The following issues were found
drivers/net/wireless/ath/ath6kl/main.c
5 issues
Line: 72
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
free_slot = aid - 1;
sta = &ar->sta_list[free_slot];
memcpy(sta->mac, mac, ETH_ALEN);
if (ielen <= ATH6KL_MAX_IE)
memcpy(sta->wpa_ie, wpaie, ielen);
sta->aid = aid;
sta->keymgmt = keymgmt;
sta->ucipher = ucipher;
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sta = &ar->sta_list[free_slot];
memcpy(sta->mac, mac, ETH_ALEN);
if (ielen <= ATH6KL_MAX_IE)
memcpy(sta->wpa_ie, wpaie, ielen);
sta->aid = aid;
sta->keymgmt = keymgmt;
sta->ucipher = ucipher;
sta->auth = auth;
sta->apsd_info = apsd_info;
Reported by FlawFinder.
Line: 533
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct ath6kl *ar = devt;
memcpy(ar->mac_addr, datap, ETH_ALEN);
ath6kl_dbg(ATH6KL_DBG_BOOT,
"ready event mac addr %pM sw_ver 0x%x abi_ver 0x%x cap 0x%x\n",
ar->mac_addr, sw_ver, abi_ver, cap);
Reported by FlawFinder.
Line: 1259
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(mc_filter->hw_addr, ha->addr,
ATH6KL_MCAST_FILTER_MAC_ADDR_SIZE);
/* Set the multicast filter */
ath6kl_dbg(ATH6KL_DBG_TRC,
"Adding %pM to multicast filter list\n",
mc_filter->hw_addr);
Reported by FlawFinder.
Line: 543
Column: 6
CWE codes:
126
ar->version.abi_ver = abi_ver;
ar->hw.cap = cap;
if (strlen(ar->wiphy->fw_version) == 0) {
snprintf(ar->wiphy->fw_version,
sizeof(ar->wiphy->fw_version),
"%u.%u.%u.%u",
(ar->version.wlan_ver & 0xf0000000) >> 28,
(ar->version.wlan_ver & 0x0f000000) >> 24,
Reported by FlawFinder.
drivers/net/ethernet/sgi/ioc3-eth.c
5 issues
Line: 199
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ioc3eth_get_mac_addr(struct resource *res, u8 mac_addr[6])
{
struct nvmem_device *nvmem;
char prefix[24];
u8 prom[16];
int ret;
int i;
snprintf(prefix, sizeof(prefix), "ioc3-%012llx-",
Reported by FlawFinder.
Line: 246
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ioc3_private *ip = netdev_priv(dev);
struct sockaddr *sa = addr;
memcpy(dev->dev_addr, sa->sa_data, dev->addr_len);
spin_lock_irq(&ip->ioc3_lock);
__ioc3_set_mac_address(dev);
spin_unlock_irq(&ip->ioc3_lock);
Reported by FlawFinder.
Line: 923
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ioc3_mii_start(ip);
ioc3_ssram_disc(ip);
memcpy(dev->dev_addr, mac_addr, ETH_ALEN);
/* The IOC3-specific entries in the device structure. */
dev->watchdog_timeo = 5 * HZ;
dev->netdev_ops = &ioc3_netdev_ops;
dev->ethtool_ops = &ioc3_ethtool_ops;
Reported by FlawFinder.
Line: 176
Column: 15
CWE codes:
126
const char *prefix = data;
int prefix_len;
prefix_len = strlen(prefix);
if (strlen(name) < (prefix_len + 3))
return 0;
if (memcmp(prefix, name, prefix_len) != 0)
return 0;
Reported by FlawFinder.
Line: 177
Column: 6
CWE codes:
126
int prefix_len;
prefix_len = strlen(prefix);
if (strlen(name) < (prefix_len + 3))
return 0;
if (memcmp(prefix, name, prefix_len) != 0)
return 0;
Reported by FlawFinder.
drivers/net/ethernet/huawei/hinic/hinic_debugfs.c
5 issues
Line: 134
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
loff_t *ppos)
{
struct hinic_debug_priv *dbg;
char ret_buf[20];
int *desc;
u64 out;
int ret;
desc = filp->private_data;
Reported by FlawFinder.
