The following issues were found
drivers/net/wireless/ath/ath10k/core.h
4 issues
Line: 358
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Three parallel per-rate arrays, each with WMI_TPC_RATE_MAX entries.
 * Any index used on one of them must be checked against WMI_TPC_RATE_MAX.
 */
struct ath10k_tpc_table {
u32 pream_idx[WMI_TPC_RATE_MAX];
u8 rate_code[WMI_TPC_RATE_MAX];
/*
 * One fixed-size char row per rate; each row is
 * WMI_TPC_TX_N_CHAIN * WMI_TPC_BUF_SIZE bytes. This is the only char
 * array in the struct, i.e. the member the CWE-119/120 report entry
 * refers to. The declaration itself is not an overflow: the risk is in
 * whatever code fills a row, which is not visible here.
 * NOTE(review): confirm every writer bounds its output by sizeof() of
 * the row (size-limited formatting, tracking the remaining space) and
 * never indexes rows at or beyond WMI_TPC_RATE_MAX.
 */
char tpc_value[WMI_TPC_RATE_MAX][WMI_TPC_TX_N_CHAIN * WMI_TPC_BUF_SIZE];
};
struct ath10k_tpc_stats {
u32 reg_domain;
u32 chan_freq;
Reported by FlawFinder.
Line: 379
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Three parallel per-rate arrays, each with WMI_TPC_FINAL_RATE_MAX entries.
 * Any index used on one of them must be checked against
 * WMI_TPC_FINAL_RATE_MAX (not the non-"final" rate limit).
 */
struct ath10k_tpc_table_final {
u32 pream_idx[WMI_TPC_FINAL_RATE_MAX];
u8 rate_code[WMI_TPC_FINAL_RATE_MAX];
/*
 * One fixed-size char row per rate; each row is
 * WMI_TPC_TX_N_CHAIN * WMI_TPC_BUF_SIZE bytes. This is the only char
 * array in the struct, i.e. the member the CWE-119/120 report entry
 * refers to. The declaration itself is not an overflow: the risk is in
 * whatever code fills a row, which is not visible here.
 * NOTE(review): confirm every writer bounds its output by sizeof() of
 * the row and never indexes rows at or beyond WMI_TPC_FINAL_RATE_MAX.
 */
char tpc_value[WMI_TPC_FINAL_RATE_MAX][WMI_TPC_TX_N_CHAIN * WMI_TPC_BUF_SIZE];
};
struct ath10k_tpc_stats_final {
u32 reg_domain;
u32 chan_freq;
Reported by FlawFinder.
Line: 943
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ath10k_fw_file {
const struct firmware *firmware;
char fw_version[ETHTOOL_FWVERS_LEN];
DECLARE_BITMAP(fw_features, ATH10K_FW_FEATURE_COUNT);
enum ath10k_fw_wmi_op_version wmi_op_version;
enum ath10k_fw_htt_op_version htt_op_version;
Reported by FlawFinder.
Line: 1098
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 bmi_chip_id;
bool ext_bid_supported;
char bdf_ext[ATH10K_SMBIOS_BDF_EXT_STR_LENGTH];
} id;
int fw_api;
int bd_api;
enum ath10k_cal_mode cal_mode;
Reported by FlawFinder.
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
4 issues
Line: 350
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * SSID carried as an explicit length plus a fixed-size byte buffer.
 * The length field is typed __le32, so it is stored little-endian.
 */
struct brcmf_ssid_le {
/*
 * Length field for SSID[] (presumably a byte count; confirm). It must
 * be converted with le32_to_cpu() before use and clamped to
 * sizeof(SSID) before it is used as a copy or compare length, because
 * a 32-bit field can hold values far larger than the buffer.
 */
__le32 SSID_len;
/*
 * Fixed IEEE80211_MAX_SSID_LEN-byte buffer; this is the member the
 * CWE-119/120 report entry points at. Nothing in this declaration
 * reserves room for a NUL terminator, so treat the contents as a
 * length-delimited byte string, not a C string.
