The following issues were found
drivers/net/wireless/ath/ath10k/htt_tx.c
4 issues
Line: 655
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* currently we support only max 24 bit masks so no need to worry
* about endian support
*/
memcpy(req->upload_types, &mask, 3);
memcpy(req->reset_types, &reset_mask, 3);
req->stat_type = HTT_STATS_REQ_CFG_STAT_TYPE_INVALID;
req->cookie_lsb = cpu_to_le32(cookie & 0xffffffff);
req->cookie_msb = cpu_to_le32((cookie & 0xffffffff00000000ULL) >> 32);
Reported by FlawFinder.
Line: 656
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* about endian support
*/
memcpy(req->upload_types, &mask, 3);
memcpy(req->reset_types, &reset_mask, 3);
req->stat_type = HTT_STATS_REQ_CFG_STAT_TYPE_INVALID;
req->cookie_lsb = cpu_to_le32(cookie & 0xffffffff);
req->cookie_msb = cpu_to_le32((cookie & 0xffffffff00000000ULL) >> 32);
ret = ath10k_htc_send(&htt->ar->htc, htt->eid, skb);
Reported by FlawFinder.
Line: 1152
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->tx_fetch_resp.num_records = cpu_to_le16(num_records);
cmd->tx_fetch_resp.token = token;
memcpy(cmd->tx_fetch_resp.records, records,
sizeof(records[0]) * num_records);
ret = ath10k_htc_send(&ar->htc, ar->htt.eid, skb);
if (ret) {
ath10k_warn(ar, "failed to submit htc command: %d\n", ret);
Reported by FlawFinder.
Line: 1262
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->mgmt_tx.len = __cpu_to_le32(msdu->len);
cmd->mgmt_tx.desc_id = __cpu_to_le32(msdu_id);
cmd->mgmt_tx.vdev_id = __cpu_to_le32(vdev_id);
memcpy(cmd->mgmt_tx.hdr, msdu->data,
min_t(int, msdu->len, HTT_MGMT_FRM_HDR_DOWNLOAD_LEN));
res = ath10k_htc_send(&htt->ar->htc, htt->eid, txdesc);
if (res)
goto err_unmap_msdu;
Reported by FlawFinder.
drivers/net/wireless/ath/ath9k/wow.c
4 issues
Line: 108
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
byte_cnt += 6;
/* copy the source mac address */
memcpy((dis_deauth_pattern + byte_cnt), common->curbssid, ETH_ALEN);
byte_cnt += 6;
/* copy the bssid, its same as the source mac address */
memcpy((dis_deauth_pattern + byte_cnt), common->curbssid, ETH_ALEN);
Reported by FlawFinder.
Line: 113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
byte_cnt += 6;
/* copy the bssid, its same as the source mac address */
memcpy((dis_deauth_pattern + byte_cnt), common->curbssid, ETH_ALEN);
/* Create Disassociate pattern mask */
dis_deauth_mask[0] = 0xfe;
dis_deauth_mask[1] = 0x03;
dis_deauth_mask[2] = 0xc0;
Reported by FlawFinder.
Line: 152
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mask_len = DIV_ROUND_UP(patterns[i].pattern_len, 8);
memset(wow_pattern, 0, MAX_PATTERN_SIZE);
memset(wow_mask, 0, MAX_PATTERN_SIZE);
memcpy(wow_pattern, patterns[i].pattern, patterns[i].pattern_len);
memcpy(wow_mask, patterns[i].mask, mask_len);
ret = ath9k_hw_wow_apply_pattern(ah,
wow_pattern,
wow_mask,
Reported by FlawFinder.
Line: 153
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(wow_pattern, 0, MAX_PATTERN_SIZE);
memset(wow_mask, 0, MAX_PATTERN_SIZE);
memcpy(wow_pattern, patterns[i].pattern, patterns[i].pattern_len);
memcpy(wow_mask, patterns[i].mask, mask_len);
ret = ath9k_hw_wow_apply_pattern(ah,
wow_pattern,
wow_mask,
i + 2,
Reported by FlawFinder.