Line: 210
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct hinic_sq *sq;
struct dentry *root;
char sub_dir[16];
sq = dev->txqs[sq_id].sq;
sprintf(sub_dir, "0x%x", sq_id);
Reported by FlawFinder.
Line: 214
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sq = dev->txqs[sq_id].sq;
sprintf(sub_dir, "0x%x", sq_id);
root = debugfs_create_dir(sub_dir, dev->sq_dbgfs);
return create_dbg_files(dev, HINIC_DBG_SQ_INFO, sq, root, &sq->dbg, sq_fields,
ARRAY_SIZE(sq_fields));
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct hinic_rq *rq;
struct dentry *root;
char sub_dir[16];
rq = dev->rxqs[rq_id].rq;
sprintf(sub_dir, "0x%x", rq_id);
Reported by FlawFinder.
Line: 236
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
rq = dev->rxqs[rq_id].rq;
sprintf(sub_dir, "0x%x", rq_id);
root = debugfs_create_dir(sub_dir, dev->rq_dbgfs);
return create_dbg_files(dev, HINIC_DBG_RQ_INFO, rq, root, &rq->dbg, rq_fields,
ARRAY_SIZE(rq_fields));
Reported by FlawFinder.
drivers/net/wireless/ath/carl9170/debug.c
5 issues
Line: 339
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
fc = 0;
skb_queue_walk(&iter->queue, skb) {
char prefix[32];
snprintf(prefix, sizeof(prefix), "\t\t%3d :", fc);
carl9170_debugfs_format_frame(ar, skb, prefix, buf,
len, bufsize);
Reported by FlawFinder.
Line: 360
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ssize_t *len, size_t bufsize, struct sk_buff_head *queue)
{
struct sk_buff *skb;
char prefix[16];
int fc = 0;
spin_lock_bh(&queue->lock);
skb_queue_walk(queue, skb) {
snprintf(prefix, sizeof(prefix), "%3d :", fc);
Reported by FlawFinder.
Line: 54
Column: 10
CWE codes:
120
20
struct carl9170_debugfs_fops {
unsigned int read_bufsize;
umode_t attr;
char *(*read)(struct ar9170 *ar, char *buf, size_t bufsize,
ssize_t *len);
ssize_t (*write)(struct ar9170 *aru, const char *buf, size_t size);
const struct file_operations fops;
enum carl9170_device_state req_dev_state;
Reported by FlawFinder.
Line: 81
Column: 14
CWE codes:
120
20
dfops = container_of(debugfs_real_fops(file),
struct carl9170_debugfs_fops, fops);
if (!dfops->read)
return -ENOSYS;
if (dfops->read_bufsize) {
buf = vmalloc(dfops->read_bufsize);
if (!buf)
Reported by FlawFinder.
Line: 97
Column: 19
CWE codes:
120
20
goto out_free;
}
res_buf = dfops->read(ar, buf, dfops->read_bufsize, &ret);
if (ret > 0)
err = simple_read_from_buffer(userbuf, count, ppos,
res_buf, ret);
else
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx4/fw.c
5 issues
Line: 2435
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (IS_ERR(mailbox))
return PTR_ERR(mailbox);
memcpy(mailbox->buf, config_dev, sizeof(*config_dev));
err = mlx4_cmd(dev, mailbox->dma, 0, 0, MLX4_CMD_CONFIG_DEV,
MLX4_CMD_TIME_CLASS_B, MLX4_CMD_NATIVE);
mlx4_free_cmd_mailbox(dev, mailbox);
Reported by FlawFinder.