 */
unsigned char SSID[IEEE80211_MAX_SSID_LEN];
};
struct brcmf_scan_params_le {
struct brcmf_ssid_le ssid_le; /* default: {0, ""} */
u8 bssid[ETH_ALEN]; /* default: bcast */
Reported by FlawFinder.
Line: 687
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * SSID with an explicit length, plus a bsscfgidx field. All integer
 * fields are typed __le32, so they are stored little-endian.
 */
struct brcmf_mbss_ssid_le {
/* presumably selects the BSS configuration the SSID applies to; confirm */
__le32 bsscfgidx;
/*
 * Length field for SSID[]. Convert with le32_to_cpu() and clamp to
 * sizeof(SSID) before using it as a copy or compare length.
 */
__le32 SSID_len;
/*
 * Fixed 32-byte buffer, written as a literal here, whereas
 * struct brcmf_ssid_le in this file sizes its buffer with
 * IEEE80211_MAX_SSID_LEN. This is the member the CWE-119/120 report
 * entry points at. Bound writers with sizeof(SSID) instead of
 * repeating the literal, and do not assume NUL termination.
 */
unsigned char SSID[32];
};
/**
* struct brcmf_fil_country_le - country configuration structure.
*
Reported by FlawFinder.
Line: 698
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @ccode: null-terminated built-in country code.
*/
struct brcmf_fil_country_le {
/*
 * Fixed BRCMF_COUNTRY_BUF_SZ-byte char buffer; this is the member the
 * report entry for line 698 points at. Writers are not visible here.
 * NOTE(review): confirm each one copies at most sizeof(country_abbrev)
 * bytes and, if the field is meant to be a C string, leaves room for
 * the terminator.
 */
char country_abbrev[BRCMF_COUNTRY_BUF_SZ];
/* Stored little-endian (__le32); convert before use on the host side. */
__le32 rev;
/*
 * Documented above as a null-terminated country code, so the longest
 * code that fits is BRCMF_COUNTRY_BUF_SZ - 1 characters.
 */
char ccode[BRCMF_COUNTRY_BUF_SZ];
};
/**
Reported by FlawFinder.
Line: 700
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct brcmf_fil_country_le {
/* Fixed BRCMF_COUNTRY_BUF_SZ-byte char buffer. */
char country_abbrev[BRCMF_COUNTRY_BUF_SZ];
/* Stored little-endian (__le32); convert before use on the host side. */
__le32 rev;
/*
 * Fixed BRCMF_COUNTRY_BUF_SZ-byte char buffer; this is the member the
 * report entry for line 700 points at. The struct's kernel-doc
 * describes it as a null-terminated country code, so a writer may
 * store at most BRCMF_COUNTRY_BUF_SZ - 1 characters plus the
 * terminator, and a reader should not trust termination of data that
 * came from the device without checking it.
 */
char ccode[BRCMF_COUNTRY_BUF_SZ];
};
/**
* struct brcmf_rev_info_le - device revision info.
*
Reported by FlawFinder.
drivers/net/ethernet/intel/ixgbe/ixgbe.h
4 issues
Line: 172
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vf_data_storage {
struct pci_dev *vfdev;
unsigned char vf_mac_addresses[ETH_ALEN];
u16 vf_mc_hashes[IXGBE_MAX_VF_MC_ENTRIES];
u16 num_vf_mc_hashes;
bool clear_to_send;
bool pf_set_mac;
u16 pf_vlan; /* When set, guest VLAN config not allowed. */
Reported by FlawFinder.
Line: 462
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
cpumask_t affinity_mask;
int numa_node;
struct rcu_head rcu; /* to avoid race with update stats on free */
char name[IFNAMSIZ + 9];
/* for dynamic allocation of rings associated with this q_vector */
struct ixgbe_ring ring[] ____cacheline_internodealigned_in_smp;
};
Reported by FlawFinder.
Line: 479
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_attribute dev_attr;
struct ixgbe_hw *hw;
struct ixgbe_thermal_diode_data *sensor;
char name[12];
};
struct hwmon_buff {
struct attribute_group group;
const struct attribute_group *groups[2];
Reported by FlawFinder.
