The following issues were found
lib/kobject.c
9 issues
Line: 516
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
error = -ENOMEM;
goto out;
}
sprintf(devpath_string, "DEVPATH_OLD=%s", devpath);
envp[0] = devpath_string;
envp[1] = NULL;
name = dup_name = kstrdup_const(new_name, GFP_KERNEL);
if (!name) {
Reported by FlawFinder.
Line: 582
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
error = -ENOMEM;
goto out;
}
sprintf(devpath_string, "DEVPATH_OLD=%s", devpath);
envp[0] = devpath_string;
envp[1] = NULL;
error = sysfs_move_dir_ns(kobj, new_parent, kobject_namespace(kobj));
if (error)
goto out;
Reported by FlawFinder.
Line: 156
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int cur = strlen(kobject_name(parent));
/* back up enough to print this name with '/' */
length -= cur;
memcpy(path + length, kobject_name(parent), cur);
*(path + --length) = '/';
}
pr_debug("kobject: '%s' (%p): %s: path = '%s'\n", kobject_name(kobj),
kobj, __func__, path);
Reported by FlawFinder.
Line: 496
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *devpath = NULL;
const char *dup_name = NULL, *name;
char *devpath_string = NULL;
char *envp[2];
kobj = kobject_get(kobj);
if (!kobj)
return -EINVAL;
if (!kobj->parent) {
Reported by FlawFinder.
Line: 560
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct kobject *old_parent;
const char *devpath = NULL;
char *devpath_string = NULL;
char *envp[2];
kobj = kobject_get(kobj);
if (!kobj)
return -EINVAL;
new_parent = kobject_get(new_parent);
Reported by FlawFinder.
Line: 141
Column: 13
CWE codes:
126
do {
if (kobject_name(parent) == NULL)
return 0;
length += strlen(kobject_name(parent)) + 1;
parent = parent->parent;
} while (parent);
return length;
}
Reported by FlawFinder.
Line: 153
Column: 13
CWE codes:
126
--length;
for (parent = kobj; parent; parent = parent->parent) {
int cur = strlen(kobject_name(parent));
/* back up enough to print this name with '/' */
length -= cur;
memcpy(path + length, kobject_name(parent), cur);
*(path + --length) = '/';
}
Reported by FlawFinder.
Line: 511
Column: 27
CWE codes:
126
error = -ENOMEM;
goto out;
}
devpath_string = kmalloc(strlen(devpath) + 15, GFP_KERNEL);
if (!devpath_string) {
error = -ENOMEM;
goto out;
}
sprintf(devpath_string, "DEVPATH_OLD=%s", devpath);
Reported by FlawFinder.
Line: 577
Column: 27
CWE codes:
126
error = -ENOMEM;
goto out;
}
devpath_string = kmalloc(strlen(devpath) + 15, GFP_KERNEL);
if (!devpath_string) {
error = -ENOMEM;
goto out;
}
sprintf(devpath_string, "DEVPATH_OLD=%s", devpath);
Reported by FlawFinder.
net/mptcp/options.c
9 issues
Line: 144
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mp_opt->thmac, mp_opt->nonce);
} else if (opsize == TCPOLEN_MPTCP_MPJ_ACK) {
ptr += 2;
memcpy(mp_opt->hmac, ptr, MPTCPOPT_HMAC_LEN);
pr_debug("MP_JOIN hmac");
} else {
mp_opt->mp_join = 0;
}
break;
Reported by FlawFinder.
Line: 266
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mp_opt->add_addr = 1;
mp_opt->addr.id = *ptr++;
if (mp_opt->addr.family == AF_INET) {
memcpy((u8 *)&mp_opt->addr.addr.s_addr, (u8 *)ptr, 4);
ptr += 4;
if (opsize == TCPOLEN_MPTCP_ADD_ADDR_PORT ||
opsize == TCPOLEN_MPTCP_ADD_ADDR_BASE_PORT) {
mp_opt->addr.port = htons(get_unaligned_be16(ptr));
ptr += 2;
Reported by FlawFinder.
