The following issues were found
Kernel/Bus/USB/UHCI/UHCIRootHub.cpp
7 issues
Line: 151
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
// If index == 0, the actual request is Get Hub Status
// UHCI does not provide "Local Power Source" or "Over-current" and their corresponding change flags.
// The members of hub_status are initialized to 0, so we can memcpy it straight away.
memcpy(request_data, (void*)&hub_status, length);
break;
}
// If index != 0, the actual request is Get Port Status
m_uhci_controller->get_port_status({}, request.index - 1, hub_status);
Reported by FlawFinder.
Line: 157
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
// If index != 0, the actual request is Get Port Status
m_uhci_controller->get_port_status({}, request.index - 1, hub_status);
memcpy(request_data, (void*)&hub_status, length);
break;
}
case HubRequest::GET_DESCRIPTOR: {
u8 descriptor_type = request.value >> 8;
switch (descriptor_type) {
Reported by FlawFinder.
Line: 166
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case DESCRIPTOR_TYPE_DEVICE:
length = min(transfer.transfer_data_size(), sizeof(USBDeviceDescriptor));
VERIFY(length <= sizeof(USBDeviceDescriptor));
memcpy(request_data, (void*)&uhci_root_hub_device_descriptor, length);
break;
case DESCRIPTOR_TYPE_CONFIGURATION:
length = min(transfer.transfer_data_size(), sizeof(USBConfigurationDescriptor));
VERIFY(length <= sizeof(USBConfigurationDescriptor));
memcpy(request_data, (void*)&uhci_root_hub_configuration_descriptor, length);
Reported by FlawFinder.
Line: 171
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case DESCRIPTOR_TYPE_CONFIGURATION:
length = min(transfer.transfer_data_size(), sizeof(USBConfigurationDescriptor));
VERIFY(length <= sizeof(USBConfigurationDescriptor));
memcpy(request_data, (void*)&uhci_root_hub_configuration_descriptor, length);
break;
case DESCRIPTOR_TYPE_INTERFACE:
length = min(transfer.transfer_data_size(), sizeof(USBInterfaceDescriptor));
VERIFY(length <= sizeof(USBInterfaceDescriptor));
memcpy(request_data, (void*)&uhci_root_hub_interface_descriptor, length);
Reported by FlawFinder.
Line: 176
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case DESCRIPTOR_TYPE_INTERFACE:
length = min(transfer.transfer_data_size(), sizeof(USBInterfaceDescriptor));
VERIFY(length <= sizeof(USBInterfaceDescriptor));
memcpy(request_data, (void*)&uhci_root_hub_interface_descriptor, length);
break;
case DESCRIPTOR_TYPE_ENDPOINT:
length = min(transfer.transfer_data_size(), sizeof(USBEndpointDescriptor));
VERIFY(length <= sizeof(USBEndpointDescriptor));
memcpy(request_data, (void*)&uhci_root_hub_endpoint_descriptor, length);
Reported by FlawFinder.
Line: 181
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case DESCRIPTOR_TYPE_ENDPOINT:
length = min(transfer.transfer_data_size(), sizeof(USBEndpointDescriptor));
VERIFY(length <= sizeof(USBEndpointDescriptor));
memcpy(request_data, (void*)&uhci_root_hub_endpoint_descriptor, length);
break;
case DESCRIPTOR_TYPE_HUB:
length = min(transfer.transfer_data_size(), sizeof(USBHubDescriptor));
VERIFY(length <= sizeof(USBHubDescriptor));
memcpy(request_data, (void*)&uhci_root_hub_hub_descriptor, length);
Reported by FlawFinder.
Line: 186
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case DESCRIPTOR_TYPE_HUB:
length = min(transfer.transfer_data_size(), sizeof(USBHubDescriptor));
VERIFY(length <= sizeof(USBHubDescriptor));
memcpy(request_data, (void*)&uhci_root_hub_hub_descriptor, length);
break;
default:
return EINVAL;
}
break;
Reported by FlawFinder.
Tests/LibC/TestLibCMkTemp.cpp
7 issues
Line: 26
Column: 50
CWE codes:
377
if (fork() == 0) {
char path[] = "/tmp/test.mktemp.XXXXXX";
auto temp_path = String::formatted("{}", mktemp(path));
EXPECT(temp_path.characters());
unlink(path);
memcpy(&ptr[0], temp_path.characters(), temp_path.length());
Reported by FlawFinder.
