The following issues were found
drivers/net/wireless/intel/iwlwifi/dvm/scan.c
5 issues
Line: 675
CWE codes:
476
interval = 0;
break;
case IWL_SCAN_NORMAL:
interval = vif->bss_conf.beacon_int;
break;
}
scan->suspend_time = 0;
scan->max_out_time = cpu_to_le32(200 * 1024);
Reported by Cppcheck.
Line: 580
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
frame->frame_control = cpu_to_le16(IEEE80211_STYPE_PROBE_REQ);
eth_broadcast_addr(frame->da);
memcpy(frame->sa, ta, ETH_ALEN);
eth_broadcast_addr(frame->bssid);
frame->seq_ctrl = 0;
len += 24;
Reported by FlawFinder.
Line: 596
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*pos++ = WLAN_EID_SSID;
*pos++ = ssid_len;
if (ssid && ssid_len) {
memcpy(pos, ssid, ssid_len);
pos += ssid_len;
}
len += ssid_len + 2;
Reported by FlawFinder.
Line: 606
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return len;
if (ies && ie_len) {
memcpy(pos, ies, ie_len);
len += ie_len;
}
return (u16)len;
}
Reported by FlawFinder.
Line: 721
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scan->direct_scan[p].id = WLAN_EID_SSID;
scan->direct_scan[p].len =
priv->scan_request->ssids[i].ssid_len;
memcpy(scan->direct_scan[p].ssid,
priv->scan_request->ssids[i].ssid,
priv->scan_request->ssids[i].ssid_len);
n_probes++;
p++;
}
Reported by FlawFinder.
drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
5 issues
Line: 76
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ionic_get_stats_strings(lif, buf);
break;
case ETH_SS_PRIV_FLAGS:
memcpy(buf, ionic_priv_flags_strings,
IONIC_PRIV_FLAGS_COUNT * ETH_GSTRING_LEN);
break;
}
}
Reported by FlawFinder.
Line: 733
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (key)
memcpy(key, lif->rss_hash_key, IONIC_RSS_HASH_KEY_SIZE);
if (hfunc)
*hfunc = ETH_RSS_HASH_TOP;
return 0;
Reported by FlawFinder.
Line: 826
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ionic_lif *lif = netdev_priv(netdev);
struct ionic_dev *idev = &lif->ionic->idev;
struct ionic_xcvr_status *xcvr;
char tbuf[sizeof(xcvr->sprom)];
int count = 10;
u32 len;
/* The NIC keeps the module prom up-to-date in the DMA space
* so we can simply copy the module bytes into the data buffer.
Reported by FlawFinder.
Line: 837
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = min_t(u32, sizeof(xcvr->sprom), ee->len);
do {
memcpy(data, xcvr->sprom, len);
memcpy(tbuf, xcvr->sprom, len);
/* Let's make sure we got a consistent copy */
if (!memcmp(data, tbuf, len))
break;
Reported by FlawFinder.
Line: 838
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
do {
memcpy(data, xcvr->sprom, len);
memcpy(tbuf, xcvr->sprom, len);
/* Let's make sure we got a consistent copy */
if (!memcmp(data, tbuf, len))
break;
Reported by FlawFinder.
drivers/net/fjes/fjes_main.c
5 issues
Line: 100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool is_extended_socket_device(struct acpi_device *device)
{
struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL};
char str_buf[sizeof(FJES_ACPI_SYMBOL) + 1];
union acpi_object *str;
acpi_status status;
int result;
status = acpi_evaluate_object(device->handle, "_STR", NULL, &buffer);
Reported by FlawFinder.
Line: 626
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int max_epid, my_epid, dest_epid;
enum ep_partner_status pstatus;
struct netdev_queue *cur_queue;
char shortpkt[VLAN_ETH_HLEN];
bool is_multi, vlan;
struct ethhdr *eth;
u16 queue_no = 0;
u16 vlan_id = 0;
netdev_tx_t ret;
Reported by FlawFinder.
