The following issues were found
drivers/net/slip/slip.c
5 issues
Line: 270
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#endif
if (sl->xleft) {
if (sl->xleft <= len) {
memcpy(sl->xbuff, sl->xhead, sl->xleft);
} else {
sl->xleft = 0;
dev->stats.tx_dropped++;
}
}
Reported by FlawFinder.
Line: 280
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sl->rcount) {
if (sl->rcount <= len) {
memcpy(sl->rbuff, rbuff, sl->rcount);
} else {
sl->rcount = 0;
dev->stats.rx_over_errors++;
set_bit(SLF_ERROR, &sl->flags);
}
Reported by FlawFinder.
Line: 741
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct slip *sl_alloc(void)
{
int i;
char name[IFNAMSIZ];
struct net_device *dev = NULL;
struct slip *sl;
for (i = 0; i < slip_maxdev; i++) {
dev = slip_devs[i];
Reported by FlawFinder.
Line: 754
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (i >= slip_maxdev)
return NULL;
sprintf(name, "sl%d", i);
dev = alloc_netdev(sizeof(*sl), name, NET_NAME_UNKNOWN, sl_setup);
if (!dev)
return NULL;
dev->base_addr = i;
Reported by FlawFinder.
Line: 1088
Column: 9
CWE codes:
126
switch (cmd) {
case SIOCGIFNAME:
tmp = strlen(sl->dev->name) + 1;
if (copy_to_user((void __user *)arg, sl->dev->name, tmp))
return -EFAULT;
return 0;
case SIOCGIFENCAP:
Reported by FlawFinder.
drivers/net/ethernet/intel/ice/ice_main.c
5 issues
Line: 1188
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (task->state || task->opcode != opcode)
continue;
memcpy(&task->event->desc, &event->desc, sizeof(event->desc));
task->event->msg_len = event->msg_len;
/* Only copy the data buffer if a destination was set */
if (task->event->msg_buf &&
task->event->buf_len > event->buf_len) {
Reported by FlawFinder.
Line: 1194
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Only copy the data buffer if a destination was set */
if (task->event->msg_buf &&
task->event->buf_len > event->buf_len) {
memcpy(task->event->msg_buf, event->msg_buf,
event->buf_len);
task->event->buf_len = event->buf_len;
}
task->state = ICE_AQ_TASK_COMPLETE;
Reported by FlawFinder.
Line: 5176
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* change the netdev's MAC address */
memcpy(netdev->dev_addr, mac, netdev->addr_len);
netif_addr_unlock_bh(netdev);
netdev_dbg(vsi->netdev, "updated MAC address to %pM\n",
netdev->dev_addr);
/* write new MAC address to the firmware */
Reported by FlawFinder.
Line: 6106
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int ice_vsi_open_ctrl(struct ice_vsi *vsi)
{
char int_name[ICE_INT_NAME_STR_LEN];
struct ice_pf *pf = vsi->back;
struct device *dev;
int err;
dev = ice_pf_to_dev(pf);
Reported by FlawFinder.
Line: 6162
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int ice_vsi_open(struct ice_vsi *vsi)
{
char int_name[ICE_INT_NAME_STR_LEN];
struct ice_pf *pf = vsi->back;
int err;
/* allocate descriptors */
err = ice_vsi_setup_tx_rings(vsi);
Reported by FlawFinder.
drivers/net/wireless/broadcom/brcm80211/brcmfmac/tracepoint.h
5 issues
Line: 40
Column: 16
CWE codes:
134
Suggestion:
Use a constant for the format specification
),
TP_fast_assign(
__assign_str(func, func);
WARN_ON_ONCE(vsnprintf(__get_dynamic_array(msg),
MAX_MSG_LEN, vaf->fmt,
*vaf->va) >= MAX_MSG_LEN);
),
TP_printk("%s: %s", __get_str(func), __get_str(msg))
);
Reported by FlawFinder.