Line: 39
Column: 46
CWE codes:
377
auto path1 = String::formatted("{}", reinterpret_cast<const char*>(ptr));
char path[] = "/tmp/test.mktemp.XXXXXX";
auto path2 = String::formatted("{}", mktemp(path));
EXPECT(path2.characters());
unlink(path);
EXPECT_NE(path1, path2);
}
Reported by FlawFinder.
Line: 30
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
EXPECT(temp_path.characters());
unlink(path);
memcpy(&ptr[0], temp_path.characters(), temp_path.length());
exit(EXIT_SUCCESS);
} else {
wait(NULL);
Reported by FlawFinder.
Line: 60
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
EXPECT(temp_path.characters());
rmdir(path);
memcpy(&ptr[0], temp_path.characters(), temp_path.length());
exit(EXIT_SUCCESS);
} else {
wait(NULL);
Reported by FlawFinder.
Line: 86
Column: 19
CWE codes:
377
if (fork() == 0) {
char path[] = "/tmp/test.mkstemp.XXXXXX";
auto fd = mkstemp(path);
EXPECT_NE(fd, -1);
auto temp_path = Core::File::read_link(String::formatted("/proc/{}/fd/{}", getpid(), fd));
EXPECT(temp_path.characters());
Reported by FlawFinder.
Line: 95
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
close(fd);
unlink(path);
memcpy(&ptr[0], temp_path.characters(), temp_path.length());
exit(EXIT_SUCCESS);
} else {
wait(NULL);
Reported by FlawFinder.
Line: 104
Column: 19
CWE codes:
377
auto path1 = String::formatted("{}", reinterpret_cast<const char*>(ptr));
char path[] = "/tmp/test.mkstemp.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
auto path2 = Core::File::read_link(String::formatted("/proc/{}/fd/{}", getpid(), fd));
EXPECT(path2.characters());
Reported by FlawFinder.
Userland/Libraries/LibWebSocket/WebSocket.cpp
7 issues
Line: 121
Column: 43
CWE codes:
120
20
case InternalState::NotStarted:
case InternalState::EstablishingProtocolConnection:
case InternalState::SendingClientHandshake: {
auto initializing_bytes = m_impl->read(1024);
dbgln("drain_read() was called on a websocket that isn't opened yet. Read {} bytes from the socket.", initializing_bytes.size());
} break;
case InternalState::WaitingForServerHandshake: {
read_server_handshake();
} break;
Reported by FlawFinder.
Line: 133
Column: 37
CWE codes:
120
20
} break;
case InternalState::Closed:
case InternalState::Errored: {
auto closed_bytes = m_impl->read(1024);
dbgln("drain_read() was called on a closed websocket. Read {} bytes from the socket.", closed_bytes.size());
} break;
default:
VERIFY_NOT_REACHED();
}
Reported by FlawFinder.
Line: 369
Column: 31
CWE codes:
120
20
VERIFY(m_impl);
VERIFY(m_state == WebSocket::InternalState::Open || m_state == WebSocket::InternalState::Closing);
auto head_bytes = m_impl->read(2);
if (head_bytes.size() == 0) {
// The connection got closed.
m_state = WebSocket::InternalState::Closed;
notify_close(m_last_close_code, m_last_close_message, true);
discard_connection();
Reported by FlawFinder.
Line: 393
Column: 37
CWE codes:
120
20
auto payload_length_bits = head_bytes[1] & 0x7f;
if (payload_length_bits == 127) {
// A code of 127 means that the next 8 bytes contains the payload length
auto actual_bytes = m_impl->read(8);
VERIFY(actual_bytes.size() == 8);
u64 full_payload_length = (u64)((u64)(actual_bytes[0] & 0xff) << 56)
| (u64)((u64)(actual_bytes[1] & 0xff) << 48)
| (u64)((u64)(actual_bytes[2] & 0xff) << 40)
| (u64)((u64)(actual_bytes[3] & 0xff) << 32)
Reported by FlawFinder.
Line: 407
Column: 37
CWE codes:
120
20
payload_length = (size_t)full_payload_length;
} else if (payload_length_bits == 126) {
// A code of 126 means that the next 2 bytes contains the payload length
auto actual_bytes = m_impl->read(2);
VERIFY(actual_bytes.size() == 2);
payload_length = (size_t)((size_t)(actual_bytes[0] & 0xff) << 8)
| (size_t)((size_t)(actual_bytes[1] & 0xff) << 0);
} else {
payload_length = (size_t)payload_length_bits;
Reported by FlawFinder.
