The following issues were found
tools/testing/selftests/vm/userfaultfd.c
9 issues
Line: 148
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define _err(fmt, ...) \
do { \
int ret = errno; \
fprintf(stderr, "ERROR: " fmt, ##__VA_ARGS__); \
fprintf(stderr, " (errno=%d, line=%d)\n", \
ret, __LINE__); \
} while (0)
#define err(fmt, ...) \
Reported by FlawFinder.
Line: 508
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long page_nr = *(&(page_nr)); /* uninitialized warning */
int32_t rand_nr;
unsigned long long count;
char randstate[64];
unsigned int seed;
if (bounces & BOUNCE_RANDOM) {
seed = (unsigned int) time(NULL) - bounces;
if (!(bounces & BOUNCE_RACINGFAULTS))
Reported by FlawFinder.
Line: 1284
Column: 11
CWE codes:
362
static int pagemap_open(void)
{
int fd = open("/proc/self/pagemap", O_RDONLY);
if (fd < 0)
err("open pagemap");
return fd;
Reported by FlawFinder.
Line: 1564
Column: 12
CWE codes:
362
unsigned long hps = 0;
char *line = NULL;
size_t linelen = 0;
FILE *f = fopen("/proc/meminfo", "r");
if (!f)
return 0;
while (getline(&line, &linelen, f) > 0) {
if (sscanf(line, "Hugepagesize: %lu kB", &hps) == 1) {
Reported by FlawFinder.
Line: 1638
Column: 21
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
set_test_type(argv[1]);
nr_cpus = sysconf(_SC_NPROCESSORS_ONLN);
nr_pages_per_cpu = atol(argv[2]) * 1024*1024 / page_size /
nr_cpus;
if (!nr_pages_per_cpu) {
_err("invalid MiB");
usage();
}
Reported by FlawFinder.
Line: 1645
Column: 12
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
usage();
}
bounces = atoi(argv[3]);
if (bounces <= 0) {
_err("invalid bounces");
usage();
}
nr_pages = nr_pages_per_cpu * nr_cpus;
Reported by FlawFinder.
Line: 1655
Column: 13
CWE codes:
362
if (test_type == TEST_HUGETLB) {
if (argc < 5)
usage();
huge_fd = open(argv[4], O_CREAT | O_RDWR, 0755);
if (huge_fd < 0)
err("Open of %s failed", argv[4]);
if (ftruncate(huge_fd, 0))
err("ftruncate %s to size 0 failed", argv[4]);
} else if (test_type == TEST_SHMEM) {
Reported by FlawFinder.
Line: 612
Column: 12
CWE codes:
120
20
static int uffd_read_msg(int ufd, struct uffd_msg *msg)
{
int ret = read(uffd, msg, sizeof(*msg));
if (ret != sizeof(*msg)) {
if (ret < 0) {
if (errno == EAGAIN)
return 1;
Reported by FlawFinder.
Line: 695
Column: 8
CWE codes:
120
20
if (ret <= 0)
err("poll error: %d", ret);
if (pollfd[1].revents & POLLIN) {
if (read(pollfd[1].fd, &tmp_chr, 1) != 1)
err("read pipefd error");
break;
}
if (!(pollfd[0].revents & POLLIN))
err("pollfd[0].revents %d", pollfd[0].revents);
Reported by FlawFinder.
tools/virtio/vringh_test.c
9 issues
Line: 146
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long xfers = 0, notifies = 0, receives = 0;
unsigned int first_cpu, last_cpu;
cpu_set_t cpu_set;
char buf[128];
/* Create real file to mmap. */
fd = open("/tmp/vringh_test-file", O_RDWR|O_CREAT|O_TRUNC, 0600);
if (fd < 0)
err(1, "Opening /tmp/vringh_test-file");
Reported by FlawFinder.
Line: 149
Column: 7
CWE codes:
362
char buf[128];
/* Create real file to mmap. */
fd = open("/tmp/vringh_test-file", O_RDWR|O_CREAT|O_TRUNC, 0600);
if (fd < 0)
err(1, "Opening /tmp/vringh_test-file");
/* Extra room at the end for some data, and indirects */
mapsize = vring_size(RINGSIZE, ALIGN)
Reported by FlawFinder.
