The following issues were found
drivers/net/wireless/ath/ar5523/ar5523.c
8 issues
Line: 83
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->res = -EOVERFLOW;
} else {
cmd->olen = olen;
memcpy(cmd->odata, &rp[1], olen);
cmd->res = 0;
}
}
out:
Reported by FlawFinder.
Line: 156
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ar5523_err(ar, "Invalid reply to WDCMSG_TARGET_START");
return;
}
memcpy(cmd->odata, hdr + 1, sizeof(u32));
cmd->olen = sizeof(u32);
cmd->res = 0;
complete(&cmd->done);
break;
Reported by FlawFinder.
Line: 259
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flags & AR5523_CMD_FLAG_MAGIC)
hdr->magic = cpu_to_be32(1 << 24);
if (ilen)
memcpy(hdr + 1, idata, ilen);
cmd->odata = odata;
cmd->olen = olen;
cmd->flags = flags;
Reported by FlawFinder.
Line: 325
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
write.reg = cpu_to_be32(reg);
write.len = cpu_to_be32(len);
memcpy(write.data, data, len);
/* properly handle the case where len is zero (reset) */
error = ar5523_cmd_write(ar, WDCMSG_TARGET_SET_CONFIG, &write,
(len == 0) ? sizeof(u32) : 2 * sizeof(u32) + len, 0);
if (error != 0)
Reported by FlawFinder.
Line: 1264
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
associd.defaultrateix = cpu_to_be32(0); /* XXX */
associd.associd = cpu_to_be32(bss->aid);
associd.timoffset = cpu_to_be32(0x3b); /* XXX */
memcpy(associd.bssid, bss->bssid, ETH_ALEN);
return ar5523_cmd_write(ar, WDCMSG_WRITE_ASSOCID, &associd,
sizeof(associd), 0);
}
static void ar5523_bss_info_changed(struct ieee80211_hw *hw,
Reported by FlawFinder.
Line: 1467
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUILD_BUG_ON(sizeof(ar->channels) != sizeof(ar5523_channels));
BUILD_BUG_ON(sizeof(ar->rates) != sizeof(ar5523_rates));
memcpy(ar->channels, ar5523_channels, sizeof(ar5523_channels));
memcpy(ar->rates, ar5523_rates, sizeof(ar5523_rates));
ar->band.band = NL80211_BAND_2GHZ;
ar->band.channels = ar->channels;
ar->band.n_channels = ARRAY_SIZE(ar5523_channels);
Reported by FlawFinder.
Line: 1468
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUILD_BUG_ON(sizeof(ar->rates) != sizeof(ar5523_rates));
memcpy(ar->channels, ar5523_channels, sizeof(ar5523_channels));
memcpy(ar->rates, ar5523_rates, sizeof(ar5523_rates));
ar->band.band = NL80211_BAND_2GHZ;
ar->band.channels = ar->channels;
ar->band.n_channels = ARRAY_SIZE(ar5523_channels);
ar->band.bitrates = ar->rates;
Reported by FlawFinder.
Line: 1534
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* send firmware block data */
memcpy(fwbuf, fw->data + offset, mlen);
error = usb_bulk_msg(dev, ar5523_data_tx_pipe(dev),
fwbuf, mlen, &foolen,
AR5523_DATA_TIMEOUT);
if (error) {
dev_err(&dev->dev,
Reported by FlawFinder.
drivers/net/ethernet/ibm/emac/core.c
8 issues
Line: 174
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Please, keep in sync with struct ibm_emac_stats/ibm_emac_error_stats */
static const char emac_stats_keys[EMAC_ETHTOOL_STATS_COUNT][ETH_GSTRING_LEN] = {
"rx_packets", "rx_bytes", "tx_packets", "tx_bytes", "rx_packets_csum",
"tx_packets_csum", "tx_undo", "rx_dropped_stack", "rx_dropped_oom",
"rx_dropped_error", "rx_dropped_resize", "rx_dropped_mtu",
"rx_stopped", "rx_bd_errors", "rx_bd_overrun", "rx_bd_bad_packet",
"rx_bd_runt_packet", "rx_bd_short_event", "rx_bd_alignment_error",
Reported by FlawFinder.