Line: 423
Column: 41
CWE codes:
120
20
// But because it doesn't cost much, we can support receiving masked frames anyways.
u8 masking_key[4];
if (is_masked) {
auto masking_key_data = m_impl->read(4);
VERIFY(masking_key_data.size() == 4);
masking_key[0] = masking_key_data[0];
masking_key[1] = masking_key_data[1];
masking_key[2] = masking_key_data[2];
masking_key[3] = masking_key_data[3];
Reported by FlawFinder.
Line: 434
Column: 37
CWE codes:
120
20
auto payload = ByteBuffer::create_uninitialized(payload_length);
u64 read_length = 0;
while (read_length < payload_length) {
auto payload_part = m_impl->read(payload_length - read_length);
if (payload_part.size() == 0) {
// We got disconnected, somehow.
dbgln("Websocket: Server disconnected while sending payload ({} bytes read out of {})", read_length, payload_length);
fatal_error(WebSocket::Error::ServerClosedSocket);
return;
Reported by FlawFinder.
Kernel/Syscalls/execve.cpp
7 issues
Line: 719
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
// FIXME: Also take into account things like extended filesystem permissions? That's what linux does...
auxv.append({ ELF::AuxiliaryValue::Secure, ((uid != euid) || (gid != egid)) ? 1 : 0 });
char random_bytes[16] {};
get_fast_random_bytes((u8*)random_bytes, sizeof(random_bytes));
auxv.append({ ELF::AuxiliaryValue::Random, String(random_bytes, sizeof(random_bytes)) });
auxv.append({ ELF::AuxiliaryValue::ExecFilename, executable_path });
Reported by FlawFinder.
Line: 778
Column: 55
CWE codes:
362
if (!interpreter_path.is_empty()) {
dbgln_if(EXEC_DEBUG, "exec({}): Using program interpreter {}", path, interpreter_path);
auto interp_result = VirtualFileSystem::the().open(interpreter_path, O_EXEC, 0, current_directory());
if (interp_result.is_error()) {
dbgln("exec({}): Unable to open program interpreter {}", path, interpreter_path);
return interp_result.error();
}
auto interpreter_description = interp_result.value();
Reported by FlawFinder.
Line: 793
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (interp_metadata.size < (int)sizeof(ElfW(Ehdr)))
return ENOEXEC;
char first_page[PAGE_SIZE] = {};
auto first_page_buffer = UserOrKernelBuffer::for_kernel_buffer((u8*)&first_page);
auto nread_or_error = interpreter_description->read(first_page_buffer, sizeof(first_page));
if (nread_or_error.is_error())
return ENOEXEC;
nread = nread_or_error.value();
Reported by FlawFinder.
Line: 854
Column: 51
CWE codes:
362
// * ET_EXEC binary that just gets loaded
// * ET_DYN binary that requires a program interpreter
//
auto file_or_error = VirtualFileSystem::the().open(path, O_EXEC, 0, current_directory());
if (file_or_error.is_error())
return file_or_error.error();
auto description = file_or_error.release_value();
auto metadata = description->metadata();
Reported by FlawFinder.
Line: 870
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
VERIFY(description->inode());
// Read the first page of the program into memory so we can validate the binfmt of it
char first_page[PAGE_SIZE];
auto first_page_buffer = UserOrKernelBuffer::for_kernel_buffer((u8*)&first_page);
auto nread_or_error = description->read(first_page_buffer, sizeof(first_page));
if (nread_or_error.is_error())
return ENOEXEC;
Reported by FlawFinder.
Line: 795
Column: 56
CWE codes:
120
20
char first_page[PAGE_SIZE] = {};
auto first_page_buffer = UserOrKernelBuffer::for_kernel_buffer((u8*)&first_page);
auto nread_or_error = interpreter_description->read(first_page_buffer, sizeof(first_page));
if (nread_or_error.is_error())
return ENOEXEC;
nread = nread_or_error.value();
if (nread < (int)sizeof(ElfW(Ehdr)))
Reported by FlawFinder.
