The following issues were found
drivers/net/ethernet/huawei/hinic/hinic_devlink.c
4 issues
Line: 46
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < fw_image->fw_info.fw_section_cnt; i++) {
len += fw_image->fw_section_info[i].fw_section_len;
memcpy(&host_image->image_section_info[i],
&fw_image->fw_section_info[i],
sizeof(struct fw_section_info_st));
}
if (len != fw_image->fw_len ||
Reported by FlawFinder.
Line: 214
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
send_fragment_len += MAX_FW_FRAGMENT_LEN;
}
memcpy(fw_update_msg->data,
data + UPDATEFW_IMAGE_HEAD_SIZE +
section_offset + send_pos,
fw_update_msg->ctl_info.fragment_len);
err = hinic_port_msg_cmd(priv->hwdev,
Reported by FlawFinder.
Line: 323
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int chip_fault_show(struct devlink_fmsg *fmsg,
struct hinic_fault_event *event)
{
const char * const level_str[FAULT_LEVEL_MAX + 1] = {
"fatal", "reset", "flr", "general", "suggestion", "Unknown"};
u8 fault_level;
int err;
fault_level = (event->event.chip.err_level < FAULT_LEVEL_MAX) ?
Reported by FlawFinder.
Line: 365
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int fault_report_show(struct devlink_fmsg *fmsg,
struct hinic_fault_event *event)
{
const char * const type_str[FAULT_TYPE_MAX + 1] = {
"chip", "ucode", "mem rd timeout", "mem wr timeout",
"reg rd timeout", "reg wr timeout", "phy fault", "Unknown"};
u8 fault_type;
int err;
Reported by FlawFinder.
drivers/net/wireless/ath/wil6210/pcie_bus.c
4 issues
Line: 46
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (jtag_id) {
case JTAG_DEV_ID_SPARROW:
memcpy(fw_mapping, sparrow_fw_mapping,
sizeof(sparrow_fw_mapping));
switch (chip_revision) {
case REVISION_ID_SPARROW_D0:
wil->hw_name = "Sparrow D0";
wil->hw_version = HW_VER_SPARROW_D0;
Reported by FlawFinder.
Line: 62
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wil_err(wil, "mac_rgf_ext section not found in fw_mapping\n");
return -EINVAL;
}
memcpy(sct, &sparrow_d0_mac_rgf_ext, sizeof(*sct));
break;
case REVISION_ID_SPARROW_B0:
wil->hw_name = "Sparrow B0";
wil->hw_version = HW_VER_SPARROW_B0;
break;
Reported by FlawFinder.
Line: 79
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case JTAG_DEV_ID_TALYN:
wil->hw_name = "Talyn-MA";
wil->hw_version = HW_VER_TALYN;
memcpy(fw_mapping, talyn_fw_mapping, sizeof(talyn_fw_mapping));
wil->rgf_fw_assert_code_addr = TALYN_RGF_FW_ASSERT_CODE;
wil->rgf_ucode_assert_code_addr = TALYN_RGF_UCODE_ASSERT_CODE;
if (wil_r(wil, RGF_USER_OTP_HW_RD_MACHINE_1) &
BIT_NO_FLASH_INDICATION)
set_bit(hw_capa_no_flash, wil->hw_capa);
Reported by FlawFinder.
Line: 93
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case JTAG_DEV_ID_TALYN_MB:
wil->hw_name = "Talyn-MB";
wil->hw_version = HW_VER_TALYN_MB;
memcpy(fw_mapping, talyn_mb_fw_mapping,
sizeof(talyn_mb_fw_mapping));
wil->rgf_fw_assert_code_addr = TALYN_RGF_FW_ASSERT_CODE;
wil->rgf_ucode_assert_code_addr = TALYN_RGF_UCODE_ASSERT_CODE;
set_bit(hw_capa_no_flash, wil->hw_capa);
wil->use_enhanced_dma_hw = true;
Reported by FlawFinder.
drivers/net/wan/wanxl.c
4 issues
Line: 403
Column: 24
CWE codes:
362
unsigned long timeout;
int i;
if (get_status(port)->open) {
netdev_err(dev, "port already open\n");
return -EIO;
}
i = hdlc_open(dev);
Reported by FlawFinder.
Line: 420
Column: 25
CWE codes:
362
timeout = jiffies + HZ;
do {
if (get_status(port)->open) {
netif_start_queue(dev);
return 0;
}
} while (time_after(timeout, jiffies));
Reported by FlawFinder.
Line: 445
Column: 26
CWE codes:
362
timeout = jiffies + HZ;
do {
if (!get_status(port)->open)
break;
} while (time_after(timeout, jiffies));
if (get_status(port)->open)
netdev_err(dev, "unable to close port\n");
Reported by FlawFinder.