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
4 issues
Line: 436
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(tc_info, 0, sizeof(*tc_info));
tc_info->num_tc = mqprio_qopt->qopt.num_tc;
memcpy(tc_info->prio_tc, mqprio_qopt->qopt.prio_tc_map,
sizeof_field(struct hnae3_tc_info, prio_tc));
memcpy(tc_info->tqp_count, mqprio_qopt->qopt.count,
sizeof_field(struct hnae3_tc_info, tqp_count));
memcpy(tc_info->tqp_offset, mqprio_qopt->qopt.offset,
sizeof_field(struct hnae3_tc_info, tqp_offset));
Reported by FlawFinder.
Line: 438
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tc_info->num_tc = mqprio_qopt->qopt.num_tc;
memcpy(tc_info->prio_tc, mqprio_qopt->qopt.prio_tc_map,
sizeof_field(struct hnae3_tc_info, prio_tc));
memcpy(tc_info->tqp_count, mqprio_qopt->qopt.count,
sizeof_field(struct hnae3_tc_info, tqp_count));
memcpy(tc_info->tqp_offset, mqprio_qopt->qopt.offset,
sizeof_field(struct hnae3_tc_info, tqp_offset));
for (i = 0; i < HNAE3_MAX_USER_PRIO; i++)
Reported by FlawFinder.
Line: 440
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof_field(struct hnae3_tc_info, prio_tc));
memcpy(tc_info->tqp_count, mqprio_qopt->qopt.count,
sizeof_field(struct hnae3_tc_info, tqp_count));
memcpy(tc_info->tqp_offset, mqprio_qopt->qopt.offset,
sizeof_field(struct hnae3_tc_info, tqp_offset));
for (i = 0; i < HNAE3_MAX_USER_PRIO; i++)
set_bit(tc_info->prio_tc[i], &tc_info->tc_en);
}
Reported by FlawFinder.
Line: 511
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err_out:
/* roll-back */
memcpy(&kinfo->tc_info, &old_tc_info, sizeof(old_tc_info));
if (hclge_config_tc(hdev, &kinfo->tc_info))
dev_err(&hdev->pdev->dev,
"failed to roll back tc configuration\n");
hclge_notify_init_up(hdev);
Reported by FlawFinder.
drivers/net/ethernet/sfc/falcon/net_driver.h
4 issues
Line: 460
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ef4_msi_context {
struct ef4_nic *efx;
unsigned int index;
char name[IFNAMSIZ + 6];
};
/**
* struct ef4_channel_type - distinguishes traffic and extra channels
* @handle_no_channel: Handle failure to allocate an extra channel
Reported by FlawFinder.
Line: 766
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ef4_nic {
/* The following fields should be written very rarely */
char name[IFNAMSIZ];
struct list_head node;
struct ef4_nic *primary;
struct list_head secondary_list;
struct pci_dev *pci_dev;
unsigned int port_num;
Reported by FlawFinder.
Line: 776
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int legacy_irq;
bool eeh_disabled_legacy_irq;
struct workqueue_struct *workqueue;
char workqueue_name[16];
struct work_struct reset_work;
resource_size_t membase_phys;
void __iomem *membase;
enum ef4_int_mode interrupt_mode;
Reported by FlawFinder.
Line: 919
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mtd_info mtd;
const char *dev_type_name;
const char *type_name;
char name[IFNAMSIZ + 20];
};
/**
* struct ef4_nic_type - Efx device type definition
* @mem_bar: Get the memory BAR
Reported by FlawFinder.
drivers/net/ethernet/intel/igb/e1000_mbx.c
4 issues
drivers/net/ethernet/sfc/mcdi.c
4 issues
Line: 1002
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
async->quiet = quiet;
async->complete = complete;
async->cookie = cookie;
memcpy(async + 1, inbuf, inlen);
spin_lock_bh(&mcdi->async_lock);
if (mcdi->mode == MCDI_MODE_EVENTS) {
list_add_tail(&async->list, &mcdi->async_list);
Reported by FlawFinder.