Line: 175
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (fork() != 0) {
struct vringh vrh;
int status, err, rlen = 0;
char rbuf[5];
/* We are the host: never access guest addresses! */
munmap(guest_map, mapsize);
__user_addr_min = host_map;
Reported by FlawFinder.
Line: 447
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iovec host_riov[2], host_wiov[2];
struct vringh_iov riov, wiov;
struct vring_used_elem used[RINGSIZE];
char buf[28];
u16 head;
int err;
unsigned i;
void *ret;
bool (*getrange)(struct vringh *vrh, u64 addr, struct vringh_range *r);
Reported by FlawFinder.
Line: 502
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
errx(1, "vringh_getdesc_user: %i", err);
/* Guest puts in a descriptor. */
memcpy(__user_addr_max - 1, "a", 1);
sg_init_table(guest_sg, 1);
sg_set_buf(&guest_sg[0], __user_addr_max - 1, 1);
sg_init_table(guest_sg+1, 1);
sg_set_buf(&guest_sg[1], __user_addr_max - 3, 2);
sgs[0] = &guest_sg[0];
Reported by FlawFinder.
Line: 547
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
assert(riov.i == 1);
assert(vringh_iov_pull_user(&riov, buf, 5) == 0);
memcpy(buf, "bcdef", 5);
err = vringh_iov_push_user(&wiov, buf, 5);
if (err != 2)
errx(1, "vringh_iov_push_user: %i", err);
assert(memcmp(__user_addr_max - 3, "bc", 2) == 0);
assert(wiov.i == wiov.used);
Reported by FlawFinder.
Line: 391
Column: 9
CWE codes:
120
20
if (!virtqueue_enable_cb_delayed(vq))
continue;
/* Swallow all notifies at once. */
if (read(to_guest[0], buf, sizeof(buf)) < 1)
break;
receives++;
virtqueue_disable_cb(vq);
continue;
Reported by FlawFinder.
tools/usb/usbip/src/usbip_list.c
9 issues
Line: 344
Column: 9
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
err("failed to open %s", USBIDS_FILE);
for (;;) {
opt = getopt_long(argc, argv, "pr:ld", opts, NULL);
if (opt == -1)
break;
switch (opt) {
Reported by FlawFinder.
Line: 46
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int get_exported_devices(char *host, int sockfd)
{
char product_name[100];
char class_name[100];
struct op_devlist_reply reply;
uint16_t code = OP_REP_DEVLIST;
struct usbip_usb_device udev;
struct usbip_usb_interface uintf;
Reported by FlawFinder.
Line: 47
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int get_exported_devices(char *host, int sockfd)
{
char product_name[100];
char class_name[100];
struct op_devlist_reply reply;
uint16_t code = OP_REP_DEVLIST;
struct usbip_usb_device udev;
struct usbip_usb_interface uintf;
unsigned int i;
Reported by FlawFinder.
Line: 179
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *bConfValue;
const char *bNumIntfs;
const char *busid;
char product_name[128];
int ret = -1;
const char *devpath;
/* Create libudev context. */
udev = udev_new();
Reported by FlawFinder.
Line: 261
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct usb_device_descriptor *d_desc;
const char *descriptors;
char product_name[128];
uint16_t idVendor;
char idVendor_buf[8];
uint16_t idProduct;
char idProduct_buf[8];
Reported by FlawFinder.
Line: 264
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char product_name[128];
uint16_t idVendor;
char idVendor_buf[8];
uint16_t idProduct;
char idProduct_buf[8];
const char *busid;
udev = udev_new();
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint16_t idVendor;
char idVendor_buf[8];
uint16_t idProduct;
char idProduct_buf[8];
const char *busid;
udev = udev_new();
enumerate = udev_enumerate_new(udev);
Reported by FlawFinder.
