The following issues were found
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
3 issues
Line: 241
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
emsg.reason = be32_to_cpu(emsg_be->reason);
emsg.auth_type = be32_to_cpu(emsg_be->auth_type);
emsg.datalen = be32_to_cpu(emsg_be->datalen);
memcpy(emsg.addr, emsg_be->addr, ETH_ALEN);
memcpy(emsg.ifname, emsg_be->ifname, sizeof(emsg.ifname));
emsg.ifidx = emsg_be->ifidx;
emsg.bsscfgidx = emsg_be->bsscfgidx;
brcmf_dbg(EVENT, " version %u flags %u status %u reason %u\n",
Reported by FlawFinder.
Line: 426
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* use memcpy to get aligned event message */
memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg));
memcpy(event->data, data, datalen);
event->datalen = datalen;
memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN);
brcmf_fweh_queue_event(fweh, event);
}
Reported by FlawFinder.
Line: 428
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg));
memcpy(event->data, data, datalen);
event->datalen = datalen;
memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN);
brcmf_fweh_queue_event(fweh, event);
}
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlxsw/spectrum_ipip.c
3 issues
Line: 153
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
u16 rif_index = mlxsw_sp_ipip_lb_rif_index(ipip_entry->ol_lb);
u16 ul_rif_id = mlxsw_sp_ipip_lb_ul_rif_id(ipip_entry->ol_lb);
char rtdp_pl[MLXSW_REG_RTDP_LEN];
struct ip_tunnel_parm parms;
unsigned int type_check;
bool has_ikey;
u32 daddr4;
u32 ikey;
Reported by FlawFinder.
Line: 313
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mlxsw_sp_ipip_ecn_encap_init_one(struct mlxsw_sp *mlxsw_sp,
u8 inner_ecn, u8 outer_ecn)
{
char tieem_pl[MLXSW_REG_TIEEM_LEN];
mlxsw_reg_tieem_pack(tieem_pl, inner_ecn, outer_ecn);
return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(tieem), tieem_pl);
}
Reported by FlawFinder.
Line: 339
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mlxsw_sp_ipip_ecn_decap_init_one(struct mlxsw_sp *mlxsw_sp,
u8 inner_ecn, u8 outer_ecn)
{
char tidem_pl[MLXSW_REG_TIDEM_LEN];
u8 new_inner_ecn;
bool trap_en;
new_inner_ecn = mlxsw_sp_tunnel_ecn_decap(outer_ecn, inner_ecn,
&trap_en);
Reported by FlawFinder.
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
3 issues
Line: 86
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 driverrev;
u32 ucoderev;
u32 bus;
char chipname[12];
u32 phytype;
u32 phyrev;
u32 anarev;
u32 chippkg;
u32 nvramrev;
Reported by FlawFinder.
Line: 107
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint hdrlen; /* Total BRCMF header length (proto + bus) */
/* Dongle media info */
char fwver[BRCMF_DRIVER_FIRMWARE_VERSION_LEN];
u8 mac[ETH_ALEN]; /* MAC address obtained from dongle */
struct mac_address addresses[BRCMF_MAX_IFS];
struct brcmf_if *iflist[BRCMF_MAX_IFS];
Reported by FlawFinder.
Line: 117
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct brcmf_if *mon_if;
struct mutex proto_block;
unsigned char proto_buf[BRCMF_DCMD_MAXLEN];
struct brcmf_fweh_info fweh;
struct brcmf_ampdu_rx_reorder
*reorder_flows[BRCMF_AMPDU_RX_REORDER_MAXFLOWS];
Reported by FlawFinder.
drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
3 issues
Line: 53
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param_named(feature_disable, brcmf_feature_disable, int, 0);
MODULE_PARM_DESC(feature_disable, "Disable features");
static char brcmf_firmware_path[BRCMF_FW_ALTPATH_LEN];
module_param_string(alternative_fw_path, brcmf_firmware_path,
BRCMF_FW_ALTPATH_LEN, 0400);
MODULE_PARM_DESC(alternative_fw_path, "Alternative firmware path");
static int brcmf_fcmode;
Reported by FlawFinder.