Line: 1645
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*number = MCDI_DWORD(outbuf, NVRAM_PARTITIONS_OUT_NUM_PARTITIONS);
memcpy(nvram_types, MCDI_PTR(outbuf, NVRAM_PARTITIONS_OUT_TYPE_ID),
*number * sizeof(u32));
fail:
kfree(outbuf);
return rc;
Reported by FlawFinder.
Line: 2175
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rc)
return rc;
memcpy(buffer, MCDI_PTR(outbuf, NVRAM_READ_OUT_READ_BUFFER), length);
return 0;
}
static int efx_mcdi_nvram_write(struct efx_nic *efx, unsigned int type,
loff_t offset, const u8 *buffer, size_t length)
Reported by FlawFinder.
Line: 2189
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MCDI_SET_DWORD(inbuf, NVRAM_WRITE_IN_TYPE, type);
MCDI_SET_DWORD(inbuf, NVRAM_WRITE_IN_OFFSET, offset);
MCDI_SET_DWORD(inbuf, NVRAM_WRITE_IN_LENGTH, length);
memcpy(MCDI_PTR(inbuf, NVRAM_WRITE_IN_WRITE_BUFFER), buffer, length);
BUILD_BUG_ON(MC_CMD_NVRAM_WRITE_OUT_LEN != 0);
rc = efx_mcdi_rpc(efx, MC_CMD_NVRAM_WRITE, inbuf,
ALIGN(MC_CMD_NVRAM_WRITE_IN_LEN(length), 4),
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
4 issues
Line: 138
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Write data to NVM */
memcpy(data + offset, resp_data, bytes_read);
ret = bytes_read;
exit:
iwl_free_resp(&cmd);
return ret;
Reported by FlawFinder.
Line: 474
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
resp_cp->time = mcc_resp_v3->time;
resp_cp->geo_info = mcc_resp_v3->geo_info;
resp_cp->n_channels = mcc_resp_v3->n_channels;
memcpy(resp_cp->channels, mcc_resp_v3->channels,
n_channels * sizeof(__le32));
}
status = le32_to_cpu(resp_cp->status);
Reported by FlawFinder.
Line: 503
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool nvm_lar;
int retval;
struct ieee80211_regdomain *regd;
char mcc[3];
if (mvm->cfg->nvm_type == IWL_NVM_EXT) {
tlv_lar = fw_has_capa(&mvm->fw->ucode_capa,
IWL_UCODE_TLV_CAPA_LAR_SUPPORT);
nvm_lar = mvm->nvm_data->lar_enabled;
Reported by FlawFinder.
Line: 559
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iwl_rx_packet *pkt = rxb_addr(rxb);
struct iwl_mcc_chub_notif *notif = (void *)pkt->data;
enum iwl_mcc_source src;
char mcc[3];
struct ieee80211_regdomain *regd;
int wgds_tbl_idx;
lockdep_assert_held(&mvm->mutex);
Reported by FlawFinder.
drivers/net/ethernet/sfc/net_driver.h
4 issues
Line: 569
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct efx_msi_context {
struct efx_nic *efx;
unsigned int index;
char name[IFNAMSIZ + 6];
};
/**
* struct efx_channel_type - distinguishes traffic and extra channels
* @handle_no_channel: Handle failure to allocate an extra channel
Reported by FlawFinder.
Line: 946
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct efx_nic {
/* The following fields should be written very rarely */
char name[IFNAMSIZ];
struct list_head node;
struct efx_nic *primary;
struct list_head secondary_list;
struct pci_dev *pci_dev;
unsigned int port_num;
Reported by FlawFinder.