Line: 722
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
if (len < VLAN_ETH_HLEN) {
memset(shortpkt, 0, VLAN_ETH_HLEN);
memcpy(shortpkt, skb->data, skb->len);
len = VLAN_ETH_HLEN;
data = shortpkt;
}
if (adapter->tx_retry_count == 0) {
Reported by FlawFinder.
Line: 802
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct fjes_adapter *adapter = netdev_priv(netdev);
memcpy(stats, &adapter->stats64, sizeof(struct rtnl_link_stats64));
}
static int fjes_change_mtu(struct net_device *netdev, int new_mtu)
{
struct fjes_adapter *adapter = netdev_priv(netdev);
Reported by FlawFinder.
Line: 115
Column: 41
CWE codes:
126
str_buf, sizeof(str_buf) - 1);
str_buf[result] = 0;
if (strncmp(FJES_ACPI_SYMBOL, str_buf, strlen(FJES_ACPI_SYMBOL)) != 0) {
kfree(buffer.pointer);
return false;
}
kfree(buffer.pointer);
Reported by FlawFinder.
drivers/net/ethernet/pensando/ionic/ionic_lif.c
5 issues
Line: 1275
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netdev_dbg(lif->netdev, "rx_filter add ADDR %pM\n", addr);
memcpy(ctx.cmd.rx_filter_add.mac.addr, addr, ETH_ALEN);
err = ionic_adminq_post_wait(lif, &ctx);
if (err && err != -EEXIST)
return err;
return ionic_rx_filter_save(lif, 0, IONIC_RXQ_INDEX_ANY, 0, &ctx);
Reported by FlawFinder.
Line: 1368
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct net_device *netdev = lif->netdev;
unsigned int nfilters;
unsigned int nd_flags;
char buf[128];
u16 rx_mode;
int i;
#define REMAIN(__x) (sizeof(buf) - (__x))
mutex_lock(&lif->config_lock);
Reported by FlawFinder.
Line: 1857
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (key)
memcpy(lif->rss_hash_key, key, IONIC_RSS_HASH_KEY_SIZE);
if (indir) {
tbl_sz = le16_to_cpu(lif->ionic->ident.lif.eth.rss_ind_tbl_sz);
for (i = 0; i < tbl_sz; i++)
lif->rss_ind_tbl[i] = indir[i];
Reported by FlawFinder.
Line: 1865
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lif->rss_ind_tbl[i] = indir[i];
}
memcpy(ctx.cmd.lif_setattr.rss.key, lif->rss_hash_key,
IONIC_RSS_HASH_KEY_SIZE);
return ionic_adminq_post_wait(lif, &ctx);
}
Reported by FlawFinder.
Line: 3185
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ionic_lif_addr(lif, netdev->dev_addr, ADD_ADDR);
} else {
/* Update the netdev mac with the device's mac */
memcpy(addr.sa_data, ctx.comp.lif_getattr.mac, netdev->addr_len);
addr.sa_family = AF_INET;
err = eth_prepare_mac_addr_change(netdev, &addr);
if (err) {
netdev_warn(lif->netdev, "ignoring bad MAC addr from NIC %pM - err %d\n",
addr.sa_data, err);
Reported by FlawFinder.
drivers/net/ethernet/intel/i40e/i40e_common.c
5 issues
Line: 2965
Column: 39
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
**/
i40e_status i40e_aq_request_resource(struct i40e_hw *hw,
enum i40e_aq_resources_ids resource,
enum i40e_aq_resource_access_type access,
u8 sdp_number, u64 *timeout,
struct i40e_asq_cmd_details *cmd_details)
{
struct i40e_aq_desc desc;
struct i40e_aqc_request_resource *cmd_resp =
Reported by FlawFinder.
