,
Reported by FlawFinder.
Line: 1209
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret < 0)
memset(data, 0xff, size);
else
memcpy(data, tmp, size);
kfree(tmp);
return ret;
}
Reported by FlawFinder.
Line: 1573
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&tp->control);
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
ocp_write_byte(tp, MCU_TYPE_PLA, PLA_CRWECR, CRWECR_CONFIG);
pla_ocp_write(tp, PLA_IDR, BYTE_EN_SIX_BYTES, 8, addr->sa_data);
ocp_write_byte(tp, MCU_TYPE_PLA, PLA_CRWECR, CRWECR_NORAML);
Reported by FlawFinder.
Line: 1603
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union acpi_object *obj;
int ret = -EINVAL;
u32 ocp_data;
unsigned char buf[6];
char *mac_obj_name;
acpi_object_type mac_obj_type;
int mac_strlen;
if (tp->lenovo_macpassthru) {
Reported by FlawFinder.
Line: 1664
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -EINVAL;
goto amacout;
}
memcpy(sa->sa_data, buf, 6);
netif_info(tp, probe, tp->netdev,
"Using pass-thru MAC addr %pM\n", sa->sa_data);
amacout:
kfree(obj);
Reported by FlawFinder.
Line: 2486
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
skb->ip_summed = r8152_rx_csum(tp, rx_desc);
memcpy(skb->data, rx_data, rx_frag_head_sz);
skb_put(skb, rx_frag_head_sz);
pkt_len -= rx_frag_head_sz;
rx_data += rx_frag_head_sz;
if (pkt_len) {
skb_add_rx_frag(skb, 0, agg->page,
Reported by FlawFinder.
Line: 4460
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static long rtl8152_fw_verify_checksum(struct r8152 *tp,
struct fw_header *fw_hdr, size_t size)
{
unsigned char checksum[sizeof(fw_hdr->checksum)];
struct crypto_shash *alg;
struct shash_desc *sdesc;
size_t len;
long rc;
Reported by FlawFinder.
Line: 8710
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
switch (stringset) {
case ETH_SS_STATS:
memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));
break;
}
}
static int r8152_get_eee(struct r8152 *tp, struct ethtool_eee *eee)
Reported by FlawFinder.
drivers/net/wireless/broadcom/b43legacy/main.c
9 issues
Line: 67
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_PARM_DESC(bad_frames_preempt, "enable(1) / disable(0) Bad Frames"
" Preemption");
static char modparam_fwpostfix[16];
module_param_string(fwpostfix, modparam_fwpostfix, 16, 0444);
MODULE_PARM_DESC(fwpostfix, "Postfix for the firmware files to load.");
/* The following table supports BCM4301, BCM4303 and BCM4306/2 devices. */
static const struct ssb_device_id b43legacy_ssb_tbl[] = {
Reported by FlawFinder.
Line: 540
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b43legacy_macfilter_set(dev, B43legacy_MACFILTER_BSSID, bssid);
memcpy(mac_bssid, mac, ETH_ALEN);
memcpy(mac_bssid + ETH_ALEN, bssid, ETH_ALEN);
/* Write our MAC address and BSSID to template ram */
for (i = 0; i < ARRAY_SIZE(mac_bssid); i += sizeof(u32)) {
tmp = (u32)(mac_bssid[i + 0]);
Reported by FlawFinder.
Line: 541
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b43legacy_macfilter_set(dev, B43legacy_MACFILTER_BSSID, bssid);
memcpy(mac_bssid, mac, ETH_ALEN);
memcpy(mac_bssid + ETH_ALEN, bssid, ETH_ALEN);
/* Write our MAC address and BSSID to template ram */
for (i = 0; i < ARRAY_SIZE(mac_bssid); i += sizeof(u32)) {
tmp = (u32)(mac_bssid[i + 0]);
tmp |= (u32)(mac_bssid[i + 1]) << 8;
Reported by FlawFinder.