Line: 710
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 bridge_mode;
char eeprom_id[NVM_VER_SIZE];
u16 eeprom_cap;
u32 interrupt_event;
u32 led_reg;
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c
4 issues
Line: 134
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct neighbour *n = update_work->n;
struct mlx5e_encap_entry *e = NULL;
bool neigh_connected, same_dev;
unsigned char ha[ETH_ALEN];
u8 nud_state, dead;
rtnl_lock();
/* If these parameters are changed after we release the lock,
Reported by FlawFinder.
Line: 145
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* and it's hw address.
*/
read_lock_bh(&n->lock);
memcpy(ha, n->ha, ETH_ALEN);
nud_state = n->nud_state;
dead = n->dead;
same_dev = READ_ONCE(nhe->neigh_dev) == n->dev;
read_unlock_bh(&n->lock);
Reported by FlawFinder.
Line: 181
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
m_neigh.family = n->ops->family;
memcpy(&m_neigh.dst_ip, n->primary_key, n->tbl->key_len);
/* Obtain reference to nhe as last step in order not to release it in
* atomic context.
*/
rcu_read_lock();
Reported by FlawFinder.
Line: 384
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
(*nhe)->priv = priv;
memcpy(&(*nhe)->m_neigh, m_neigh, sizeof(*m_neigh));
spin_lock_init(&(*nhe)->encap_list_lock);
INIT_LIST_HEAD(&(*nhe)->encap_list);
refcount_set(&(*nhe)->refcnt, 1);
WRITE_ONCE((*nhe)->neigh_dev, neigh_dev);
Reported by FlawFinder.
drivers/net/ethernet/intel/ixgb/ixgb_ethtool.c
4 issues
Line: 15
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Tags for the two kinds of statistics entry (see ixgb_stats.type below). */
enum {NETDEV_STATS, IXGB_STATS};
/* Descriptor for one statistic exposed through the ethtool string table. */
struct ixgb_stats {
/*
 * Fixed ETH_GSTRING_LEN-byte name buffer; this is the member the
 * CWE-119/120 report entry points at. The ETH_SS_STATS string handler
 * in this file copies exactly ETH_GSTRING_LEN bytes out of it with
 * memcpy(), so that read never leaves this buffer. The copy's
 * destination must hold IXGB_STATS_LEN * ETH_GSTRING_LEN bytes.
 */
char stat_string[ETH_GSTRING_LEN];
/* presumably NETDEV_STATS or IXGB_STATS; confirm against the table */
int type;
/*
 * presumably the size and byte offset of the counter inside the
 * structure selected by type. NOTE(review): if so, both values must
 * come from compile-time sizeof/offsetof and never from external input.
 */
int sizeof_stat;
int stat_offset;
};
Reported by FlawFinder.
Line: 388
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i <= (last_word - first_word); i++)
eeprom_buff[i] = ixgb_get_eeprom_word(hw, (first_word + i));
memcpy(bytes, (u8 *)eeprom_buff + (eeprom->offset & 1), eeprom->len);
kfree(eeprom_buff);
geeprom_error:
return ret_val;
}
Reported by FlawFinder.
Line: 441
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
= ixgb_read_eeprom(hw, last_word);
}
memcpy(ptr, bytes, eeprom->len);
for (i = 0; i <= (last_word - first_word); i++)
ixgb_write_eeprom(hw, first_word + i, eeprom_buff[i]);
/* Update the checksum over the first part of the EEPROM if needed */
if (first_word <= EEPROM_CHECKSUM_REG)
Reported by FlawFinder.
Line: 605
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch(stringset) {
case ETH_SS_STATS:
for (i = 0; i < IXGB_STATS_LEN; i++) {
memcpy(data + i * ETH_GSTRING_LEN,
ixgb_gstrings_stats[i].stat_string,
ETH_GSTRING_LEN);
}
break;
}
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlxsw/spectrum_fid.c
4 issues
Line: 419
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Pack an SFMR register payload for @fid_index / @fid_offset, using the
 * operation that mlxsw_sp_sfmr_op() derives from @valid, and write it to
 * the device through mlxsw_reg_write().