Line: 299
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
d_desc = (const struct usb_device_descriptor *) descriptors;
idVendor = le16toh(d_desc->idVendor);
sprintf(idVendor_buf, "0x%4x", idVendor);
idProduct = le16toh(d_desc->idProduct);
sprintf(idProduct_buf, "0x%4x", idVendor);
busid = udev_device_get_sysname(dev);
/* Get product name. */
Reported by FlawFinder.
Line: 301
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
idVendor = le16toh(d_desc->idVendor);
sprintf(idVendor_buf, "0x%4x", idVendor);
idProduct = le16toh(d_desc->idProduct);
sprintf(idProduct_buf, "0x%4x", idVendor);
busid = udev_device_get_sysname(dev);
/* Get product name. */
usbip_names_get_product(product_name, sizeof(product_name),
le16toh(idVendor),
Reported by FlawFinder.
net/mac80211/ht.c
9 issues
Line: 248
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
apply:
changed = memcmp(&sta->sta.ht_cap, &ht_cap, sizeof(ht_cap));
memcpy(&sta->sta.ht_cap, &ht_cap, sizeof(ht_cap));
switch (sdata->vif.bss_conf.chandef.width) {
default:
WARN_ON_ONCE(1);
fallthrough;
Reported by FlawFinder.
Line: 429
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_reserve(skb, local->hw.extra_tx_headroom);
mgmt = skb_put_zero(skb, 24);
memcpy(mgmt->da, da, ETH_ALEN);
memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
if (sdata->vif.type == NL80211_IFTYPE_AP ||
sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN);
Reported by FlawFinder.
Line: 430
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_reserve(skb, local->hw.extra_tx_headroom);
mgmt = skb_put_zero(skb, 24);
memcpy(mgmt->da, da, ETH_ALEN);
memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
if (sdata->vif.type == NL80211_IFTYPE_AP ||
sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN);
else if (sdata->vif.type == NL80211_IFTYPE_STATION)
Reported by FlawFinder.
Line: 434
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sdata->vif.type == NL80211_IFTYPE_AP ||
sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN);
else if (sdata->vif.type == NL80211_IFTYPE_STATION)
memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN);
else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
memcpy(mgmt->bssid, sdata->u.ibss.bssid, ETH_ALEN);
Reported by FlawFinder.
Line: 436
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN);
else if (sdata->vif.type == NL80211_IFTYPE_STATION)
memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN);
else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
memcpy(mgmt->bssid, sdata->u.ibss.bssid, ETH_ALEN);
mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
IEEE80211_STYPE_ACTION);
Reported by FlawFinder.
Line: 438
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (sdata->vif.type == NL80211_IFTYPE_STATION)
memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN);
else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
memcpy(mgmt->bssid, sdata->u.ibss.bssid, ETH_ALEN);
mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
IEEE80211_STYPE_ACTION);
skb_put(skb, 1 + sizeof(mgmt->u.action.u.delba));
Reported by FlawFinder.
Line: 509
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_reserve(skb, local->hw.extra_tx_headroom);
action_frame = skb_put(skb, 27);
memcpy(action_frame->da, da, ETH_ALEN);
memcpy(action_frame->sa, sdata->dev->dev_addr, ETH_ALEN);
memcpy(action_frame->bssid, bssid, ETH_ALEN);
action_frame->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
IEEE80211_STYPE_ACTION);
action_frame->u.action.category = WLAN_CATEGORY_HT;
Reported by FlawFinder.
Line: 510
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_reserve(skb, local->hw.extra_tx_headroom);
action_frame = skb_put(skb, 27);
memcpy(action_frame->da, da, ETH_ALEN);
memcpy(action_frame->sa, sdata->dev->dev_addr, ETH_ALEN);
memcpy(action_frame->bssid, bssid, ETH_ALEN);
action_frame->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
IEEE80211_STYPE_ACTION);
action_frame->u.action.category = WLAN_CATEGORY_HT;
action_frame->u.action.u.ht_smps.action = WLAN_HT_ACTION_SMPS;
Reported by FlawFinder.
