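The following issues were found by static analysis (Cppcheck and FlawFinder). Each entry is a tool finding shown with a few lines of surrounding source, not a confirmed vulnerability; whether a flagged call is actually unsafe depends on size and length checks that are often outside the excerpt.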
fs/gfs2/lock_dlm.c
13 issues
Line: 1066
CWE codes:
476
max_jid = 0;
for (i = 0; i < num_slots; i++) {
if (max_jid < slots[i].slot - 1)
max_jid = slots[i].slot - 1;
}
old_size = ls->ls_recover_size;
new_size = old_size;
Reported by Cppcheck.
Line: 263
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lm_lockstruct *ls = &gl->gl_name.ln_sbd->sd_lockstruct;
int req;
u32 lkf;
char strname[GDLM_STRNAME_BYTES] = "";
req = make_mode(gl->gl_name.ln_sbd, req_state);
lkf = make_flags(gl, flags, req);
gfs2_glstats_inc(gl, GFS2_LKS_DCOUNT);
gfs2_sbstats_inc(gl, GFS2_LKS_DCOUNT);
Reported by FlawFinder.
Line: 473
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *lvb_bits)
{
__le32 gen;
memcpy(lvb_bits, ls->ls_control_lvb, GDLM_LVB_SIZE);
memcpy(&gen, lvb_bits, sizeof(__le32));
*lvb_gen = le32_to_cpu(gen);
}
static void control_lvb_write(struct lm_lockstruct *ls, uint32_t lvb_gen,
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le32 gen;
memcpy(lvb_bits, ls->ls_control_lvb, GDLM_LVB_SIZE);
memcpy(&gen, lvb_bits, sizeof(__le32));
*lvb_gen = le32_to_cpu(gen);
}
static void control_lvb_write(struct lm_lockstruct *ls, uint32_t lvb_gen,
char *lvb_bits)
Reported by FlawFinder.
Line: 482
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *lvb_bits)
{
__le32 gen;
memcpy(ls->ls_control_lvb, lvb_bits, GDLM_LVB_SIZE);
gen = cpu_to_le32(lvb_gen);
memcpy(ls->ls_control_lvb, &gen, sizeof(__le32));
}
static int all_jid_bits_clear(char *lvb)
Reported by FlawFinder.
Line: 484
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__le32 gen;
memcpy(ls->ls_control_lvb, lvb_bits, GDLM_LVB_SIZE);
gen = cpu_to_le32(lvb_gen);
memcpy(ls->ls_control_lvb, &gen, sizeof(__le32));
}
static int all_jid_bits_clear(char *lvb)
{
return !memchr_inv(lvb + JID_BITMAP_OFFSET, 0,
Reported by FlawFinder.
Line: 525
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int num, struct dlm_lksb *lksb, char *name)
{
struct lm_lockstruct *ls = &sdp->sd_lockstruct;
char strname[GDLM_STRNAME_BYTES];
int error, status;
memset(strname, 0, GDLM_STRNAME_BYTES);
snprintf(strname, GDLM_STRNAME_BYTES, "%8x%16x", LM_TYPE_NONDISK, num);
Reported by FlawFinder.
Line: 1086
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
spin_lock(&ls->ls_recover_spin);
memcpy(submit, ls->ls_recover_submit, old_size * sizeof(uint32_t));
memcpy(result, ls->ls_recover_result, old_size * sizeof(uint32_t));
kfree(ls->ls_recover_submit);
kfree(ls->ls_recover_result);
ls->ls_recover_submit = submit;
ls->ls_recover_result = result;
Reported by FlawFinder.
Line: 1087
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock(&ls->ls_recover_spin);
memcpy(submit, ls->ls_recover_submit, old_size * sizeof(uint32_t));
memcpy(result, ls->ls_recover_result, old_size * sizeof(uint32_t));
kfree(ls->ls_recover_submit);
kfree(ls->ls_recover_result);
ls->ls_recover_submit = submit;
ls->ls_recover_result = result;
ls->ls_recover_size = new_size;
Reported by FlawFinder.
Line: 1249
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gdlm_mount(struct gfs2_sbd *sdp, const char *table)
{
struct lm_lockstruct *ls = &sdp->sd_lockstruct;
char cluster[GFS2_LOCKNAME_LEN];
const char *fsname;
uint32_t flags;
int error, ops_result;
/*
Reported by FlawFinder.
fs/gfs2/ops_fstype.c
13 issues
Line: 215
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sb->sb_root_dir.no_addr = be64_to_cpu(str->sb_root_dir.no_addr);
sb->sb_root_dir.no_formal_ino = be64_to_cpu(str->sb_root_dir.no_formal_ino);
memcpy(sb->sb_lockproto, str->sb_lockproto, GFS2_LOCKNAME_LEN);
memcpy(sb->sb_locktable, str->sb_locktable, GFS2_LOCKNAME_LEN);
memcpy(&s->s_uuid, str->sb_uuid, 16);
}
/**
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sb->sb_root_dir.no_formal_ino = be64_to_cpu(str->sb_root_dir.no_formal_ino);
memcpy(sb->sb_lockproto, str->sb_lockproto, GFS2_LOCKNAME_LEN);
memcpy(sb->sb_locktable, str->sb_locktable, GFS2_LOCKNAME_LEN);
memcpy(&s->s_uuid, str->sb_uuid, 16);
}
/**
* gfs2_read_super - Read the gfs2 super block from disk
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(sb->sb_lockproto, str->sb_lockproto, GFS2_LOCKNAME_LEN);
memcpy(sb->sb_locktable, str->sb_locktable, GFS2_LOCKNAME_LEN);
memcpy(&s->s_uuid, str->sb_uuid, 16);
}
/**
* gfs2_read_super - Read the gfs2 super block from disk
* @sdp: The GFS2 super block
Reported by FlawFinder.
Line: 569
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct gfs2_inode *dip = GFS2_I(sdp->sd_jindex);
struct qstr name;
char buf[20];
struct gfs2_jdesc *jd;
int error;
name.name = buf;
Reported by FlawFinder.
Line: 584
Column: 14
CWE codes:
120
Suggestion:
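Use sprintf_s, snprintf, or vsnprintf (sprintf_s is not available in kernel code, so the bounded choices there are snprintf or scnprintf). In this excerpt the destination appears to be the 20-byte buf from the finding for line 569, and "journal%u" with a 32-bit unsigned value needs at most 18 bytes including the terminator, so a bounded call would be hardening rather than a fix for a demonstrated overflow.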
if (error)
break;
name.len = sprintf(buf, "journal%u", sdp->sd_journals);
name.hash = gfs2_disk_hash(name.name, name.len);
error = gfs2_dir_check(sdp->sd_jindex, &name, NULL);
if (error == -ENOENT) {
error = 0;
Reported by FlawFinder.
Line: 645
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int error = 0;
struct inode *master = d_inode(sdp->sd_master_dir);
struct inode *pn = NULL;
char buf[30];
struct gfs2_jdesc *jd;
struct gfs2_inode *ip;
sdp->sd_statfs_inode = gfs2_lookup_simple(master, "statfs");
if (IS_ERR(sdp->sd_statfs_inode)) {
Reported by FlawFinder.
Line: 674
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
error = -ENOMEM;
goto free_local;
}
sprintf(buf, "statfs_change%u", jd->jd_jid);
lsi->si_sc_inode = gfs2_lookup_simple(pn, buf);
if (IS_ERR(lsi->si_sc_inode)) {
error = PTR_ERR(lsi->si_sc_inode);
fs_err(sdp, "can't find local \"sc\" file#%u: %d\n",
jd->jd_jid, error);
Reported by FlawFinder.
Line: 923
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int init_per_node(struct gfs2_sbd *sdp, int undo)
{
struct inode *pn = NULL;
char buf[30];
int error = 0;
struct gfs2_inode *ip;
struct inode *master = d_inode(sdp->sd_master_dir);
if (sdp->sd_args.ar_spectator)
Reported by FlawFinder.
Line: 941
Column: 2
CWE codes:
120
Suggestion:
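Use sprintf_s, snprintf, or vsnprintf (in kernel code: snprintf or scnprintf). The destination appears to be the 30-byte buf from the finding for line 923, and "quota_change%u" with a 32-bit unsigned value needs at most 23 bytes including the terminator.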
return error;
}
sprintf(buf, "quota_change%u", sdp->sd_jdesc->jd_jid);
sdp->sd_qc_inode = gfs2_lookup_simple(pn, buf);
if (IS_ERR(sdp->sd_qc_inode)) {
error = PTR_ERR(sdp->sd_qc_inode);
fs_err(sdp, "can't find local \"qc\" file: %d\n", error);
goto fail_ut_i;
Reported by FlawFinder.
Line: 1083
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void gfs2_online_uevent(struct gfs2_sbd *sdp)
{
struct super_block *sb = sdp->sd_vfs;
char ro[20];
char spectator[20];
char *envp[] = { ro, spectator, NULL };
sprintf(ro, "RDONLY=%d", sb_rdonly(sb));
sprintf(spectator, "SPECTATOR=%d", sdp->sd_args.ar_spectator ? 1 : 0);
kobject_uevent_env(&sdp->sd_kobj, KOBJ_ONLINE, envp);
Reported by FlawFinder.
scripts/kallsyms.c
13 issues
Line: 243
Column: 2
CWE codes:
120
Suggestion:
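Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The length check in the finding for line 212 rejects names of KSYM_NAME_LEN or more, but whether the buffer behind sym_name(sym) is large enough depends on how sym is allocated, which is outside this excerpt.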
sym->addr = addr;
sym->len = len;
sym->sym[0] = type;
strcpy(sym_name(sym), name);
sym->percpu_absolute = 0;
return sym;
}
Reported by FlawFinder.
Line: 67
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int token_profit[0x10000];
/* the table that holds the result of the compression */
static unsigned char best_table[256][2];
static unsigned char best_table_len[256];
static void usage(void)
{
Reported by FlawFinder.
Line: 68
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* the table that holds the result of the compression */
static unsigned char best_table[256][2];
static unsigned char best_table_len[256];
static void usage(void)
{
fprintf(stderr, "Usage: kallsyms [--all-symbols] "
Reported by FlawFinder.
Line: 200
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct sym_entry *read_symbol(FILE *in)
{
char name[500], type;
unsigned long long addr;
unsigned int len;
struct sym_entry *sym;
int rc;
Reported by FlawFinder.
Line: 392
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int i, k, off;
unsigned int best_idx[256];
unsigned int *markers;
char buf[KSYM_NAME_LEN];
printf("#include <asm/bitsperlong.h>\n");
printf("#if BITS_PER_LONG == 64\n");
printf("#define PTR .quad\n");
printf("#define ALGN .balign 8\n");
Reported by FlawFinder.
Line: 146
Column: 26
CWE codes:
126
return true;
for (p = ignored_prefixes; *p; p++)
if (!strncmp(name, *p, strlen(*p)))
return true;
for (p = ignored_suffixes; *p; p++) {
int l = strlen(name) - strlen(*p);
Reported by FlawFinder.
Line: 150
Column: 26
CWE codes:
126
return true;
for (p = ignored_suffixes; *p; p++) {
int l = strlen(name) - strlen(*p);
if (l >= 0 && !strcmp(name + l, *p))
return true;
}
Reported by FlawFinder.
Line: 150
Column: 11
CWE codes:
126
return true;
for (p = ignored_suffixes; *p; p++) {
int l = strlen(name) - strlen(*p);
if (l >= 0 && !strcmp(name + l, *p))
return true;
}
Reported by FlawFinder.
Line: 206
Column: 7
CWE codes:
120
Suggestion:
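Check that the limit is sufficiently small, or use a different input function. In this excerpt the %499s field width matches the 500-byte name buffer shown in the finding for line 200, leaving one byte for the terminator, and the fgets fallback is bounded to 500 as well.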
struct sym_entry *sym;
int rc;
rc = fscanf(in, "%llx %c %499s\n", &addr, &type, name);
if (rc != 3) {
if (rc != EOF && fgets(name, 500, in) == NULL)
fprintf(stderr, "Read error or end of file.\n");
return NULL;
}
Reported by FlawFinder.
Line: 212
Column: 6
CWE codes:
126
fprintf(stderr, "Read error or end of file.\n");
return NULL;
}
if (strlen(name) >= KSYM_NAME_LEN) {
fprintf(stderr, "Symbol %s too long for kallsyms (%zu >= %d).\n"
"Please increase KSYM_NAME_LEN both in kernel and kallsyms.c\n",
name, strlen(name), KSYM_NAME_LEN);
return NULL;
}
Reported by FlawFinder.
fs/gfs2/xattr.c
13 issues
Line: 392
Column: 3
CWE codes:
120
Suggestion:
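Make sure destination can always hold the source data. The excerpt shows a preceding check that returns -ERANGE when ei->ei_size + ea_size exceeds er->er_data_len; what remains to confirm, outside the lines shown, is that ea_size covers l + ea->ea_name_len plus the terminating byte.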
if (ei->ei_size + ea_size > er->er_data_len)
return -ERANGE;
memcpy(er->er_data + ei->ei_size, prefix, l);
memcpy(er->er_data + ei->ei_size + l, GFS2_EA2NAME(ea),
ea->ea_name_len);
er->er_data[ei->ei_size + ea_size - 1] = 0;
}
Reported by FlawFinder.
Line: 393
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ERANGE;
memcpy(er->er_data + ei->ei_size, prefix, l);
memcpy(er->er_data + ei->ei_size + l, GFS2_EA2NAME(ea),
ea->ea_name_len);
er->er_data[ei->ei_size + ea_size - 1] = 0;
}
ei->ei_size += ea_size;
Reported by FlawFinder.
Line: 499
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cp_size = (sdp->sd_jbsize > amount) ? amount : sdp->sd_jbsize;
if (dout) {
memcpy(dout, pos, cp_size);
dout += sdp->sd_jbsize;
}
if (din) {
gfs2_trans_add_meta(ip->i_gl, bh[x]);
Reported by FlawFinder.
Line: 505
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (din) {
gfs2_trans_add_meta(ip->i_gl, bh[x]);
memcpy(pos, din, cp_size);
din += sdp->sd_jbsize;
}
amount -= sdp->sd_jbsize;
brelse(bh[x]);
Reported by FlawFinder.
Line: 527
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ERANGE;
if (GFS2_EA_IS_STUFFED(el->el_ea)) {
memcpy(data, GFS2_EA2DATA(el->el_ea), len);
return len;
}
ret = gfs2_iter_unstuffed(ip, el->el_ea, NULL, data);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 685
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ea->ea_type = er->er_type;
ea->__pad = 0;
memcpy(GFS2_EA2NAME(ea), er->er_name, er->er_name_len);
if (GFS2_EAREQ_SIZE_STUFFED(er) <= sdp->sd_jbsize) {
ea->ea_num_ptrs = 0;
memcpy(GFS2_EA2DATA(ea), er->er_data, er->er_data_len);
} else {
Reported by FlawFinder.
Line: 689
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (GFS2_EAREQ_SIZE_STUFFED(er) <= sdp->sd_jbsize) {
ea->ea_num_ptrs = 0;
memcpy(GFS2_EA2DATA(ea), er->er_data, er->er_data_len);
} else {
__be64 *dataptr = GFS2_EA2DATAPTRS(ea);
const char *data = er->er_data;
unsigned int data_len = er->er_data_len;
unsigned int copy;
Reported by FlawFinder.
Line: 716
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
copy = data_len > sdp->sd_jbsize ? sdp->sd_jbsize :
data_len;
memcpy(bh->b_data + mh_size, data, copy);
if (copy < sdp->sd_jbsize)
memset(bh->b_data + mh_size + copy, 0,
sdp->sd_jbsize - copy);
*dataptr++ = cpu_to_be64(bh->b_blocknr);
Reported by FlawFinder.
Line: 207
Column: 13
CWE codes:
126
ef.type = type;
ef.name = name;
ef.namel = strlen(name);
ef.ef_el = el;
memset(el, 0, sizeof(struct gfs2_ea_location));
error = ea_foreach(ip, ea_find_i, &ef);
Reported by FlawFinder.
Line: 586
Column: 6
CWE codes:
126
if (!ip->i_eattr)
return -ENODATA;
if (strlen(name) > GFS2_EA_MAX_NAME_LEN)
return -EINVAL;
error = gfs2_ea_find(ip, type, name, &el);
if (error)
return error;
Reported by FlawFinder.
arch/arm/kernel/traps.c
13 issues
Line: 497
arm_notify_die("Oops - undefined instruction", regs,
SIGILL, ILL_ILLOPC, pc, 0, 6);
}
NOKPROBE_SYMBOL(do_undefinstr)
/*
* Handle FIQ similarly to NMI on x86 systems.
*
* The runtime environment for NMIs is extremely restrictive
Reported by Cppcheck.
Line: 182
Column: 9
CWE codes:
134
Suggestion:
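Make format string constant. In the excerpt the format argument is a conditional expression that selects between two string literals, "(%0*x) " and "%0*x ", so neither candidate format comes from outside the function.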
bad = get_user(val, &((u32 *)addr)[i]);
if (!bad)
p += sprintf(p, i == 0 ? "(%0*x) " : "%0*x ",
width, val);
else {
p += sprintf(p, "bad PC value");
break;
}
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void dump_backtrace_stm(u32 *stack, u32 instruction, const char *loglvl)
{
char str[80], *p;
unsigned int x;
int reg;
for (reg = 10, x = 0, p = str; reg >= 0; reg--) {
if (instruction & BIT(reg)) {
Reported by FlawFinder.
Line: 90
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (reg = 10, x = 0, p = str; reg >= 0; reg--) {
if (instruction & BIT(reg)) {
p += sprintf(p, " r%d:%08x", reg, *stack--);
if (++x == 6) {
x = 0;
p = str;
printk("%s%s\n", loglvl, str);
}
Reported by FlawFinder.
Line: 140
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (first = bottom & ~31; first < top; first += 32) {
unsigned long p;
char str[sizeof(" 12345678") * 8 + 1];
memset(str, ' ', sizeof(str));
str[sizeof(str) - 1] = '\0';
for (p = first, i = 0; i < 8 && p < top; i++, p += 4) {
Reported by FlawFinder.
Line: 149
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (p >= bottom && p < top) {
unsigned long val;
if (__get_user(val, (unsigned long *)p) == 0)
sprintf(str + i * 9, " %08lx", val);
else
sprintf(str + i * 9, " ????????");
}
}
printk("%s%04lx:%s\n", lvl, first & 0xffff, str);
Reported by FlawFinder.
Line: 151
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (__get_user(val, (unsigned long *)p) == 0)
sprintf(str + i * 9, " %08lx", val);
else
sprintf(str + i * 9, " ????????");
}
}
printk("%s%04lx:%s\n", lvl, first & 0xffff, str);
}
Reported by FlawFinder.
Line: 165
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long addr = instruction_pointer(regs);
const int thumb = thumb_mode(regs);
const int width = thumb ? 4 : 8;
char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str;
int i;
/*
* Note that we now dump the code first, just in case the backtrace
* kills us.
Reported by FlawFinder.
Line: 185
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
p += sprintf(p, i == 0 ? "(%0*x) " : "%0*x ",
width, val);
else {
p += sprintf(p, "bad PC value");
break;
}
}
printk("%sCode: %s\n", lvl, str);
}
Reported by FlawFinder.
Line: 795
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
extern char __kuser_helper_start[], __kuser_helper_end[];
int kuser_sz = __kuser_helper_end - __kuser_helper_start;
memcpy(vectors + 0x1000 - kuser_sz, __kuser_helper_start, kuser_sz);
/*
* vectors + 0xfe0 = __kuser_get_tls
* vectors + 0xfe8 = hardware TLS instruction at 0xffff0fe8
*/
Reported by FlawFinder.
drivers/net/wan/hdlc_ppp.c
13 issues
Line: 476
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* HDLC and CP headers stripped from skb */
#if DEBUG_CP
if (cp->code < CP_CODES)
sprintf(debug_buffer, "[%s id 0x%X]", code_names[cp->code],
cp->id);
else
sprintf(debug_buffer, "[code %u id 0x%X]", cp->code, cp->id);
ptr = debug_buffer + strlen(debug_buffer);
for (i = 0; i < min_t(unsigned int, len, DEBUG_CP); i++) {
Reported by FlawFinder.
Line: 40
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CP_TERM_ACK, CP_CODE_REJ, LCP_PROTO_REJ, LCP_ECHO_REQ, LCP_ECHO_REPLY,
LCP_DISC_REQ, CP_CODES};
#if DEBUG_CP
static const char *const code_names[CP_CODES] = {
"0", "ConfReq", "ConfAck", "ConfNak", "ConfRej", "TermReq",
"TermAck", "CodeRej", "ProtoRej", "EchoReq", "EchoReply", "Discard"
};
static char debug_buffer[64 + 3 * DEBUG_CP];
Reported by FlawFinder.
Line: 45
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"TermAck", "CodeRej", "ProtoRej", "EchoReq", "EchoReply", "Discard"
};
static char debug_buffer[64 + 3 * DEBUG_CP];
#endif
enum {LCP_OPTION_MRU = 1, LCP_OPTION_ACCM, LCP_OPTION_MAGIC = 5};
struct hdlc_header {
Reported by FlawFinder.
Line: 90
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SCN = 0x200, STR = 0x400, STA = 0x800, SCJ = 0x1000};
#if DEBUG_STATE
static const char *const state_names[STATES] = {
"Closed", "Stopped", "Stopping", "ReqSent", "AckRecv", "AckSent",
"Opened"
};
static const char *const event_names[EVENTS] = {
Reported by FlawFinder.
Line: 95
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"Opened"
};
static const char *const event_names[EVENTS] = {
"Start", "Stop", "TO+", "TO-", "RCR+", "RCR-", "RCA", "RCN",
"RTR", "RTA", "RUC", "RXJ+", "RXJ-"
};
#endif
Reported by FlawFinder.
Line: 242
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ptr = debug_buffer;
*ptr = '\x0';
for (i = 0; i < min_t(unsigned int, magic_len + len, DEBUG_CP); i++) {
sprintf(ptr, " %02X", skb->data[sizeof(struct cp_header) + i]);
ptr += strlen(ptr);
}
printk(KERN_DEBUG "%s: TX %s [%s id 0x%X]%s\n", dev->name,
proto_name(pid), code_names[code], id, debug_buffer);
#endif
Reported by FlawFinder.
Line: 399
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(valid_accm)))
continue;
if (!rej_len) { /* NAK it */
memcpy(out + nak_len, valid_accm,
sizeof(valid_accm));
nak_len += sizeof(valid_accm);
continue;
}
break;
Reported by FlawFinder.
Line: 414
Column: 3
CWE codes:
120
Suggestion:
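Make sure destination can always hold the source data. In this excerpt the copy length opt[1] is a byte read from the option being processed, so the bound on rej_len + opt[1] relative to the size of out has to come from validation outside the lines shown; confirm that such validation exists before treating this finding as benign.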
continue;
}
/* reject this option */
memcpy(out + rej_len, opt, opt[1]);
rej_len += opt[1];
}
if (rej_len)
ppp_cp_event(dev, pid, RCR_BAD, CP_CONF_REJ, id, rej_len, out);
Reported by FlawFinder.
Line: 479
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(debug_buffer, "[%s id 0x%X]", code_names[cp->code],
cp->id);
else
sprintf(debug_buffer, "[code %u id 0x%X]", cp->code, cp->id);
ptr = debug_buffer + strlen(debug_buffer);
for (i = 0; i < min_t(unsigned int, len, DEBUG_CP); i++) {
sprintf(ptr, " %02X", skb->data[i]);
ptr += strlen(ptr);
}
Reported by FlawFinder.
Line: 482
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(debug_buffer, "[code %u id 0x%X]", cp->code, cp->id);
ptr = debug_buffer + strlen(debug_buffer);
for (i = 0; i < min_t(unsigned int, len, DEBUG_CP); i++) {
sprintf(ptr, " %02X", skb->data[i]);
ptr += strlen(ptr);
}
printk(KERN_DEBUG "%s: RX %s %s\n", dev->name, proto_name(pid),
debug_buffer);
#endif
Reported by FlawFinder.
drivers/hid/uhid.c
13 issues
Line: 204
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!uhid->report_running)
goto unlock;
memcpy(&uhid->report_buf, ev, sizeof(*ev));
uhid->report_running = false;
wake_up_interruptible(&uhid->report_wait);
unlock:
spin_unlock_irqrestore(&uhid->qlock, flags);
Reported by FlawFinder.
Line: 247
Column: 3
CWE codes:
120
Suggestion:
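Make sure destination can always hold the source data. In this excerpt the length passed to memcpy is first clamped with min3 to count, req->size and UHID_DATA_MAX, so the copy is bounded as long as buf holds at least count bytes.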
ret = -EIO;
} else {
ret = min3(count, (size_t)req->size, (size_t)UHID_DATA_MAX);
memcpy(buf, req->data, ret);
}
unlock:
mutex_unlock(&uhid->report_lock);
return ret;
Reported by FlawFinder.
Line: 273
Column: 2
CWE codes:
120
Suggestion:
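Make sure destination can always hold the source data. Here count is used both as the recorded size and as the copy length, so it must be limited to the capacity of ev->u.set_report.data before this point; that check is not in the lines shown.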
ev->u.set_report.rnum = rnum;
ev->u.set_report.rtype = rtype;
ev->u.set_report.size = count;
memcpy(ev->u.set_report.data, buf, count);
ret = mutex_lock_interruptible(&uhid->report_lock);
if (ret) {
kfree(ev);
return ret;
Reported by FlawFinder.
Line: 355
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ev->type = UHID_OUTPUT;
ev->u.output.size = count;
ev->u.output.rtype = rtype;
memcpy(ev->u.output.data, buf, count);
spin_lock_irqsave(&uhid->qlock, flags);
uhid_queue(uhid, ev);
spin_unlock_irqrestore(&uhid->qlock, flags);
Reported by FlawFinder.
Line: 431
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Shuffle the data over to proper structure */
event->type = type;
memcpy(event->u.create.name, compat->name,
sizeof(compat->name));
memcpy(event->u.create.phys, compat->phys,
sizeof(compat->phys));
memcpy(event->u.create.uniq, compat->uniq,
sizeof(compat->uniq));
Reported by FlawFinder.
Line: 433
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(event->u.create.name, compat->name,
sizeof(compat->name));
memcpy(event->u.create.phys, compat->phys,
sizeof(compat->phys));
memcpy(event->u.create.uniq, compat->uniq,
sizeof(compat->uniq));
event->u.create.rd_data = compat_ptr(compat->rd_data);
Reported by FlawFinder.
Line: 435
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(compat->name));
memcpy(event->u.create.phys, compat->phys,
sizeof(compat->phys));
memcpy(event->u.create.uniq, compat->uniq,
sizeof(compat->uniq));
event->u.create.rd_data = compat_ptr(compat->rd_data);
event->u.create.rd_size = compat->rd_size;
Reported by FlawFinder.
Line: 544
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (copy_from_user(&ev->u.create2.rd_data, orig.rd_data, orig.rd_size))
return -EFAULT;
memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
ev->u.create2.rd_size = orig.rd_size;
ev->u.create2.bus = orig.bus;
ev->u.create2.vendor = orig.vendor;
Reported by FlawFinder.
Line: 545
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EFAULT;
memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
ev->u.create2.rd_size = orig.rd_size;
ev->u.create2.bus = orig.bus;
ev->u.create2.vendor = orig.vendor;
ev->u.create2.product = orig.product;
Reported by FlawFinder.
Line: 546
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ev->u.create2.name, orig.name, sizeof(orig.name));
memcpy(ev->u.create2.phys, orig.phys, sizeof(orig.phys));
memcpy(ev->u.create2.uniq, orig.uniq, sizeof(orig.uniq));
ev->u.create2.rd_size = orig.rd_size;
ev->u.create2.bus = orig.bus;
ev->u.create2.vendor = orig.vendor;
ev->u.create2.product = orig.product;
ev->u.create2.version = orig.version;
Reported by FlawFinder.
drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
13 issues
Line: 465
Column: 2
CWE codes:
120
Suggestion:
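Consider strcat_s, strlcat, snprintf, or automatically resizing strings. The third argument of strncat limits the number of characters taken from the source, not the size of the destination, and a terminator is written after them; if buf is the 32-byte array from the finding for line 417, the call is safe only when HWRM_FW_VER_STR_LEN is at most 31, and the constant's value is not shown here.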
return rc;
buf[0] = 0;
strncat(buf, ver_resp->active_pkg_name, HWRM_FW_VER_STR_LEN);
rc = bnxt_dl_info_put(bp, req, BNXT_VERSION_RUNNING,
DEVLINK_INFO_VERSION_GENERIC_FW, buf);
if (rc)
return rc;
Reported by FlawFinder.
Line: 535
Column: 2
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
return 0;
buf[0] = 0;
strncat(buf, nvm_dev_info.pkg_name, HWRM_FW_VER_STR_LEN);
rc = bnxt_dl_info_put(bp, req, BNXT_VERSION_STORED,
DEVLINK_INFO_VERSION_GENERIC_FW, buf);
if (rc)
return rc;
Reported by FlawFinder.
Line: 414
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bnxt *bp = bnxt_get_bp_from_dl(dl);
union devlink_param_value nvm_cfg_ver;
struct hwrm_ver_get_output *ver_resp;
char mgmt_ver[FW_VER_STR_LEN];
char roce_ver[FW_VER_STR_LEN];
char ncsi_ver[FW_VER_STR_LEN];
char buf[32];
int rc;
Reported by FlawFinder.
Line: 415
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union devlink_param_value nvm_cfg_ver;
struct hwrm_ver_get_output *ver_resp;
char mgmt_ver[FW_VER_STR_LEN];
char roce_ver[FW_VER_STR_LEN];
char ncsi_ver[FW_VER_STR_LEN];
char buf[32];
int rc;
rc = devlink_info_driver_name_put(req, DRV_MODULE_NAME);
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hwrm_ver_get_output *ver_resp;
char mgmt_ver[FW_VER_STR_LEN];
char roce_ver[FW_VER_STR_LEN];
char ncsi_ver[FW_VER_STR_LEN];
char buf[32];
int rc;
rc = devlink_info_driver_name_put(req, DRV_MODULE_NAME);
if (rc)
Reported by FlawFinder.
Line: 417
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char mgmt_ver[FW_VER_STR_LEN];
char roce_ver[FW_VER_STR_LEN];
char ncsi_ver[FW_VER_STR_LEN];
char buf[32];
int rc;
rc = devlink_info_driver_name_put(req, DRV_MODULE_NAME);
if (rc)
return rc;
Reported by FlawFinder.
Line: 425
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return rc;
if (BNXT_PF(bp) && (bp->flags & BNXT_FLAG_DSN_VALID)) {
sprintf(buf, "%02X-%02X-%02X-%02X-%02X-%02X-%02X-%02X",
bp->dsn[7], bp->dsn[6], bp->dsn[5], bp->dsn[4],
bp->dsn[3], bp->dsn[2], bp->dsn[1], bp->dsn[0]);
rc = devlink_info_serial_number_put(req, buf);
if (rc)
return rc;
Reported by FlawFinder.
Line: 445
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (rc)
return rc;
sprintf(buf, "%X", bp->chip_num);
rc = bnxt_dl_info_put(bp, req, BNXT_VERSION_FIXED,
DEVLINK_INFO_VERSION_GENERIC_ASIC_ID, buf);
if (rc)
return rc;
Reported by FlawFinder.
Line: 452
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return rc;
ver_resp = &bp->ver_resp;
sprintf(buf, "%X", ver_resp->chip_rev);
rc = bnxt_dl_info_put(bp, req, BNXT_VERSION_FIXED,
DEVLINK_INFO_VERSION_GENERIC_ASIC_REV, buf);
if (rc)
return rc;
Reported by FlawFinder.
Line: 474
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (BNXT_PF(bp) && !bnxt_hwrm_get_nvm_cfg_ver(bp, &nvm_cfg_ver)) {
u32 ver = nvm_cfg_ver.vu32;
sprintf(buf, "%d.%d.%d", (ver >> 16) & 0xf, (ver >> 8) & 0xf,
ver & 0xf);
rc = bnxt_dl_info_put(bp, req, BNXT_VERSION_STORED,
DEVLINK_INFO_VERSION_GENERIC_FW_PSID,
buf);
if (rc)
Reported by FlawFinder.
scripts/kconfig/conf.c
13 issues
Line: 111
CWE codes:
908
seed = (now.tv_sec + 1) * (now.tv_usec + 1);
}
printf("KCONFIG_SEED=0x%X\n", seed);
srand(seed);
}
static bool randomize_choice_values(struct symbol *csym)
{
Reported by Cppcheck.
Line: 112
CWE codes:
908
}
printf("KCONFIG_SEED=0x%X\n", seed);
srand(seed);
}
static bool randomize_choice_values(struct symbol *csym)
{
struct property *prop;
Reported by Cppcheck.
Line: 91
Column: 8
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
char *env;
bool seed_set = false;
env = getenv("KCONFIG_SEED");
if (env && *env) {
char *endp;
seed = strtol(env, &endp, 0);
if (*endp == '\0')
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
327
Suggestion:
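Use a more secure technique for acquiring random values. This matters when the values protect something; in this excerpt the seed is printed as KCONFIG_SEED and, per the finding for line 91, can be supplied through the environment, which suggests the generator is used for reproducible output rather than for secrets (confirm before changing it).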
}
printf("KCONFIG_SEED=0x%X\n", seed);
srand(seed);
}
static bool randomize_choice_values(struct symbol *csym)
{
struct property *prop;
Reported by FlawFinder.
Line: 187
Column: 15
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if (mode == def_random) {
int n, p[3];
char *env = getenv("KCONFIG_PROBABILITY");
n = 0;
while (env && *env) {
char *endp;
int tmp = strtol(env, &endp, 10);
Reported by FlawFinder.
Line: 739
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
tty_stdio = isatty(0) && isatty(1);
while ((opt = getopt_long(ac, av, "hs", long_opts, NULL)) != -1) {
switch (opt) {
case 'h':
conf_usage(progname);
exit(1);
break;
Reported by FlawFinder.
Line: 809
Column: 10
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
case allmodconfig:
case alldefconfig:
case randconfig:
name = getenv("KCONFIG_ALLCONFIG");
if (!name)
break;
if ((strcmp(name, "") != 0) && (strcmp(name, "1") != 0)) {
if (conf_read_simple(name, S_DEF_USER)) {
fprintf(stderr,
Reported by FlawFinder.
Line: 842
Column: 10
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
}
if (sync_kconfig) {
name = getenv("KCONFIG_NOSILENTUPDATE");
if (name && *name) {
if (conf_get_changed()) {
fprintf(stderr,
"\n*** The configuration requires explicit update.\n\n");
return 1;
Reported by FlawFinder.
Line: 45
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tty_stdio;
static int sync_kconfig;
static int conf_cnt;
static char line[PATH_MAX];
static struct menu *rootEntry;
static void print_help(struct menu *menu)
{
struct gstr help = str_new();
Reported by FlawFinder.
Line: 536
Column: 11
CWE codes:
190
Suggestion:
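If the source is untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into a negative number; consider saving to an unsigned value if that is intended). atoi() reports neither overflow nor trailing non-digits, and the excerpt checks only the first character with isdigit(); strtol() with end-pointer, errno and explicit range checks covers both.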
if (!line[0])
cnt = def;
else if (isdigit(line[0]))
cnt = atoi(line);
else
continue;
break;
default:
break;
Reported by FlawFinder.
fs/f2fs/namei.c
13 issues
Line: 255
Column: 3
CWE codes:
120
Suggestion:
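Make sure destination can always hold the source data. Separately, source and destination here are adjacent rows of the same array, so the two ranges overlap whenever more than one row is moved; memcpy() is not defined for overlapping ranges, and memmove() is the call meant for this.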
if (set)
return -EINVAL;
memcpy(extlist[i], extlist[i + 1],
F2FS_EXTENSION_LEN * (total_count - i - 1));
memset(extlist[total_count - 1], 0, F2FS_EXTENSION_LEN);
if (hot)
sbi->raw_super->hot_ext_count = hot_count - 1;
else
Reported by FlawFinder.
Line: 270
Column: 3
CWE codes:
120
Suggestion:
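Make sure destination can always hold the source data. The copy length is strlen(name) with no bound visible in this excerpt, while the rows appear to be F2FS_EXTENSION_LEN bytes (see the buf declaration below); confirm that the caller rejects names of F2FS_EXTENSION_LEN bytes or more and that count stays below the table's row count.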
return -EINVAL;
if (hot) {
memcpy(extlist[count], name, strlen(name));
sbi->raw_super->hot_ext_count = hot_count + 1;
} else {
char buf[F2FS_MAX_EXTENSION][F2FS_EXTENSION_LEN];
memcpy(buf, &extlist[cold_count],
Reported by FlawFinder.
Line: 273
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
memcpy(extlist[count], name, strlen(name));
sbi->raw_super->hot_ext_count = hot_count + 1;
} else {
char buf[F2FS_MAX_EXTENSION][F2FS_EXTENSION_LEN];
memcpy(buf, &extlist[cold_count],
F2FS_EXTENSION_LEN * hot_count);
memset(extlist[cold_count], 0, F2FS_EXTENSION_LEN);
memcpy(extlist[cold_count], name, strlen(name));
Reported by FlawFinder.
Line: 275
Column: 3
CWE codes:
120
Suggestion:
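Make sure destination can always hold the source data. buf holds F2FS_MAX_EXTENSION rows, so this copy stays in bounds only while hot_count does not exceed F2FS_MAX_EXTENSION; where hot_count comes from is outside the excerpt, and if it is read from the on-disk superblock, confirm it is range-checked before this point.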
} else {
char buf[F2FS_MAX_EXTENSION][F2FS_EXTENSION_LEN];
memcpy(buf, &extlist[cold_count],
F2FS_EXTENSION_LEN * hot_count);
memset(extlist[cold_count], 0, F2FS_EXTENSION_LEN);
memcpy(extlist[cold_count], name, strlen(name));
memcpy(&extlist[cold_count + 1], buf,
F2FS_EXTENSION_LEN * hot_count);
Reported by FlawFinder.
Line: 278
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf, &extlist[cold_count],
F2FS_EXTENSION_LEN * hot_count);
memset(extlist[cold_count], 0, F2FS_EXTENSION_LEN);
memcpy(extlist[cold_count], name, strlen(name));
memcpy(&extlist[cold_count + 1], buf,
F2FS_EXTENSION_LEN * hot_count);
sbi->raw_super->extension_count = cpu_to_le32(cold_count + 1);
}
return 0;
Reported by FlawFinder.
Line: 279
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
F2FS_EXTENSION_LEN * hot_count);
memset(extlist[cold_count], 0, F2FS_EXTENSION_LEN);
memcpy(extlist[cold_count], name, strlen(name));
memcpy(&extlist[cold_count + 1], buf,
F2FS_EXTENSION_LEN * hot_count);
sbi->raw_super->extension_count = cpu_to_le32(cold_count + 1);
}
return 0;
}
Reported by FlawFinder.
Line: 290
Column: 11
CWE codes:
119
120
Suggestion:
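Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The declarations at this column appear to be pointers to F2FS_EXTENSION_LEN-byte rows initialised from existing tables, not new buffers; what needs bounding is the row index used with them (ext_cnt and noext_cnt in this excerpt).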
const unsigned char *name)
{
__u8 (*extlist)[F2FS_EXTENSION_LEN] = sbi->raw_super->extension_list;
unsigned char (*noext)[F2FS_EXTENSION_LEN] = F2FS_OPTION(sbi).noextensions;
unsigned char (*ext)[F2FS_EXTENSION_LEN] = F2FS_OPTION(sbi).extensions;
unsigned char ext_cnt = F2FS_OPTION(sbi).compress_ext_cnt;
unsigned char noext_cnt = F2FS_OPTION(sbi).nocompress_ext_cnt;
int i, cold_count, hot_count;
Reported by FlawFinder.
Line: 291
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
__u8 (*extlist)[F2FS_EXTENSION_LEN] = sbi->raw_super->extension_list;
unsigned char (*noext)[F2FS_EXTENSION_LEN] = F2FS_OPTION(sbi).noextensions;
unsigned char (*ext)[F2FS_EXTENSION_LEN] = F2FS_OPTION(sbi).extensions;
unsigned char ext_cnt = F2FS_OPTION(sbi).compress_ext_cnt;
unsigned char noext_cnt = F2FS_OPTION(sbi).nocompress_ext_cnt;
int i, cold_count, hot_count;
if (!f2fs_sb_has_compression(sbi) ||
Reported by FlawFinder.
Line: 159
Column: 16
CWE codes:
126
static inline int is_extension_exist(const unsigned char *s, const char *sub,
bool tmp_ext)
{
size_t slen = strlen(s);
size_t sublen = strlen(sub);
int i;
if (sublen == 1 && *sub == '*')
return 1;
Reported by FlawFinder.
Line: 160
Column: 18
CWE codes:
126
bool tmp_ext)
{
size_t slen = strlen(s);
size_t sublen = strlen(sub);
int i;
if (sublen == 1 && *sub == '*')
return 1;
Reported by FlawFinder.