Line: 1016
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&dev->link_lock);
memcpy(ndev->dev_addr, addr->sa_data, ndev->addr_len);
emac_rx_disable(dev);
emac_tx_disable(dev);
out_be32(&p->iahr, (ndev->dev_addr[0] << 8) | ndev->dev_addr[1]);
out_be32(&p->ialr, (ndev->dev_addr[2] << 24) |
Reported by FlawFinder.
Line: 1738
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_kfree_skb(dev->rx_sg_skb);
dev->rx_sg_skb = NULL;
} else {
memcpy(skb_tail_pointer(dev->rx_sg_skb),
dev->rx_skb[slot]->data, len);
skb_put(dev->rx_sg_skb, len);
emac_recycle_rx_skb(dev, slot, len);
return 0;
}
Reported by FlawFinder.
Line: 1795
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(!copy_skb))
goto oom;
memcpy(copy_skb->data - NET_IP_ALIGN,
skb->data - NET_IP_ALIGN,
len + NET_IP_ALIGN);
emac_recycle_rx_skb(dev, slot, len);
skb = copy_skb;
} else if (unlikely(emac_alloc_rx_skb_napi(dev, slot)))
Reported by FlawFinder.
Line: 2265
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 * buf)
{
if (stringset == ETH_SS_STATS)
memcpy(buf, &emac_stats_keys, sizeof(emac_stats_keys));
}
static void emac_ethtool_get_ethtool_stats(struct net_device *ndev,
struct ethtool_stats *estats,
u64 * tmp_stats)
Reported by FlawFinder.
Line: 2274
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct emac_instance *dev = netdev_priv(ndev);
memcpy(tmp_stats, &dev->stats, sizeof(dev->stats));
tmp_stats += sizeof(dev->stats) / sizeof(u64);
memcpy(tmp_stats, &dev->estats, sizeof(dev->estats));
}
static void emac_ethtool_get_drvinfo(struct net_device *ndev,
Reported by FlawFinder.
Line: 2276
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(tmp_stats, &dev->stats, sizeof(dev->stats));
tmp_stats += sizeof(dev->stats) / sizeof(u64);
memcpy(tmp_stats, &dev->estats, sizeof(dev->estats));
}
static void emac_ethtool_get_drvinfo(struct net_device *ndev,
struct ethtool_drvinfo *info)
{
Reported by FlawFinder.
Line: 2985
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
np);
return -ENXIO;
}
memcpy(dev->ndev->dev_addr, p, ETH_ALEN);
/* IAHT and GAHT filter parameterization */
if (emac_has_feature(dev, EMAC_FTR_EMAC4SYNC)) {
dev->xaht_slots_shift = EMAC4SYNC_XAHT_SLOTS_SHIFT;
dev->xaht_width_shift = EMAC4SYNC_XAHT_WIDTH_SHIFT;
Reported by FlawFinder.
drivers/net/wireless/ath/ath10k/debugfs_sta.c
8 issues
Line: 182
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ieee80211_sta *sta = file->private_data;
struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
struct ath10k *ar = arsta->arvif->ar;
char buf[32];
int len = 0;
mutex_lock(&ar->conf_mutex);
len = scnprintf(buf, sizeof(buf) - len, "aggregation mode: %s\n",
(arsta->aggr_mode == ATH10K_DBG_AGGR_MODE_AUTO) ?
Reported by FlawFinder.
Line: 246
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath10k *ar = arsta->arvif->ar;
u32 tid, buf_size;
int ret;
char buf[64] = {0};
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
user_buf, count);
if (ret <= 0)
return ret;
Reported by FlawFinder.
Line: 297
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath10k *ar = arsta->arvif->ar;
u32 tid, status;
int ret;
char buf[64] = {0};
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
user_buf, count);
if (ret <= 0)
return ret;
Reported by FlawFinder.
Line: 347
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath10k *ar = arsta->arvif->ar;
u32 tid, initiator, reason;
int ret;
char buf[64] = {0};
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
user_buf, count);
if (ret <= 0)
return ret;
Reported by FlawFinder.