Line: 58
Column: 16
CWE codes:
134
Suggestion:
Use a constant for the format specification
TP_fast_assign(
__entry->level = level;
__assign_str(func, func);
WARN_ON_ONCE(vsnprintf(__get_dynamic_array(msg),
MAX_MSG_LEN, vaf->fmt,
*vaf->va) >= MAX_MSG_LEN);
),
TP_printk("%s: %s", __get_str(func), __get_str(msg))
);
Reported by FlawFinder.
Line: 76
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TP_fast_assign(
__entry->len = len;
__entry->addr = (unsigned long)data;
memcpy(__get_dynamic_array(hdata), data, len);
),
TP_printk("hexdump [addr=%lx, length=%lu]", __entry->addr, __entry->len)
);
TRACE_EVENT(brcmf_bcdchdr,
Reported by FlawFinder.
Line: 96
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->prio = *((u8 *)data + 1);
__entry->flags2 = *((u8 *)data + 2);
__entry->siglen = *((u8 *)data + 3) * 4;
memcpy(__get_dynamic_array(signal),
(u8 *)data + 4, __entry->siglen);
),
TP_printk("bcdc: prio=%d siglen=%d", __entry->prio, __entry->siglen)
);
Reported by FlawFinder.
Line: 121
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__dynamic_array(u8, hdr, dir == SDPCM_GLOM ? 20 : 12)
),
TP_fast_assign(
memcpy(__get_dynamic_array(hdr), data, dir == SDPCM_GLOM ? 20 : 12);
__entry->len = *(u8 *)data | (*((u8 *)data + 1) << 8);
__entry->dir = dir;
),
TP_printk("sdpcm: %s len %u, seq %d",
__entry->dir == SDPCM_RX ? "RX" : "TX",
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
5 issues
Line: 265
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
switch (stringset) {
case ETH_SS_PRIV_FLAGS:
for (i = 0; i < MLX5E_NUM_PFLAGS; i++)
strcpy(data + i * ETH_GSTRING_LEN,
mlx5e_priv_flags[i].name);
break;
case ETH_SS_TEST:
for (i = 0; i < mlx5e_self_test_num(priv); i++)
Reported by FlawFinder.
Line: 271
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
case ETH_SS_TEST:
for (i = 0; i < mlx5e_self_test_num(priv); i++)
strcpy(data + i * ETH_GSTRING_LEN,
mlx5e_self_tests[i]);
break;
case ETH_SS_STATS:
mlx5e_stats_fill_strings(priv, data);
Reported by FlawFinder.
Line: 231
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef int (*mlx5e_pflag_handler)(struct net_device *netdev, bool enable);
struct pflag_desc {
char name[ETH_GSTRING_LEN];
mlx5e_pflag_handler handler;
};
static const struct pflag_desc mlx5e_priv_flags[MLX5E_NUM_PFLAGS];
Reported by FlawFinder.
Line: 1204
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct mlx5e_rss_params *rss = &priv->rss_params;
if (indir)
memcpy(indir, rss->indirection_rqt,
sizeof(rss->indirection_rqt));
if (key)
memcpy(key, rss->toeplitz_hash_key,
sizeof(rss->toeplitz_hash_key));
Reported by FlawFinder.
Line: 1208
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(rss->indirection_rqt));
if (key)
memcpy(key, rss->toeplitz_hash_key,
sizeof(rss->toeplitz_hash_key));
if (hfunc)
*hfunc = rss->hfunc;
Reported by FlawFinder.
drivers/net/wan/hdlc.c
5 issues
Line: 126
Column: 13
CWE codes:
362
hdlc->carrier = on;
if (!hdlc->open)
goto carrier_exit;
if (hdlc->carrier) {
netdev_info(dev, "Carrier detected\n");
hdlc_proto_start(dev);
Reported by FlawFinder.
Line: 148
Column: 30
CWE codes:
362
hdlc_device *hdlc = dev_to_hdlc(dev);
#ifdef DEBUG_LINK
printk(KERN_DEBUG "%s: hdlc_open() carrier %i open %i\n", dev->name,
hdlc->carrier, hdlc->open);
#endif
if (!hdlc->proto)
return -ENOSYS; /* no protocol attached */
Reported by FlawFinder.