Line: 2457
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MLX4_CMD_TIME_CLASS_A, MLX4_CMD_NATIVE);
if (!err)
memcpy(config_dev, mailbox->buf, sizeof(*config_dev));
mlx4_free_cmd_mailbox(dev, mailbox);
return err;
}
Reported by FlawFinder.
Line: 2946
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_be16(((reg_len/4 + 1) & MLX4_ACCESS_REG_LEN_MASK) |
((0x3) << 12));
memcpy(inbuf->reg_data, reg_data, reg_len);
err = mlx4_cmd_box(dev, inbox->dma, outbox->dma, 0, 0,
MLX4_CMD_ACCESS_REG, MLX4_CMD_TIME_CLASS_C,
MLX4_CMD_WRAPPED);
if (err)
goto out;
Reported by FlawFinder.
Line: 2961
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(reg_data, outbuf->reg_data, reg_len);
out:
mlx4_free_cmd_mailbox(dev, inbox);
mlx4_free_cmd_mailbox(dev, outbox);
return err;
}
Reported by FlawFinder.
Line: 1970
Column: 3
CWE codes:
120
if (dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_DRIVER_VERSION_TO_FW) {
u8 *dst = (u8 *)(inbox + INIT_HCA_DRIVER_VERSION_OFFSET / 4);
strncpy(dst, DRV_NAME_FOR_FW, INIT_HCA_DRIVER_VERSION_SZ - 1);
mlx4_dbg(dev, "Reporting Driver Version to FW: %s\n", dst);
}
/* QPC/EEC/CQC/EQC/RDMARC attributes */
Reported by FlawFinder.
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
5 issues
Line: 336
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fq = &priv->fq[queue_id];
dest_fd = &fq->xdp_tx_fds.fds[fq->xdp_tx_fds.num++];
memcpy(dest_fd, fd, sizeof(*dest_fd));
if (fq->xdp_tx_fds.num < DEV_MAP_BULK_SIZE)
return;
dpaa2_eth_xdp_tx_flush(priv, ch, fq);
Reported by FlawFinder.
Line: 440
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_reserve(skb, dpaa2_eth_needed_headroom(NULL));
skb_put(skb, fd_length);
memcpy(skb->data, fd_vaddr + fd_offset, fd_length);
dpaa2_eth_recycle_buf(priv, ch, dpaa2_fd_get_addr(fd));
return skb;
}
Reported by FlawFinder.
Line: 3724
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ARRAY_SIZE(dist_fields); i++) {
size = dist_fields[i].size;
if (dist_fields[i].id & fields) {
memcpy(key_mem + new_off, key_mem + off, size);
new_off += size;
}
off += size;
}
}
Reported by FlawFinder.
Line: 4016
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
}
}
memcpy(net_dev->dev_addr, mac_addr, net_dev->addr_len);
} else if (is_zero_ether_addr(dpni_mac_addr)) {
/* No MAC address configured, fill in net_dev->dev_addr
* with a random one
*/
eth_hw_addr_random(net_dev);
Reported by FlawFinder.
Line: 4041
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* NET_ADDR_PERM is default, all we have to do is
* fill in the device addr.
*/
memcpy(net_dev->dev_addr, dpni_mac_addr, net_dev->addr_len);
}
return 0;
}
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
5 issues
Line: 114
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* is already written to the hw.
*/
if (ste_info->size == DR_STE_SIZE_CTRL)
memcpy(ste_info->ste->hw_ste, ste_info->data, DR_STE_SIZE_CTRL);
else
memcpy(ste_info->ste->hw_ste, ste_info->data, DR_STE_SIZE_REDUCED);
ret = mlx5dr_send_postsend_ste(dmn, ste_info->ste, ste_info->data,
ste_info->size, ste_info->offset);
Reported by FlawFinder.
Line: 116
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ste_info->size == DR_STE_SIZE_CTRL)
memcpy(ste_info->ste->hw_ste, ste_info->data, DR_STE_SIZE_CTRL);
else
memcpy(ste_info->ste->hw_ste, ste_info->data, DR_STE_SIZE_REDUCED);
ret = mlx5dr_send_postsend_ste(dmn, ste_info->ste, ste_info->data,
ste_info->size, ste_info->offset);
if (ret)
goto out;
Reported by FlawFinder.