Line: 449
Column: 24
CWE codes:
362
break;
} while (time_after(timeout, jiffies));
if (get_status(port)->open)
netdev_err(dev, "unable to close port\n");
netif_stop_queue(dev);
for (i = 0; i < TX_BUFFERS; i++) {
Reported by FlawFinder.
drivers/net/ethernet/intel/igb/igb_hwmon.c
4 issues
Line: 29
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hwmon_attr *igb_attr = container_of(attr, struct hwmon_attr,
dev_attr);
return sprintf(buf, "loc%u\n",
igb_attr->sensor->location);
}
static ssize_t igb_hwmon_show_temp(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 49
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* display millidegree */
value *= 1000;
return sprintf(buf, "%u\n", value);
}
static ssize_t igb_hwmon_show_cautionthresh(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 63
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* display millidegree */
value *= 1000;
return sprintf(buf, "%u\n", value);
}
static ssize_t igb_hwmon_show_maxopthresh(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 77
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* display millidegree */
value *= 1000;
return sprintf(buf, "%u\n", value);
}
/* igb_add_hwmon_attr - Create hwmon attr table for a hwmon sysfs file.
* @ adapter: pointer to the adapter structure
* @ offset: offset in the eeprom sensor data table
Reported by FlawFinder.
drivers/net/ppp/ppp_generic.c
4 issues
Line: 1320
Column: 58
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* the PPP unit identifer as suffix (i.e. ppp<unit_id>). This allows
* userspace to infer the device name using to the PPPIOCGUNIT ioctl.
*/
if (!tb[IFLA_IFNAME] || !nla_len(tb[IFLA_IFNAME]) || !*(char *)nla_data(tb[IFLA_IFNAME]))
conf.ifname_is_set = false;
err = ppp_dev_configure(src_net, dev, &conf);
out_unlock:
Reported by FlawFinder.
Line: 2104
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
q[5] = ppp->nxseq;
}
memcpy(q + hdrlen, p, flen);
/* try to send it down the channel */
chan = pch->chan;
if (!skb_queue_empty(&pch->file.xq) ||
!chan->ops->start_xmit(chan, frag))
Reported by FlawFinder.
Line: 3014
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int err = -EFAULT;
struct compressor *cp, *ocomp;
void *state, *ostate;
unsigned char ccp_option[CCP_MAX_OPTION_LENGTH];
if (data->length > CCP_MAX_OPTION_LENGTH)
goto out;
if (copy_from_user(ccp_option, data->ptr, data->length))
goto out;
Reported by FlawFinder.
Line: 1496
Column: 32
CWE codes:
126
case SIOCGPPPVER:
vers = PPP_VERSION;
if (copy_to_user(addr, vers, strlen(vers) + 1))
break;
err = 0;
break;
default:
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/port.c
4 issues
Line: 53
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
data = MLX5_ADDR_OF(access_register_in, in, register_data);
memcpy(data, data_in, size_in);
MLX5_SET(access_register_in, in, opcode, MLX5_CMD_OP_ACCESS_REG);
MLX5_SET(access_register_in, in, op_mod, !write);
MLX5_SET(access_register_in, in, argument, arg);
MLX5_SET(access_register_in, in, register_id, reg_id);
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
data = MLX5_ADDR_OF(access_register_out, out, register_data);
memcpy(data_out, data, size_out);
out:
kvfree(out);
kvfree(in);
return err;
Reported by FlawFinder.
Line: 387
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0);
memcpy(data, ptr, size);
return size;
}
int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
Reported by FlawFinder.
Line: 1036
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
goto out;
memcpy(in, out, sz);
MLX5_SET(qpdpm_reg, in, local_port, 1);
/* Update the corresponding dscp entry */
qpdpm_dscp = MLX5_ADDR_OF(qpdpm_reg, in, dscp[dscp]);
MLX5_SET16(qpdpm_dscp_reg, qpdpm_dscp, prio, prio);
Reported by FlawFinder.
drivers/net/ethernet/neterion/vxge/vxge-main.h
4 issues
Line: 161
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct macInfo {
unsigned char macaddr[ETH_ALEN];
unsigned char macmask[ETH_ALEN];
unsigned int vpath_no;
enum vxge_mac_addr_state state;
};
Reported by FlawFinder.
Line: 162
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct macInfo {
unsigned char macaddr[ETH_ALEN];
unsigned char macmask[ETH_ALEN];
unsigned int vpath_no;
enum vxge_mac_addr_state state;
};
struct vxge_config {
Reported by FlawFinder.
Line: 368
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
#define VXGE_MAX_REQUESTED_MSIX 68
#define VXGE_INTR_STRLEN 80
char desc[VXGE_MAX_REQUESTED_MSIX][VXGE_INTR_STRLEN];
enum vxge_hw_event cric_err_event;
int max_vpath_supported;
int no_of_vpath;
Reported by FlawFinder.