Line: 154
Column: 19
CWE codes:
362
if (!hdlc->proto)
return -ENOSYS; /* no protocol attached */
if (hdlc->proto->open) {
int result = hdlc->proto->open(dev);
if (result)
return result;
}
Reported by FlawFinder.
Line: 155
Column: 29
CWE codes:
362
return -ENOSYS; /* no protocol attached */
if (hdlc->proto->open) {
int result = hdlc->proto->open(dev);
if (result)
return result;
}
Reported by FlawFinder.
Line: 183
Column: 30
CWE codes:
362
hdlc_device *hdlc = dev_to_hdlc(dev);
#ifdef DEBUG_LINK
printk(KERN_DEBUG "%s: hdlc_close() carrier %i open %i\n", dev->name,
hdlc->carrier, hdlc->open);
#endif
spin_lock_irq(&hdlc->state_lock);
hdlc->open = 0;
Reported by FlawFinder.
drivers/net/wireless/broadcom/b43/phy_n.c
5 issues
Line: 4381
CWE codes:
908
struct b43_phy_n_iq_comp *pcomp)
{
if (write) {
b43_phy_write(dev, B43_NPHY_C1_RXIQ_COMPA0, pcomp->a0);
b43_phy_write(dev, B43_NPHY_C1_RXIQ_COMPB0, pcomp->b0);
b43_phy_write(dev, B43_NPHY_C2_RXIQ_COMPA1, pcomp->a1);
b43_phy_write(dev, B43_NPHY_C2_RXIQ_COMPB1, pcomp->b1);
} else {
pcomp->a0 = b43_phy_read(dev, B43_NPHY_C1_RXIQ_COMPA0);
Reported by Cppcheck.
Line: 4382
CWE codes:
908
{
if (write) {
b43_phy_write(dev, B43_NPHY_C1_RXIQ_COMPA0, pcomp->a0);
b43_phy_write(dev, B43_NPHY_C1_RXIQ_COMPB0, pcomp->b0);
b43_phy_write(dev, B43_NPHY_C2_RXIQ_COMPA1, pcomp->a1);
b43_phy_write(dev, B43_NPHY_C2_RXIQ_COMPB1, pcomp->b1);
} else {
pcomp->a0 = b43_phy_read(dev, B43_NPHY_C1_RXIQ_COMPA0);
pcomp->b0 = b43_phy_read(dev, B43_NPHY_C1_RXIQ_COMPB0);
Reported by Cppcheck.
Line: 4383
CWE codes:
908
if (write) {
b43_phy_write(dev, B43_NPHY_C1_RXIQ_COMPA0, pcomp->a0);
b43_phy_write(dev, B43_NPHY_C1_RXIQ_COMPB0, pcomp->b0);
b43_phy_write(dev, B43_NPHY_C2_RXIQ_COMPA1, pcomp->a1);
b43_phy_write(dev, B43_NPHY_C2_RXIQ_COMPB1, pcomp->b1);
} else {
pcomp->a0 = b43_phy_read(dev, B43_NPHY_C1_RXIQ_COMPA0);
pcomp->b0 = b43_phy_read(dev, B43_NPHY_C1_RXIQ_COMPB0);
pcomp->a1 = b43_phy_read(dev, B43_NPHY_C2_RXIQ_COMPA1);
Reported by Cppcheck.
Line: 4384
CWE codes:
908
b43_phy_write(dev, B43_NPHY_C1_RXIQ_COMPA0, pcomp->a0);
b43_phy_write(dev, B43_NPHY_C1_RXIQ_COMPB0, pcomp->b0);
b43_phy_write(dev, B43_NPHY_C2_RXIQ_COMPA1, pcomp->a1);
b43_phy_write(dev, B43_NPHY_C2_RXIQ_COMPB1, pcomp->b1);
} else {
pcomp->a0 = b43_phy_read(dev, B43_NPHY_C1_RXIQ_COMPA0);
pcomp->b0 = b43_phy_read(dev, B43_NPHY_C1_RXIQ_COMPB0);
pcomp->a1 = b43_phy_read(dev, B43_NPHY_C2_RXIQ_COMPA1);
pcomp->b1 = b43_phy_read(dev, B43_NPHY_C2_RXIQ_COMPB1);
Reported by Cppcheck.