Line: 397
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ieee80211_sta *sta = file->private_data;
struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
struct ath10k *ar = arsta->arvif->ar;
char buf[8];
int len = 0;
mutex_lock(&ar->conf_mutex);
len = scnprintf(buf, sizeof(buf) - len,
"Write 1 to once trigger the debug logs\n");
Reported by FlawFinder.
Line: 459
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ieee80211_sta *sta = file->private_data;
struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
struct ath10k *ar = arsta->arvif->ar;
char buf[20];
int len = 0;
spin_lock_bh(&ar->data_lock);
len = scnprintf(buf, sizeof(buf) - len, "%d\n",
Reported by FlawFinder.
Line: 653
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
struct ath10k *ar = arsta->arvif->ar;
struct ath10k_htt_data_stats *stats;
const char *str_name[ATH10K_STATS_TYPE_MAX] = {"succ", "fail",
"retry", "ampdu"};
const char *str[ATH10K_COUNTER_TYPE_MAX] = {"bytes", "packets"};
int len = 0, i, j, k, retval = 0;
const int size = 16 * 4096;
char *buf;
Reported by FlawFinder.
Line: 655
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath10k_htt_data_stats *stats;
const char *str_name[ATH10K_STATS_TYPE_MAX] = {"succ", "fail",
"retry", "ampdu"};
const char *str[ATH10K_COUNTER_TYPE_MAX] = {"bytes", "packets"};
int len = 0, i, j, k, retval = 0;
const int size = 16 * 4096;
char *buf;
buf = kzalloc(size, GFP_KERNEL);
Reported by FlawFinder.
drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
8 issues
Line: 304
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
offset = (num_cpus + 1) * (DPAA_STATS_PERCPU_LEN + 1);
memcpy(data + offset, &rx_errors, sizeof(struct dpaa_rx_errors));
offset += sizeof(struct dpaa_rx_errors) / sizeof(u64);
memcpy(data + offset, &ern_cnt, sizeof(struct dpaa_ern_cnt));
/* gather congestion related counters */
Reported by FlawFinder.
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data + offset, &rx_errors, sizeof(struct dpaa_rx_errors));
offset += sizeof(struct dpaa_rx_errors) / sizeof(u64);
memcpy(data + offset, &ern_cnt, sizeof(struct dpaa_ern_cnt));
/* gather congestion related counters */
cg_num = 0;
cg_status = false;
cg_time = jiffies_to_msecs(priv->cgr_data.congested_jiffies);
Reported by FlawFinder.
Line: 331
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 *data)
{
unsigned int i, j, num_cpus, size;
char string_cpu[ETH_GSTRING_LEN];
u8 *strings;
memset(string_cpu, 0, sizeof(string_cpu));
strings = data;
num_cpus = num_online_cpus();
Reported by FlawFinder.
Line: 343
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < num_cpus; j++) {
snprintf(string_cpu, ETH_GSTRING_LEN, "%s [CPU %d]",
dpaa_stats_percpu[i], j);
memcpy(strings, string_cpu, ETH_GSTRING_LEN);
strings += ETH_GSTRING_LEN;
}
snprintf(string_cpu, ETH_GSTRING_LEN, "%s [TOTAL]",
dpaa_stats_percpu[i]);
memcpy(strings, string_cpu, ETH_GSTRING_LEN);
Reported by FlawFinder.
Line: 348
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
snprintf(string_cpu, ETH_GSTRING_LEN, "%s [TOTAL]",
dpaa_stats_percpu[i]);
memcpy(strings, string_cpu, ETH_GSTRING_LEN);
strings += ETH_GSTRING_LEN;
}
for (j = 0; j < num_cpus; j++) {
snprintf(string_cpu, ETH_GSTRING_LEN,
"bpool [CPU %d]", j);
Reported by FlawFinder.
