The following issues were found
drivers/net/ethernet/marvell/octeontx2/af/mbox.h
3 issues
Line: 454
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint64_t an:1; /* AN supported or not */
uint64_t fec:2; /* FEC type if enabled else 0 */
#define LMACTYPE_STR_LEN 16
char lmac_type[LMACTYPE_STR_LEN];
};
struct cgx_link_info_msg {
struct mbox_msghdr hdr;
struct cgx_link_user_info link_info;
Reported by FlawFinder.
Line: 1213
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct flow_msg {
unsigned char dmac[6];
unsigned char smac[6];
__be16 etype;
__be16 vlan_etype;
__be16 vlan_tci;
union {
Reported by FlawFinder.
Line: 1214
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct flow_msg {
unsigned char dmac[6];
unsigned char smac[6];
__be16 etype;
__be16 vlan_etype;
__be16 vlan_tci;
union {
__be32 ip4src;
Reported by FlawFinder.
drivers/net/wireless/ath/wil6210/p2p.c
3 issues
Line: 146
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(&p2p->listen_chan, chan, sizeof(*chan));
*cookie = ++p2p->cookie;
p2p->listen_duration = duration;
mutex_lock(&wil->vif_mutex);
if (vif->scan_request) {
Reported by FlawFinder.
Line: 30
Column: 25
CWE codes:
126
goto out;
}
rc = wmi_set_ssid(vif, strlen(P2P_WILDCARD_SSID), P2P_WILDCARD_SSID);
if (rc) {
wil_err(wil, "wmi_set_ssid failed\n");
goto out_stop;
}
Reported by FlawFinder.
Line: 82
Column: 25
CWE codes:
126
goto out;
}
rc = wmi_set_ssid(vif, strlen(P2P_WILDCARD_SSID), P2P_WILDCARD_SSID);
if (rc) {
wil_err(wil, "wmi_set_ssid failed\n");
goto out_stop;
}
Reported by FlawFinder.
drivers/net/wireless/ath/wil6210/main.c
3 issues
Line: 154
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* count can be 1..3 */
u32 tmp = __raw_readl(s);
memcpy(d, &tmp, count);
}
}
void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src,
size_t count)
Reported by FlawFinder.
Line: 171
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* count can be 1..3 */
u32 tmp = 0;
memcpy(&tmp, s, count);
__raw_writel(tmp, d);
}
}
/* Device memory access is prohibited while reset or suspend.
Reported by FlawFinder.
Line: 1703
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
wil_set_oob_mode(wil, oob_mode);
if (load_fw) {
char board_file[WIL_BOARD_FILE_MAX_NAMELEN];
if (wil->secured_boot) {
wil_err(wil, "secured boot is not supported\n");
up_write(&wil->mem_lock);
return -ENOTSUPP;
Reported by FlawFinder.
drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
3 issues
Line: 3581
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
desc_cb->reuse_flag = 1;
memcpy(frag, desc_cb->buf + frag_offset, frag_size);
skb_add_rx_frag(skb, i, virt_to_page(frag),
offset_in_page(frag), frag_size, frag_size);
u64_stats_update_begin(&ring->syncp);
ring->stats.frag_alloc++;
Reported by FlawFinder.
Line: 3854
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ring->frag_num = 0;
ring->tail_skb = NULL;
if (length <= HNS3_RX_HEAD_SIZE) {
memcpy(__skb_put(skb, length), va, ALIGN(length, sizeof(long)));
/* We can reuse buffer as-is, just make sure it is reusable */
if (dev_page_is_reusable(desc_cb->priv))
desc_cb->reuse_flag = 1;
else /* This page cannot be reused so discard it */
Reported by FlawFinder.
Line: 4139
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* the head data in after other data rx completed
*/
if (skb->len > HNS3_RX_HEAD_SIZE)
memcpy(skb->data, ring->va,
ALIGN(ring->pull_len, sizeof(long)));
ret = hns3_handle_bdinfo(ring, skb);
if (unlikely(ret)) {
dev_kfree_skb_any(skb);
Reported by FlawFinder.
drivers/net/wireless/ath/wcn36xx/debug.c
3 issues
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wcn36xx *wcn = file->private_data;
struct wcn36xx_vif *vif_priv = NULL;
struct ieee80211_vif *vif = NULL;
char buf[3];
list_for_each_entry(vif_priv, &wcn->vif_list, list) {
vif = wcn36xx_priv_to_vif(vif_priv);
if (NL80211_IFTYPE_STATION == vif->type) {
if (vif_priv->pw_state == WCN36XX_BMPS)
Reported by FlawFinder.
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wcn36xx_vif *vif_priv = NULL;
struct ieee80211_vif *vif = NULL;
char buf[32];
int buf_size;
buf_size = min(count, (sizeof(buf)-1));
if (copy_from_user(buf, user_buf, buf_size))
return -EFAULT;
Reported by FlawFinder.