Line: 2977
Column: 38
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
i40e_fill_default_direct_cmd_desc(&desc, i40e_aqc_opc_request_resource);
cmd_resp->resource_id = cpu_to_le16(resource);
cmd_resp->access_type = cpu_to_le16(access);
cmd_resp->resource_number = cpu_to_le32(sdp_number);
status = i40e_asq_send_command(hw, &desc, NULL, 0, cmd_details);
/* The completion specifies the maximum time in ms that the driver
* may hold the resource in the Timeout field.
Reported by FlawFinder.
Line: 288
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct i40e_aq_desc *aq_desc = (struct i40e_aq_desc *)desc;
u32 effective_mask = hw->debug_mask & mask;
char prefix[27];
u16 len;
u8 *buf = (u8 *)buffer;
if (!effective_mask || !desc)
return;
Reported by FlawFinder.
Line: 5627
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* copy returned desc to aq_buf */
memcpy(aq->param, desc.params.raw, sizeof(desc.params.raw));
return 0;
}
/**
Reported by FlawFinder.
Line: 5843
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pinfo->track_id = track_id;
pinfo->version = profile->version;
pinfo->op = I40E_DDP_ADD_TRACKID;
memcpy(pinfo->name, profile->name, I40E_DDP_NAME_SIZE);
status = i40e_aq_write_ddp(hw, (void *)sec, sec->data_end,
track_id, &offset, &info, NULL);
return status;
Reported by FlawFinder.
drivers/net/wireless/ath/ath10k/mac.c
5 issues
Line: 6077
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vif->type == NL80211_IFTYPE_AP) {
arvif->u.ap.ssid_len = info->ssid_len;
if (info->ssid_len)
memcpy(arvif->u.ap.ssid, info->ssid, info->ssid_len);
arvif->u.ap.hidden_ssid = info->hidden_ssid;
}
if (changed & BSS_CHANGED_BSSID && !is_zero_ether_addr(info->bssid))
ether_addr_copy(arvif->bssid, info->bssid);
Reported by FlawFinder.
Line: 6326
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (req->ie_len) {
arg.ie_len = req->ie_len;
memcpy(arg.ie, req->ie, arg.ie_len);
}
if (req->n_ssids) {
arg.n_ssids = req->n_ssids;
for (i = 0; i < arg.n_ssids; i++) {
Reported by FlawFinder.
Line: 8105
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ath10k_mac_update_bss_chan_survey(ar, &sband->channels[idx]);
spin_lock_bh(&ar->data_lock);
memcpy(survey, ar_survey, sizeof(*survey));
spin_unlock_bh(&ar->data_lock);
survey->channel = &sband->channels[idx];
if (ar->rx_channel == survey->channel)
Reported by FlawFinder.
Line: 9767
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct acpi_buffer wrdd = {ACPI_ALLOCATE_BUFFER, NULL};
acpi_status status;
u32 alpha2_code;
char alpha2[3];
root_handle = ACPI_HANDLE(ar->dev);
if (!root_handle)
return -EOPNOTSUPP;
Reported by FlawFinder.
Line: 6045
Column: 4
CWE codes:
120
if (ieee80211_vif_is_mesh(vif)) {
/* mesh doesn't use SSID but firmware needs it */
strncpy(arvif->u.ap.ssid, "mesh",
sizeof(arvif->u.ap.ssid));
arvif->u.ap.ssid_len = 4;
}
}
Reported by FlawFinder.
drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
5 issues
Line: 218
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
skb_reserve(skb, bi->xdp->data - bi->xdp->data_hard_start);
memcpy(__skb_put(skb, datasize), bi->xdp->data, datasize);
if (metasize)
skb_metadata_set(skb, metasize);
xsk_buff_free(bi->xdp);
bi->xdp = NULL;
Reported by FlawFinder.
Line: 169
Column: 12
CWE codes:
120
20
/* Refresh the desc even if buffer_addrs didn't change
* because each write-back erases this info.