Line: 354
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < num_cpus; j++) {
snprintf(string_cpu, ETH_GSTRING_LEN,
"bpool [CPU %d]", j);
memcpy(strings, string_cpu, ETH_GSTRING_LEN);
strings += ETH_GSTRING_LEN;
}
snprintf(string_cpu, ETH_GSTRING_LEN, "bpool [TOTAL]");
memcpy(strings, string_cpu, ETH_GSTRING_LEN);
strings += ETH_GSTRING_LEN;
Reported by FlawFinder.
Line: 358
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
strings += ETH_GSTRING_LEN;
}
snprintf(string_cpu, ETH_GSTRING_LEN, "bpool [TOTAL]");
memcpy(strings, string_cpu, ETH_GSTRING_LEN);
strings += ETH_GSTRING_LEN;
memcpy(strings, dpaa_stats_global, size);
}
Reported by FlawFinder.
Line: 361
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(strings, string_cpu, ETH_GSTRING_LEN);
strings += ETH_GSTRING_LEN;
memcpy(strings, dpaa_stats_global, size);
}
static int dpaa_get_hash_opts(struct net_device *dev,
struct ethtool_rxnfc *cmd)
{
Reported by FlawFinder.
drivers/net/ethernet/huawei/hinic/hinic_port.c
8 issues
Line: 55
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
port_mac_cmd.func_idx = HINIC_HWIF_FUNC_IDX(hwif);
port_mac_cmd.vlan_id = vlan_id;
memcpy(port_mac_cmd.mac, addr, ETH_ALEN);
err = hinic_port_msg_cmd(hwdev, cmd, &port_mac_cmd,
sizeof(port_mac_cmd),
&port_mac_cmd, &out_size);
if (err || out_size != sizeof(port_mac_cmd) ||
Reported by FlawFinder.
Line: 137
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EFAULT;
}
memcpy(addr, port_mac_cmd.mac, ETH_ALEN);
return 0;
}
/**
* hinic_port_set_mtu - set mtu
Reported by FlawFinder.
Line: 637
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
indir_tbl->offset = cpu_to_be32(indir_size);
indir_tbl->size = cpu_to_be32(indir_size);
memcpy(&indir_tbl->entry[0], &indir_tbl->entry[indir_size], indir_size);
err = hinic_cmdq_direct_resp(&func_to_io->cmdqs, HINIC_MOD_L2NIC,
HINIC_UCODE_CMD_SET_RSS_INDIR_TABLE,
&cmd_buf, &out_param);
if (err || out_param != 0) {
Reported by FlawFinder.
Line: 796
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rss_key.func_id = HINIC_HWIF_FUNC_IDX(hwif);
rss_key.template_id = template_id;
memcpy(rss_key.key, temp, HINIC_RSS_KEY_SIZE);
err = hinic_port_msg_cmd(hwdev, HINIC_PORT_CMD_SET_RSS_TEMPLATE_TBL,
&rss_key, sizeof(rss_key),
&rss_key, &out_size);
if (err || !out_size || rss_key.status) {
Reported by FlawFinder.
Line: 839
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(temp, temp_key.key, HINIC_RSS_KEY_SIZE);
return 0;
}
int hinic_rss_set_hash_engine(struct hinic_dev *nic_dev, u8 template_id,
Reported by FlawFinder.
Line: 1005
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EFAULT;
}
memcpy(stats, &vport_stats.stats, sizeof(*stats));
return 0;
}
int hinic_get_phy_port_stats(struct hinic_dev *nic_dev,
struct hinic_phy_port_stats *stats)
Reported by FlawFinder.
Line: 1038
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(stats, &port_stats->stats, sizeof(*stats));
out:
kfree(port_stats);
return err;
Reported by FlawFinder.
Line: 1375
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
*len = min_t(u16, sfp_info.eeprom_len, STD_SFP_INFO_MAX_SIZE);
memcpy(data, sfp_info.sfp_info, STD_SFP_INFO_MAX_SIZE);
return 0;
}
int hinic_get_sfp_type(struct hinic_hwdev *hwdev, u8 *data0, u8 *data1)
Reported by FlawFinder.
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
8 issues
Line: 469
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netdev_info(dev, "IPsec hw offload parameters missing 32 bit salt value\n");
*mysalt = 0;
}
memcpy(mykey, key_data, 16);
return 0;
}
/**
Reported by FlawFinder.
