The following issues were found
drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
4 issues
Line: 124
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BW_VALUE_UNIT_PERCENT1_100);
}
data = &req.unused_0 + qidx * (sizeof(cos2bw) - 4);
memcpy(data, &cos2bw.queue_id, sizeof(cos2bw) - 4);
if (qidx == 0) {
req.queue_id0 = cos2bw.queue_id;
req.unused_0 = 0;
}
}
Reported by FlawFinder.
Line: 154
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < bp->max_tc; i++, data += sizeof(cos2bw) - 4) {
int tc;
memcpy(&cos2bw.queue_id, data, sizeof(cos2bw) - 4);
if (i == 0)
cos2bw.queue_id = resp->queue_id0;
tc = bnxt_queue_to_tc(bp, cos2bw.queue_id);
if (tc < 0)
Reported by FlawFinder.
Line: 547
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = bnxt_hwrm_queue_pri2cos_cfg(bp, ets);
if (rc)
return rc;
memcpy(my_ets, ets, sizeof(*my_ets));
}
return rc;
}
static int bnxt_dcbnl_ieee_getpfc(struct net_device *dev, struct ieee_pfc *pfc)
Reported by FlawFinder.
Line: 610
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
rc = bnxt_hwrm_queue_pfc_cfg(bp, pfc);
if (!rc)
memcpy(my_pfc, pfc, sizeof(*my_pfc));
return rc;
}
static int bnxt_dcbnl_ieee_dscp_app_prep(struct bnxt *bp, struct dcb_app *app)
Reported by FlawFinder.
drivers/misc/cxl/guest.c
4 issues
Line: 114
CWE codes:
476
rc = cxl_h_collect_vpd_adapter(adapter->guest->handle,
virt_to_phys(le), entries, &out);
else
rc = cxl_h_collect_vpd(afu->guest->handle, 0,
virt_to_phys(le), entries, &out);
pr_devel("length of available (entries: %i), vpd: %#llx\n",
entries, out);
if (!rc) {
Reported by Cppcheck.
Line: 133
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tocopy = len;
else
tocopy = SG_BUFFER_SIZE;
memcpy(buf, vpd_buf[i], tocopy);
buf += tocopy;
len -= tocopy;
}
}
}
Reported by FlawFinder.
Line: 693
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (count > ERR_BUFF_MAX_COPY_SIZE)
count = ERR_BUFF_MAX_COPY_SIZE - (off & 0x7);
memcpy(buf, tbuf, count);
err:
free_page((u64)tbuf);
return rc;
}
Reported by FlawFinder.
Line: 1066
Column: 6
CWE codes:
126
/* The absence of this property means that the operational
* status is unknown or okay
*/
if (strlen(adapter->guest->status) &&
strcmp(adapter->guest->status, "okay")) {
pr_err("ABORTING:Bad operational status of the device\n");
return -EINVAL;
}
Reported by FlawFinder.
drivers/misc/cxl/fault.c
4 issues
Line: 135
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
{
vm_fault_t flt = 0;
int result;
unsigned long access, flags, inv_flags = 0;
/*
* Add the fault handling cpu to task mm cpumask so that we
* can do a safe lockless page table walk when inserting the
* hash page table entry. This function get called with a
Reported by FlawFinder.
Line: 165
Column: 4
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
*/
access = _PAGE_PRESENT | _PAGE_READ;
if (dsisr & CXL_PSL_DSISR_An_S)
access |= _PAGE_WRITE;
if (!mm && (get_region_id(dar) != USER_REGION_ID))
access |= _PAGE_PRIVILEGED;
if (dsisr & DSISR_NOHPTE)
Reported by FlawFinder.
Line: 168
Column: 4
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
access |= _PAGE_WRITE;
if (!mm && (get_region_id(dar) != USER_REGION_ID))
access |= _PAGE_PRIVILEGED;
if (dsisr & DSISR_NOHPTE)
inv_flags |= HPTE_NOHPTE_UPDATE;
local_irq_save(flags);
Reported by FlawFinder.
Line: 174
Column: 25
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
inv_flags |= HPTE_NOHPTE_UPDATE;
local_irq_save(flags);
hash_page_mm(mm, dar, access, 0x300, inv_flags);
local_irq_restore(flags);
}
return 0;
}
Reported by FlawFinder.
drivers/misc/cb710/debug.c
4 issues
Line: 72
Column: 10
CWE codes:
134
Suggestion:
Make format string constant
if (j == 8/(t/8)) \
*p++ = ' '; \
if (allow_reg_read(i, j, t)) \
p += sprintf(p, format, reg[j]); \
else \
p += sprintf(p, "%s", xp); \
} \
dev_dbg(dev, "%s 0x%02X %s\n", prefix[i], i << 4, msg); \
} \
Reported by FlawFinder.
Line: 74
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (allow_reg_read(i, j, t)) \
p += sprintf(p, format, reg[j]); \
else \
p += sprintf(p, "%s", xp); \
} \
dev_dbg(dev, "%s 0x%02X %s\n", prefix[i], i << 4, msg); \
} \
}
Reported by FlawFinder.