Line: 1077
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
/* Copy the static data and all Information Elements, except the TIM. */
memcpy(dest_data, src_data, ie_start);
src_pos = ie_start;
dest_pos = ie_start;
for ( ; src_pos < src_size - 2; src_pos += elem_size) {
elem_size = src_data[src_pos + 1] + 2;
if (src_data[src_pos] == 5) {
Reported by FlawFinder.
Line: 1086
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* This is the TIM. */
continue;
}
memcpy(dest_data + dest_pos, src_data + src_pos, elem_size);
dest_pos += elem_size;
}
*dest_size = dest_pos;
hdr = (struct ieee80211_hdr *)dest_data;
Reported by FlawFinder.
Line: 1498
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *name,
const struct firmware **fw, bool async)
{
char path[sizeof(modparam_fwpostfix) + 32];
struct b43legacy_fw_header *hdr;
u32 size;
int err;
if (!name)
Reported by FlawFinder.
Line: 2521
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned long flags;
spin_lock_irqsave(&wl->irq_lock, flags);
memcpy(stats, &wl->ieee_stats, sizeof(*stats));
spin_unlock_irqrestore(&wl->irq_lock, flags);
return 0;
}
Reported by FlawFinder.
Line: 2834
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b43legacy_synchronize_irq(dev);
if (conf->bssid)
memcpy(wl->bssid, conf->bssid, ETH_ALEN);
else
eth_zero_addr(wl->bssid);
}
if (b43legacy_status(dev) >= B43legacy_STAT_INITIALIZED) {
Reported by FlawFinder.
Line: 3401
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wl->operating = true;
wl->vif = vif;
wl->if_type = vif->type;
memcpy(wl->mac_addr, vif->addr, ETH_ALEN);
spin_lock_irqsave(&wl->irq_lock, flags);
b43legacy_adjust_opmode(dev);
b43legacy_set_pretbtt(dev);
b43legacy_set_synth_pu_delay(dev, 0);
Reported by FlawFinder.
drivers/net/ethernet/intel/ice/ice_fdir.c
9 issues
Line: 782
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int idx;
for (idx = 0; idx < ICE_IPV6_ADDR_LEN_AS_U32; idx++)
memcpy(pkt + offset + idx * sizeof(*addr), &addr[idx],
sizeof(*addr));
}
/**
* ice_pkt_insert_u6_qfi - insert a u6 value QFI into a memory buffer for GTPU
Reported by FlawFinder.
Line: 799
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 ret;
ret = (data & 0x3F) + (*(pkt + offset) & 0xC0);
memcpy(pkt + offset, &ret, sizeof(ret));
}
/**
* ice_pkt_insert_u8 - insert a u8 value into a memory buffer.
* @pkt: packet buffer
Reported by FlawFinder.
Line: 810
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static void ice_pkt_insert_u8(u8 *pkt, int offset, u8 data)
{
memcpy(pkt + offset, &data, sizeof(data));
}
/**
* ice_pkt_insert_u8_tc - insert a u8 value into a memory buffer for TC ipv6.
* @pkt: packet buffer
Reported by FlawFinder.
Line: 829
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 high, low;
high = (data >> 4) + (*(pkt + offset) & 0xF0);
memcpy(pkt + offset, &high, sizeof(high));
low = (*(pkt + offset + 1) & 0x0F) + ((data & 0x0F) << 4);
memcpy(pkt + offset + 1, &low, sizeof(low));
}
Reported by FlawFinder.
Line: 832
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pkt + offset, &high, sizeof(high));
low = (*(pkt + offset + 1) & 0x0F) + ((data & 0x0F) << 4);
memcpy(pkt + offset + 1, &low, sizeof(low));
}
/**
* ice_pkt_insert_u16 - insert a be16 value into a memory buffer
* @pkt: packet buffer
Reported by FlawFinder.