Line: 620
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* get ip for rx sa table */
if (xs->props.family == AF_INET6)
memcpy(rsa.ipaddr, &xs->id.daddr.a6, 16);
else
memcpy(&rsa.ipaddr[3], &xs->id.daddr.a4, 4);
/* The HW does not have a 1:1 mapping from keys to IP addrs, so
* check for a matching IP addr entry in the table. If the addr
Reported by FlawFinder.
Line: 622
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (xs->props.family == AF_INET6)
memcpy(rsa.ipaddr, &xs->id.daddr.a6, 16);
else
memcpy(&rsa.ipaddr[3], &xs->id.daddr.a4, 4);
/* The HW does not have a 1:1 mapping from keys to IP addrs, so
* check for a matching IP addr entry in the table. If the addr
* already exists, use it; else find an unused slot and add the
* addr. If one does not exist and there are no unused table
Reported by FlawFinder.
Line: 665
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* no matches, but here's an empty slot */
rsa.iptbl_ind = first;
memcpy(ipsec->ip_tbl[first].ipaddr,
rsa.ipaddr, sizeof(rsa.ipaddr));
ipsec->ip_tbl[first].ref_cnt = 1;
ipsec->ip_tbl[first].used = true;
ixgbe_ipsec_set_rx_ip(hw, rsa.iptbl_ind, rsa.ipaddr);
Reported by FlawFinder.
Line: 688
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rsa.mode |= IXGBE_RXMOD_IPV6;
/* the preparations worked, so save the info */
memcpy(&ipsec->rx_tbl[sa_idx], &rsa, sizeof(rsa));
ixgbe_ipsec_set_rx_sa(hw, sa_idx, rsa.xs->id.spi, rsa.key,
rsa.salt, rsa.mode, rsa.iptbl_ind);
xs->xso.offload_handle = sa_idx + IXGBE_IPSEC_BASE_RX_INDEX;
Reported by FlawFinder.
Line: 729
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* the preparations worked, so save the info */
memcpy(&ipsec->tx_tbl[sa_idx], &tsa, sizeof(tsa));
ixgbe_ipsec_set_tx_sa(hw, sa_idx, tsa.key, tsa.salt);
xs->xso.offload_handle = sa_idx + IXGBE_IPSEC_BASE_TX_INDEX;
Reported by FlawFinder.
Line: 944
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xs->geniv = algo->uinfo.aead.geniv;
xs->aead->alg_icv_len = IXGBE_IPSEC_AUTH_BITS;
xs->aead->alg_key_len = IXGBE_IPSEC_KEY_BITS;
memcpy(xs->aead->alg_key, sam->key, sizeof(sam->key));
memcpy(xs->aead->alg_name, aes_gcm_name, sizeof(aes_gcm_name));
/* set up the HW offload */
err = ixgbe_ipsec_add_sa(xs);
if (err)
Reported by FlawFinder.
Line: 945
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xs->aead->alg_icv_len = IXGBE_IPSEC_AUTH_BITS;
xs->aead->alg_key_len = IXGBE_IPSEC_KEY_BITS;
memcpy(xs->aead->alg_key, sam->key, sizeof(sam->key));
memcpy(xs->aead->alg_name, aes_gcm_name, sizeof(aes_gcm_name));
/* set up the HW offload */
err = ixgbe_ipsec_add_sa(xs);
if (err)
goto err_aead;
Reported by FlawFinder.
drivers/net/wireless/ath/ath6kl/hif.c
8 issues
Line: 41
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < req->scat_entries; i++) {
if (from_dma)
memcpy(req->scat_list[i].buf, buf,
req->scat_list[i].len);
else
memcpy(buf, req->scat_list[i].buf,
req->scat_list[i].len);
Reported by FlawFinder.
Line: 44
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(req->scat_list[i].buf, buf,
req->scat_list[i].len);
else
memcpy(buf, req->scat_list[i].buf,
req->scat_list[i].len);
buf += req->scat_list[i].len;
}
Reported by FlawFinder.