Line: 511
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
action_frame = skb_put(skb, 27);
memcpy(action_frame->da, da, ETH_ALEN);
memcpy(action_frame->sa, sdata->dev->dev_addr, ETH_ALEN);
memcpy(action_frame->bssid, bssid, ETH_ALEN);
action_frame->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
IEEE80211_STYPE_ACTION);
action_frame->u.action.category = WLAN_CATEGORY_HT;
action_frame->u.action.u.ht_smps.action = WLAN_HT_ACTION_SMPS;
switch (smps) {
Reported by FlawFinder.
net/mac80211/debugfs_sta.c
9 issues
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t sta_flags_read(struct file *file, char __user *userbuf,
size_t count, loff_t *ppos)
{
char buf[16 * NUM_WLAN_STA_FLAGS], *pos = buf;
char *end = buf + sizeof(buf) - 1;
struct sta_info *sta = file->private_data;
unsigned int flg;
BUILD_BUG_ON(ARRAY_SIZE(sta_flag_names) != NUM_WLAN_STA_FLAGS);
Reported by FlawFinder.
Line: 111
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct sta_info *sta = file->private_data;
char buf[17*IEEE80211_NUM_ACS], *p = buf;
int ac;
for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
p += scnprintf(p, sizeof(buf)+buf-p, "AC%d: %d\n", ac,
skb_queue_len(&sta->ps_tx_buf[ac]) +
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t sta_last_seq_ctrl_read(struct file *file, char __user *userbuf,
size_t count, loff_t *ppos)
{
char buf[15*IEEE80211_NUM_TIDS], *p = buf;
int i;
struct sta_info *sta = file->private_data;
for (i = 0; i < IEEE80211_NUM_TIDS; i++)
p += scnprintf(p, sizeof(buf)+buf-p, "%x ",
le16_to_cpu(sta->last_seq_ctrl[i]));
Reported by FlawFinder.
Line: 290
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct sta_info *sta = file->private_data;
u32 ac, q_limit_l, q_limit_h;
char _buf[100] = {}, *buf = _buf;
if (count > sizeof(_buf))
return -EINVAL;
if (copy_from_user(buf, userbuf, count))
Reported by FlawFinder.
Line: 317
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t sta_agg_status_read(struct file *file, char __user *userbuf,
size_t count, loff_t *ppos)
{
char buf[71 + IEEE80211_NUM_TIDS * 40], *p = buf;
int i;
struct sta_info *sta = file->private_data;
struct tid_ampdu_rx *tid_rx;
struct tid_ampdu_tx *tid_tx;
Reported by FlawFinder.
Line: 361
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t sta_agg_status_write(struct file *file, const char __user *userbuf,
size_t count, loff_t *ppos)
{
char _buf[25] = {}, *buf = _buf;
struct sta_info *sta = file->private_data;
bool start, tx;
unsigned long tid;
char *pos;
int ret, timeout = 5000;
Reported by FlawFinder.
Line: 437
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (_cond) \
p += scnprintf(p, sizeof(buf)+buf-p, "\t" _str "\n"); \
} while (0)
char buf[512], *p = buf;
int i;
struct sta_info *sta = file->private_data;
struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
Reported by FlawFinder.
Line: 514
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t sta_vht_capa_read(struct file *file, char __user *userbuf,
size_t count, loff_t *ppos)
{
char buf[512], *p = buf;
struct sta_info *sta = file->private_data;
struct ieee80211_sta_vht_cap *vhtc = &sta->sta.vht_cap;
p += scnprintf(p, sizeof(buf) + buf - p, "VHT %ssupported\n",
vhtc->vht_supported ? "" : "not ");
Reported by FlawFinder.
Line: 102
Column: 60
CWE codes:
126
sta_flag_names[flg]);
}
return simple_read_from_buffer(userbuf, count, ppos, buf, strlen(buf));
}
STA_OPS(flags);
static ssize_t sta_num_ps_buf_frames_read(struct file *file,
char __user *userbuf,
Reported by FlawFinder.
net/ipv4/netfilter/ipt_CLUSTERIP.c
9 issues
Line: 597
CWE codes:
786
hbuffer[k++] = hex_asc_lo(payload->src_hw[j]);
hbuffer[k++] = ':';
}
hbuffer[--k] = '\0';
pr_debug("src %pI4@%s, dst %pI4\n",
&payload->src_ip, hbuffer, &payload->dst_ip);
}
#endif
Reported by Cppcheck.