Line: 17
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0xFFF0, 0xFFFF, 0xFFFF, 0xFFFF,
0xFFF0, 0xFFFF, 0xFFFF, 0xFFFF,
};
static const char *const prefix[ARRAY_SIZE(allow)] = {
"MMC", "MMC", "MMC", "MMC",
"MS?", "MS?", "SM?", "SM?"
};
static inline int allow_reg_read(unsigned block, unsigned offset, unsigned bits)
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *const xp = &cb710_xes[8 - t/4]; \
const char *const format = cb710_regf_##t; \
\
char msg[100], *p; \
unsigned i, j; \
\
for (i = 0; i < ARRAY_SIZE(allow); ++i, reg += 16/(t/8)) { \
if (!(select & (1 << i))) \
continue; \
Reported by FlawFinder.
drivers/media/usb/go7007/go7007-usb.c
4 issues
Line: 977
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = 0x01;
buf[1] = msgs[i].len + 1;
buf[2] = msgs[i].addr << 1;
memcpy(&buf[3], msgs[i].buf, msgs[i].len);
buf_len = msgs[i].len + 3;
buf[buf_len++] = msgs[++i].len;
} else if (msgs[i].flags & I2C_M_RD) {
#ifdef GO7007_I2C_DEBUG
pr_debug("i2c read %d bytes on %02x\n",
Reported by FlawFinder.
Line: 998
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = 0x00;
buf[1] = msgs[i].len + 1;
buf[2] = msgs[i].addr << 1;
memcpy(&buf[3], msgs[i].buf, msgs[i].len);
buf_len = msgs[i].len + 3;
buf[buf_len++] = 0;
}
if (go7007_usb_vendor_request(go, 0x24, 0, 0,
buf, buf_len, 0) < 0)
Reported by FlawFinder.
Line: 1010
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (go7007_usb_vendor_request(go, 0x25, 0, 0, buf,
msgs[i].len + 1, 1) < 0)
goto i2c_done;
memcpy(msgs[i].buf, buf + 1, msgs[i].len);
}
}
ret = num;
i2c_done:
Reported by FlawFinder.
Line: 1167
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Register the EZ-USB I2C adapter, if we're using it */
if (board->flags & GO7007_USB_EZUSB_I2C) {
memcpy(&go->i2c_adapter, &go7007_usb_adap_templ,
sizeof(go7007_usb_adap_templ));
mutex_init(&usb->i2c_lock);
go->i2c_adapter.dev.parent = go->dev;
i2c_set_adapdata(&go->i2c_adapter, go);
if (i2c_add_adapter(&go->i2c_adapter) < 0) {
Reported by FlawFinder.
drivers/media/dvb-frontends/drx39xyj/drxj.c
4 issues
Line: 1320
CWE codes:
476
if (w_dev_addr == NULL) {
/* Read only */
state = r_dev_addr->user_data;
msg[0].addr = r_dev_addr->i2c_addr >> 1;
msg[0].flags = I2C_M_RD;
msg[0].buf = r_data;
msg[0].len = r_count;
num_msgs = 1;
Reported by Cppcheck.
Line: 1321
CWE codes:
476
if (w_dev_addr == NULL) {
/* Read only */
state = r_dev_addr->user_data;
msg[0].addr = r_dev_addr->i2c_addr >> 1;
msg[0].flags = I2C_M_RD;
msg[0].buf = r_data;
msg[0].len = r_count;
num_msgs = 1;
} else if (r_dev_addr == NULL) {
Reported by Cppcheck.
Line: 1688
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(data_block_size <
datasize ? data_block_size : datasize);
}
memcpy(&buf[bufx], data, todo);
/* write (address if can do and) data */
st = drxbsp_i2c_write_read(dev_addr,
(u16) (bufx + todo),
buf,
(struct i2c_device_addr *)(NULL),
Reported by FlawFinder.
Line: 12335
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* create dvb_frontend */
memcpy(&state->frontend.ops, &drx39xxj_ops,
sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
/* Initialize stats - needed for DVBv5 stats to work */
Reported by FlawFinder.
drivers/net/ethernet/broadcom/cnic_if.h
4 issues
Line: 127
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cmd;
union {
struct cnic_ctl_completion comp;
char bytes[MAX_CNIC_CTL_DATA];
} data;
};
struct drv_ctl_spq_credit {
u32 credit_count;
Reported by FlawFinder.
Line: 165
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct drv_ctl_l2_ring ring;
int ulp_type;
struct drv_ctl_register_data register_data;
char bytes[MAX_DRV_CTL_DATA];
} data;
};
#define MAX_NPIV_ENTRIES 64
#define FC_NPIV_WWN_SIZE 8
Reported by FlawFinder.