Line: 165
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
chunk_len = datalen;
dl_flag |= DL_END;
}
memcpy(chunk_buf->data, clm->data + cumulative_len, chunk_len);
err = brcmf_c_download(ifp, dl_flag, chunk_buf, chunk_len);
dl_flag &= ~DL_BEGIN;
Reported by FlawFinder.
Line: 213
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto done;
}
memcpy(ifp->drvr->mac, ifp->mac_addr, sizeof(ifp->drvr->mac));
memcpy(ifp->drvr->wiphy->perm_addr, ifp->drvr->mac, ETH_ALEN);
bus = ifp->drvr->bus_if;
ri = &ifp->drvr->revinfo;
err = brcmf_fil_cmd_data_get(ifp, BRCMF_C_GET_REVINFO,
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c
3 issues
Line: 88
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void mlx5e_rep_update_flows(struct mlx5e_priv *priv,
struct mlx5e_encap_entry *e,
bool neigh_connected,
unsigned char ha[ETH_ALEN])
{
struct ethhdr *eth = (struct ethhdr *)e->encap_header;
struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
bool encap_connected;
LIST_HEAD(flow_list);
Reported by FlawFinder.
Line: 198
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (type) {
case TC_SETUP_CLSFLOWER:
memcpy(&tmp, f, sizeof(*f));
if (!mlx5_chains_prios_supported(esw_chains(esw)))
return -EOPNOTSUPP;
/* Re-use tc offload path by moving the ft flow to the
Reported by FlawFinder.
Line: 379
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (type) {
case TC_SETUP_CLSFLOWER:
memcpy(&tmp, f, sizeof(*f));
/* Re-use tc offload path by moving the ft flow to the
* reserved ft chain.
*
* FT offload can use prio range [0, INT_MAX], so we normalize
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
3 issues
Line: 472
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int tclass_num, u32 min, u32 max,
u32 probability, bool is_wred, bool is_ecn)
{
char cwtpm_cmd[MLXSW_REG_CWTPM_LEN];
char cwtp_cmd[MLXSW_REG_CWTP_LEN];
struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
int err;
mlxsw_reg_cwtp_pack(cwtp_cmd, mlxsw_sp_port->local_port, tclass_num);
Reported by FlawFinder.
Line: 473
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 probability, bool is_wred, bool is_ecn)
{
char cwtpm_cmd[MLXSW_REG_CWTPM_LEN];
char cwtp_cmd[MLXSW_REG_CWTP_LEN];
struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
int err;
mlxsw_reg_cwtp_pack(cwtp_cmd, mlxsw_sp_port->local_port, tclass_num);
mlxsw_reg_cwtp_profile_pack(cwtp_cmd, MLXSW_REG_CWTP_DEFAULT_PROFILE,
Reported by FlawFinder.
Line: 498
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int tclass_num)
{
struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
char cwtpm_cmd[MLXSW_REG_CWTPM_LEN];
mlxsw_reg_cwtpm_pack(cwtpm_cmd, mlxsw_sp_port->local_port, tclass_num,
MLXSW_REG_CWTPM_RESET_PROFILE, false, false);
return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(cwtpm), cwtpm_cmd);
}
Reported by FlawFinder.
drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
3 issues
Line: 94
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 reqid;
u8 bus_header[BUS_HEADER_LEN];
struct brcmf_proto_bcdc_dcmd msg;
unsigned char buf[BRCMF_DCMD_MAXLEN];
struct brcmf_fws_info *fws;
};
struct brcmf_fws_info *drvr_to_fws(struct brcmf_pub *drvr)
Reported by FlawFinder.
Line: 128
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->flags = cpu_to_le32(flags);
if (buf)
memcpy(bcdc->buf, buf, len);
len += sizeof(*msg);
if (len > BRCMF_TX_IOCTL_MAX_MSG_SIZE)
len = BRCMF_TX_IOCTL_MAX_MSG_SIZE;
Reported by FlawFinder.