Line: 872
Column: 40
CWE codes:
120
20
// Read the first page of the program into memory so we can validate the binfmt of it
char first_page[PAGE_SIZE];
auto first_page_buffer = UserOrKernelBuffer::for_kernel_buffer((u8*)&first_page);
auto nread_or_error = description->read(first_page_buffer, sizeof(first_page));
if (nread_or_error.is_error())
return ENOEXEC;
// 1) #! interpreted file
auto shebang_result = find_shebang_interpreter_for_executable(first_page, nread_or_error.value());
Reported by FlawFinder.
Userland/Utilities/cal.cpp
7 issues
Line: 17
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const int line_count = 8;
const int column_width = 22;
char print_buffer[line_width * line_count];
char temp_buffer[line_width * 8];
int target_day;
int current_year;
Reported by FlawFinder.
Line: 18
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const int column_width = 22;
char print_buffer[line_width * line_count];
char temp_buffer[line_width * 8];
int target_day;
int current_year;
int current_month;
Reported by FlawFinder.
Line: 39
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int printing_row = 0;
// FIXME: Both the month name and month header text should be provided by a locale
sprintf(temp_buffer, " %02u - %04u ", month, year);
append_to_print(print_buffer, printing_row, printing_column, temp_buffer);
printing_row++;
sprintf(temp_buffer, "Su Mo Tu We Th Fr Sa");
append_to_print(print_buffer, printing_row, printing_column, temp_buffer);
Reported by FlawFinder.
Line: 43
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
append_to_print(print_buffer, printing_row, printing_column, temp_buffer);
printing_row++;
sprintf(temp_buffer, "Su Mo Tu We Th Fr Sa");
append_to_print(print_buffer, printing_row, printing_column, temp_buffer);
printing_row++;
int day_to_print = 1;
auto date_time = Core::DateTime::create(year, month, 1);
int first_day_of_week_for_month = date_time.weekday();
Reported by FlawFinder.
Line: 53
Column: 35
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int last_written_chars = 0;
for (int i = 1; day_to_print <= days_in_the_month; ++i) {
if (i - 1 < first_day_of_week_for_month) {
last_written_chars += sprintf(temp_buffer + last_written_chars, " ");
} else {
if (year == current_year && month == current_month && target_day == day_to_print) {
// FIXME: To replicate Unix cal it would be better to use "\x1b[30;47m%2d\x1b[0m " in here instead of *.
// However, doing that messes up the layout.
last_written_chars += sprintf(temp_buffer + last_written_chars, "%2d*", day_to_print);
Reported by FlawFinder.
Line: 58
Column: 39
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (year == current_year && month == current_month && target_day == day_to_print) {
// FIXME: To replicate Unix cal it would be better to use "\x1b[30;47m%2d\x1b[0m " in here instead of *.
// However, doing that messes up the layout.
last_written_chars += sprintf(temp_buffer + last_written_chars, "%2d*", day_to_print);
} else {
last_written_chars += sprintf(temp_buffer + last_written_chars, "%2d ", day_to_print);
}
day_to_print++;
}
Reported by FlawFinder.
Line: 60
Column: 39
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
// However, doing that messes up the layout.
last_written_chars += sprintf(temp_buffer + last_written_chars, "%2d*", day_to_print);
} else {
last_written_chars += sprintf(temp_buffer + last_written_chars, "%2d ", day_to_print);
}
day_to_print++;
}
append_to_print(print_buffer, printing_row, printing_column, temp_buffer);
Reported by FlawFinder.
Userland/Utilities/run-tests.cpp
7 issues
Line: 70
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
{
Vector<String> paths;
Test::iterate_directory_recursively(m_test_root, [&](const String& file_path) {
if (access(file_path.characters(), R_OK | X_OK) != 0)
return;
auto result = m_exclude_regex.match(file_path, PosixFlags::Global);
if (!result.success) // must NOT match the regex to be a valid test file
paths.append(file_path);
});
Reported by FlawFinder.
Line: 308
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
test_glob = String::formatted("*{}*", test_glob);
if (getenv("DISABLE_DBG_OUTPUT")) {
AK::set_debug_enabled(false);
}
String test_root;
Reported by FlawFinder.
Line: 167
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret = lseek(test_result.stdout_err_fd, 0, SEEK_SET);
VERIFY(ret == 0);
for (;;) {
char buf[32768];
ssize_t nread = read(test_result.stdout_err_fd, buf, sizeof(buf));
if (nread == 0)
break;
if (nread < 0) {
perror("read");
Reported by FlawFinder.