Line: 252
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return ERR_PTR(-ENOENT);
}
c->ifindex = dev->ifindex;
strcpy(c->ifname, dev->name);
memcpy(&c->clustermac, &i->clustermac, ETH_ALEN);
dev_mc_add(dev, c->clustermac);
dev_put(dev);
c->clusterip = ip;
Reported by FlawFinder.
Line: 57
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u_int32_t hash_initval; /* hash initialization */
struct rcu_head rcu; /* for call_rcu */
struct net *net; /* netns for pernet list */
char ifname[IFNAMSIZ]; /* device ifname */
};
#ifdef CONFIG_PROC_FS
static const struct proc_ops clusterip_proc_ops;
#endif
Reported by FlawFinder.
Line: 253
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
c->ifindex = dev->ifindex;
strcpy(c->ifname, dev->name);
memcpy(&c->clustermac, &i->clustermac, ETH_ALEN);
dev_mc_add(dev, c->clustermac);
dev_put(dev);
c->clusterip = ip;
c->num_total_nodes = i->num_total_nodes;
Reported by FlawFinder.
Line: 276
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_PROC_FS
{
char buffer[16];
/* create proc dir entry */
sprintf(buffer, "%pI4", &ip);
mutex_lock(&cn->mutex);
c->pde = proc_create_data(buffer, 0600,
Reported by FlawFinder.
Line: 279
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buffer[16];
/* create proc dir entry */
sprintf(buffer, "%pI4", &ip);
mutex_lock(&cn->mutex);
c->pde = proc_create_data(buffer, 0600,
cn->procdir,
&clusterip_proc_ops, c);
mutex_unlock(&cn->mutex);
Reported by FlawFinder.
Line: 589
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void arp_print(struct arp_payload *payload)
{
#define HBUFFERLEN 30
char hbuffer[HBUFFERLEN];
int j, k;
for (k = 0, j = 0; k < HBUFFERLEN - 3 && j < ETH_ALEN; j++) {
hbuffer[k++] = hex_asc_hi(payload->src_hw[j]);
hbuffer[k++] = hex_asc_lo(payload->src_hw[j]);
Reported by FlawFinder.
Line: 645
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* mangle reply hardware address */
memcpy(payload->src_hw, c->clustermac, arp->ar_hln);
#ifdef DEBUG
pr_debug("mangled arp reply: ");
arp_print(payload);
#endif
Reported by FlawFinder.
Line: 779
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct clusterip_config *c = PDE_DATA(file_inode(file));
#define PROC_WRITELEN 10
char buffer[PROC_WRITELEN+1];
unsigned long nodenum;
int rc;
if (size > PROC_WRITELEN)
return -EIO;
Reported by FlawFinder.
kernel/cgroup/cgroup.c
9 issues
Line: 2725
spin_lock_irq(&css_set_lock);
rcu_read_lock();
task = leader;
do {
cgroup_migrate_add_task(task, mgctx);
if (!threadgroup)
break;
} while_each_thread(leader, task);
rcu_read_unlock();
Reported by Cppcheck.
Line: 89
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
DEFINE_SPINLOCK(trace_cgroup_path_lock);
char trace_cgroup_path[TRACE_CGROUP_PATH_LEN];
bool cgroup_debug __read_mostly;
/*
* Protects cgroup_idr and css_idr so that IDs can be released without
* grabbing cgroup_mutex.
Reported by FlawFinder.
Line: 220
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
OPT_FEATURE_COUNT
};
static const char *cgroup_opt_feature_names[OPT_FEATURE_COUNT] = {
#ifdef CONFIG_PSI
"pressure",
#endif
};
Reported by FlawFinder.