Line: 201
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf) {
if (ret < (int)len)
len = ret;
memcpy(buf, info, len);
}
ret = 0;
/* Check the ERROR flag */
Reported by FlawFinder.
drivers/net/wireless/broadcom/b43legacy/xmit.c
3 issues
Line: 205
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rate_fb_ofdm = b43legacy_is_ofdm_rate(rate_fb->hw_value);
txhdr->mac_frame_ctl = wlhdr->frame_control;
memcpy(txhdr->tx_receiver, wlhdr->addr1, ETH_ALEN);
/* Calculate duration for fallback rate */
if ((rate_fb->hw_value == rate) ||
(wlhdr->duration_id & cpu_to_le16(0x8000)) ||
(wlhdr->duration_id == cpu_to_le16(0))) {
Reported by FlawFinder.
Line: 246
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wlhdr_len = ieee80211_hdrlen(wlhdr->frame_control);
iv_len = min_t(size_t, info->control.hw_key->iv_len,
ARRAY_SIZE(txhdr->iv));
memcpy(txhdr->iv, ((u8 *)wlhdr) + wlhdr_len, iv_len);
} else {
/* This key is invalid. This might only happen
* in a short timeframe after machine resume before
* we were able to reconfigure keys.
* Drop this packet completely. Do not transmit it
Reported by FlawFinder.
Line: 564
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto drop;
}
memcpy(IEEE80211_SKB_RXCB(skb), &status, sizeof(status));
ieee80211_rx_irqsafe(dev->wl->hw, skb);
return;
drop:
b43legacydbg(dev->wl, "RX: Packet dropped\n");
Reported by FlawFinder.
drivers/net/ethernet/marvell/mvneta_bm.c
3 issues
Line: 287
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct device_node *dn = priv->pdev->dev.of_node;
struct mvneta_bm_pool *bm_pool;
char prop[15];
u32 size;
int i;
/* Activate BM unit */
mvneta_bm_write(priv, MVNETA_BM_COMMAND_REG, MVNETA_BM_START_MASK);
Reported by FlawFinder.
Line: 307
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mvneta_bm_write(priv, MVNETA_BM_POOL_WRITE_PTR_REG(i), 0);
/* Configure pool size according to DT or use default value */
sprintf(prop, "pool%d,capacity", i);
if (of_property_read_u32(dn, prop, &size)) {
size = MVNETA_BM_POOL_CAP_DEF;
} else if (size > MVNETA_BM_POOL_CAP_MAX) {
dev_warn(&priv->pdev->dev,
"Illegal pool %d capacity %d, set to %d\n",
Reported by FlawFinder.
Line: 333
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bm_pool->hwbm_pool.size);
/* Obtain custom pkt_size from DT */
sprintf(prop, "pool%d,pkt-size", i);
if (of_property_read_u32(dn, prop, &bm_pool->pkt_size))
bm_pool->pkt_size = 0;
}
}
Reported by FlawFinder.
drivers/net/ethernet/micrel/ks8842.c
3 issues
Line: 1067
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(addr->sa_data))
return -EADDRNOTAVAIL;
memcpy(netdev->dev_addr, mac, netdev->addr_len);
ks8842_write_mac_addr(adapter, mac);
return 0;
}
Reported by FlawFinder.
Line: 1194
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (i < netdev->addr_len)
/* an address was passed, use it */
memcpy(netdev->dev_addr, pdata->macaddr,
netdev->addr_len);
}
if (i == netdev->addr_len) {
ks8842_read_mac_addr(adapter, netdev->dev_addr);
Reported by FlawFinder.
Line: 1207
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
id = ks8842_read16(adapter, 32, REG_SW_ID_AND_ENABLE);
strcpy(netdev->name, "eth%d");
err = register_netdev(netdev);
if (err)
goto err_register;
platform_set_drvdata(pdev, netdev);
Reported by FlawFinder.