Line: 956
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int legacy_irq;
bool eeh_disabled_legacy_irq;
struct workqueue_struct *workqueue;
char workqueue_name[16];
struct work_struct reset_work;
resource_size_t membase_phys;
void __iomem *membase;
unsigned int vi_stride;
Reported by FlawFinder.
Line: 1138
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mtd_info mtd;
const char *dev_type_name;
const char *type_name;
char name[IFNAMSIZ + 20];
};
struct efx_udp_tunnel {
#define TUNNEL_ENCAP_UDP_PORT_ENTRY_INVALID 0xffff
u16 type; /* TUNNEL_ENCAP_UDP_PORT_ENTRY_foo, see mcdi_pcol.h */
Reported by FlawFinder.
drivers/net/wireless/ath/ath10k/htc.c
4 issues
Line: 295
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
report->pre_valid, report->post_valid);
/* look ahead bytes are valid, copy them over */
memcpy((u8 *)next_lookaheads, report->lookahead, 4);
*next_lookaheads_len = 1;
}
return 0;
Reported by FlawFinder.
Line: 324
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int i;
for (i = 0; i < bundle_cnt; i++) {
memcpy(((u8 *)next_lookaheads) + 4 * i,
report->lookahead, 4);
report++;
}
*next_lookaheads_len = bundle_cnt;
Reported by FlawFinder.
Line: 542
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
min_t(int, skb->len,
ATH10K_HTC_MAX_CTRL_MSG_LEN);
memcpy(htc->control_resp_buffer, skb->data,
htc->control_resp_len);
complete(&htc->ctl_resp);
break;
case ATH10K_HTC_MSG_SEND_SUSPEND_COMPLETE:
Reported by FlawFinder.
Line: 773
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_push(skb, sizeof(struct ath10k_htc_hdr));
ath10k_htc_prepare_tx_skb(ep, skb);
memcpy(bundle_buf, skb->data, skb->len);
hdr = (struct ath10k_htc_hdr *)bundle_buf;
hdr->flags |= ATH10K_HTC_FLAG_SEND_BUNDLE;
hdr->pad_len = __cpu_to_le16(credit_pad);
bundle_buf += trans_len;
bundles_left -= trans_len;
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/health.c
4 issues
Line: 818
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
goto out_err;
strcpy(name, "mlx5_health");
strcat(name, dev_name(dev->device));
health->wq = create_singlethread_workqueue(name);
kfree(name);
if (!health->wq)
goto out_err;
spin_lock_init(&health->wq_lock);
Reported by FlawFinder.
Line: 381
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct mlx5_core_health *health = &dev->priv.health;
struct health_buffer __iomem *h = health->health;
char fw_str[18];
u32 fw;
int i;
/* If the syndrome is 0, the device is OK and no need to print buffer */
if (!ioread8(&h->synd))
Reported by FlawFinder.
Line: 397
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ioread32be(&h->assert_exit_ptr));
mlx5_core_err(dev, "assert_callra 0x%08x\n",
ioread32be(&h->assert_callra));
sprintf(fw_str, "%d.%d.%d", fw_rev_maj(dev), fw_rev_min(dev), fw_rev_sub(dev));
mlx5_core_err(dev, "fw_ver %s\n", fw_str);
mlx5_core_err(dev, "hw_id 0x%08x\n", ioread32be(&h->hw_id));
mlx5_core_err(dev, "irisc_index %d\n", ioread8(&h->irisc_index));
mlx5_core_err(dev, "synd 0x%x: %s\n", ioread8(&h->synd),
hsynd_str(ioread8(&h->synd)));
Reported by FlawFinder.
Line: 817
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!name)
goto out_err;
strcpy(name, "mlx5_health");
strcat(name, dev_name(dev->device));
health->wq = create_singlethread_workqueue(name);
kfree(name);
if (!health->wq)
goto out_err;
Reported by FlawFinder.