Line: 231
Column: 49
CWE codes:
120
20
}
int ath6kl_hif_submit_scat_req(struct ath6kl_device *dev,
struct hif_scatter_req *scat_req, bool read)
{
int status = 0;
if (read) {
scat_req->req = HIF_RD_SYNC_BLOCK_FIX;
Reported by FlawFinder.
Line: 235
Column: 6
CWE codes:
120
20
{
int status = 0;
if (read) {
scat_req->req = HIF_RD_SYNC_BLOCK_FIX;
scat_req->addr = dev->ar->mbox_info.htc_addr;
} else {
scat_req->req = HIF_WR_ASYNC_BLOCK_INC;
Reported by FlawFinder.
Line: 250
Column: 23
CWE codes:
120
20
ath6kl_dbg(ATH6KL_DBG_HIF,
"hif submit scatter request entries %d len %d mbox 0x%x %s %s\n",
scat_req->scat_entries, scat_req->len,
scat_req->addr, !read ? "async" : "sync",
(read) ? "rd" : "wr");
if (!read && scat_req->virt_scat) {
status = ath6kl_hif_cp_scat_dma_buf(scat_req, false);
if (status) {
Reported by FlawFinder.
Line: 251
Column: 7
CWE codes:
120
20
"hif submit scatter request entries %d len %d mbox 0x%x %s %s\n",
scat_req->scat_entries, scat_req->len,
scat_req->addr, !read ? "async" : "sync",
(read) ? "rd" : "wr");
if (!read && scat_req->virt_scat) {
status = ath6kl_hif_cp_scat_dma_buf(scat_req, false);
if (status) {
scat_req->status = status;
Reported by FlawFinder.
Line: 253
Column: 7
CWE codes:
120
20
scat_req->addr, !read ? "async" : "sync",
(read) ? "rd" : "wr");
if (!read && scat_req->virt_scat) {
status = ath6kl_hif_cp_scat_dma_buf(scat_req, false);
if (status) {
scat_req->status = status;
scat_req->complete(dev->ar->htc_target, scat_req);
return 0;
Reported by FlawFinder.
Line: 264
Column: 6
CWE codes:
120
20
status = ath6kl_hif_scat_req_rw(dev->ar, scat_req);
if (read) {
/* in sync mode, we can touch the scatter request */
scat_req->status = status;
if (!status && scat_req->virt_scat)
scat_req->status =
ath6kl_hif_cp_scat_dma_buf(scat_req, true);
Reported by FlawFinder.
drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
8 issues
Line: 12
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "hns3_enet.h"
struct hns3_stats {
char stats_string[ETH_GSTRING_LEN];
int stats_offset;
};
struct hns3_sfp_type {
u8 type;
Reported by FlawFinder.
Line: 22
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct hns3_pflag_desc {
char name[ETH_GSTRING_LEN];
void (*handler)(struct net_device *netdev, bool enable);
};
/* tqp related stats */
#define HNS3_TQP_STAT(_string, _member) { \
Reported by FlawFinder.
Line: 174
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ethh = skb_put(skb, sizeof(struct ethhdr));
packet = skb_put(skb, HNS3_NIC_LB_TEST_PACKET_SIZE);
memcpy(ethh->h_dest, ndev->dev_addr, ETH_ALEN);
/* The dst mac addr of loopback packet is the same as the host'
* mac addr, the SSU component may loop back the packet to host
* before the packet reaches mac or serdes, which will defect
* the purpose of mac or serdes selftest.
Reported by FlawFinder.
Line: 983
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
for (i = 0; i < handle->kinfo.num_tqps * 2; i++) {
memcpy(&tmp_rings[i], &priv->ring[i],
sizeof(struct hns3_enet_ring));
tmp_rings[i].skb = NULL;
}
return tmp_rings;
Reported by FlawFinder.
Line: 1061
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hns3_change_all_ring_bd_num(priv, old_tx_desc_num,
old_rx_desc_num);
for (i = 0; i < h->kinfo.num_tqps * 2; i++)
memcpy(&priv->ring[i], &tmp_rings[i],
sizeof(struct hns3_enet_ring));
} else {
for (i = 0; i < h->kinfo.num_tqps * 2; i++)
hns3_fini_ring(&tmp_rings[i]);
}
Reported by FlawFinder.