Line: 5579
Column: 7
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
}
}
if (!equal) {
b43_ntab_write_bulk(dev, B43_NTAB16(15, 80), 4,
nphy->txiqlocal_bestc);
for (i = 0; i < 4; i++)
buffer[i] = 0;
b43_ntab_write_bulk(dev, B43_NTAB16(15, 88), 4,
Reported by FlawFinder.
drivers/net/ethernet/synopsys/dwc-xlgmac.h
5 issues
Line: 356
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} ____cacheline_aligned;
struct xlgmac_channel {
char name[16];
/* Address of private data area for device */
struct xlgmac_pdata *pdata;
/* Queue index and base address of queue's DMA registers */
Reported by FlawFinder.
Line: 367
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Per channel interrupt irq number */
int dma_irq;
char dma_irq_name[IFNAMSIZ + 32];
/* Netdev related settings */
struct napi_struct napi;
unsigned int saved_ier;
Reported by FlawFinder.
Line: 608
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int channel_irq[XLGMAC_MAX_DMA_CHANNELS];
/* Netdev related settings */
unsigned char mac_addr[ETH_ALEN];
netdev_features_t netdev_features;
struct napi_struct napi;
/* Filtering support */
unsigned long active_vlans[BITS_TO_LONGS(VLAN_N_VID)];
Reported by FlawFinder.
Line: 628
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int phy_speed;
char drv_name[32];
char drv_ver[32];
};
void xlgmac_init_desc_ops(struct xlgmac_desc_ops *desc_ops);
void xlgmac_init_hw_ops(struct xlgmac_hw_ops *hw_ops);
Reported by FlawFinder.
Line: 629
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int phy_speed;
char drv_name[32];
char drv_ver[32];
};
void xlgmac_init_desc_ops(struct xlgmac_desc_ops *desc_ops);
void xlgmac_init_hw_ops(struct xlgmac_hw_ops *hw_ops);
const struct net_device_ops *xlgmac_get_netdev_ops(void);
Reported by FlawFinder.
drivers/net/ethernet/freescale/enetc/enetc_cbdr.c
5 issues
Line: 196
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dma_align = ALIGN(dma, RFSE_ALIGN);
tmp_align = PTR_ALIGN(tmp, RFSE_ALIGN);
memcpy(tmp_align, rfse, sizeof(*rfse));
cbd.addr[0] = cpu_to_le32(lower_32_bits(dma_align));
cbd.addr[1] = cpu_to_le32(upper_32_bits(dma_align));
err = enetc_send_cmd(si, &cbd);
Reported by FlawFinder.
Line: 213
Column: 16
CWE codes:
120
20
#define RSSE_ALIGN 64
static int enetc_cmd_rss_table(struct enetc_si *si, u32 *table, int count,
bool read)
{
struct enetc_cbdr *ring = &si->cbd_ring;
struct enetc_cbd cbd = {.cmd = 0};
dma_addr_t dma, dma_align;
u8 *tmp, *tmp_align;
Reported by FlawFinder.
Line: 234
Column: 7
CWE codes:
120
20
dma_align = ALIGN(dma, RSSE_ALIGN);
tmp_align = PTR_ALIGN(tmp, RSSE_ALIGN);
if (!read)
for (i = 0; i < count; i++)
tmp_align[i] = (u8)(table[i]);
/* fill up the descriptor */
cbd.cmd = read ? 2 : 1;
Reported by FlawFinder.
Line: 239
Column: 12
CWE codes:
120
20
tmp_align[i] = (u8)(table[i]);
/* fill up the descriptor */
cbd.cmd = read ? 2 : 1;
cbd.cls = 3;
cbd.length = cpu_to_le16(count);
cbd.addr[0] = cpu_to_le32(lower_32_bits(dma_align));
cbd.addr[1] = cpu_to_le32(upper_32_bits(dma_align));
Reported by FlawFinder.