Line: 1633
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void cgroup_rm_file(struct cgroup *cgrp, const struct cftype *cft)
{
char name[CGROUP_FILE_NAME_MAX];
lockdep_assert_held(&cgroup_mutex);
if (cft->file_offset) {
struct cgroup_subsys_state *css = cgroup_css(cgrp, cft->ss);
Reported by FlawFinder.
Line: 3777
Column: 11
CWE codes:
362
{
struct cftype *cft = of_cft(of);
if (cft->open)
return cft->open(of);
return 0;
}
static void cgroup_file_release(struct kernfs_open_file *of)
Reported by FlawFinder.
Line: 3778
Column: 15
CWE codes:
362
struct cftype *cft = of_cft(of);
if (cft->open)
return cft->open(of);
return 0;
}
static void cgroup_file_release(struct kernfs_open_file *of)
{
Reported by FlawFinder.
Line: 3930
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cgroup_add_file(struct cgroup_subsys_state *css, struct cgroup *cgrp,
struct cftype *cft)
{
char name[CGROUP_FILE_NAME_MAX];
struct kernfs_node *kn;
struct lock_class_key *key = NULL;
int ret;
#ifdef CONFIG_DEBUG_LOCK_ALLOC
Reported by FlawFinder.
Line: 5739
Column: 8
CWE codes:
126
"invalid cgroup_subsys %d:%s css_alloc=%p css_free=%p id:name=%d:%s\n",
i, cgroup_subsys_name[i], ss->css_alloc, ss->css_free,
ss->id, ss->name);
WARN(strlen(cgroup_subsys_name[i]) > MAX_CGROUP_TYPE_NAMELEN,
"cgroup_subsys_name %s too long\n", cgroup_subsys_name[i]);
ss->id = i;
ss->name = cgroup_subsys_name[i];
if (!ss->legacy_name)
Reported by FlawFinder.
Line: 5948
Column: 7
CWE codes:
126
if (root->subsys_mask & (1 << ssid))
seq_printf(m, "%s%s", count++ ? "," : "",
ss->legacy_name);
if (strlen(root->name))
seq_printf(m, "%sname=%s", count ? "," : "",
root->name);
seq_putc(m, ':');
cgrp = task_cgroup_from_root(tsk, root);
Reported by FlawFinder.
include/uapi/linux/gpio.h
9 issues
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @lines: number of GPIO lines on this chip
*/
struct gpiochip_info {
char name[GPIO_MAX_NAME_SIZE];
char label[GPIO_MAX_NAME_SIZE];
__u32 lines;
};
/*
Reported by FlawFinder.
Line: 34
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct gpiochip_info {
char name[GPIO_MAX_NAME_SIZE];
char label[GPIO_MAX_NAME_SIZE];
__u32 lines;
};
/*
* Maximum number of requested lines.
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct gpio_v2_line_request {
__u32 offsets[GPIO_V2_LINES_MAX];
char consumer[GPIO_MAX_NAME_SIZE];
struct gpio_v2_line_config config;
__u32 num_lines;
__u32 event_buffer_size;
/* Pad to fill implicit padding and reserve space for future use. */
__u32 padding[5];
Reported by FlawFinder.
Line: 222
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @padding: reserved for future use
*/
struct gpio_v2_line_info {
char name[GPIO_MAX_NAME_SIZE];
char consumer[GPIO_MAX_NAME_SIZE];
__u32 offset;
__u32 num_attrs;
__aligned_u64 flags;
struct gpio_v2_line_attribute attrs[GPIO_V2_LINE_NUM_ATTRS_MAX];
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct gpio_v2_line_info {
char name[GPIO_MAX_NAME_SIZE];
char consumer[GPIO_MAX_NAME_SIZE];
__u32 offset;
__u32 num_attrs;
__aligned_u64 flags;
struct gpio_v2_line_attribute attrs[GPIO_V2_LINE_NUM_ATTRS_MAX];
/* Space reserved for future use. */
Reported by FlawFinder.