*/
rx_desc->read.pkt_addr = cpu_to_le64(dma);
rx_desc++;
bi++;
i++;
if (unlikely(!i)) {
Reported by FlawFinder.
Line: 409
Column: 12
CWE codes:
120
20
tx_bi->gso_segs = 1;
tx_desc = IXGBE_TX_DESC(xdp_ring, xdp_ring->next_to_use);
tx_desc->read.buffer_addr = cpu_to_le64(dma);
/* put descriptor type bits */
cmd_type = IXGBE_ADVTXD_DTYP_DATA |
IXGBE_ADVTXD_DCMD_DEXT |
IXGBE_ADVTXD_DCMD_IFCS;
Reported by FlawFinder.
Line: 416
Column: 12
CWE codes:
120
20
IXGBE_ADVTXD_DCMD_DEXT |
IXGBE_ADVTXD_DCMD_IFCS;
cmd_type |= desc.len | IXGBE_TXD_CMD;
tx_desc->read.cmd_type_len = cpu_to_le32(cmd_type);
tx_desc->read.olinfo_status =
cpu_to_le32(desc.len << IXGBE_ADVTXD_PAYLEN_SHIFT);
xdp_ring->next_to_use++;
if (xdp_ring->next_to_use == xdp_ring->count)
Reported by FlawFinder.
Line: 417
Column: 12
CWE codes:
120
20
IXGBE_ADVTXD_DCMD_IFCS;
cmd_type |= desc.len | IXGBE_TXD_CMD;
tx_desc->read.cmd_type_len = cpu_to_le32(cmd_type);
tx_desc->read.olinfo_status =
cpu_to_le32(desc.len << IXGBE_ADVTXD_PAYLEN_SHIFT);
xdp_ring->next_to_use++;
if (xdp_ring->next_to_use == xdp_ring->count)
xdp_ring->next_to_use = 0;
Reported by FlawFinder.
drivers/net/ethernet/socionext/sni_ave.c
5 issues
Line: 377
CWE codes:
786
{
struct ave_private *priv = netdev_priv(ndev);
writel(mac_addr[0] | mac_addr[1] << 8 |
mac_addr[2] << 16 | mac_addr[3] << 24, priv->base + reg1);
writel(mac_addr[4] | mac_addr[5] << 8, priv->base + reg2);
}
static void ave_hw_read_version(struct net_device *ndev, char *buf, int len)
Reported by Cppcheck.
Line: 290
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ave_soc_data {
bool is_desc_64bit;
const char *clock_names[AVE_MAX_CLKS];
const char *reset_names[AVE_MAX_RSTS];
int (*get_pinmode)(struct ave_private *priv,
phy_interface_t phy_mode, u32 arg);
};
Reported by FlawFinder.
Line: 291
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ave_soc_data {
bool is_desc_64bit;
const char *clock_names[AVE_MAX_CLKS];
const char *reset_names[AVE_MAX_RSTS];
int (*get_pinmode)(struct ave_private *priv,
phy_interface_t phy_mode, u32 arg);
};
static u32 ave_desc_read(struct net_device *ndev, enum desc_id id, int entry,
Reported by FlawFinder.
Line: 1069
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void ave_pfsel_init(struct net_device *ndev)
{
unsigned char bcast_mac[ETH_ALEN];
int i;
eth_broadcast_addr(bcast_mac);
for (i = 0; i < AVE_PF_SIZE; i++)
Reported by FlawFinder.
Line: 1556
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct ave_soc_data *data;
struct device *dev = &pdev->dev;
char buf[ETHTOOL_FWVERS_LEN];
struct of_phandle_args args;
phy_interface_t phy_mode;
struct ave_private *priv;
struct net_device *ndev;
struct device_node *np;
Reported by FlawFinder.
drivers/net/ethernet/huawei/hinic/hinic_hw_mgmt.c
5 issues
Line: 160
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(mgmt_cmd, 0, MGMT_MSG_RSVD_FOR_DEV);
mgmt_cmd += MGMT_MSG_RSVD_FOR_DEV;
memcpy(mgmt_cmd, header, sizeof(*header));
mgmt_cmd += sizeof(*header);
memcpy(mgmt_cmd, msg, msg_len);
}
Reported by FlawFinder.
