The following issues were found
drivers/infiniband/hw/mlx4/cm.c
2 issues
Line: 69
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__be32 local_comm_id;
__be32 remote_comm_id;
unsigned char unused[2];
__be16 rej_reason;
};
struct cm_sidr_generic_msg {
struct ib_mad_hdr hdr;
Reported by FlawFinder.
Line: 79
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct cm_req_msg {
unsigned char unused[0x60];
union ib_gid primary_path_sgid;
};
static void set_local_comm_id(struct ib_mad *mad, u32 cm_id)
Reported by FlawFinder.
drivers/infiniband/hw/mlx4/mlx4_ib.h
2 issues
Line: 565
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct kobject *kobj;
unsigned long data;
u32 entry_num;
char name[15];
struct device_attribute dentry;
struct device *dev;
};
struct mlx4_ib_iov_sysfs_attr_ar {
Reported by FlawFinder.
Line: 575
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct mlx4_ib_iov_port {
char name[100];
u8 num;
struct mlx4_ib_dev *dev;
struct list_head list;
struct mlx4_ib_iov_sysfs_attr_ar *dentr_ar;
struct ib_port_attr attr;
Reported by FlawFinder.
drivers/infiniband/hw/mlx5/cong.c
2 issues
Line: 354
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct mlx5_ib_dbg_param *param = filp->private_data;
int offset = param->offset;
char lbuf[11] = { };
u32 var;
int ret;
if (count > sizeof(lbuf))
return -EINVAL;
Reported by FlawFinder.
Line: 380
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int offset = param->offset;
u32 var = 0;
int ret;
char lbuf[11];
ret = mlx5_ib_get_cc_params(param->dev, param->port_num, offset, &var);
if (ret)
return ret;
Reported by FlawFinder.
drivers/infiniband/hw/mlx5/cq.c
2 issues
Line: 1096
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest = get_cqe(cq, (prod_index + nfreed) & cq->ibcq.cqe);
dest64 = (cq->mcq.cqe_sz == 64) ? dest : dest + 64;
owner_bit = dest64->op_own & MLX5_CQE_OWNER_MASK;
memcpy(dest, cqe, cq->mcq.cqe_sz);
dest64->op_own = owner_bit |
(dest64->op_own & ~MLX5_CQE_OWNER_MASK);
}
}
Reported by FlawFinder.
Line: 1231
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(i + 1) & cq->resize_buf->nent);
dcqe64 = dsize == 64 ? dcqe : dcqe + 64;
sw_own = sw_ownership_bit(i + 1, cq->resize_buf->nent);
memcpy(dcqe, scqe, dsize);
dcqe64->op_own = (dcqe64->op_own & ~MLX5_CQE_OWNER_MASK) | sw_own;
++i;
scqe = get_sw_cqe(cq, i);
scqe64 = ssize == 64 ? scqe : scqe + 64;
Reported by FlawFinder.
drivers/infiniband/hw/mlx5/odp.c
2 issues
Line: 352
Column: 42
CWE codes:
120
20
if (MLX5_CAP_ODP(dev->mdev, rc_odp_caps.write))
caps->per_transport_caps.rc_odp_caps |= IB_ODP_SUPPORT_WRITE;
if (MLX5_CAP_ODP(dev->mdev, rc_odp_caps.read))
caps->per_transport_caps.rc_odp_caps |= IB_ODP_SUPPORT_READ;
if (MLX5_CAP_ODP(dev->mdev, rc_odp_caps.atomic))
caps->per_transport_caps.rc_odp_caps |= IB_ODP_SUPPORT_ATOMIC;
Reported by FlawFinder.
Line: 370
Column: 43
CWE codes:
120
20
if (MLX5_CAP_ODP(dev->mdev, xrc_odp_caps.write))
caps->per_transport_caps.xrc_odp_caps |= IB_ODP_SUPPORT_WRITE;
if (MLX5_CAP_ODP(dev->mdev, xrc_odp_caps.read))
caps->per_transport_caps.xrc_odp_caps |= IB_ODP_SUPPORT_READ;
if (MLX5_CAP_ODP(dev->mdev, xrc_odp_caps.atomic))
caps->per_transport_caps.xrc_odp_caps |= IB_ODP_SUPPORT_ATOMIC;
Reported by FlawFinder.
drivers/infiniband/hw/mthca/mthca_av.c
2 issues
Line: 218
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
av->sl_tclass_flowlabel |=
cpu_to_be32((grh->traffic_class << 20) |
grh->flow_label);
memcpy(av->dgid, grh->dgid.raw, 16);
} else {
/* Arbel workaround -- low byte of GID must be 2 */
av->dgid[3] = cpu_to_be32(2);
}
Reported by FlawFinder.