Line: 335
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gpioline_info {
__u32 line_offset;
__u32 flags;
char name[GPIO_MAX_NAME_SIZE];
char consumer[GPIO_MAX_NAME_SIZE];
};
/* Maximum number of requested handles */
#define GPIOHANDLES_MAX 64
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 line_offset;
__u32 flags;
char name[GPIO_MAX_NAME_SIZE];
char consumer[GPIO_MAX_NAME_SIZE];
};
/* Maximum number of requested handles */
#define GPIOHANDLES_MAX 64
Reported by FlawFinder.
Line: 413
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 lineoffsets[GPIOHANDLES_MAX];
__u32 flags;
__u8 default_values[GPIOHANDLES_MAX];
char consumer_label[GPIO_MAX_NAME_SIZE];
__u32 lines;
int fd;
};
/**
Reported by FlawFinder.
Line: 476
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 lineoffset;
__u32 handleflags;
__u32 eventflags;
char consumer_label[GPIO_MAX_NAME_SIZE];
int fd;
};
/*
* GPIO event types
Reported by FlawFinder.
mm/shmem.c
9 issues
Line: 1442
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#if defined(CONFIG_NUMA) && defined(CONFIG_TMPFS)
static void shmem_show_mpol(struct seq_file *seq, struct mempolicy *mpol)
{
char buffer[64];
if (!mpol || mpol->mode == MPOL_DEFAULT)
return; /* show nothing */
mpol_to_str(buffer, sizeof(buffer), mpol);
Reported by FlawFinder.
Line: 3078
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
inode->i_mapping->a_ops = &shmem_aops;
inode->i_op = &shmem_symlink_inode_operations;
memcpy(page_address(page), symname, len);
SetPageUptodate(page);
set_page_dirty(page);
unlock_page(page);
put_page(page);
}
Reported by FlawFinder.
Line: 3154
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(new_xattr->name, XATTR_SECURITY_PREFIX,
XATTR_SECURITY_PREFIX_LEN);
memcpy(new_xattr->name + XATTR_SECURITY_PREFIX_LEN,
xattr->name, len);
simple_xattr_list_add(&info->xattrs, new_xattr);
Reported by FlawFinder.
Line: 3156
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(new_xattr->name, XATTR_SECURITY_PREFIX,
XATTR_SECURITY_PREFIX_LEN);
memcpy(new_xattr->name + XATTR_SECURITY_PREFIX_LEN,
xattr->name, len);
simple_xattr_list_add(&info->xattrs, new_xattr);
}
Reported by FlawFinder.
Line: 3952
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t shmem_enabled_store(struct kobject *kobj,
struct kobj_attribute *attr, const char *buf, size_t count)
{
char tmp[16];
int huge;
if (count + 1 > sizeof(tmp))
return -EINVAL;
memcpy(tmp, buf, count);
Reported by FlawFinder.
Line: 3957
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (count + 1 > sizeof(tmp))
return -EINVAL;
memcpy(tmp, buf, count);
tmp[count] = '\0';
if (count && tmp[count - 1] == '\n')
tmp[count - 1] = '\0';
huge = shmem_parse_huge(tmp);
Reported by FlawFinder.
Line: 3045
Column: 8
CWE codes:
126
struct inode *inode;
struct page *page;
len = strlen(symname) + 1;
if (len > PAGE_SIZE)
return -ENAMETOOLONG;
inode = shmem_get_inode(dir->i_sb, dir, S_IFLNK | 0777, 0,
VM_NORESERVE);
Reported by FlawFinder.
Line: 3146
Column: 9
CWE codes:
126
if (!new_xattr)
return -ENOMEM;
len = strlen(xattr->name) + 1;
new_xattr->name = kmalloc(XATTR_SECURITY_PREFIX_LEN + len,
GFP_KERNEL);
if (!new_xattr->name) {
kvfree(new_xattr);
return -ENOMEM;
Reported by FlawFinder.
Line: 3469
Column: 11
CWE codes:
126
if (value) {
*value++ = '\0';
len = strlen(value);
}
err = vfs_parse_fs_string(fc, this_char, value, len);
if (err < 0)
return err;
}
Reported by FlawFinder.
net/ethtool/ioctl.c
9 issues
Line: 1836
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list args;
va_start(args, fmt);
vsnprintf(*data, ETH_GSTRING_LEN, fmt, args);
va_end(args);
*data += ETH_GSTRING_LEN;
}
EXPORT_SYMBOL(ethtool_sprintf);
Reported by FlawFinder.