Line: 470
Column: 4
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
size_left = (ETH_GSTRING_LEN - 1) - n1;
/* now, concatenate the stats string to it */
strncat(data, stats[j].stats_string, size_left);
data += ETH_GSTRING_LEN;
}
}
return data;
Reported by FlawFinder.
Line: 596
Column: 2
CWE codes:
120
return;
}
strncpy(drvinfo->driver, h->pdev->driver->name,
sizeof(drvinfo->driver));
drvinfo->driver[sizeof(drvinfo->driver) - 1] = '\0';
strncpy(drvinfo->bus_info, pci_name(h->pdev),
sizeof(drvinfo->bus_info));
Reported by FlawFinder.
Line: 600
Column: 2
CWE codes:
120
sizeof(drvinfo->driver));
drvinfo->driver[sizeof(drvinfo->driver) - 1] = '\0';
strncpy(drvinfo->bus_info, pci_name(h->pdev),
sizeof(drvinfo->bus_info));
drvinfo->bus_info[ETHTOOL_BUSINFO_LEN - 1] = '\0';
fw_version = priv->ae_handle->ae_algo->ops->get_fw_version(h);
Reported by FlawFinder.
drivers/net/ethernet/marvell/prestera/prestera_flower.c
8 issues
Line: 169
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* add ethernet dst key,mask */
memset(&m_entry, 0, sizeof(m_entry));
m_entry.type = PRESTERA_ACL_RULE_MATCH_ENTRY_TYPE_ETH_DMAC;
memcpy(&m_entry.keymask.mac.key,
&match.key->dst, sizeof(match.key->dst));
memcpy(&m_entry.keymask.mac.mask,
&match.mask->dst, sizeof(match.mask->dst));
err = prestera_acl_rule_match_add(rule, &m_entry);
if (err)
Reported by FlawFinder.
Line: 171
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
m_entry.type = PRESTERA_ACL_RULE_MATCH_ENTRY_TYPE_ETH_DMAC;
memcpy(&m_entry.keymask.mac.key,
&match.key->dst, sizeof(match.key->dst));
memcpy(&m_entry.keymask.mac.mask,
&match.mask->dst, sizeof(match.mask->dst));
err = prestera_acl_rule_match_add(rule, &m_entry);
if (err)
return err;
Reported by FlawFinder.
Line: 180
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* add ethernet src key,mask */
memset(&m_entry, 0, sizeof(m_entry));
m_entry.type = PRESTERA_ACL_RULE_MATCH_ENTRY_TYPE_ETH_SMAC;
memcpy(&m_entry.keymask.mac.key,
&match.key->src, sizeof(match.key->src));
memcpy(&m_entry.keymask.mac.mask,
&match.mask->src, sizeof(match.mask->src));
err = prestera_acl_rule_match_add(rule, &m_entry);
if (err)
Reported by FlawFinder.
Line: 182
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
m_entry.type = PRESTERA_ACL_RULE_MATCH_ENTRY_TYPE_ETH_SMAC;
memcpy(&m_entry.keymask.mac.key,
&match.key->src, sizeof(match.key->src));
memcpy(&m_entry.keymask.mac.mask,
&match.mask->src, sizeof(match.mask->src));
err = prestera_acl_rule_match_add(rule, &m_entry);
if (err)
return err;
}
Reported by FlawFinder.
Line: 196
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&m_entry, 0, sizeof(m_entry));
m_entry.type = PRESTERA_ACL_RULE_MATCH_ENTRY_TYPE_IP_SRC;
memcpy(&m_entry.keymask.u32.key,
&match.key->src, sizeof(match.key->src));
memcpy(&m_entry.keymask.u32.mask,
&match.mask->src, sizeof(match.mask->src));
err = prestera_acl_rule_match_add(rule, &m_entry);
if (err)
Reported by FlawFinder.