Line: 285
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ah->av->sl_tclass_flowlabel & cpu_to_be32(0xfffff);
header->grh.hop_limit = ah->av->hop_limit;
header->grh.source_gid = ah->ibah.sgid_attr->gid;
memcpy(header->grh.destination_gid.raw,
ah->av->dgid, 16);
}
return 0;
}
Reported by FlawFinder.
drivers/infiniband/hw/mthca/mthca_cq.c
2 issues
Line: 310
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mthca_free_srq_wqe(srq, be32_to_cpu(cqe->wqe));
++nfreed;
} else if (nfreed)
memcpy(get_cqe(cq, (prod_index + nfreed) & cq->ibcq.cqe),
cqe, MTHCA_CQ_ENTRY_SIZE);
}
if (nfreed) {
for (i = 0; i < nfreed; ++i)
Reported by FlawFinder.
Line: 343
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (i = cq->cons_index; cqe_sw(get_cqe(cq, i & cq->ibcq.cqe)); ++i)
memcpy(get_cqe_from_buf(&cq->resize_buf->buf,
i & cq->resize_buf->cqe),
get_cqe(cq, i & cq->ibcq.cqe), MTHCA_CQ_ENTRY_SIZE);
}
int mthca_alloc_cq_buf(struct mthca_dev *dev, struct mthca_cq_buf *buf, int nent)
Reported by FlawFinder.
drivers/infiniband/hw/mthca/mthca_mad.c
2 issues
Line: 158
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mad->mad_hdr.method == IB_MGMT_METHOD_GET_RESP &&
mad->mad_hdr.attr_id == IB_SMP_ATTR_NODE_DESC) {
mutex_lock(&to_mdev(dev)->cap_mask_mutex);
memcpy(((struct ib_smp *) mad)->data, dev->node_desc,
IB_DEVICE_NODE_DESC_MAX);
mutex_unlock(&to_mdev(dev)->cap_mask_mutex);
}
}
Reported by FlawFinder.
Line: 187
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* it's OK for our devices).
*/
spin_lock_irqsave(&dev->sm_lock, flags);
memcpy(send_buf->mad, mad, sizeof *mad);
if ((send_buf->ah = dev->sm_ah[port_num - 1]))
ret = ib_post_send_mad(send_buf, NULL);
else
ret = -EINVAL;
spin_unlock_irqrestore(&dev->sm_lock, flags);
Reported by FlawFinder.
drivers/infiniband/hw/mthca/mthca_qp.c
2 issues
Line: 547
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_be32((rdma_ah_get_sl(ah) << 28) |
(grh->traffic_class << 20) |
(grh->flow_label));
memcpy(path->rgid, grh->dgid.raw, 16);
} else {
path->sl_tclass_flowlabel = cpu_to_be32(rdma_ah_get_sl(ah) <<
28);
}
Reported by FlawFinder.
Line: 1620
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void set_arbel_ud_seg(struct mthca_arbel_ud_seg *useg,
const struct ib_ud_wr *wr)
{
memcpy(useg->av, to_mah(wr->ah)->av, MTHCA_AV_SIZE);
useg->dqpn = cpu_to_be32(wr->remote_qpn);
useg->qkey = cpu_to_be32(wr->remote_qkey);
}
int mthca_tavor_post_send(struct ib_qp *ibqp, const struct ib_send_wr *wr,
Reported by FlawFinder.
drivers/infiniband/hw/ocrdma/ocrdma_hw.h
2 issues
Line: 79
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (; i < (len / sizeof(u32)); i++)
*(dst_ptr + i) = cpu_to_le32p(src_ptr + i);
#else
memcpy(dst, src, len);
#endif
}
static inline void ocrdma_copy_le32_to_cpu(void *dst, void *src, u32 len)
{
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (; i < len / sizeof(u32); i++)
*(dst_ptr + i) = le32_to_cpu(*(src_ptr + i));
#else
memcpy(dst, src, len);
#endif
}
static inline u64 ocrdma_get_db_addr(struct ocrdma_dev *dev, u32 pdid)
{
Reported by FlawFinder.