Line: 174
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const struct ethtool_ops *ops = dev->ethtool_ops;
if (stringset == ETH_SS_FEATURES)
memcpy(data, netdev_features_strings,
sizeof(netdev_features_strings));
else if (stringset == ETH_SS_RSS_HASH_FUNCS)
memcpy(data, rss_hash_func_strings,
sizeof(rss_hash_func_strings));
else if (stringset == ETH_SS_TUNABLES)
Reported by FlawFinder.
Line: 177
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data, netdev_features_strings,
sizeof(netdev_features_strings));
else if (stringset == ETH_SS_RSS_HASH_FUNCS)
memcpy(data, rss_hash_func_strings,
sizeof(rss_hash_func_strings));
else if (stringset == ETH_SS_TUNABLES)
memcpy(data, tunable_strings, sizeof(tunable_strings));
else if (stringset == ETH_SS_PHY_TUNABLES)
memcpy(data, phy_tunable_strings, sizeof(phy_tunable_strings));
Reported by FlawFinder.
Line: 180
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data, rss_hash_func_strings,
sizeof(rss_hash_func_strings));
else if (stringset == ETH_SS_TUNABLES)
memcpy(data, tunable_strings, sizeof(tunable_strings));
else if (stringset == ETH_SS_PHY_TUNABLES)
memcpy(data, phy_tunable_strings, sizeof(phy_tunable_strings));
else if (stringset == ETH_SS_PHY_STATS && dev->phydev &&
!ops->get_ethtool_phy_stats && phy_ops &&
phy_ops->get_strings)
Reported by FlawFinder.
Line: 182
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (stringset == ETH_SS_TUNABLES)
memcpy(data, tunable_strings, sizeof(tunable_strings));
else if (stringset == ETH_SS_PHY_TUNABLES)
memcpy(data, phy_tunable_strings, sizeof(phy_tunable_strings));
else if (stringset == ETH_SS_PHY_STATS && dev->phydev &&
!ops->get_ethtool_phy_stats && phy_ops &&
phy_ops->get_strings)
phy_ops->get_strings(dev->phydev, data);
else if (stringset == ETH_SS_LINK_MODES)
Reported by FlawFinder.
Line: 188
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phy_ops->get_strings)
phy_ops->get_strings(dev->phydev, data);
else if (stringset == ETH_SS_LINK_MODES)
memcpy(data, link_mode_names,
__ETHTOOL_LINK_MODE_MASK_NBITS * ETH_GSTRING_LEN);
else
/* ops->get_strings is valid because checked earlier */
ops->get_strings(dev, stringset, data);
}
Reported by FlawFinder.
Line: 937
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
BUG_ON(len > sizeof(netdev_rss_key));
net_get_random_once(netdev_rss_key, sizeof(netdev_rss_key));
memcpy(buffer, netdev_rss_key, len);
}
EXPORT_SYMBOL(netdev_rss_key_fill);
static noinline_for_stack int ethtool_get_rxfh_indir(struct net_device *dev,
void __user *useraddr)
Reported by FlawFinder.
Line: 3106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const struct ethtool_flow_ext *ext_h_spec = &fs->h_ext;
const struct ethtool_flow_ext *ext_m_spec = &fs->m_ext;
memcpy(match->key.eth_addrs.dst, ext_h_spec->h_dest,
ETH_ALEN);
memcpy(match->mask.eth_addrs.dst, ext_m_spec->h_dest,
ETH_ALEN);
match->dissector.used_keys |=
Reported by FlawFinder.
Line: 3108
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(match->key.eth_addrs.dst, ext_h_spec->h_dest,
ETH_ALEN);
memcpy(match->mask.eth_addrs.dst, ext_m_spec->h_dest,
ETH_ALEN);
match->dissector.used_keys |=
BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS);
match->dissector.offset[FLOW_DISSECTOR_KEY_ETH_ADDRS] =
Reported by FlawFinder.