Line: 203
Column: 30
CWE codes:
377
posix_spawn_file_actions_t file_actions;
posix_spawn_file_actions_init(&file_actions);
char child_out_err_path[] = "/tmp/run-tests.XXXXXX";
int child_out_err_file = mkstemp(child_out_err_path);
VERIFY(child_out_err_file >= 0);
String dirname = path_for_test.dirname();
String basename = path_for_test.basename();
Reported by FlawFinder.
Line: 262
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef SIGINFO
signal(SIGINFO, [](int) {
static char buffer[4096];
auto& counts = ::Test::TestRunner::the()->counts();
int len = snprintf(buffer, sizeof(buffer), "Pass: %d, Fail: %d, Skip: %d\nCurrent test: %s\n", counts.tests_passed, counts.tests_failed, counts.tests_skipped, g_currently_running_test.characters());
write(STDOUT_FILENO, buffer, len);
});
#endif
Reported by FlawFinder.
Line: 332
Column: 103
CWE codes:
362
return 1;
}
auto config = config_file.is_empty() ? Core::ConfigFile::get_for_app("Tests") : Core::ConfigFile::open(config_file);
if (config->num_groups() == 0)
warnln("Empty configuration file ({}) loaded!", config_file.is_empty() ? "User config for Tests" : config_file.characters());
if (exclude_pattern.is_empty())
exclude_pattern = config->read_entry("Global", "NotTestsPattern", "$^"); // default is match nothing (aka match end then beginning)
Reported by FlawFinder.
Line: 168
Column: 29
CWE codes:
120
20
VERIFY(ret == 0);
for (;;) {
char buf[32768];
ssize_t nread = read(test_result.stdout_err_fd, buf, sizeof(buf));
if (nread == 0)
break;
if (nread < 0) {
perror("read");
break;
Reported by FlawFinder.
Kernel/Net/IPv4Socket.cpp
7 issues
Line: 96
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void IPv4Socket::get_local_address(sockaddr* address, socklen_t* address_size)
{
sockaddr_in local_address = { AF_INET, htons(m_local_port), { m_local_address.to_in_addr_t() }, { 0 } };
memcpy(address, &local_address, min(static_cast<size_t>(*address_size), sizeof(sockaddr_in)));
*address_size = sizeof(sockaddr_in);
}
void IPv4Socket::get_peer_address(sockaddr* address, socklen_t* address_size)
{
Reported by FlawFinder.
Line: 103
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void IPv4Socket::get_peer_address(sockaddr* address, socklen_t* address_size)
{
sockaddr_in peer_address = { AF_INET, htons(m_peer_port), { m_peer_address.to_in_addr_t() }, { 0 } };
memcpy(address, &peer_address, min(static_cast<size_t>(*address_size), sizeof(sockaddr_in)));
*address_size = sizeof(sockaddr_in);
}
KResult IPv4Socket::bind(Userspace<const sockaddr*> user_address, socklen_t address_size)
{
Reported by FlawFinder.
Line: 367
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dbgln_if(IPV4_SOCKET_DEBUG, "Incoming packet is from: {}:{}", packet.peer_address, packet.peer_port);
sockaddr_in out_addr {};
memcpy(&out_addr.sin_addr, &packet.peer_address, sizeof(IPv4Address));
out_addr.sin_port = htons(packet.peer_port);
out_addr.sin_family = AF_INET;
Userspace<sockaddr_in*> dest_addr = addr.ptr();
if (!copy_to_user(dest_addr, &out_addr))
return set_so_error(EFAULT);
Reported by FlawFinder.
Line: 656
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!copy_from_user(&ifr, user_ifr))
return EFAULT;
char namebuf[IFNAMSIZ + 1];
memcpy(namebuf, ifr.ifr_name, IFNAMSIZ);
namebuf[sizeof(namebuf) - 1] = '\0';
auto adapter = NetworkingManagement::the().lookup_by_name(namebuf);
if (!adapter)
Reported by FlawFinder.
Line: 657
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return EFAULT;
char namebuf[IFNAMSIZ + 1];
memcpy(namebuf, ifr.ifr_name, IFNAMSIZ);
namebuf[sizeof(namebuf) - 1] = '\0';
auto adapter = NetworkingManagement::the().lookup_by_name(namebuf);
if (!adapter)
return ENODEV;
Reported by FlawFinder.