 *
 * Returns the result of mlxsw_reg_write().
 *
 * The CWE-119/120 report entry for this function points at the on-stack
 * payload buffer. It is sized by the register's own length constant and
 * is only handed to the SFMR pack helper and the register write, neither
 * of which takes a caller-supplied length here.
 * NOTE(review): confirm mlxsw_reg_sfmr_pack() never writes more than
 * MLXSW_REG_SFMR_LEN bytes.
 */
static int mlxsw_sp_fid_op(struct mlxsw_sp *mlxsw_sp, u16 fid_index,
			   u16 fid_offset, bool valid)
{
	char sfmr_pl[MLXSW_REG_SFMR_LEN];
	int err;

	mlxsw_reg_sfmr_pack(sfmr_pl, mlxsw_sp_sfmr_op(valid),
			    fid_index, fid_offset);
	err = mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(sfmr), sfmr_pl);

	return err;
}
Reported by FlawFinder.
Line: 430
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__be32 vni, bool vni_valid, u32 nve_flood_index,
bool nve_flood_index_valid)
{
char sfmr_pl[MLXSW_REG_SFMR_LEN];
mlxsw_reg_sfmr_pack(sfmr_pl, MLXSW_REG_SFMR_OP_CREATE_FID, fid_index,
0);
mlxsw_reg_sfmr_vv_set(sfmr_pl, vni_valid);
mlxsw_reg_sfmr_vni_set(sfmr_pl, be32_to_cpu(vni));
Reported by FlawFinder.
Line: 445
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 local_port, u16 vid, bool valid)
{
enum mlxsw_reg_svfa_mt mt = MLXSW_REG_SVFA_MT_PORT_VID_TO_FID;
char svfa_pl[MLXSW_REG_SVFA_LEN];
mlxsw_reg_svfa_pack(svfa_pl, local_port, mt, valid, fid_index, vid);
return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(svfa), svfa_pl);
}
Reported by FlawFinder.
Line: 1019
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
sfgc_packet_types = mlxsw_sp_packet_type_sfgc_types[packet_type];
for (i = 0; i < MLXSW_REG_SFGC_TYPE_MAX; i++) {
struct mlxsw_sp *mlxsw_sp = fid_family->mlxsw_sp;
char sfgc_pl[MLXSW_REG_SFGC_LEN];
int err;
if (!sfgc_packet_types[i])
continue;
mlxsw_reg_sfgc_pack(sfgc_pl, i, flood_table->bridge_type,
Reported by FlawFinder.
drivers/net/ethernet/pasemi/pasemi_mac.c
4 issues
Line: 187
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
maddr = of_get_property(dn, "local-mac-address", &len);
if (maddr && len == ETH_ALEN) {
memcpy(mac->mac_addr, maddr, ETH_ALEN);
return 0;
}
/* Some old versions of firmware mistakenly uses mac-address
* (and as a string) instead of a byte array in local-mac-address.
Reported by FlawFinder.
Line: 210
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(mac->mac_addr, addr, ETH_ALEN);
return 0;
}
static int pasemi_mac_set_mac_addr(struct net_device *dev, void *p)
Reported by FlawFinder.
Line: 224
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(addr->sa_data))
return -EADDRNOTAVAIL;
memcpy(dev->dev_addr, addr->sa_data, dev->addr_len);
adr0 = dev->dev_addr[2] << 24 |
dev->dev_addr[3] << 16 |
dev->dev_addr[4] << 8 |
dev->dev_addr[5];
Reported by FlawFinder.
Line: 1725
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -ENODEV;
goto out;
}
memcpy(dev->dev_addr, mac->mac_addr, sizeof(mac->mac_addr));
ret = mac_to_intf(mac);
if (ret < 0) {
dev_err(&mac->pdev->dev, "Can't map DMA interface\n");
err = -ENODEV;
Reported by FlawFinder.
drivers/net/ethernet/via/via-velocity.c
4 issues
Line: 3050
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
arp->type = htons(ETH_P_ARP);
arp->ar_op = htons(1);
memcpy(arp->ar_tip, vptr->ip_addr, 4);
crc = wol_calc_crc((sizeof(struct arp_packet) + 7) / 8, buf,
(u8 *) & mask_pattern[0][0]);
writew(crc, &regs->PatternCRC[0]);
Reported by FlawFinder.