Line: 249
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mlx5dr_ste_set_bit_mask(hw_ste, nic_matcher->ste_builder[sb_idx].bit_mask);
/* Copy STE control and tag */
memcpy(hw_ste, cur_ste->hw_ste, DR_STE_SIZE_REDUCED);
mlx5dr_ste_set_miss_addr(dmn->ste_ctx, hw_ste,
nic_matcher->e_anchor->chunk->icm_addr);
new_idx = mlx5dr_ste_calc_hash_index(hw_ste, new_htbl);
new_ste = &new_htbl->ste_arr[new_idx];
Reported by FlawFinder.
Line: 275
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
use_update_list = true;
}
memcpy(new_ste->hw_ste, hw_ste, DR_STE_SIZE_REDUCED);
new_htbl->ctrl.num_of_valid_entries++;
if (use_update_list) {
ste_info = kzalloc(sizeof(*ste_info), GFP_KERNEL);
Reported by FlawFinder.
Line: 1183
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy match_param since they will be consumed during the first
* nic_rule insertion.
*/
memcpy(©_param, param, sizeof(struct mlx5dr_match_param));
ret = dr_rule_create_rule_nic(rule, &rule->rx, param,
num_actions, actions);
if (ret)
return ret;
Reported by FlawFinder.
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_hwinfo.c
5 issues
Line: 111
Column: 19
CWE codes:
126
const char *key, *val, *end = hwinfo->data + size;
for (key = hwinfo->data; *key && key < end;
key = val + strlen(val) + 1) {
val = key + strlen(key) + 1;
if (val >= end) {
nfp_warn(cpp, "Bad HWINFO - overflowing key\n");
return -EINVAL;
Reported by FlawFinder.
Line: 113
Column: 15
CWE codes:
126
for (key = hwinfo->data; *key && key < end;
key = val + strlen(val) + 1) {
val = key + strlen(key) + 1;
if (val >= end) {
nfp_warn(cpp, "Bad HWINFO - overflowing key\n");
return -EINVAL;
}
Reported by FlawFinder.
Line: 119
Column: 13
CWE codes:
126
return -EINVAL;
}
if (val + strlen(val) + 1 > end) {
nfp_warn(cpp, "Bad HWINFO - overflowing value\n");
return -EINVAL;
}
}
Reported by FlawFinder.
Line: 265
Column: 19
CWE codes:
126
end = hwinfo->data + le32_to_cpu(hwinfo->size) - sizeof(u32);
for (key = hwinfo->data; *key && key < end;
key = val + strlen(val) + 1) {
val = key + strlen(key) + 1;
if (strcmp(key, lookup) == 0)
return val;
Reported by FlawFinder.
Line: 267
Column: 15
CWE codes:
126
for (key = hwinfo->data; *key && key < end;
key = val + strlen(val) + 1) {
val = key + strlen(key) + 1;
if (strcmp(key, lookup) == 0)
return val;
}
Reported by FlawFinder.
drivers/net/wireless/intel/iwlegacy/3945.c
5 issues
Line: 517
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rxb->page = NULL;
}
il_update_stats(il, false, fc, len);
memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats));
ieee80211_rx(il->hw, skb);
}
#define IL_DELAY_NEXT_SCAN_AFTER_ASSOC (HZ*6)
Reported by FlawFinder.
Line: 1749
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return rc;
}
memcpy(active_rxon, staging_rxon, sizeof(*active_rxon));
/*
* We do not commit tx power settings while channel changing,
* do it now if tx power changed.
*/
il_set_tx_power(il, il->tx_power_next, false);
Reported by FlawFinder.
