The following issues were found
drivers/scsi/pmcraid.c
14 issues
Line: 1075
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pmcraid_info("HRRQ_IDENTIFY with hrrq:ioarcb:index => %llx:%llx:%x\n",
hrrq_addr, ioarcb->ioarcb_bus_addr, index);
memcpy(&(ioarcb->cdb[2]), &hrrq_addr, sizeof(hrrq_addr));
memcpy(&(ioarcb->cdb[10]), &hrrq_size, sizeof(hrrq_size));
/* Subsequent commands require HRRQ identification to be successful.
* Note that this gets called even during reset from SCSI mid-layer
* or tasklet
Reported by FlawFinder.
Line: 1076
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hrrq_addr, ioarcb->ioarcb_bus_addr, index);
memcpy(&(ioarcb->cdb[2]), &hrrq_addr, sizeof(hrrq_addr));
memcpy(&(ioarcb->cdb[10]), &hrrq_size, sizeof(hrrq_size));
/* Subsequent commands require HRRQ identification to be successful.
* Note that this gets called even during reset from SCSI mid-layer
* or tasklet
*/
Reported by FlawFinder.
Line: 1223
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(ioarcb->cdb, 0, PMCRAID_MAX_CDB_LEN);
ioarcb->cdb[0] = PMCRAID_ABORT_CMD;
memcpy(&(ioarcb->cdb[2]), &ioarcb_addr, sizeof(ioarcb_addr));
}
/**
* pmcraid_cancel_hcam - sends ABORT task to abort a given HCAM
*
Reported by FlawFinder.
Line: 1614
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list_add_tail(&res->queue, &pinstance->used_res_q);
}
memcpy(&res->cfg_entry, cfg_entry, pinstance->config_table_entry_size);
if (pinstance->ccn.hcam->notification_type ==
NOTIFICATION_TYPE_ENTRY_DELETED || hidden_entry) {
if (res->scsi_dev) {
if (fw_version <= PMCRAID_FW_VERSION_1)
Reported by FlawFinder.
Line: 2653
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int data_size = min_t(u16, sense_len,
SCSI_SENSE_BUFFERSIZE);
memcpy(scsi_cmd->sense_buffer,
ioasa->sense_data,
data_size);
sense_copied = true;
}
Reported by FlawFinder.
Line: 3368
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->scsi_cmd = scsi_cmd;
ioarcb = &(cmd->ioa_cb->ioarcb);
memcpy(ioarcb->cdb, scsi_cmd->cmnd, scsi_cmd->cmd_len);
ioarcb->resource_handle = res->cfg_entry.resource_handle;
ioarcb->request_type = REQ_TYPE_SCSI;
/* set hrrq number where the IOA should respond to. Note that all cmds
* generated internally uses hrrq_id 0, exception to this is the cmd
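Reported by FlawFinder.
Triage note: the copy length is scsi_cmd->cmd_len, not the size of the destination. Other excerpts from this file use PMCRAID_MAX_CDB_LEN as the length of ioarcb->cdb, and this excerpt does not show cmd_len being checked against it, so confirm where that bound is enforced before closing the finding.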
Line: 3664
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ioarcb->request_type = buffer->ioarcb.request_type;
ioarcb->request_flags0 = buffer->ioarcb.request_flags0;
ioarcb->request_flags1 = buffer->ioarcb.request_flags1;
memcpy(ioarcb->cdb, buffer->ioarcb.cdb, PMCRAID_MAX_CDB_LEN);
if (buffer->ioarcb.add_cmd_param_length) {
ioarcb->add_cmd_param_length =
buffer->ioarcb.add_cmd_param_length;
ioarcb->add_cmd_param_offset =
Reported by FlawFinder.
Line: 3671
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buffer->ioarcb.add_cmd_param_length;
ioarcb->add_cmd_param_offset =
buffer->ioarcb.add_cmd_param_offset;
memcpy(ioarcb->add_data.u.add_cmd_params,
buffer->ioarcb.add_data.u.add_cmd_params,
le16_to_cpu(buffer->ioarcb.add_cmd_param_length));
}
/* set hrrq number where the IOA should respond to. Note that all cmds
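Reported by FlawFinder.
Triage note: the length is add_cmd_param_length, read from the same buffer that supplies the data. The excerpt shows no upper bound against the size of ioarcb->add_data.u.add_cmd_params, so review how buffer is validated earlier in the function before treating this as benign.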
Line: 4601
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int i;
sprintf(pinstance->cmd_pool_name, "pmcraid_cmd_pool_%d",
pinstance->host->unique_id);
pinstance->cmd_cachep = kmem_cache_create(
pinstance->cmd_pool_name,
Reported by FlawFinder.
Line: 4637
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int i;
sprintf(pinstance->ctl_pool_name, "pmcraid_control_pool_%d",
pinstance->host->unique_id);
pinstance->control_pool =
dma_pool_create(pinstance->ctl_pool_name,
&pinstance->pdev->dev,
Reported by FlawFinder.
drivers/infiniband/hw/mlx4/mad.c
14 issues
Line: 130
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return PTR_ERR(outmailbox);
}
memcpy(inbox, in_mad, 256);
/*
* Key check traps can't be generated unless we have in_wc to
* tell us where to send the trap.
*/
Reported by FlawFinder.
Line: 168
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ext_info->pkey = cpu_to_be16(in_wc->pkey_index);
if (in_grh)
memcpy(ext_info->grh, in_grh, 40);
op_modifier |= 0x4;
in_modifier |= ib_lid_cpu16(in_wc->slid) << 16;
}
Reported by FlawFinder.
Line: 181
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(op_modifier & 0x8) ? MLX4_CMD_NATIVE : MLX4_CMD_WRAPPED);
if (!err)
memcpy(response_mad, outmailbox->buf, 256);
mlx4_free_cmd_mailbox(dev->dev, inmailbox);
mlx4_free_cmd_mailbox(dev->dev, outmailbox);
return err;
Reported by FlawFinder.
Line: 377
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mad->mad_hdr.method == IB_MGMT_METHOD_GET_RESP &&
mad->mad_hdr.attr_id == IB_SMP_ATTR_NODE_DESC) {
spin_lock_irqsave(&to_mdev(dev)->sm_lock, flags);
memcpy(((struct ib_smp *) mad)->data, dev->node_desc,
IB_DEVICE_NODE_DESC_MAX);
spin_unlock_irqrestore(&to_mdev(dev)->sm_lock, flags);
}
}
Reported by FlawFinder.
Line: 405
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* it's OK for our devices).
*/
spin_lock_irqsave(&dev->sm_lock, flags);
memcpy(send_buf->mad, mad, sizeof *mad);
if ((send_buf->ah = dev->sm_ah[port_num - 1]))
ret = ib_post_send_mad(send_buf, NULL);
else
ret = -EINVAL;
spin_unlock_irqrestore(&dev->sm_lock, flags);
Reported by FlawFinder.
Line: 614
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy over to tunnel buffer */
if (grh)
memcpy(&tun_mad->grh, grh, sizeof *grh);
memcpy(&tun_mad->mad, mad, sizeof *mad);
/* adjust tunnel data */
tun_mad->hdr.pkey_index = cpu_to_be16(tun_pkey_ix);
tun_mad->hdr.flags_src_qp = cpu_to_be32(wc->src_qp & 0xFFFFFF);
Reported by FlawFinder.
Line: 615
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy over to tunnel buffer */
if (grh)
memcpy(&tun_mad->grh, grh, sizeof *grh);
memcpy(&tun_mad->mad, mad, sizeof *mad);
/* adjust tunnel data */
tun_mad->hdr.pkey_index = cpu_to_be16(tun_pkey_ix);
tun_mad->hdr.flags_src_qp = cpu_to_be32(wc->src_qp & 0xFFFFFF);
tun_mad->hdr.g_ml_path = (grh && (wc->wc_flags & IB_WC_GRH)) ? 0x80 : 0;
Reported by FlawFinder.
Line: 642
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
tun_mad->hdr.sl_vid = cpu_to_be16(vlan);
memcpy((char *)&tun_mad->hdr.mac_31_0, &(wc->smac[0]), 4);
memcpy((char *)&tun_mad->hdr.slid_mac_47_32, &(wc->smac[4]), 2);
} else {
tun_mad->hdr.sl_vid = cpu_to_be16(((u16)(wc->sl)) << 12);
tun_mad->hdr.slid_mac_47_32 = ib_lid_be16(wc->slid);
}
Reported by FlawFinder.
Line: 643
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tun_mad->hdr.sl_vid = cpu_to_be16(vlan);
memcpy((char *)&tun_mad->hdr.mac_31_0, &(wc->smac[0]), 4);
memcpy((char *)&tun_mad->hdr.slid_mac_47_32, &(wc->smac[4]), 2);
} else {
tun_mad->hdr.sl_vid = cpu_to_be16(((u16)(wc->sl)) << 12);
tun_mad->hdr.slid_mac_47_32 = ib_lid_be16(wc->slid);
}
Reported by FlawFinder.
Line: 932
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ib_class_port_info cpi = {};
cpi.capability_mask = IB_PMA_CLASS_CAP_EXT_WIDTH;
memcpy(out_mad, &cpi, sizeof(cpi));
return IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY;
}
static int iboe_process_mad(struct ib_device *ibdev, int mad_flags,
u32 port_num, const struct ib_wc *in_wc,
Reported by FlawFinder.
arch/um/drivers/cow_user.c
14 issues
Line: 177
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
"chars\n", from, size);
return -1;
}
strcat(to, slash);
}
else {
if (strlen(save_cwd) + 1 + strlen(from) + 1 > size) {
cow_printf("absolutize : unable to fit '%s' into %d "
"chars\n", from, size);
Reported by FlawFinder.
Line: 185
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
"chars\n", from, size);
return -1;
}
strcpy(to, save_cwd);
strcat(to, "/");
strcat(to, from);
}
if (chdir(save_cwd)) {
cow_printf("absolutize : Can't cd to '%s' - "
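Reported by FlawFinder.
Triage note: this branch opens with the check strlen(save_cwd) + 1 + strlen(from) + 1 > size (visible in the line-177 excerpt), which accounts for both strings, the separator and the terminator, so the strcpy/strcat sequence is bounded by that check. A single snprintf into to with size as the limit would make the bound explicit at the write itself.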
Line: 187
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
}
strcpy(to, save_cwd);
strcat(to, "/");
strcat(to, from);
}
if (chdir(save_cwd)) {
cow_printf("absolutize : Can't cd to '%s' - "
"errno = %d\n", save_cwd, errno);
return -1;
Reported by FlawFinder.
Line: 26
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cow_header_v1 {
__s32 magic;
__s32 version;
char backing_file[PATH_LEN_V1];
time32_t mtime;
__u64 size;
__s32 sectorsize;
} __attribute__((packed));
Reported by FlawFinder.
Line: 45
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cow_header_v2 {
__u32 magic;
__u32 version;
char backing_file[PATH_LEN_V2];
time32_t mtime;
__u64 size;
__s32 sectorsize;
} __attribute__((packed));
Reported by FlawFinder.
Line: 94
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 sectorsize;
__u32 alignment;
__u32 cow_format;
char backing_file[PATH_LEN_V3];
} __attribute__((packed));
/* This is the broken layout used by some 64-bit binaries. */
struct cow_header_v3_broken {
__u32 magic;
Reported by FlawFinder.
Line: 106
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 sectorsize;
__u32 alignment;
__u32 cow_format;
char backing_file[PATH_LEN_V3];
};
/* COW format definitions - for now, we have only the usual COW bitmap */
#define COW_BITMAP 0
Reported by FlawFinder.
Line: 148
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int absolutize(char *to, int size, char *from)
{
char save_cwd[256], *slash;
int remaining;
if (getcwd(save_cwd, sizeof(save_cwd)) == NULL) {
cow_printf("absolutize : unable to get cwd - errno = %d\n",
errno);
Reported by FlawFinder.
Line: 171
Column: 22
CWE codes:
126
"errno = %d\n", from, errno);
return -1;
}
remaining = size - strlen(to);
if (strlen(slash) + 1 > remaining) {
cow_printf("absolutize : unable to fit '%s' into %d "
"chars\n", from, size);
return -1;
}
Reported by FlawFinder.
Line: 172
Column: 7
CWE codes:
126
return -1;
}
remaining = size - strlen(to);
if (strlen(slash) + 1 > remaining) {
cow_printf("absolutize : unable to fit '%s' into %d "
"chars\n", from, size);
return -1;
}
strcat(to, slash);
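Reported by FlawFinder.
Triage note: the flagged strlen calls feed the fit check that guards strcat(to, slash). remaining is an int compared against a size_t expression, so a negative remaining would be converted to a large unsigned value and the check would not fire; that requires strlen(to) to exceed size, which the excerpt neither shows nor rules out.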
arch/s390/lib/string.c
14 issues
Line: 84
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
* returns a pointer to @dest
*/
#ifdef __HAVE_ARCH_STRCPY
char *strcpy(char *dest, const char *src)
{
char *ret = dest;
asm volatile(
" lghi 0,0\n"
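Reported by FlawFinder.
Triage note: this is the s390 definition of strcpy itself, not a call to it; the match is on the function name. The same applies to the findings at lines 97 and 170 (EXPORT_SYMBOL lines), 154 (strcat definition), and 54 and 58 (strlen definition and export).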
Line: 97
Column: 15
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
: "cc", "memory", "0");
return ret;
}
EXPORT_SYMBOL(strcpy);
#endif
/**
* strlcpy - Copy a %NUL terminated string into a sized buffer
* @dest: Where to copy the string to
Reported by FlawFinder.
Line: 154
Column: 7
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
* returns a pointer to @dest
*/
#ifdef __HAVE_ARCH_STRCAT
char *strcat(char *dest, const char *src)
{
unsigned long dummy = 0;
char *ret = dest;
asm volatile(
Reported by FlawFinder.
Line: 170
Column: 15
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
: "cc", "memory", "0");
return ret;
}
EXPORT_SYMBOL(strcat);
#endif
/**
* strlcat - Append a length-limited, %NUL-terminated string to another
* @dest: The string to be appended to
Reported by FlawFinder.
Line: 119
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (size) {
size_t len = (ret >= size) ? size-1 : ret;
dest[len] = '\0';
memcpy(dest, src, len);
}
return ret;
}
EXPORT_SYMBOL(strlcpy);
#endif
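Reported by FlawFinder.
Triage note: len is clamped to size-1 when ret >= size before the memcpy, and the copy only runs when size is non-zero, so the write is bounded by the caller-supplied size.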
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
size_t len = __strnend(src, n) - src;
memset(dest + len, 0, n - len);
memcpy(dest, src, len);
return dest;
}
EXPORT_SYMBOL(strncpy);
#endif
Reported by FlawFinder.
Line: 192
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len >= n)
len = n - 1;
dest[len] = '\0';
memcpy(dest, src, len);
}
return res;
}
EXPORT_SYMBOL(strlcat);
#endif
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *p = __strend(dest);
p[len] = '\0';
memcpy(p, src, len);
return dest;
}
EXPORT_SYMBOL(strncat);
#endif
Reported by FlawFinder.
Line: 54
Column: 8
CWE codes:
126
* returns the length of @s
*/
#ifdef __HAVE_ARCH_STRLEN
size_t strlen(const char *s)
{
return __strend(s) - s;
}
EXPORT_SYMBOL(strlen);
#endif
Reported by FlawFinder.
Line: 58
Column: 15
CWE codes:
126
{
return __strend(s) - s;
}
EXPORT_SYMBOL(strlen);
#endif
/**
* strnlen - Find the length of a length-limited string
* @s: The string to be sized
Reported by FlawFinder.
drivers/scsi/esas2r/esas2r_flash.c
14 issues
Line: 536
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
esas2r_print_flash_rev(a);
/* Update the type of boot image on the card */
memcpy(a->image_type, fi->rel_version,
sizeof(fi->rel_version));
complete_fmapi_req(a, rq, FI_STAT_SUCCESS);
return;
}
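Reported by FlawFinder.
Triage note: the length is sizeof(fi->rel_version), i.e. the size of the source. The copy is in bounds only if a->image_type is at least that large; neither declaration appears in the excerpt.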
Line: 1091
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
|| month > 12
|| year < 2006
|| year > 9999) {
strcpy(a->flash_rev, "not found");
a->flash_ver = 0;
return false;
}
sprintf(a->flash_rev, "%02d/%02d/%04d", month, day, year);
Reported by FlawFinder.
Line: 1096
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return false;
}
sprintf(a->flash_rev, "%02d/%02d/%04d", month, day, year);
esas2r_hdebug("flash version: %s", a->flash_rev);
return true;
}
/*
Reported by FlawFinder.
Line: 1134
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
goto invalid_rev;
if (bh->code_type == CODE_TYPE_PC) {
strcpy(a->image_type, "BIOS");
return true;
} else if (bh->code_type == CODE_TYPE_EFI) {
struct esas2r_efi_image *ei;
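Reported by FlawFinder.
Triage note: every strcpy into a->image_type in these excerpts (lines 1134, 1148, 1152, 1156, 1160, 1181) copies a string literal; the longest shown, "no boot images", needs 15 bytes including the terminator. Checking that against the declared size of image_type settles all six findings.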
Line: 1148
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
switch (le16_to_cpu(ei->machine_type)) {
case EFI_MACHINE_IA32:
strcpy(a->image_type, "EFI 32-bit");
return true;
case EFI_MACHINE_IA64:
strcpy(a->image_type, "EFI itanium");
return true;
Reported by FlawFinder.
Line: 1152
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return true;
case EFI_MACHINE_IA64:
strcpy(a->image_type, "EFI itanium");
return true;
case EFI_MACHINE_X64:
strcpy(a->image_type, "EFI 64-bit");
return true;
Reported by FlawFinder.
Line: 1156
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return true;
case EFI_MACHINE_X64:
strcpy(a->image_type, "EFI 64-bit");
return true;
case EFI_MACHINE_EBC:
strcpy(a->image_type, "EFI EBC");
return true;
Reported by FlawFinder.
Line: 1160
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return true;
case EFI_MACHINE_EBC:
strcpy(a->image_type, "EFI EBC");
return true;
default:
goto invalid_rev;
}
Reported by FlawFinder.
Line: 1181
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
invalid_rev:
strcpy(a->image_type, "no boot images");
return false;
}
/*
* Read and validate current NVRAM parameters by accessing
Reported by FlawFinder.
Line: 1281
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return false;
}
memcpy(&sas_address_bytes[0], n->sas_addr, 8);
if (sas_address_bytes[0] != 0x50
|| sas_address_bytes[1] != 0x01
|| sas_address_bytes[2] != 0x08
|| (sas_address_bytes[3] & 0xF0) != 0x60
Reported by FlawFinder.
fs/afs/security.c
14 issues
Line: 131
Column: 28
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
for (i = 0; i < permits->nr_permits; i++) {
h += (unsigned long)permits->permits[i].key / sizeof(void *);
h += permits->permits[i].access;
}
permits->h = h;
}
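Reported by FlawFinder.
Triage note: the token matched here is the access member of a permit entry, not a call to access(2). The other excerpts from this file match the same member, the local variable access, or the _access out-parameter; none shows a path being checked and then opened, so the check-then-open race described in the suggestion does not apply to them.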
Line: 168
Column: 29
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
continue;
if (permits->permits[i].key > key)
break;
if (permits->permits[i].access != caller_access) {
changed = true;
break;
}
if (afs_cb_is_broken(cb_break, vnode)) {
Reported by FlawFinder.
Line: 238
Column: 49
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
j++;
}
new->permits[j].key = permits->permits[i].key;
new->permits[j].access = permits->permits[i].access;
j++;
}
}
if (j == i) {
Reported by FlawFinder.
Line: 328
Column: 35
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (permits->permits[i].key > key)
break;
*_access = permits->permits[i].access;
_leave(" = %u [perm %x]", !permits->invalidated, *_access);
return !permits->invalidated;
}
}
Reported by FlawFinder.
Line: 368
Column: 36
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (permits->permits[i].key > key)
break;
*_access = permits->permits[i].access;
valid = !permits->invalidated;
break;
}
}
rcu_read_unlock();
Reported by FlawFinder.
Line: 403
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int mask)
{
struct afs_vnode *vnode = AFS_FS_I(inode);
afs_access_t access;
struct key *key;
int ret = 0;
_enter("{{%llx:%llu},%lx},%x,",
vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);
Reported by FlawFinder.
Line: 417
Column: 42
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
ret = -ECHILD;
if (!afs_check_validity(vnode) ||
!afs_check_permit_rcu(vnode, key, &access))
goto error;
} else {
key = afs_request_key(vnode->volume->cell);
if (IS_ERR(key)) {
_leave(" = %ld [key]", PTR_ERR(key));
Reported by FlawFinder.
Line: 431
Column: 39
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
goto error;
/* check the permits to see if we've got one yet */
ret = afs_check_permit(vnode, key, &access);
if (ret < 0)
goto error;
}
/* interpret the access mask */
Reported by FlawFinder.
Line: 438
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* interpret the access mask */
_debug("REQ %x ACC %x on %s",
mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");
ret = 0;
if (S_ISDIR(inode->i_mode)) {
if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) {
if (!(access & AFS_ACE_LOOKUP))
Reported by FlawFinder.
Line: 443
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
ret = 0;
if (S_ISDIR(inode->i_mode)) {
if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) {
if (!(access & AFS_ACE_LOOKUP))
goto permission_denied;
}
if (mask & MAY_WRITE) {
if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */
AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */
Reported by FlawFinder.
drivers/block/floppy.c
13 issues
Line: 338
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* globals used by 'result()'
*/
static unsigned char reply_buffer[FD_RAW_REPLY_SIZE];
static int inr; /* size of reply buffer, when called from interrupt */
#define ST0 0
#define ST1 1
#define ST2 2
#define ST3 0 /* result of GETSTATUS */
Reported by FlawFinder.
Line: 2281
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct request *req = current_req;
int block;
char msg[sizeof("request done ") + sizeof(int) * 3];
probing = 0;
snprintf(msg, sizeof(msg), "request done %d", uptodate);
reschedule_timeout(MAXTIMEOUT, msg);
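Reported by FlawFinder.
Triage note: the finding is on the declaration of msg; the only write shown is snprintf(msg, sizeof(msg), ...), which is already length-limited.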
Line: 2996
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
raw_cmd->reply_count = inr;
if (raw_cmd->reply_count > FD_RAW_REPLY_SIZE)
raw_cmd->reply_count = 0;
memcpy(raw_cmd->reply, reply_buffer, raw_cmd->reply_count);
if (raw_cmd->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
unsigned long flags;
flags = claim_dma_lock();
raw_cmd->length = fd_get_dma_residue();
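Reported by FlawFinder.
Triage note: reply_count is reset to 0 when it exceeds FD_RAW_REPLY_SIZE, the declared size of reply_buffer (line-338 excerpt), so the read from reply_buffer is bounded provided reply_count cannot be negative. The size of raw_cmd->reply is not shown here and still needs to be at least FD_RAW_REPLY_SIZE.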
Line: 3447
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct floppy_struct **)&outparam);
if (ret)
return ret;
memcpy(&inparam.g, outparam,
offsetof(struct floppy_struct, name));
outparam = &inparam.g;
break;
case FDMSGON:
drive_params[drive].flags |= FTD_MSG;
Reported by FlawFinder.
Line: 3615
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int perp_mode:2;
unsigned int has_fifo:1;
unsigned int driver_version;
unsigned char track[4];
};
struct compat_floppy_write_errors {
unsigned int write_errors;
compat_ulong_t first_error_sector;
Reported by FlawFinder.
Line: 3677
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&floppy_mutex);
return err;
}
memcpy(&v, p, offsetof(struct floppy_struct, name));
mutex_unlock(&floppy_mutex);
if (copy_to_user(arg, &v, sizeof(struct compat_floppy_struct)))
return -EFAULT;
return 0;
}
Reported by FlawFinder.
Line: 3712
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
drive_params[drive].max_errors = v.max_errors;
drive_params[drive].flags = v.flags;
drive_params[drive].read_track = v.read_track;
memcpy(drive_params[drive].autodetect, v.autodetect,
sizeof(v.autodetect));
drive_params[drive].checkfreq = v.checkfreq;
drive_params[drive].native_format = v.native_format;
mutex_unlock(&floppy_mutex);
return 0;
Reported by FlawFinder.
Line: 3816
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v32.perp_mode = v.perp_mode;
v32.has_fifo = v.has_fifo;
v32.driver_version = v.driver_version;
memcpy(v32.track, v.track, 4);
if (copy_to_user(arg, &v32, sizeof(struct compat_floppy_fdc_state)))
return -EFAULT;
return 0;
}
Reported by FlawFinder.
Line: 3911
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int type = drive_params[drive].cmos;
struct floppy_drive_params *params;
const char *name = NULL;
char temparea[32];
if (type < ARRAY_SIZE(default_drive_params)) {
params = &default_drive_params[type].params;
if (type) {
name = default_drive_params[type].name;
Reported by FlawFinder.
Line: 4435
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int drive;
drive = p->id;
return sprintf(buf, "%X\n", drive_params[drive].cmos);
}
static DEVICE_ATTR(cmos, 0444, floppy_cmos_show, NULL);
static struct attribute *floppy_dev_attrs[] = {
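Reported by FlawFinder.
Triage note: the format is a single %X and a newline, so the output length is small and fixed by the integer width. sprintf_s is not available in kernel code; for a sysfs show callback such as this one the in-tree bounded helper is sysfs_emit().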
fs/jfs/jfs_dtree.c
13 issues
Line: 984
CWE codes:
562
pxd = &pxdlist.pxd[0];
PXDaddress(pxd, xaddr);
PXDlength(pxd, xlen);
split->pxdlist = &pxdlist;
rc = dtSplitRoot(tid, ip, split, &rmp);
if (rc)
dbFree(ip, xaddr, xlen);
else
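Reported by Cppcheck.
Triage note: Cppcheck is reporting that the address of what it takes to be a local object (pxdlist here and at lines 1033 and 1083, key at line 1225) is stored through split. In the first three excerpts split is then passed to a call made from the same function (dtSplitRoot, dtExtendPage, dtSplitPage); the finding matters only if split is still dereferenced after that function returns, which the excerpts do not show.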
Line: 1033
CWE codes:
562
pxd = &pxdlist.pxd[0];
PXDaddress(pxd, nxaddr);
PXDlength(pxd, xlen + n);
split->pxdlist = &pxdlist;
if ((rc = dtExtendPage(tid, ip, split, btstack))) {
nxaddr = addressPXD(pxd);
if (xaddr != nxaddr) {
/* free relocated extent */
xlen = lengthPXD(pxd);
Reported by Cppcheck.
Line: 1083
CWE codes:
562
goto splitOut;
}
split->pxdlist = &pxdlist;
if ((rc = dtSplitPage(tid, ip, split, &rmp, &rp, &rpxd))) {
DT_PUTPAGE(smp);
/* undo allocation */
goto splitOut;
Reported by Cppcheck.
Line: 1225
CWE codes:
562
split->mp = smp;
split->index = skip; /* index at insert */
split->nslot = n;
split->key = &key;
/* split->data = data; */
/* unpin right child page */
DT_PUTPAGE(rmp);
Reported by Cppcheck.
Line: 396
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (xtInsert(tid, ip, 0, 0, sbi->nbperpage, &xaddr, 0)) {
/* This really shouldn't fail */
jfs_warn("add_index: xtInsert failed!");
memcpy(&jfs_ip->i_dirtable, temp_table,
sizeof (temp_table));
dbFree(ip, xaddr, sbi->nbperpage);
dquot_free_block(ip, sbi->nbperpage);
goto clean_up;
}
Reported by FlawFinder.
Line: 408
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!mp) {
jfs_err("add_index: get_metapage failed!");
xtTruncate(tid, ip, 0, COMMIT_PWMAP);
memcpy(&jfs_ip->i_dirtable, temp_table,
sizeof (temp_table));
goto clean_up;
}
tlck = txLock(tid, ip, mp, tlckDATA);
llck = (struct linelock *) & tlck->lock;
Reported by FlawFinder.
Line: 421
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lv->length = 6; /* tlckDATA slot size is 16 bytes */
llck->index++;
memcpy(mp->data, temp_table, sizeof(temp_table));
mark_metapage_dirty(mp);
release_metapage(mp);
/*
Reported by FlawFinder.
Line: 548
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
}
memcpy(dirtab_slot, slot, sizeof(struct dir_table_slot));
if (mp)
release_metapage(mp);
return 0;
Reported by FlawFinder.
Line: 1737
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
newstblindex = sp->header.maxslot;
n = xsize >> L2DTSLOTSIZE;
newstblsize = (n + 31) >> L2DTSLOTSIZE;
memcpy(&sp->slot[newstblindex], &sp->slot[oldstblindex],
sp->header.nextindex);
/*
* in-line extension: linelock old area of extended page
*/
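Reported by FlawFinder.
Triage note: the length is sp->header.nextindex, a field of the page being modified, and source and destination both index sp->slot. The excerpt shows no check that nextindex fits the new table or that the two ranges cannot overlap, which memcpy requires; the line-1947 copy takes its length from the same field.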
Line: 1947
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy old stbl to new stbl at start of extended area */
rp->header.stblindex = DTROOTMAXSLOT;
stbl = (s8 *) & rp->slot[DTROOTMAXSLOT];
memcpy(stbl, sp->header.stbl, sp->header.nextindex);
rp->header.nextindex = sp->header.nextindex;
/* copy old data area to start of new data area */
memcpy(&rp->slot[1], &sp->slot[1], IDATASIZE);
Reported by FlawFinder.
kernel/time/clocksource.c
13 issues
Line: 126
CWE codes:
908
static inline void clocksource_watchdog_lock(unsigned long *flags)
{
spin_lock_irqsave(&watchdog_lock, *flags);
}
static inline void clocksource_watchdog_unlock(unsigned long *flags)
{
spin_unlock_irqrestore(&watchdog_lock, *flags);
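Reported by Cppcheck.
Triage note: spin_lock_irqsave() is a macro that stores the saved interrupt state into its flags argument, so *flags is written here rather than read. An analyser that models it as an ordinary function call will see a read of an uninitialised value, which is probably what produced this finding.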
Line: 94
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct clocksource *suspend_clocksource;
static LIST_HEAD(clocksource_list);
static DEFINE_MUTEX(clocksource_mutex);
static char override_name[CS_NAME_LEN];
static int finished_booting;
static u64 suspend_start;
/*
* Threshold: 0.0312s, when doubled: 0.0625s.
Reported by FlawFinder.
Line: 1268
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf[cnt-1] == '\n')
cnt--;
if (cnt > 0)
memcpy(dst, buf, cnt);
dst[cnt] = 0;
return ret;
}
/**
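Reported by FlawFinder.
Triage note: the excerpt starts after any validation of cnt. buf[cnt-1] is read first and dst[cnt] = 0 writes one byte beyond the copied data, so the function is in bounds only if cnt is non-zero and smaller than the destination. The line-1315 excerpt shows a caller of sysfs_get_uname passing a CS_NAME_LEN array, which is presumably this destination; confirm that the corresponding check sits above the lines quoted here.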
Line: 1315
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *buf, size_t count)
{
struct clocksource *cs;
char name[CS_NAME_LEN];
ssize_t ret;
ret = sysfs_get_uname(buf, name, count);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 216
Column: 22
CWE codes:
120
20
for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) {
local_irq_disable();
*wdnow = watchdog->read(watchdog);
*csnow = cs->read(cs);
wd_end = watchdog->read(watchdog);
local_irq_enable();
wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
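Reported by FlawFinder.
Triage note: read here is the clocksource's read callback invoked through a pointer (watchdog->read(watchdog), cs->read(cs)); it is passed the clocksource and returns a value, with no buffer or length argument. The buffer-boundary pattern FlawFinder associates with read() is not present in this or the other read findings for this file (lines 217, 218, 295, 323, 325).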
Line: 217
Column: 16
CWE codes:
120
20
for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) {
local_irq_disable();
*wdnow = watchdog->read(watchdog);
*csnow = cs->read(cs);
wd_end = watchdog->read(watchdog);
local_irq_enable();
wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
Reported by FlawFinder.
Line: 218
Column: 22
CWE codes:
120
20
local_irq_disable();
*wdnow = watchdog->read(watchdog);
*csnow = cs->read(cs);
wd_end = watchdog->read(watchdog);
local_irq_enable();
wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
watchdog->shift);
Reported by FlawFinder.
Line: 295
Column: 18
CWE codes:
120
20
{
struct clocksource *cs = (struct clocksource *)csin;
csnow_mid = cs->read(cs);
}
void clocksource_verify_percpu(struct clocksource *cs)
{
int64_t cs_nsec, cs_nsec_max = 0, cs_nsec_min = LLONG_MAX;
Reported by FlawFinder.
Line: 323
Column: 21
CWE codes:
120
20
for_each_cpu(cpu, &cpus_chosen) {
if (cpu == testcpu)
continue;
csnow_begin = cs->read(cs);
smp_call_function_single(cpu, clocksource_verify_one_cpu, cs, 1);
csnow_end = cs->read(cs);
delta = (s64)((csnow_mid - csnow_begin) & cs->mask);
if (delta < 0)
cpumask_set_cpu(cpu, &cpus_behind);
Reported by FlawFinder.
Line: 325
Column: 19
CWE codes:
120
20
continue;
csnow_begin = cs->read(cs);
smp_call_function_single(cpu, clocksource_verify_one_cpu, cs, 1);
csnow_end = cs->read(cs);
delta = (s64)((csnow_mid - csnow_begin) & cs->mask);
if (delta < 0)
cpumask_set_cpu(cpu, &cpus_behind);
delta = (csnow_end - csnow_mid) & cs->mask;
if (delta < 0)
Reported by FlawFinder.
scripts/mod/sumversion.c
13 issues
Line: 316
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (base) {
base++;
dirlen = base - objfile;
sprintf(cmd, "%.*s.%s.cmd", dirlen, objfile, base);
} else {
dirlen = 0;
sprintf(cmd, ".%s.cmd", objfile);
}
dir = NOFAIL(malloc(dirlen + 1));
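Reported by FlawFinder.
Triage note: cmd is allocated as strlen(objfile) + sizeof("..cmd") (line-310 excerpt), which matches the number of bytes either sprintf format produces, terminator included. The writes are therefore bounded, but with no slack: a change to either format string has to be mirrored in the allocation.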
Line: 319
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(cmd, "%.*s.%s.cmd", dirlen, objfile, base);
} else {
dirlen = 0;
sprintf(cmd, ".%s.cmd", objfile);
}
dir = NOFAIL(malloc(dirlen + 1));
strncpy(dir, objfile, dirlen);
dir[dirlen] = '\0';
Reported by FlawFinder.
Line: 177
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mctx->byte_count += len;
if (avail > len) {
memcpy((char *)mctx->block + (sizeof(mctx->block) - avail),
data, len);
return;
}
memcpy((char *)mctx->block + (sizeof(mctx->block) - avail),
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy((char *)mctx->block + (sizeof(mctx->block) - avail),
data, avail);
md4_transform_helper(mctx);
data += avail;
len -= avail;
Reported by FlawFinder.
Line: 196
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len -= sizeof(mctx->block);
}
memcpy(mctx->block, data, len);
}
static void md4_final_ascii(struct md4_ctx *mctx, char *out, unsigned int len)
{
const unsigned int offset = mctx->byte_count & 0x3f;
Reported by FlawFinder.
Line: 393
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *buf, *pos, *firstline;
struct md4_ctx md;
char *fname;
char filelist[PATH_MAX + 1];
int postfix_len = 1;
if (strends(modname, ".lto.o"))
postfix_len = 5;
Reported by FlawFinder.
Line: 262
Column: 8
CWE codes:
126
unsigned long i, len;
file = read_text_file(fname);
len = strlen(file);
for (i = 0; i < len; i++) {
/* Collapse and ignore \ and CR. */
if (file[i] == '\\' && (i+1 < len) && file[i+1] == '\n') {
i++;
Reported by FlawFinder.
Line: 295
Column: 12
CWE codes:
126
/* Check whether the file is a static library or not */
static int is_static_library(const char *objfile)
{
int len = strlen(objfile);
if (objfile[len - 2] == '.' && objfile[len - 1] == 'a')
return 1;
else
return 0;
}
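Reported by FlawFinder.
Triage note: the strlen call is not the weak point in this function. objfile[len - 2] and objfile[len - 1] are read without checking that len is at least 2, so a name shorter than two characters is indexed before the start of the string; a len >= 2 guard ahead of the comparison closes that.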
Line: 310
Column: 22
CWE codes:
126
const char *base;
int dirlen, ret = 0, check_files = 0;
cmd = NOFAIL(malloc(strlen(objfile) + sizeof("..cmd")));
base = strrchr(objfile, '/');
if (base) {
base++;
dirlen = base - objfile;
Reported by FlawFinder.
Line: 322
Column: 2
CWE codes:
120
sprintf(cmd, ".%s.cmd", objfile);
}
dir = NOFAIL(malloc(dirlen + 1));
strncpy(dir, objfile, dirlen);
dir[dirlen] = '\0';
file = read_text_file(cmd);
pos = file;
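Reported by FlawFinder.
Triage note: dir is allocated with dirlen + 1 bytes, strncpy copies at most dirlen, and the terminator is written explicitly on the next line, so the usual strncpy hazard of an unterminated result is handled here.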