Line: 163
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(mgmt_cmd, header, sizeof(*header));
mgmt_cmd += sizeof(*header);
memcpy(mgmt_cmd, msg, msg_len);
}
/**
* mgmt_msg_len - calculate the total message length
* @msg_data_len: the length of the message data
Reported by FlawFinder.
Line: 298
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (buf_out && recv_msg->msg_len <= MAX_PF_MGMT_BUF_SIZE) {
memcpy(buf_out, recv_msg->msg, recv_msg->msg_len);
*out_size = recv_msg->msg_len;
}
unlock_sync_msg:
up(&pf_to_mgmt->sync_msg_lock);
Reported by FlawFinder.
Line: 458
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mgmt_work->pf_to_mgmt = pf_to_mgmt;
mgmt_work->msg_len = recv_msg->msg_len;
memcpy(mgmt_work->msg, recv_msg->msg, recv_msg->msg_len);
mgmt_work->msg_id = recv_msg->msg_id;
mgmt_work->mod = recv_msg->mod;
mgmt_work->cmd = recv_msg->cmd;
mgmt_work->async_mgmt_to_pf = recv_msg->async_mgmt_to_pf;
Reported by FlawFinder.
Line: 504
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
msg_body = (u8 *)header + sizeof(*header);
memcpy(recv_msg->msg + seq_id * SEGMENT_LEN, msg_body, seg_len);
if (!HINIC_MSG_HEADER_GET(*header, LAST))
return;
recv_msg->cmd = HINIC_MSG_HEADER_GET(*header, CMD);
Reported by FlawFinder.
drivers/net/ethernet/intel/iavf/iavf_client.c
5 issues
Line: 117
Column: 27
CWE codes:
362
int ret;
if (!cinst || !cinst->client || !cinst->client->ops ||
!cinst->client->ops->open) {
dev_dbg(&vsi->back->pdev->dev,
"Cannot locate client instance open function\n");
return;
}
if (!(test_bit(__IAVF_CLIENT_INSTANCE_OPENED, &cinst->state))) {
Reported by FlawFinder.
Line: 123
Column: 29
CWE codes:
362
return;
}
if (!(test_bit(__IAVF_CLIENT_INSTANCE_OPENED, &cinst->state))) {
ret = cinst->client->ops->open(&cinst->lan_info, cinst->client);
if (!ret)
set_bit(__IAVF_CLIENT_INSTANCE_OPENED, &cinst->state);
}
}
Reported by FlawFinder.
Line: 275
Column: 35
CWE codes:
362
if (!test_bit(__IAVF_CLIENT_INSTANCE_OPENED, &cinst->state)) {
/* Send an Open request to the client */
if (client->ops && client->ops->open)
ret = client->ops->open(&cinst->lan_info, client);
if (!ret)
set_bit(__IAVF_CLIENT_INSTANCE_OPENED,
&cinst->state);
else
Reported by FlawFinder.
Line: 276
Column: 23
CWE codes:
362
/* Send an Open request to the client */
if (client->ops && client->ops->open)
ret = client->ops->open(&cinst->lan_info, client);
if (!ret)
set_bit(__IAVF_CLIENT_INSTANCE_OPENED,
&cinst->state);
else
/* remove client instance */
Reported by FlawFinder.
Line: 515
Column: 6
CWE codes:
126
goto out;
}
if (strlen(client->name) == 0) {
pr_info("iavf: Failed to register client with no name\n");
ret = -EIO;
goto out;
}
Reported by FlawFinder.