Line: 250
Column: 6
CWE codes:
120
20
if (err)
dev_err(ring->dma_dev, "RSS cmd failed (%d)!", err);
if (read)
for (i = 0; i < count; i++)
table[i] = tmp_align[i];
dma_free_coherent(ring->dma_dev, count + RSSE_ALIGN, tmp, dma);
Reported by FlawFinder.
drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
5 issues
Line: 178
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct qlcnic_cmd_args cmd;
u32 arg1, arg2, arg3;
char drv_string[12];
int err = 0;
memset(drv_string, 0, sizeof(drv_string));
snprintf(drv_string, sizeof(drv_string), "%d"".""%d"".""%d",
_QLCNIC_LINUX_MAJOR, _QLCNIC_LINUX_MINOR,
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
return err;
memcpy(&arg1, drv_string, sizeof(u32));
memcpy(&arg2, drv_string + 4, sizeof(u32));
memcpy(&arg3, drv_string + 8, sizeof(u32));
cmd.req.arg[1] = arg1;
cmd.req.arg[2] = arg2;
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
memcpy(&arg1, drv_string, sizeof(u32));
memcpy(&arg2, drv_string + 4, sizeof(u32));
memcpy(&arg3, drv_string + 8, sizeof(u32));
cmd.req.arg[1] = arg1;
cmd.req.arg[2] = arg2;
cmd.req.arg[3] = arg3;
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&arg1, drv_string, sizeof(u32));
memcpy(&arg2, drv_string + 4, sizeof(u32));
memcpy(&arg3, drv_string + 8, sizeof(u32));
cmd.req.arg[1] = arg1;
cmd.req.arg[2] = arg2;
cmd.req.arg[3] = arg3;
Reported by FlawFinder.
Line: 997
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
le16_to_cpu(npar->tx_min_bw);
pci_info->tx_max_bw =
le16_to_cpu(npar->tx_max_bw);
memcpy(pci_info->mac, npar->mac, ETH_ALEN);
}
} else {
dev_err(&adapter->pdev->dev,
"Failed to get PCI Info%d\n", err);
err = -EIO;
Reported by FlawFinder.
drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
5 issues
Line: 362
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
mbx_out = cmd.rsp.arg[1];
if (buf)
memcpy(buf, &mbx_out, sizeof(u32));
}
qlcnic_free_mbx_args(&cmd);
return err;
Reported by FlawFinder.
Line: 482
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rsp.app[i] = le32_to_cpu(prsp_le->app[i]);
if (buf)
memcpy(buf, &rsp, size);
out:
qlcnic_free_mbx_args(&cmd);
out_free_rsp:
dma_free_coherent(dev, size, addr, cardrsp_phys_addr);
Reported by FlawFinder.
Line: 592
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
mbx_out.prio_tc_map = cmd.rsp.arg[1];
p = memcpy(buf, &mbx_out, sizeof(u32));
k = 2;
p += sizeof(u32);
for (j = 0; j < QLC_DCB_NUM_PARAM; j++) {
each = &mbx_out.type[j];
Reported by FlawFinder.
Line: 614
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
each->app[i] = cmd.rsp.arg[i + k];
size = 16 * sizeof(u32);
memcpy(p, &each->hdr_prio_pfc_map[0], size);
p += size;
if (j == 0)
k = 18;
else
k = 34;
Reported by FlawFinder.
Line: 788
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void qlcnic_dcb_get_perm_hw_addr(struct net_device *netdev, u8 *addr)
{
memcpy(addr, netdev->perm_addr, netdev->addr_len);
}
static void
qlcnic_dcb_get_pg_tc_cfg_tx(struct net_device *netdev, int tc, u8 *prio,
u8 *pgid, u8 *bw_per, u8 *up_tc_map)
Reported by FlawFinder.