Line: 103
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct wcn36xx *wcn = file->private_data;
char buf[255], *tmp;
int buf_size;
u32 arg[WCN36xx_MAX_DUMP_ARGS];
int i;
memset(buf, 0, sizeof(buf));
Reported by FlawFinder.
drivers/net/ethernet/netronome/nfp/devlink_param.c
3 issues
Line: 105
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return err;
}
snprintf(hwinfo, sizeof(hwinfo), arg->hwinfo_name);
err = nfp_nsp_hwinfo_lookup_optional(nsp, hwinfo, sizeof(hwinfo),
arg->default_hi_val);
if (err) {
nfp_warn(pf->cpp, "HWinfo lookup failed: %d\n", err);
goto exit_close_nsp;
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct nfp_devlink_param_u8_arg *arg;
struct nfp_pf *pf = devlink_priv(devlink);
struct nfp_nsp *nsp;
char hwinfo[32];
long value;
int err;
if (id >= ARRAY_SIZE(nfp_devlink_u8_args))
return -EOPNOTSUPP;
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct nfp_devlink_param_u8_arg *arg;
struct nfp_pf *pf = devlink_priv(devlink);
struct nfp_nsp *nsp;
char hwinfo[32];
int err;
if (id >= ARRAY_SIZE(nfp_devlink_u8_args))
return -EOPNOTSUPP;
Reported by FlawFinder.
drivers/net/ethernet/netronome/nfp/flower/conntrack.c
3 issues
Line: 469
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!memcmp(&new_cookie, nft_m_entry->cookie, sizeof(new_cookie)))
return 0;
memcpy(&nft_m_entry->cookie, &new_cookie, sizeof(new_cookie));
nft_m_entry->zt = zt;
nft_m_entry->tc_m_parent = tc_m_entry;
nft_m_entry->nft_parent = nft_entry;
nft_m_entry->tc_flower_cookie = 0;
/* Copy the netdev from one the pre_ct entry. When the tc_m_entry was created
Reported by FlawFinder.
Line: 548
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!memcmp(&new_cookie, m_entry->cookie, sizeof(new_cookie)))
return 0;
memcpy(&m_entry->cookie, &new_cookie, sizeof(new_cookie));
m_entry->zt = zt;
m_entry->post_ct_parent = post_ct_entry;
m_entry->pre_ct_parent = pre_ct_entry;
/* Add this entry to the pre_ct and post_ct lists */
Reported by FlawFinder.
Line: 702
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct flow_action_entry *new_act;
new_act = &entry->rule->action.entries[i];
memcpy(new_act, act, sizeof(struct flow_action_entry));
/* Entunnel is a special case, need to allocate and copy
* tunnel info.
*/
if (act->id == FLOW_ACTION_TUNNEL_ENCAP) {
struct ip_tunnel_info *tun = act->tunnel;
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c
3 issues
Line: 347
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (priv->contexts[IWL_RXON_CTX_BSS].vif != vif)
goto out;
memcpy(priv->kek, data->kek, NL80211_KEK_LEN);
memcpy(priv->kck, data->kck, NL80211_KCK_LEN);
priv->replay_ctr =
cpu_to_le64(be64_to_cpup((__be64 *)&data->replay_ctr));
priv->have_rekey_data = true;
Reported by FlawFinder.
Line: 348
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
memcpy(priv->kek, data->kek, NL80211_KEK_LEN);
memcpy(priv->kck, data->kck, NL80211_KCK_LEN);
priv->replay_ctr =
cpu_to_le64(be64_to_cpup((__be64 *)&data->replay_ctr));
priv->have_rekey_data = true;
out:
Reported by FlawFinder.
Line: 419
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
IWL_ERR(priv, "rx wrong size data\n");
return true;
}
memcpy(resume_data->cmd, pkt->data, sizeof(*resume_data->cmd));
resume_data->valid = true;
return true;
}
Reported by FlawFinder.
drivers/net/wireless/ath/carl9170/rx.c
3 issues
Line: 153
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock(&ar->cmd_lock);
if (ar->readbuf) {
if (len >= 4)
memcpy(ar->readbuf, buffer + 4, len - 4);
ar->readbuf = NULL;
}
complete(&ar->cmd_wait);
spin_unlock(&ar->cmd_lock);
Reported by FlawFinder.
Line: 683
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!skb)
return -ENOMEM;
memcpy(IEEE80211_SKB_RXCB(skb), status, sizeof(*status));
ieee80211_rx(ar->hw, skb);
return 0;
}
/*
Reported by FlawFinder.
Line: 733
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* to share a common RX status information,
* then you have the answer right here...
*/
memcpy(&ar->rx_plcp, (void *) buf,
sizeof(struct ar9170_rx_head));
mpdu_len -= sizeof(struct ar9170_rx_head);
buf += sizeof(struct ar9170_rx_head);
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
3 issues
Line: 110
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
int i;
for (i = 0; i < NUM_VPORT_REP_SW_COUNTERS; i++)
strcpy(data + (idx++) * ETH_GSTRING_LEN,
sw_rep_stats_desc[i].format);
return idx;
}
static MLX5E_DECLARE_STATS_GRP_OP_FILL_STATS(sw_rep)
Reported by FlawFinder.
Line: 150
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
int i;
for (i = 0; i < NUM_VPORT_REP_HW_COUNTERS; i++)
strcpy(data + (idx++) * ETH_GSTRING_LEN, vport_rep_stats_desc[i].format);
return idx;
}
static MLX5E_DECLARE_STATS_GRP_OP_FILL_STATS(vport_rep)
{
Reported by FlawFinder.
Line: 488
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* update HW stats in background for next time */
mlx5e_queue_update_stats(priv);
memcpy(stats, &priv->stats.vf_vport, sizeof(*stats));
}
static int mlx5e_rep_change_mtu(struct net_device *netdev, int new_mtu)
{
return mlx5e_change_mtu(netdev, new_mtu, NULL);
Reported by FlawFinder.