The following issues were found
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
2 issues
Line: 979
Column: 3
CWE codes:
120
Suggestion:
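Make sure destination can always hold the source data. The copy length here is net_dev->addr_len, so both net_dev->dev_addr and mac_addr must be at least that many bytes; the declaration of mac_addr is outside the excerpt.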
/* First check if firmware has any address configured by bootloader */
if (!is_zero_ether_addr(mac_addr)) {
memcpy(net_dev->dev_addr, mac_addr, net_dev->addr_len);
} else {
/* No MAC address configured, fill in net_dev->dev_addr
* with a random one
*/
eth_hw_addr_random(net_dev);
Reported by FlawFinder.
Line: 2960
Column: 8
CWE codes:
119
120
Suggestion:
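Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. This finding points at the declaration of the fixed-size array stpa, whose initializer is shown in full; what needs review is how stpa is used later in the function, which is outside the excerpt.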
static int dpaa2_switch_port_init(struct ethsw_port_priv *port_priv, u16 port)
{
const char stpa[ETH_ALEN] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
struct switchdev_obj_port_vlan vlan = {
.obj.id = SWITCHDEV_OBJ_ID_PORT_VLAN,
.vid = DEFAULT_VLAN_ID,
.flags = BRIDGE_VLAN_INFO_UNTAGGED | BRIDGE_VLAN_INFO_PVID,
};
Reported by FlawFinder.
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-ethtool.c
2 issues
Line: 16
Column: 2
CWE codes:
119
120
Suggestion:
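Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged line is the declaration of the fixed-size name field; the entries shown are initialized from string literals, so the check is that every literal in the table fits in ETH_GSTRING_LEN.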
static struct {
enum dpsw_counter id;
char name[ETH_GSTRING_LEN];
} dpaa2_switch_ethtool_counters[] = {
{DPSW_CNT_ING_FRAME, "rx frames"},
{DPSW_CNT_ING_BYTE, "rx bytes"},
{DPSW_CNT_ING_FLTR_FRAME, "rx filtered frames"},
{DPSW_CNT_ING_FRAME_DISCARD, "rx discarded frames"},
Reported by FlawFinder.
Line: 155
Column: 4
CWE codes:
120
Suggestion:
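Make sure destination can always hold the source data. Each copy reads exactly ETH_GSTRING_LEN bytes from a name field declared with that size, so the source side is in bounds; the open question is whether the caller's data buffer holds DPAA2_SWITCH_NUM_COUNTERS * ETH_GSTRING_LEN bytes, which this excerpt does not show.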
switch (stringset) {
case ETH_SS_STATS:
for (i = 0; i < DPAA2_SWITCH_NUM_COUNTERS; i++)
memcpy(data + i * ETH_GSTRING_LEN,
dpaa2_switch_ethtool_counters[i].name,
ETH_GSTRING_LEN);
break;
}
}
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/fw/debugfs.c
2 issues
Line: 17
Column: 2
CWE codes:
119
120
Suggestion:
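Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged line is the declaration of rbuf[buflen] inside a macro-generated struct; the code that writes into rbuf is not part of the excerpt and is what has to be checked against buflen.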
argtype *arg; \
bool read_done; \
ssize_t rlen; \
char rbuf[buflen]; \
}; \
static int _iwl_dbgfs_##name##_open(struct inode *inode, \
struct file *file) \
{ \
struct dbgfs_##name##_data *data; \
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
119
120
Suggestion:
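Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In the excerpt the flagged buffer is zero-initialized and the copy from user space is limited to min(count, sizeof(buf) - 1), so the copy shown stays inside buf and leaves the last byte as a terminator; later uses of buf are outside the excerpt.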
{ \
argtype *arg = \
((struct dbgfs_##name##_data *)file->private_data)->arg;\
char buf[buflen] = {}; \
size_t buf_size = min(count, sizeof(buf) - 1); \
\
if (copy_from_user(buf, user_buf, buf_size)) \
return -EFAULT; \
\
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/fw/paging.c
2 issues
Line: 152
Column: 2
CWE codes:
120
Suggestion:
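Make sure destination can always hold the source data. The copy length is image->sec[sec_idx].len, so it has to be checked against the size of the destination paging block (fw_paging_db[0].fw_paging_size, the size passed to the DMA sync that follows); the lines just before the copy end in goto err, but the condition they test is cut off from this excerpt.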
goto err;
}
memcpy(page_address(fwrt->fw_paging_db[0].fw_paging_block),
image->sec[sec_idx].data,
image->sec[sec_idx].len);
dma_sync_single_for_device(fwrt->trans->dev,
fwrt->fw_paging_db[0].fw_paging_phys,
fwrt->fw_paging_db[0].fw_paging_size,
Reported by FlawFinder.
Line: 198
Column: 3
CWE codes:
120
Suggestion:
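Make sure destination can always hold the source data. Here len bytes starting at offset within the section are copied into block->fw_paging_block, so confirm that len never exceeds block->fw_paging_size and that offset + len stays within the section's length; the code that computes len and offset is not in the excerpt.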
goto err;
}
memcpy(page_address(block->fw_paging_block),
image->sec[sec_idx].data + offset, len);
dma_sync_single_for_device(fwrt->trans->dev,
block->fw_paging_phys,
block->fw_paging_size,
DMA_BIDIRECTIONAL);
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
2 issues
Line: 830
Column: 2
CWE codes:
120
Suggestion:
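Make sure destination can always hold the source data. The destination is node_trig->data + offset, so the buffer behind node_tlv must cover offset + trig_data_len bytes; the sizing code is only partly visible (node_tlv->length is set to size right after the copy), so the allocation above the excerpt needs to be read together with this line.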
node_trig = (void *)node_tlv->data;
}
memcpy(node_trig->data + offset, trig->data, trig_data_len);
node_tlv->length = cpu_to_le32(size);
if (policy & IWL_FW_INI_APPLY_POLICY_OVERRIDE_CFG) {
IWL_DEBUG_FW(fwrt,
"WRT: Overriding trigger configuration (time point %u)\n",
Reported by FlawFinder.
Line: 839
Column: 3
CWE codes:
120
Suggestion:
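Make sure destination can always hold the source data. The length is a constant 11 dwords (sizeof(__le32) * 11), so the check is that both node_trig and trig point to at least that many bytes of trigger structure; neither type definition is shown here.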
le32_to_cpu(trig->time_point));
/* the first 11 dwords are configuration related */
memcpy(node_trig, trig, sizeof(__le32) * 11);
}
if (policy & IWL_FW_INI_APPLY_POLICY_OVERRIDE_REGIONS) {
IWL_DEBUG_FW(fwrt,
"WRT: Overriding trigger regions (time point %u)\n",
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/iwl-devtrace-data.h
2 issues
Line: 37
Column: 4
CWE codes:
120
Suggestion:
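Make sure destination can always hold the source data. data_len bytes are copied into the trace entry's dynamic array; the array's declared length is in the entry definition above the excerpt and should be confirmed to be the same data_len.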
DEV_ASSIGN;
__entry->phys = phys;
if (iwl_trace_data(skb))
memcpy(__get_dynamic_array(data), data_src, data_len);
),
TP_printk("[%s] TX frame data", __get_str(dev))
);
TRACE_EVENT(iwlwifi_dev_rx_data,
Reported by FlawFinder.
Line: 56
Column: 4
CWE codes:
120
Suggestion:
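Make sure destination can always hold the source data. The copy runs only when offs < len, so len - offs cannot wrap around; what remains to confirm is that the dynamic array was declared with a length of at least len - offs, which is outside the excerpt.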
size_t offs = iwl_rx_trace_len(trans, rxbuf, len, NULL);
DEV_ASSIGN;
if (offs < len)
memcpy(__get_dynamic_array(data),
((u8 *)rxbuf) + offs, len - offs);
),
TP_printk("[%s] RX frame data", __get_str(dev))
);
#endif /* __IWLWIFI_DEVICE_TRACE_DATA */
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/iwl-devtrace-msg.h
2 issues
Line: 29
Column: 16
CWE codes:
134
Suggestion:
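Use a constant for the format specification. The format string here is vaf->fmt, supplied by the caller of the trace event, and the output is bounded by MAX_MSG_LEN; the point to verify is that every caller passes a literal format string and never text that originates outside the driver.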
__dynamic_array(char, msg, MAX_MSG_LEN)
),
TP_fast_assign(
WARN_ON_ONCE(vsnprintf(__get_dynamic_array(msg),
MAX_MSG_LEN, vaf->fmt,
*vaf->va) >= MAX_MSG_LEN);
),
TP_printk("%s", __get_str(msg))
);
Reported by FlawFinder.
Line: 68
Column: 16
CWE codes:
134
Suggestion:
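Use a constant for the format specification. As in the previous finding, the format is vaf->fmt and vsnprintf is given MAX_MSG_LEN as its limit, so the review question is the origin of the format string at each call site, not the size of the output.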
TP_fast_assign(
__entry->level = level;
__assign_str(function, function);
WARN_ON_ONCE(vsnprintf(__get_dynamic_array(msg),
MAX_MSG_LEN, vaf->fmt,
*vaf->va) >= MAX_MSG_LEN);
),
TP_printk("%s", __get_str(msg))
);
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/iwl-trans.h
2 issues
Line: 957
Column: 2
CWE codes:
119
120
Suggestion:
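Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged line only declares the 52-byte hw_id_str field; the risk depends on the code that fills it, which is not in this header excerpt, so each writer should be checked for a length-limited call sized with sizeof(hw_id_str).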
u32 hw_rev;
u32 hw_rf_id;
u32 hw_id;
char hw_id_str[52];
u32 sku_id[3];
u8 rx_mpdu_cmd, rx_mpdu_cmd_hdr_size;
bool pm_support;
Reported by FlawFinder.
Line: 979
Column: 2
CWE codes:
119
120
Suggestion:
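Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged line only declares the 50-byte dev_cmd_pool_name field; the code that formats the pool name is elsewhere and should be checked for a length-limited call sized with sizeof(dev_cmd_pool_name).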
/* The following fields are internal only */
struct kmem_cache *dev_cmd_pool;
char dev_cmd_pool_name[50];
struct dentry *dbgfs_dir;
#ifdef CONFIG_LOCKDEP
struct lockdep_map sync_cmd_lockdep_map;
Reported by FlawFinder.
drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
2 issues
Line: 529
Column: 2
CWE codes:
120
Suggestion:
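Make sure destination can always hold the source data. The length passed is msg_size + msgs_offset; where msg_size was set by the assignment on the first line shown, that sum equals mbox->rx_size, so the check is that both regions starting at rx_start are at least rx_size bytes. Whether that assignment is conditional, and where msg_size otherwise comes from, is not visible in the excerpt.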
msg_size = mbox->rx_size - msgs_offset;
/* Copy mbox messages from mbox memory to bounce buffer */
memcpy(mdev->mbase + mbox->rx_start,
hw_mbase + mbox->rx_start, msg_size + msgs_offset);
}
/* With the absence of API for 128-bit IO memory access for arm64,
* implement required operations at place.
Reported by FlawFinder.
Line: 585
Column: 2
CWE codes:
120
Suggestion:
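Make sure destination can always hold the source data. The copy length is sizeof(u64) * num_ptrs, so confirm that callers cap num_ptrs at what the region behind lmt_addr can hold; no such cap is visible in the excerpt.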
size++;
tar_addr |= ((size - 1) & 0x7) << 4;
}
memcpy(lmt_addr, ptrs, sizeof(u64) * num_ptrs);
/* Perform LMTST flush */
cn10k_lmt_flush(val, tar_addr);
}
static inline void cn10k_aura_freeptr(void *dev, int aura, u64 buf)
Reported by FlawFinder.
drivers/net/ethernet/marvell/prestera/prestera_acl.c
2 issues
Line: 231
Column: 2
CWE codes:
120
Suggestion:
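Make sure destination can always hold the source data. The length is sizeof(*entry), so the copy is in bounds as long as a_entry was allocated with at least that size; the allocation sits just above the excerpt, which shows only its NULL check.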
if (!a_entry)
return -ENOMEM;
memcpy(a_entry, entry, sizeof(*entry));
list_add(&a_entry->list, &rule->action_list);
rule->n_actions++;
return 0;
}
Reported by FlawFinder.
Line: 263
Column: 2
CWE codes:
120
Suggestion:
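Make sure destination can always hold the source data. The length is sizeof(*entry), so the copy is in bounds as long as m_entry was allocated with at least that size; the allocation sits just above the excerpt, which shows only its NULL check.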
if (!m_entry)
return -ENOMEM;
memcpy(m_entry, entry, sizeof(*entry));
list_add(&m_entry->list, &rule->match_list);
rule->n_matches++;
return 0;
}
Reported by FlawFinder.