Line: 268
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 src_port;
u16 dst_port;
u16 vlan_id;
unsigned char old_ha[ETH_ALEN];
unsigned char ha[ETH_ALEN];
u32 mtu;
u32 cid;
u32 l5_cid;
u32 pg_cid;
Reported by FlawFinder.
Line: 269
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 dst_port;
u16 vlan_id;
unsigned char old_ha[ETH_ALEN];
unsigned char ha[ETH_ALEN];
u32 mtu;
u32 cid;
u32 l5_cid;
u32 pg_cid;
int ulp_type;
Reported by FlawFinder.
drivers/net/ethernet/broadcom/genet/bcmgenet.c
4 issues
Line: 945
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct bcmgenet_stats {
char stat_string[ETH_GSTRING_LEN];
int stat_sizeof;
int stat_offset;
enum bcmgenet_stat_type type;
/* reg offset from UMAC base for misc counters */
u16 reg_offset;
Reported by FlawFinder.
Line: 1124
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_STATS:
for (i = 0; i < BCMGENET_STATS_LEN; i++) {
memcpy(data + i * ETH_GSTRING_LEN,
bcmgenet_gstrings_stats[i].stat_string,
ETH_GSTRING_LEN);
}
break;
}
Reported by FlawFinder.
Line: 1435
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bcmgenet_hfb_clear_filter(priv, cmd->fs.location);
}
loc_rule->state = BCMGENET_RXNFC_STATE_UNUSED;
memcpy(&loc_rule->fs, &cmd->fs,
sizeof(struct ethtool_rx_flow_spec));
bcmgenet_hfb_create_rxnfc_filter(priv, loc_rule);
list_add_tail(&loc_rule->list, &priv->rxnfc_list);
Reported by FlawFinder.
Line: 1509
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rule->state == BCMGENET_RXNFC_STATE_UNUSED)
err = -ENOENT;
else
memcpy(&cmd->fs, &rule->fs,
sizeof(struct ethtool_rx_flow_spec));
return err;
}
Reported by FlawFinder.
drivers/net/ethernet/broadcom/genet/bcmmii.c
4 issues
Line: 553
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
UNIMAC_MDIO_DRV_NAME, priv->pdev->id);
if (pd->phy_interface != PHY_INTERFACE_MODE_MOCA && pd->mdio_enabled) {
snprintf(phy_name, MII_BUS_ID_SIZE, PHY_ID_FMT,
mdio_bus_id, pd->phy_address);
/*
* Internal or external PHY with MDIO access
*/
Reported by FlawFinder.
Line: 312
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
} else {
if (has_acpi_companion(kdev)) {
char mdio_bus_id[MII_BUS_ID_SIZE];
struct mii_bus *unimacbus;
snprintf(mdio_bus_id, MII_BUS_ID_SIZE, "%s-%d",
UNIMAC_MDIO_DRV_NAME, priv->pdev->id);
Reported by FlawFinder.
Line: 545
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct device *kdev = &priv->pdev->dev;
struct bcmgenet_platform_data *pd = kdev->platform_data;
char phy_name[MII_BUS_ID_SIZE + 3];
char mdio_bus_id[MII_BUS_ID_SIZE];
struct phy_device *phydev;
snprintf(mdio_bus_id, MII_BUS_ID_SIZE, "%s-%d",
UNIMAC_MDIO_DRV_NAME, priv->pdev->id);
Reported by FlawFinder.
Line: 546
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device *kdev = &priv->pdev->dev;
struct bcmgenet_platform_data *pd = kdev->platform_data;
char phy_name[MII_BUS_ID_SIZE + 3];
char mdio_bus_id[MII_BUS_ID_SIZE];
struct phy_device *phydev;
snprintf(mdio_bus_id, MII_BUS_ID_SIZE, "%s-%d",
UNIMAC_MDIO_DRV_NAME, priv->pdev->id);
Reported by FlawFinder.
drivers/media/dvb-frontends/cx24120.c
4 issues
Line: 236
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (len) {
msg.buf[0] = reg;
msg.len = len > max ? max : len;
memcpy(&msg.buf[1], values, msg.len);
len -= msg.len; /* data length revers counter */
values += msg.len; /* incr data pointer */
if (incr)
Reported by FlawFinder.
Line: 297
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* create dvb_frontend */
state->cold_init = 0;
memcpy(&state->frontend.ops, &cx24120_ops,
sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
info("Conexant cx24120/cx24118 attached.\n");
return &state->frontend;
Reported by FlawFinder.
Line: 584
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd.arg[4] = 0x00;
cmd.arg[5] = d->msg_len;
memcpy(&cmd.arg[6], &d->msg, d->msg_len);
if (cx24120_message_send(state, &cmd)) {
err("send 2nd message(0x%x) failed\n", cmd.id);
return -EREMOTEIO;
}
Reported by FlawFinder.
Line: 1275
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cx24120_cmd cmd;
u8 reg;
int ret, i;
unsigned char vers[4];
if (state->cold_init)
return 0;
/* ???? */
Reported by FlawFinder.