Line: 843
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static void ice_pkt_insert_u16(u8 *pkt, int offset, __be16 data)
{
memcpy(pkt + offset, &data, sizeof(data));
}
/**
* ice_pkt_insert_u32 - insert a be32 value into a memory buffer
* @pkt: packet buffer
Reported by FlawFinder.
Line: 854
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static void ice_pkt_insert_u32(u8 *pkt, int offset, __be32 data)
{
memcpy(pkt + offset, &data, sizeof(data));
}
/**
* ice_pkt_insert_mac_addr - insert a MAC addr into a memory buffer.
* @pkt: packet buffer
Reported by FlawFinder.
Line: 924
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (idx == ICE_FDIR_NUM_PKT)
return ICE_ERR_PARAM;
if (!tun) {
memcpy(pkt, ice_fdir_pkt[idx].pkt, ice_fdir_pkt[idx].pkt_len);
loc = pkt;
} else {
if (!ice_get_open_tunnel_port(hw, &tnl_port))
return ICE_ERR_DOES_NOT_EXIST;
if (!ice_fdir_pkt[idx].tun_pkt)
Reported by FlawFinder.
Line: 931
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ICE_ERR_DOES_NOT_EXIST;
if (!ice_fdir_pkt[idx].tun_pkt)
return ICE_ERR_PARAM;
memcpy(pkt, ice_fdir_pkt[idx].tun_pkt,
ice_fdir_pkt[idx].tun_pkt_len);
ice_pkt_insert_u16(pkt, ICE_IPV4_UDP_DST_PORT_OFFSET,
htons(tnl_port));
loc = &pkt[ICE_FDIR_TUN_PKT_OFF];
}
Reported by FlawFinder.
tools/wmi/dell-smbios-example.c
9 issues
Line: 61
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
FILE *f;
int ret;
ret = sprintf(value_sysfs, "%s/%04x_value", token_sysfs, token);
if (ret < 0) {
printf("sprintf value failed\n");
return 2;
}
f = fopen(value_sysfs, "rb");
Reported by FlawFinder.
Line: 75
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fclose(f);
*value = (__u16) strtol(buf, NULL, 16);
ret = sprintf(location_sysfs, "%s/%04x_location", token_sysfs, token);
if (ret < 0) {
printf("sprintf location failed\n");
return 1;
}
f = fopen(location_sysfs, "rb");
Reported by FlawFinder.
Line: 47
Column: 7
CWE codes:
362
int fd;
int ret;
fd = open(ioctl_devfs, O_NONBLOCK);
ret = ioctl(fd, DELL_WMI_SMBIOS_CMD, buffer);
close(fd);
return ret;
}
Reported by FlawFinder.
Line: 55
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int find_token(__u16 token, __u16 *location, __u16 *value)
{
char location_sysfs[60];
char value_sysfs[57];
char buf[4096];
FILE *f;
int ret;
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int find_token(__u16 token, __u16 *location, __u16 *value)
{
char location_sysfs[60];
char value_sysfs[57];
char buf[4096];
FILE *f;
int ret;
ret = sprintf(value_sysfs, "%s/%04x_value", token_sysfs, token);
Reported by FlawFinder.
Line: 57
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char location_sysfs[60];
char value_sysfs[57];
char buf[4096];
FILE *f;
int ret;
ret = sprintf(value_sysfs, "%s/%04x_value", token_sysfs, token);
if (ret < 0) {
Reported by FlawFinder.
Line: 66
Column: 6
CWE codes:
362
printf("sprintf value failed\n");
return 2;
}
f = fopen(value_sysfs, "rb");
if (!f) {
printf("failed to open %s\n", value_sysfs);
return 2;
}
fread(buf, 1, 4096, f);
Reported by FlawFinder.
Line: 80
Column: 6
CWE codes:
362
printf("sprintf location failed\n");
return 1;
}
f = fopen(location_sysfs, "rb");
if (!f) {
printf("failed to open %s\n", location_sysfs);
return 2;
}
fread(buf, 1, 4096, f);
Reported by FlawFinder.