Line: 198
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
m_entry.type = PRESTERA_ACL_RULE_MATCH_ENTRY_TYPE_IP_SRC;
memcpy(&m_entry.keymask.u32.key,
&match.key->src, sizeof(match.key->src));
memcpy(&m_entry.keymask.u32.mask,
&match.mask->src, sizeof(match.mask->src));
err = prestera_acl_rule_match_add(rule, &m_entry);
if (err)
return err;
Reported by FlawFinder.
Line: 206
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&m_entry, 0, sizeof(m_entry));
m_entry.type = PRESTERA_ACL_RULE_MATCH_ENTRY_TYPE_IP_DST;
memcpy(&m_entry.keymask.u32.key,
&match.key->dst, sizeof(match.key->dst));
memcpy(&m_entry.keymask.u32.mask,
&match.mask->dst, sizeof(match.mask->dst));
err = prestera_acl_rule_match_add(rule, &m_entry);
if (err)
Reported by FlawFinder.
Line: 208
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
m_entry.type = PRESTERA_ACL_RULE_MATCH_ENTRY_TYPE_IP_DST;
memcpy(&m_entry.keymask.u32.key,
&match.key->dst, sizeof(match.key->dst));
memcpy(&m_entry.keymask.u32.mask,
&match.mask->dst, sizeof(match.mask->dst));
err = prestera_acl_rule_match_add(rule, &m_entry);
if (err)
return err;
}
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/mvm/rs.c
8 issues
Line: 1034
CWE codes:
908
i = index - 1;
if (i >= 0)
mask = BIT(i);
for (; i >= 0; i--, mask >>= 1) {
if (rate_mask & mask) {
low = i;
break;
}
}
Reported by Cppcheck.
Line: 560
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else
rate_str = "BAD_RATE";
sprintf(buf, "(%s|%s|%s)", rs_pretty_lq_type(rate->type),
rs_pretty_ant(rate->ant), rate_str);
return buf;
}
static inline void rs_dump_rate(struct iwl_mvm *mvm, const struct rs_rate *rate,
Reported by FlawFinder.
Line: 3928
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < LQ_SIZE; i++) {
tbl = &(lq_sta->lq_info[i]);
rate = &tbl->rate;
desc += sprintf(buff+desc,
"%s type=%d SGI=%d BW=%s DUP=0\n"
"index=%d\n",
lq_sta->active_tbl == i ? "*" : "x",
rate->type,
rate->sgi,
Reported by FlawFinder.
Line: 522
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *rs_pretty_rate(const struct rs_rate *rate)
{
static char buf[40];
static const char * const legacy_rates[] = {
[IWL_RATE_1M_INDEX] = "1M",
[IWL_RATE_2M_INDEX] = "2M",
[IWL_RATE_5M_INDEX] = "5.5M",
[IWL_RATE_11M_INDEX] = "11M",
Reported by FlawFinder.
Line: 1730
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned long rate_mask = 0;
u32 rate_idx = 0;
memcpy(search_tbl, tbl, offsetof(struct iwl_scale_tbl_info, win));
rate->sgi = column->sgi;
rate->ant = column->ant;
if (column->mode == RS_LEGACY) {
Reported by FlawFinder.
Line: 3783
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct iwl_lq_sta *lq_sta = file->private_data;
struct iwl_mvm *mvm;
char buf[64];
size_t buf_size;
u32 parsed_rate;
mvm = lq_sta->pers.drv;
memset(buf, 0, sizeof(buf));
Reported by FlawFinder.
Line: 3940
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
is_ht160(rate) ? "160MHz" : "ERR",
rate->index);
for (j = 0; j < IWL_RATE_COUNT; j++) {
desc += sprintf(buff+desc,
"counter=%d success=%d %%=%d\n",
tbl->win[j].counter,
tbl->win[j].success_counter,
tbl->win[j].success_ratio);
}
Reported by FlawFinder.
Line: 4053
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_lq_sta *lq_sta = file->private_data;
char buf[12];
int bufsz = sizeof(buf);
int pos = 0;
static const char * const ss_force_name[] = {
[RS_SS_FORCE_NONE] = "none",
[RS_SS_FORCE_STBC] = "stbc",
Reported by FlawFinder.