Line: 247
Column: 19
CWE codes:
120
20
return set_so_error(ENOMEM);
routing_decision.adapter->fill_in_ipv4_header(*packet, local_address(), routing_decision.next_hop,
m_peer_address, (IPv4Protocol)protocol(), data_length, m_ttl);
if (!data.read(packet->buffer->data() + ipv4_payload_offset, data_length)) {
routing_decision.adapter->release_packet_buffer(*packet);
return set_so_error(EFAULT);
}
routing_decision.adapter->send_packet(packet->bytes());
routing_decision.adapter->release_packet_buffer(*packet);
Reported by FlawFinder.
Line: 289
Column: 48
CWE codes:
120
20
if (flags & MSG_PEEK)
nreceived_or_error = m_receive_buffer->peek(buffer, buffer_length);
else
nreceived_or_error = m_receive_buffer->read(buffer, buffer_length);
if (!nreceived_or_error.is_error() && nreceived_or_error.value() > 0 && !(flags & MSG_PEEK))
Thread::current()->did_ipv4_socket_read(nreceived_or_error.value());
set_can_read(!m_receive_buffer->is_empty());
Reported by FlawFinder.
Tests/Kernel/TestProcFS.cpp
7 issues
Line: 46
Column: 24
CWE codes:
362
20
Suggestion:
Reconsider approach
char buf[MAXPATHLEN];
// Read the symlink for stdin, stdout and stderr
auto link_length = readlink("/proc/self/fd/0", expected_link, sizeof(expected_link));
expected_link[link_length] = '\0';
// 255 is the first broken file descriptor that was discovered and might be used by other software (e.g. bash)
auto new_fd = dup2(0, 255);
EXPECT_EQ(new_fd, 255);
Reported by FlawFinder.
Line: 52
Column: 19
CWE codes:
362
20
Suggestion:
Reconsider approach
// 255 is the first broken file descriptor that was discovered and might be used by other software (e.g. bash)
auto new_fd = dup2(0, 255);
EXPECT_EQ(new_fd, 255);
link_length = readlink("/proc/self/fd/255", buf, sizeof(buf));
buf[link_length] = '\0';
EXPECT_EQ(0, strcmp(buf, expected_link));
// 215 is the last fd before we have to encode the fd using more than one byte (due to the offset by FI_MaxStaticFileIndex)
new_fd = dup2(0, 215);
Reported by FlawFinder.
Line: 59
Column: 19
CWE codes:
362
20
Suggestion:
Reconsider approach
// 215 is the last fd before we have to encode the fd using more than one byte (due to the offset by FI_MaxStaticFileIndex)
new_fd = dup2(0, 215);
EXPECT_EQ(new_fd, 215);
link_length = readlink("/proc/self/fd/215", buf, sizeof(buf));
buf[link_length] = '\0';
EXPECT_EQ(0, strcmp(buf, expected_link));
// 216 is the first fd that is encoded using more than one byte
new_fd = dup2(0, 216);
Reported by FlawFinder.
Line: 66
Column: 19
CWE codes:
362
20
Suggestion:
Reconsider approach
// 216 is the first fd that is encoded using more than one byte
new_fd = dup2(0, 216);
EXPECT_EQ(new_fd, 216);
link_length = readlink("/proc/self/fd/216", buf, sizeof(buf));
buf[link_length] = '\0';
EXPECT_EQ(0, strcmp(buf, expected_link));
// 1023 is the largest possible file descriptor
new_fd = dup2(0, 1023);
Reported by FlawFinder.
Line: 73
Column: 19
CWE codes:
362
20
Suggestion:
Reconsider approach
// 1023 is the largest possible file descriptor
new_fd = dup2(0, 1023);
EXPECT_EQ(new_fd, 1023);
link_length = readlink("/proc/self/fd/1023", buf, sizeof(buf));
buf[link_length] = '\0';
EXPECT_EQ(0, strcmp(buf, expected_link));
}
Reported by FlawFinder.
Line: 42
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
// Create a new file descriptor that is a dup of 0 with various big values in order to reproduce issue #7820.
// We should get the same link value for each fd that was duplicated.
char expected_link[MAXPATHLEN];
char buf[MAXPATHLEN];
// Read the symlink for stdin, stdout and stderr
auto link_length = readlink("/proc/self/fd/0", expected_link, sizeof(expected_link));
expected_link[link_length] = '\0';
Reported by FlawFinder.
Line: 43
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
// Create a new file descriptor that is a dup of 0 with various big values in order to reproduce issue #7820.