Line: 147
Column: 6
CWE codes:
362
{
FILE *f;
f = fopen(ioctl_devfs, "rb");
if (!f)
return -EINVAL;
fread(buffer_size, sizeof(__u64), 1, f);
fclose(f);
return EXIT_SUCCESS;
Reported by FlawFinder.
virt/kvm/kvm_main.c
9 issues
Line: 897
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
static DEFINE_MUTEX(kvm_debugfs_lock);
struct dentry *dent;
char dir_name[ITOA_MAX_LEN * 2];
struct kvm_stat_data *stat_data;
const struct _kvm_stats_desc *pdesc;
int i;
int kvm_debugfs_num_entries = kvm_vm_stats_header.num_desc +
kvm_vcpu_stats_header.num_desc;
Reported by FlawFinder.
Line: 1411
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void kvm_copy_memslots(struct kvm_memslots *to,
struct kvm_memslots *from)
{
memcpy(to, from, kvm_memslots_size(from->used_slots));
}
/*
* Note, at a minimum, the current number of used slots must be allocated, even
* when deleting a memslot, as we need a complete duplicate of the memslots for
Reported by FlawFinder.
Line: 3431
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int create_vcpu_fd(struct kvm_vcpu *vcpu)
{
char name[8 + 1 + ITOA_MAX_LEN + 1];
snprintf(name, sizeof(name), "kvm-vcpu:%d", vcpu->vcpu_id);
return anon_inode_getfd(name, &kvm_vcpu_fops, vcpu, O_RDWR | O_CLOEXEC);
}
Reported by FlawFinder.
Line: 3441
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
#ifdef __KVM_HAVE_ARCH_VCPU_DEBUGFS
struct dentry *debugfs_dentry;
char dir_name[ITOA_MAX_LEN * 2];
if (!debugfs_initialized())
return;
snprintf(dir_name, sizeof(dir_name), "vcpu%d", vcpu->vcpu_id);
Reported by FlawFinder.
Line: 3587
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int fd;
struct file *file;
char name[15 + ITOA_MAX_LEN + 1];
snprintf(name, sizeof(name), "kvm-vcpu-stats:%d", vcpu->vcpu_id);
fd = get_unused_fd_flags(O_CLOEXEC);
if (fd < 0)
Reported by FlawFinder.
Line: 4894
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (kvm_io_bus_cmp(&bus->range[i], &range) > 0)
break;
memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
new_bus->dev_count++;
new_bus->range[i] = range;
memcpy(new_bus->range + i + 1, bus->range + i,
(bus->dev_count - i) * sizeof(struct kvm_io_range));
rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
Reported by FlawFinder.
Line: 4897
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
new_bus->dev_count++;
new_bus->range[i] = range;
memcpy(new_bus->range + i + 1, bus->range + i,
(bus->dev_count - i) * sizeof(struct kvm_io_range));
rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
synchronize_srcu_expedited(&kvm->srcu);
kfree(bus);
Reported by FlawFinder.
Line: 4930
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_bus = kmalloc(struct_size(bus, range, bus->dev_count - 1),
GFP_KERNEL_ACCOUNT);
if (new_bus) {
memcpy(new_bus, bus, struct_size(bus, range, i));
new_bus->dev_count--;
memcpy(new_bus->range + i, bus->range + i + 1,
flex_array_size(new_bus, range, new_bus->dev_count - i));
}
Reported by FlawFinder.
Line: 4932
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (new_bus) {
memcpy(new_bus, bus, struct_size(bus, range, i));
new_bus->dev_count--;
memcpy(new_bus->range + i, bus->range + i + 1,
flex_array_size(new_bus, range, new_bus->dev_count - i));
}
rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
synchronize_srcu_expedited(&kvm->srcu);
Reported by FlawFinder.