Line: 399
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 intr_cnt;
u32 level_err;
u32 level_trace;
char fw_version[VXGE_HW_FW_STRLEN];
struct work_struct reset_task;
};
struct vxge_rx_priv {
struct sk_buff *skb;
Reported by FlawFinder.
drivers/net/ethernet/qlogic/qed/qed_nvmetcp_fw_funcs.c
4 issues
Line: 88
CWE codes:
476
if (task_params->send_write_incapsule)
buf_size = calc_rw_task_size(task_params, task_type);
if (nvmetcp_is_slow_sgl(sgl_task_params->num_sges,
sgl_task_params->small_mid_sge))
num_sges = NVMETCP_WQE_NUM_SGES_SLOWIO;
else
num_sges = min((u16)sgl_task_params->num_sges,
(u16)SCSI_NUM_SGES_SLOW_SGL_THR);
Reported by Cppcheck.
Line: 89
CWE codes:
476
buf_size = calc_rw_task_size(task_params, task_type);
if (nvmetcp_is_slow_sgl(sgl_task_params->num_sges,
sgl_task_params->small_mid_sge))
num_sges = NVMETCP_WQE_NUM_SGES_SLOWIO;
else
num_sges = min((u16)sgl_task_params->num_sges,
(u16)SCSI_NUM_SGES_SLOW_SGL_THR);
}
Reported by Cppcheck.
Line: 167
CWE codes:
476
dw_index < QED_NVMETCP_CMD_HDR_SIZE / sizeof(u32);
dw_index++)
context->ystorm_st_context.pdu_hdr.task_hdr.reg[dw_index] =
cpu_to_le32(__swab32(((u32 *)nvme_cmd)[dw_index - 2]));
} else {
for (dw_index = 0;
dw_index < QED_NVMETCP_NON_IO_HDR_SIZE / sizeof(u32);
dw_index++)
context->ystorm_st_context.pdu_hdr.task_hdr.reg[dw_index] =
Reported by Cppcheck.
Line: 167
CWE codes:
476
dw_index < QED_NVMETCP_CMD_HDR_SIZE / sizeof(u32);
dw_index++)
context->ystorm_st_context.pdu_hdr.task_hdr.reg[dw_index] =
cpu_to_le32(__swab32(((u32 *)nvme_cmd)[dw_index - 2]));
} else {
for (dw_index = 0;
dw_index < QED_NVMETCP_NON_IO_HDR_SIZE / sizeof(u32);
dw_index++)
context->ystorm_st_context.pdu_hdr.task_hdr.reg[dw_index] =
Reported by Cppcheck.
drivers/net/ethernet/intel/i40e/i40e_lan_hmc.c
4 issues
Line: 761
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest_byte |= src_byte; /* add in the new bits */
/* put it all back */
memcpy(dest, &dest_byte, sizeof(dest_byte));
}
/**
* i40e_write_word - replace HMC context word
* @hmc_bits: pointer to the HMC memory
Reported by FlawFinder.
Line: 805
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest_word |= cpu_to_le16(src_word); /* add in the new bits */
/* put it all back */
memcpy(dest, &dest_word, sizeof(dest_word));
}
/**
* i40e_write_dword - replace HMC context dword
* @hmc_bits: pointer to the HMC memory
Reported by FlawFinder.
Line: 857
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest_dword |= cpu_to_le32(src_dword); /* add in the new bits */
/* put it all back */
memcpy(dest, &dest_dword, sizeof(dest_dword));
}
/**
* i40e_write_qword - replace HMC context qword
* @hmc_bits: pointer to the HMC memory
Reported by FlawFinder.
Line: 909
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest_qword |= cpu_to_le64(src_qword); /* add in the new bits */
/* put it all back */
memcpy(dest, &dest_qword, sizeof(dest_qword));
}
/**
* i40e_clear_hmc_context - zero out the HMC context bits
* @hw: the hardware struct
Reported by FlawFinder.
drivers/net/wireless/ath/ath9k/xmit.c
4 issues
Line: 402
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tbf->bf_mpdu = bf->bf_mpdu;
tbf->bf_buf_addr = bf->bf_buf_addr;
memcpy(tbf->bf_desc, bf->bf_desc, sc->sc_ah->caps.tx_desc_len);
tbf->bf_state = bf->bf_state;
tbf->bf_state.stale = false;
return tbf;
}
Reported by FlawFinder.
Line: 424
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
isaggr = bf_isaggr(bf);
if (isaggr) {
seq_st = ts->ts_seqnum;
memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
}
while (bf) {
ba_index = ATH_BA_INDEX(seq_st, bf->bf_state.seqno);
Reported by FlawFinder.
Line: 507
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (isaggr && txok) {
if (ts->ts_flags & ATH9K_TX_BA) {
seq_st = ts->ts_seqnum;
memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
} else {
/*
* AR5416 can become deaf/mute when BA
* issue happens. Chip needs to be reset.
* But AP code may have sychronization issues
Reported by FlawFinder.
Line: 579
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ath_tx_update_baw(sc, tid, bf);
if (rc_update && (acked_cnt == 1 || txfail_cnt == 1)) {
memcpy(tx_info->control.rates, rates, sizeof(rates));
ath_tx_rc_status(sc, bf, ts, nframes, nbad, txok);
rc_update = false;
if (bf == bf->bf_lastbf)
ath_dynack_sample_tx_ts(sc->sc_ah,
bf->bf_mpdu,
Reported by FlawFinder.