Line: 1808
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return rc;
}
memcpy(active_rxon, staging_rxon, sizeof(*active_rxon));
if (!new_assoc) {
il_clear_ucode_stations(il);
il_restore_stations(il);
}
Reported by FlawFinder.
Line: 2242
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct il3945_addsta_cmd *addsta = (struct il3945_addsta_cmd *)data;
addsta->mode = cmd->mode;
memcpy(&addsta->sta, &cmd->sta, sizeof(struct sta_id_modify));
memcpy(&addsta->key, &cmd->key, sizeof(struct il4965_keyinfo));
addsta->station_flags = cmd->station_flags;
addsta->station_flags_msk = cmd->station_flags_msk;
addsta->tid_disable_tx = cpu_to_le16(0);
addsta->rate_n_flags = cmd->rate_n_flags;
Reported by FlawFinder.
Line: 2243
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct il3945_addsta_cmd *addsta = (struct il3945_addsta_cmd *)data;
addsta->mode = cmd->mode;
memcpy(&addsta->sta, &cmd->sta, sizeof(struct sta_id_modify));
memcpy(&addsta->key, &cmd->key, sizeof(struct il4965_keyinfo));
addsta->station_flags = cmd->station_flags;
addsta->station_flags_msk = cmd->station_flags_msk;
addsta->tid_disable_tx = cpu_to_le16(0);
addsta->rate_n_flags = cmd->rate_n_flags;
addsta->add_immediate_ba_tid = cmd->add_immediate_ba_tid;
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/en_main.c
5 issues
Line: 656
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rqc = MLX5_ADDR_OF(create_rq_in, in, ctx);
wq = MLX5_ADDR_OF(rqc, rqc, wq);
memcpy(rqc, param->rqc, sizeof(param->rqc));
MLX5_SET(rqc, rqc, cqn, rq->cq.mcq.cqn);
MLX5_SET(rqc, rqc, state, MLX5_RQC_STATE_RST);
MLX5_SET(rqc, rqc, ts_format, ts_format);
MLX5_SET(wq, wq, log_wq_pg_sz, rq->wq_ctrl.buf.page_shift -
Reported by FlawFinder.
Line: 1200
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sqc = MLX5_ADDR_OF(create_sq_in, in, ctx);
wq = MLX5_ADDR_OF(sqc, sqc, wq);
memcpy(sqc, param->sqc, sizeof(param->sqc));
MLX5_SET(sqc, sqc, tis_lst_sz, csp->tis_lst_sz);
MLX5_SET(sqc, sqc, tis_num_0, csp->tisn);
MLX5_SET(sqc, sqc, cqn, csp->cqn);
MLX5_SET(sqc, sqc, ts_cqe_to_dest_cqn, csp->ts_cqe_to_dest_cqn);
MLX5_SET(sqc, sqc, ts_format, ts_format);
Reported by FlawFinder.
Line: 1616
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cqc = MLX5_ADDR_OF(create_cq_in, in, cq_context);
memcpy(cqc, param->cqc, sizeof(param->cqc));
mlx5_fill_page_frag_array(&cq->wq_ctrl.buf,
(__be64 *)MLX5_ADDR_OF(create_cq_in, in, pas));
MLX5_SET(cqc, cqc, cq_period_mode, param->cq_period_mode);
Reported by FlawFinder.
Line: 2495
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rx_hash_toeplitz_key);
MLX5_SET(tirc, tirc, rx_hash_symmetric, 1);
memcpy(rss_key, rss_params->toeplitz_hash_key, len);
}
MLX5_SET(rx_hash_field_select, hfso, l3_prot_type,
ttconfig->l3_prot_type);
MLX5_SET(rx_hash_field_select, hfso, l4_prot_type,
ttconfig->l4_prot_type);
Reported by FlawFinder.
Line: 4092
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
goto err_unlock;
memcpy(&priv->tstamp, &config, sizeof(config));
mutex_unlock(&priv->state_lock);
/* might need to fix some features */
netdev_update_features(priv->netdev);
Reported by FlawFinder.