Line: 3445
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wol->wolopts |= WAKE_UCAST;
if (vptr->wol_opts & VELOCITY_WOL_ARP)
wol->wolopts |= WAKE_ARP;
memcpy(&wol->sopass, vptr->wol_passwd, 6);
}
static int velocity_ethtool_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
{
struct velocity_info *vptr = netdev_priv(dev);
Reported by FlawFinder.
Line: 3475
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vptr->wol_opts |= VELOCITY_WOL_ARP;
vptr->flags |= VELOCITY_FLAGS_WOL_ENABLED;
}
memcpy(vptr->wol_passwd, wol->sopass, 6);
return 0;
}
static int get_pending_timer_val(int val)
{
Reported by FlawFinder.
Line: 3615
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
switch (sset) {
case ETH_SS_STATS:
memcpy(data, *velocity_gstrings, sizeof(velocity_gstrings));
break;
}
}
static int velocity_get_sset_count(struct net_device *dev, int sset)
Reported by FlawFinder.
drivers/net/wireless/ath/carl9170/main.c
4 issues
Line: 570
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
}
memcpy(common->macaddr, vif->addr, ETH_ALEN);
/* We have to fall back to software crypto, whenever
* the user choose to participates in an IBSS. HW
* offload for IBSS RSN is not supported by this driver.
*
Reported by FlawFinder.
Line: 1112
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (changed & BSS_CHANGED_BSSID) {
memcpy(common->curbssid, bss_conf->bssid, ETH_ALEN);
err = carl9170_set_operating_mode(ar);
if (err)
goto out;
}
Reported by FlawFinder.
Line: 1376
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret;
mutex_lock(&ar->mutex);
memcpy(&ar->edcf[ar9170_qmap(queue)], param, sizeof(*param));
ret = carl9170_set_qos(ar);
mutex_unlock(&ar->mutex);
return ret;
}
Reported by FlawFinder.
Line: 1665
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOENT;
found:
memcpy(survey, &ar->survey[idx], sizeof(*survey));
survey->channel = chan;
survey->filled = SURVEY_INFO_NOISE_DBM;
if (ar->channel == chan)
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/fw/pnvm.c
4 issues
Line: 129
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pnvm_data = tmp;
memcpy(pnvm_data + size, section->data, data_len);
size += data_len;
break;
}
Reported by FlawFinder.
Line: 233
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int iwl_pnvm_get_from_fs(struct iwl_trans *trans, u8 **data, size_t *len)
{
const struct firmware *pnvm;
char pnvm_name[64];
int ret;
/*
* The prefix unfortunately includes a hyphen at the end, so
* don't add the dot here...
Reported by FlawFinder.
Line: 244
Column: 6
CWE codes:
126
trans->cfg->fw_name_pre);
/* ...but replace the hyphen with the dot here. */
if (strlen(trans->cfg->fw_name_pre) < sizeof(pnvm_name))
pnvm_name[strlen(trans->cfg->fw_name_pre) - 1] = '.';
ret = firmware_request_nowarn(&pnvm, pnvm_name, trans->dev);
if (ret) {
IWL_DEBUG_FW(trans, "PNVM file %s not found %d\n",
Reported by FlawFinder.
Line: 245
Column: 13
CWE codes:
126
/* ...but replace the hyphen with the dot here. */
if (strlen(trans->cfg->fw_name_pre) < sizeof(pnvm_name))
pnvm_name[strlen(trans->cfg->fw_name_pre) - 1] = '.';
ret = firmware_request_nowarn(&pnvm, pnvm_name, trans->dev);
if (ret) {
IWL_DEBUG_FW(trans, "PNVM file %s not found %d\n",
pnvm_name, ret);
Reported by FlawFinder.