The following issues were found
drivers/net/net_failover.c
5 issues
Line: 191
Column: 2
CWE codes:
120
Suggestion:
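Make sure destination can always hold the source data. In the flagged call the length is sizeof(*stats), the size of the object the destination pointer refers to, so the open question is whether the source, nfo_info->failover_stats, is at least that large; its type is not shown in this excerpt.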
struct net_device *slave_dev;
spin_lock(&nfo_info->stats_lock);
memcpy(stats, &nfo_info->failover_stats, sizeof(*stats));
rcu_read_lock();
slave_dev = rcu_dereference(nfo_info->primary_dev);
if (slave_dev) {
Reported by FlawFinder.
Line: 199
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (slave_dev) {
new = dev_get_stats(slave_dev, &temp);
net_failover_fold_stats(stats, new, &nfo_info->primary_stats);
memcpy(&nfo_info->primary_stats, new, sizeof(*new));
}
slave_dev = rcu_dereference(nfo_info->standby_dev);
if (slave_dev) {
new = dev_get_stats(slave_dev, &temp);
Reported by FlawFinder.
Line: 206
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (slave_dev) {
new = dev_get_stats(slave_dev, &temp);
net_failover_fold_stats(stats, new, &nfo_info->standby_stats);
memcpy(&nfo_info->standby_stats, new, sizeof(*new));
}
rcu_read_unlock();
memcpy(&nfo_info->failover_stats, stats, sizeof(*stats));
Reported by FlawFinder.
Line: 211
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rcu_read_unlock();
memcpy(&nfo_info->failover_stats, stats, sizeof(*stats));
spin_unlock(&nfo_info->stats_lock);
}
static int net_failover_change_mtu(struct net_device *dev, int new_mtu)
{
Reported by FlawFinder.
Line: 751
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
failover_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL;
failover_dev->features |= failover_dev->hw_features;
memcpy(failover_dev->dev_addr, standby_dev->dev_addr,
failover_dev->addr_len);
failover_dev->min_mtu = standby_dev->min_mtu;
failover_dev->max_mtu = standby_dev->max_mtu;
Reported by FlawFinder.
drivers/net/usb/ch9200.c
5 issues
Line: 128
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
request, request_type, value, index, buf, size,
timeout);
if (err == size)
memcpy(data, buf, size);
else if (err >= 0)
err = -EINVAL;
kfree(buf);
err_out:
Reported by FlawFinder.
Line: 180
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc)
{
struct usbnet *dev = netdev_priv(netdev);
unsigned char buff[2];
netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n",
__func__, phy_id, loc);
if (phy_id != 0)
Reported by FlawFinder.
Line: 198
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int phy_id, int loc, int val)
{
struct usbnet *dev = netdev_priv(netdev);
unsigned char buff[2];
netdev_dbg(netdev, "%s() phy_id=%02x loc:%02x\n",
__func__, phy_id, loc);
if (phy_id != 0)
Reported by FlawFinder.
Line: 307
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int get_mac_address(struct usbnet *dev, unsigned char *data)
{
int err = 0;
unsigned char mac_addr[0x06];
int rd_mac_len = 0;
netdev_dbg(dev->net, "%s:\n\tusbnet VID:%0x PID:%0x\n", __func__,
le16_to_cpu(dev->udev->descriptor.idVendor),
le16_to_cpu(dev->udev->descriptor.idProduct));
Reported by FlawFinder.
Line: 338
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ch9200_bind(struct usbnet *dev, struct usb_interface *intf)
{
int retval = 0;
unsigned char data[2];
retval = usbnet_get_endpoints(dev, intf);
if (retval)
return retval;
Reported by FlawFinder.
drivers/net/ppp/pppoe.c
5 issues
Line: 680
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err_put;
}
memcpy(&po->pppoe_pa,
&sp->sa_addr.pppoe,
sizeof(struct pppoe_addr));
write_lock_bh(&pn->hash_lock);
error = __set_item(pn, po);
Reported by FlawFinder.
Line: 728
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sp.sa_family = AF_PPPOX;
sp.sa_protocol = PX_PROTO_OE;
memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
sizeof(struct pppoe_addr));
memcpy(uaddr, &sp, len);
return len;
Reported by FlawFinder.
Line: 731
Column: 2
CWE codes:
120
Suggestion:
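Make sure destination can always hold the source data. For the flagged memcpy(uaddr, &sp, len), neither the value of len nor the size of the buffer behind uaddr is visible in this excerpt; both have to be checked in the full function before the finding can be dismissed.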
memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
sizeof(struct pppoe_addr));
memcpy(uaddr, &sp, len);
return len;
}
static int pppoe_ioctl(struct socket *sock, unsigned int cmd,
Reported by FlawFinder.
Line: 896
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_hard_header(skb, dev, ETH_P_PPP_SES,
po->pppoe_pa.remote, NULL, total_len);
memcpy(ph, &hdr, sizeof(struct pppoe_hdr));
ph->length = htons(total_len);
dev_queue_xmit(skb);
Reported by FlawFinder.
Line: 990
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
path->type = DEV_PATH_PPPOE;
path->encap.proto = htons(ETH_P_PPP_SES);
path->encap.id = be16_to_cpu(po->num);
memcpy(path->encap.h_dest, po->pppoe_pa.remote, ETH_ALEN);
path->dev = ctx->dev;
ctx->dev = dev;
return 0;
}
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/devlink.c
5 issues
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct netlink_ext_ack *extack)
{
struct mlx5_core_dev *dev = devlink_priv(devlink);
char version_str[DEVLINK_FW_STRING_LEN];
u32 running_fw, stored_fw;
int err;
err = devlink_info_driver_name_put(req, KBUILD_MODNAME);
if (err)
Reported by FlawFinder.
Line: 430
Column: 3
CWE codes:
120
Suggestion:
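Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Both strcpy calls here copy a fixed string literal of 5 bytes including the terminator, so the copy is safe exactly when ctx->val.vstr is at least that large; its declaration is not part of this excerpt.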
struct mlx5_core_dev *dev = devlink_priv(devlink);
if (dev->priv.steering->mode == MLX5_FLOW_STEERING_MODE_SMFS)
strcpy(ctx->val.vstr, "smfs");
else
strcpy(ctx->val.vstr, "dmfs");
return 0;
}
Reported by FlawFinder.
Line: 432
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (dev->priv.steering->mode == MLX5_FLOW_STEERING_MODE_SMFS)
strcpy(ctx->val.vstr, "smfs");
else
strcpy(ctx->val.vstr, "dmfs");
return 0;
}
static int mlx5_devlink_enable_roce_validate(struct devlink *devlink, u32 id,
union devlink_param_value val,
Reported by FlawFinder.
Line: 566
Column: 3
CWE codes:
120
Suggestion:
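Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Both strcpy calls here copy a fixed string literal of 5 bytes including the terminator, so the copy is safe exactly when value.vstr is at least that large; the definition of union devlink_param_value is not part of this excerpt.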
union devlink_param_value value;
if (dev->priv.steering->mode == MLX5_FLOW_STEERING_MODE_DMFS)
strcpy(value.vstr, "dmfs");
else
strcpy(value.vstr, "smfs");
devlink_param_driverinit_value_set(devlink,
MLX5_DEVLINK_PARAM_ID_FLOW_STEERING_MODE,
value);
Reported by FlawFinder.
Line: 568
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (dev->priv.steering->mode == MLX5_FLOW_STEERING_MODE_DMFS)
strcpy(value.vstr, "dmfs");
else
strcpy(value.vstr, "smfs");
devlink_param_driverinit_value_set(devlink,
MLX5_DEVLINK_PARAM_ID_FLOW_STEERING_MODE,
value);
value.vbool = MLX5_CAP_GEN(dev, roce);
Reported by FlawFinder.
drivers/net/ethernet/intel/igbvf/vf.c
5 issues
Line: 136
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ret_val) {
if (msgbuf[0] == (E1000_VF_RESET |
E1000_VT_MSGTYPE_ACK))
memcpy(hw->mac.perm_addr, addr, ETH_ALEN);
else
ret_val = -E1000_ERR_MAC_INIT;
}
}
Reported by FlawFinder.
Line: 301
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(msgbuf, 0, 12);
msgbuf[0] = E1000_VF_SET_MAC_ADDR;
memcpy(msg_addr, addr, ETH_ALEN);
ret_val = mbx->ops.write_posted(hw, msgbuf, 3);
if (!ret_val)
ret_val = mbx->ops.read_posted(hw, msgbuf, 3);
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
**/
static s32 e1000_read_mac_addr_vf(struct e1000_hw *hw)
{
/* Copy the permanent address into the active address field. The length is
 * the fixed ETH_ALEN rather than a value taken from input, so the copy is
 * in bounds provided hw->mac.addr and hw->mac.perm_addr are each at least
 * ETH_ALEN bytes; their declarations are not visible in this excerpt.
 */
memcpy(hw->mac.addr, hw->mac.perm_addr, ETH_ALEN);
/* No failure path: the function reports success unconditionally. */
return E1000_SUCCESS;
}
/**
Reported by FlawFinder.
Line: 345
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msgbuf_chk = msgbuf[0];
if (addr)
memcpy(msg_addr, addr, ETH_ALEN);
ret_val = mbx->ops.write_posted(hw, msgbuf, 3);
if (!ret_val)
ret_val = mbx->ops.read_posted(hw, msgbuf, 3);
Reported by FlawFinder.
Line: 398
Column: 15
CWE codes:
120
20
/* if the read failed it could just be a mailbox collision, best wait
* until we are called again and don't report an error
*/
if (mbx->ops.read(hw, &in_msg, 1))
goto out;
/* if incoming message isn't clear to send we are waiting on response */
if (!(in_msg & E1000_VT_MSGTYPE_CTS)) {
/* msg is not CTS and is NACK we must have lost CTS status */
Reported by FlawFinder.
drivers/net/ethernet/google/gve/gve_ethtool.c
5 issues
Line: 91
Column: 5
CWE codes:
134
Suggestion:
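Use a constant for the format specification. The format passed to snprintf here is gve_gstrings_rx_stats[j], an entry of a driver table rather than a string literal; the finding is a false positive only if that table is constant and never filled from external input, which this excerpt does not show.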
for (i = 0; i < priv->rx_cfg.num_queues; i++) {
for (j = 0; j < NUM_GVE_RX_CNTS; j++) {
snprintf(s, ETH_GSTRING_LEN,
gve_gstrings_rx_stats[j], i);
s += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 99
Column: 5
CWE codes:
134
Suggestion:
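Use a constant for the format specification. The format passed to snprintf here is gve_gstrings_tx_stats[j], an entry of a driver table rather than a string literal; the finding is a false positive only if that table is constant and never filled from external input, which this excerpt does not show.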
for (i = 0; i < priv->tx_cfg.num_queues; i++) {
for (j = 0; j < NUM_GVE_TX_CNTS; j++) {
snprintf(s, ETH_GSTRING_LEN,
gve_gstrings_tx_stats[j], i);
s += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 85
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_STATS:
memcpy(s, *gve_gstrings_main_stats,
sizeof(gve_gstrings_main_stats));
s += sizeof(gve_gstrings_main_stats);
for (i = 0; i < priv->rx_cfg.num_queues; i++) {
for (j = 0; j < NUM_GVE_RX_CNTS; j++) {
Reported by FlawFinder.
Line: 105
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(s, *gve_gstrings_adminq_stats,
sizeof(gve_gstrings_adminq_stats));
s += sizeof(gve_gstrings_adminq_stats);
break;
case ETH_SS_PRIV_FLAGS:
Reported by FlawFinder.
Line: 111
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case ETH_SS_PRIV_FLAGS:
memcpy(s, *gve_gstrings_priv_flags,
sizeof(gve_gstrings_priv_flags));
s += sizeof(gve_gstrings_priv_flags);
break;
default:
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
5 issues
Line: 448
Column: 3
CWE codes:
134
Suggestion:
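Use a constant for the format specification. Here name is passed to snprintf as the format string itself, so any % sequence in it would be interpreted as a conversion; passing it as the argument of a literal "%s" format avoids that regardless of where name comes from.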
pool->xa_num_irqs.min = start;
pool->xa_num_irqs.max = start + size - 1;
if (name)
snprintf(pool->name, MLX5_MAX_IRQ_NAME - MLX5_MAX_IRQ_IDX_CHARS,
name);
pool->min_threshold = min_threshold * MLX5_EQ_REFS_PER_IRQ;
pool->max_threshold = max_threshold * MLX5_EQ_REFS_PER_IRQ;
mlx5_core_dbg(dev, "pool->name = %s, pool->size = %d, pool->start = %d",
name, size, start);
Reported by FlawFinder.
Line: 34
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 index;
struct atomic_notifier_head nh;
cpumask_var_t mask;
char name[MLX5_MAX_IRQ_NAME];
struct kref kref;
int irqn;
struct mlx5_irq_pool *pool;
};
Reported by FlawFinder.
Line: 41
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct mlx5_irq_pool {
char name[MLX5_MAX_IRQ_NAME - MLX5_MAX_IRQ_IDX_CHARS];
struct xa_limit xa_num_irqs;
struct mutex lock; /* sync IRQs creations */
struct xarray irqs;
u32 max_threshold;
u32 min_threshold;
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
cap = MLX5_ADDR_OF(set_hca_cap_in, hca_cap, capability);
memcpy(cap, MLX5_ADDR_OF(query_hca_cap_out, query_cap, capability),
MLX5_UN_SZ_BYTES(hca_cap_union));
MLX5_SET(cmd_hca_cap, cap, dynamic_msix_table_size, msix_vec_count);
MLX5_SET(set_hca_cap_in, hca_cap, opcode, MLX5_CMD_OP_SET_HCA_CAP);
MLX5_SET(set_hca_cap_in, hca_cap, other_function, 1);
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct mlx5_irq *irq_request(struct mlx5_irq_pool *pool, int i)
{
struct mlx5_core_dev *dev = pool->dev;
char name[MLX5_MAX_IRQ_NAME];
struct mlx5_irq *irq;
int err;
irq = kzalloc(sizeof(*irq), GFP_KERNEL);
if (!irq)
Reported by FlawFinder.
drivers/net/ethernet/intel/ixgb/ixgb_main.c
5 issues
Line: 478
Column: 2
CWE codes:
120
Suggestion:
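Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source here is the string literal "eth%d" (6 bytes including the terminator), so the copy length is fixed by the literal; what remains to check is that netdev->name is at least that large, which this excerpt does not show.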
INIT_WORK(&adapter->tx_timeout_task, ixgb_tx_timeout_task);
strcpy(netdev->name, "eth%d");
err = register_netdev(netdev);
if (err)
goto err_register;
/* carrier off reporting is important to ethtool even BEFORE open */
Reported by FlawFinder.
Line: 1033
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(addr->sa_data))
return -EADDRNOTAVAIL;
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
ixgb_rar_set(&adapter->hw, addr->sa_data, 0);
return 0;
}
Reported by FlawFinder.
Line: 1094
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
addr = mta;
netdev_for_each_mc_addr(ha, netdev) {
memcpy(addr, ha->addr, ETH_ALEN);
addr += ETH_ALEN;
}
ixgb_mc_addr_list_update(hw, mta, netdev_mc_count(netdev), 0);
kfree(mta);
Reported by FlawFinder.
Line: 2254
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return PCI_ERS_RESULT_DISCONNECT;
}
ixgb_get_ee_mac_addr(&adapter->hw, netdev->dev_addr);
memcpy(netdev->perm_addr, netdev->dev_addr, netdev->addr_len);
if (!is_valid_ether_addr(netdev->perm_addr)) {
netif_err(adapter, probe, adapter->netdev,
"After reset, invalid MAC address\n");
return PCI_ERS_RESULT_DISCONNECT;
Reported by FlawFinder.
Line: 425
Column: 2
CWE codes:
120
netdev->watchdog_timeo = 5 * HZ;
netif_napi_add(netdev, &adapter->napi, ixgb_clean, 64);
strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);
adapter->bd_number = cards_found;
adapter->link_speed = 0;
adapter->link_duplex = 0;
Reported by FlawFinder.
drivers/net/wireless/broadcom/b43/debugfs.c
5 issues
Line: 673
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct b43_dfsentry *e;
struct b43_txstatus_log *log;
char devdir[16];
B43_WARN_ON(!dev);
e = kzalloc(sizeof(*e), GFP_KERNEL);
if (!e) {
b43err(dev->wl, "debugfs: add device OOM\n");
Reported by FlawFinder.
Line: 760
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i = 0;
log->end = i;
cur = &(log->log[i]);
memcpy(cur, status, sizeof(*cur));
}
void b43_debugfs_init(void)
{
rootdir = debugfs_create_dir(KBUILD_MODNAME, NULL);
Reported by FlawFinder.
Line: 31
Column: 12
CWE codes:
120
20
static struct dentry *rootdir;
/* Per-file debugfs operations for b43: driver-level read/write callbacks
 * bundled with the file_operations handed to debugfs.
 */
struct b43_debugfs_fops {
/* Driver callback that fills buf, whose capacity is passed as bufsize.
 * This is a function-pointer member named `read`, not a call to read(2).
 * May be NULL: the read path shown elsewhere in this report checks it and
 * fails with -ENOSYS, and zeroes buf before invoking it.
 */
ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
/* Driver callback that consumes count bytes from buf.
 * NOTE(review): whether buf is NUL-terminated by the caller is not visible
 * in this excerpt; confirm before treating it as a string.
 */
int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
/* file_operations embedded by value; the read path recovers the enclosing
 * struct from it with container_of().
 */
struct file_operations fops;
/* Offset of struct b43_dfs_file in struct b43_dfsentry */
size_t file_struct_offset;
};
Reported by FlawFinder.
Line: 516
Column: 14
CWE codes:
120
20
dfops = container_of(debugfs_real_fops(file),
struct b43_debugfs_fops, fops);
if (!dfops->read) {
err = -ENOSYS;
goto out_unlock;
}
dfile = fops_to_dfs_file(dev, dfops);
Reported by FlawFinder.
Line: 529
Column: 16
CWE codes:
120
20
goto out_unlock;
}
memset(buf, 0, bufsize);
ret = dfops->read(dev, buf, bufsize);
if (ret <= 0) {
free_pages((unsigned long)buf, buforder);
err = ret;
goto out_unlock;
}
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
5 issues
Line: 189
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void mlx5_fpga_tls_flow_to_cmd(void *flow, void *cmd)
{
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, src_port), flow,
MLX5_BYTE_OFF(tls_flow, ipv6));
MLX5_SET(tls_cmd, cmd, ipv6, MLX5_GET(tls_flow, flow, ipv6));
MLX5_SET(tls_cmd, cmd, direction_sx,
MLX5_GET(tls_flow, flow, direction_sx));
Reported by FlawFinder.
Line: 517
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct tls12_crypto_info_aes_gcm_128 *crypto_info =
(struct tls12_crypto_info_aes_gcm_128 *)info;
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, tls_rcd_sn), crypto_info->rec_seq,
TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, tls_implicit_iv),
crypto_info->salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, encryption_key),
Reported by FlawFinder.
Line: 520
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, tls_rcd_sn), crypto_info->rec_seq,
TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, tls_implicit_iv),
crypto_info->salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, encryption_key),
crypto_info->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
/* in AES-GCM 128 we need to write the key twice */
Reported by FlawFinder.
Line: 522
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, tls_implicit_iv),
crypto_info->salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, encryption_key),
crypto_info->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
/* in AES-GCM 128 we need to write the key twice */
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, encryption_key) +
TLS_CIPHER_AES_GCM_128_KEY_SIZE,
Reported by FlawFinder.
Line: 526
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
crypto_info->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
/* in AES-GCM 128 we need to write the key twice */
memcpy(MLX5_ADDR_OF(tls_cmd, cmd, encryption_key) +
TLS_CIPHER_AES_GCM_128_KEY_SIZE,
crypto_info->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
MLX5_SET(tls_cmd, cmd, alg, MLX5_TLS_ALG_AES_GCM_128);
}
Reported by FlawFinder.