// We should get the same link value for each fd that was duplicated.
char expected_link[MAXPATHLEN];
char buf[MAXPATHLEN];
// Read the symlink for stdin, stdout and stderr
auto link_length = readlink("/proc/self/fd/0", expected_link, sizeof(expected_link));
expected_link[link_length] = '\0';
Reported by FlawFinder.
Userland/Applications/IRCClient/IRCWindow.h
7 issues
Line: 18
class IRCLogBuffer;
class IRCWindow : public GUI::Widget {
C_OBJECT(IRCWindow)
public:
enum Type {
Server,
Channel,
Query,
Reported by Cppcheck.
Line: 18
class IRCLogBuffer;
class IRCWindow : public GUI::Widget {
C_OBJECT(IRCWindow)
public:
enum Type {
Server,
Channel,
Query,
Reported by Cppcheck.
Line: 18
class IRCLogBuffer;
class IRCWindow : public GUI::Widget {
C_OBJECT(IRCWindow)
public:
enum Type {
Server,
Channel,
Query,
Reported by Cppcheck.
Line: 18
class IRCLogBuffer;
class IRCWindow : public GUI::Widget {
C_OBJECT(IRCWindow)
public:
enum Type {
Server,
Channel,
Query,
Reported by Cppcheck.
Line: 18
class IRCLogBuffer;
class IRCWindow : public GUI::Widget {
C_OBJECT(IRCWindow)
public:
enum Type {
Server,
Channel,
Query,
Reported by Cppcheck.
Line: 18
class IRCLogBuffer;
class IRCWindow : public GUI::Widget {
C_OBJECT(IRCWindow)
public:
enum Type {
Server,
Channel,
Query,
Reported by Cppcheck.
Line: 18
class IRCLogBuffer;
class IRCWindow : public GUI::Widget {
C_OBJECT(IRCWindow)
public:
enum Type {
Server,
Channel,
Query,
Reported by Cppcheck.
Userland/Libraries/LibGfx/PNGLoader.cpp
7 issues
Line: 146
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (m_size_remaining < count)
return false;
memcpy(buffer, m_data_ptr, count);
m_data_ptr += count;
m_size_remaining -= count;
return true;
}
Reported by FlawFinder.
Line: 393
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 6:
if (context.bit_depth == 8) {
for (int y = 0; y < context.height; ++y) {
memcpy(context.bitmap->scanline(y), context.scanlines[y].data.data(), context.scanlines[y].data.size());
}
} else if (context.bit_depth == 16) {
for (int y = 0; y < context.height; ++y) {
auto* triplets = reinterpret_cast<const Quad<u16>*>(context.scanlines[y].data.data());
for (int i = 0; i < context.width; ++i) {
Reported by FlawFinder.
Line: 132
Column: 10
CWE codes:
120
20
}
template<typename T>
bool read(T& value)
{
if (m_size_remaining < sizeof(T))
return false;
value = *((const NetworkOrdered<T>*)m_data_ptr);
m_data_ptr += sizeof(T);
Reported by FlawFinder.
Line: 586
Column: 23
CWE codes:
120
20
for (int y = 0; y < context.height; ++y) {
u8 filter;
if (!streamer.read(filter)) {
context.state = PNGLoadingContext::State::Error;
return false;
}
if (filter > 4) {
Reported by FlawFinder.
Line: 688
Column: 23
CWE codes:
120
20
subimage_context.scanlines.clear_with_capacity();
for (int y = 0; y < subimage_context.height; ++y) {
u8 filter;
if (!streamer.read(filter)) {
context.state = PNGLoadingContext::State::Error;
return false;
}
if (filter > 4) {
Reported by FlawFinder.
Line: 907
Column: 19
CWE codes:
120
20
static bool process_chunk(Streamer& streamer, PNGLoadingContext& context)
{
u32 chunk_size;
if (!streamer.read(chunk_size)) {
dbgln_if(PNG_DEBUG, "Bail at chunk_size");
return false;
}
u8 chunk_type[5];
chunk_type[4] = '\0';
Reported by FlawFinder.
Line: 923
Column: 19
CWE codes:
120
20
return false;
}
u32 chunk_crc;
if (!streamer.read(chunk_crc)) {
dbgln_if(PNG_DEBUG, "Bail at chunk_crc");
return false;
}
dbgln_if(PNG_DEBUG, "Chunk type: '{}', size: {}, crc: {:x}", chunk_type, chunk_size, chunk_crc);
Reported by FlawFinder.