Line: 276
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
else {
memcpy(mp_opt->addr.addr6.s6_addr, (u8 *)ptr, 16);
ptr += 16;
if (opsize == TCPOLEN_MPTCP_ADD_ADDR6_PORT ||
opsize == TCPOLEN_MPTCP_ADD_ADDR6_BASE_PORT) {
mp_opt->addr.port = htons(get_unaligned_be16(ptr));
ptr += 2;
Reported by FlawFinder.
Line: 526
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return true;
} else if (subflow->mp_join) {
opts->suboptions = OPTION_MPTCP_MPJ_ACK;
memcpy(opts->hmac, subflow->hmac, MPTCPOPT_HMAC_LEN);
*size = TCPOLEN_MPTCP_MPJ_ACK;
pr_debug("subflow=%p", subflow);
schedule_3rdack_retransmission(sk);
return true;
Reported by FlawFinder.
Line: 640
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg[i++] = addr->id;
if (addr->family == AF_INET) {
memcpy(&msg[i], &addr->addr.s_addr, 4);
i += 4;
}
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
else if (addr->family == AF_INET6) {
memcpy(&msg[i], &addr->addr6.s6_addr, 16);
Reported by FlawFinder.
Line: 645
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
else if (addr->family == AF_INET6) {
memcpy(&msg[i], &addr->addr6.s6_addr, 16);
i += 16;
}
#endif
msg[i++] = port >> 8;
msg[i++] = port & 0xFF;
Reported by FlawFinder.
Line: 1270
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*ptr++ = mptcp_option(MPTCPOPT_ADD_ADDR,
len, echo, opts->addr.id);
if (opts->addr.family == AF_INET) {
memcpy((u8 *)ptr, (u8 *)&opts->addr.addr.s_addr, 4);
ptr += 1;
}
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
else if (opts->addr.family == AF_INET6) {
memcpy((u8 *)ptr, opts->addr.addr6.s6_addr, 16);
Reported by FlawFinder.
Line: 1275
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
else if (opts->addr.family == AF_INET6) {
memcpy((u8 *)ptr, opts->addr.addr6.s6_addr, 16);
ptr += 4;
}
#endif
if (!opts->addr.port) {
Reported by FlawFinder.
Line: 1363
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (OPTION_MPTCP_MPJ_ACK & opts->suboptions) {
*ptr++ = mptcp_option(MPTCPOPT_MP_JOIN,
TCPOLEN_MPTCP_MPJ_ACK, 0, 0);
memcpy(ptr, opts->hmac, MPTCPOPT_HMAC_LEN);
ptr += 5;
}
if (OPTION_MPTCP_RST & opts->suboptions)
*ptr++ = mptcp_option(MPTCPOPT_RST,
Reported by FlawFinder.
net/llc/af_llc.c
9 issues
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sap = llc_sap_open(llc->laddr.lsap, NULL);
if (!sap)
goto out;
memcpy(llc->laddr.mac, llc->dev->dev_addr, IFHWADDRLEN);
memcpy(&llc->addr, addr, sizeof(llc->addr));
/* assign new connection to its SAP */
llc_sap_add_socket(sap, sk);
sock_reset_flag(sk, SOCK_ZAPPED);
rc = 0;
Reported by FlawFinder.
Line: 354
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
llc->dev = dev_get_by_index_rcu(&init_net, sk->sk_bound_dev_if);
if (llc->dev) {
if (is_zero_ether_addr(addr->sllc_mac))
memcpy(addr->sllc_mac, llc->dev->dev_addr,
IFHWADDRLEN);
if (addr->sllc_arphrd != llc->dev->type ||
!ether_addr_equal(addr->sllc_mac,
llc->dev->dev_addr)) {
rc = -EINVAL;
Reported by FlawFinder.
Line: 393
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* FIXME: check if the address is multicast,
* only SOCK_DGRAM can do this.
*/
memcpy(laddr.mac, addr->sllc_mac, IFHWADDRLEN);
laddr.lsap = addr->sllc_sap;
rc = -EADDRINUSE; /* mac + sap clash. */
ask = llc_lookup_established(sap, &daddr, &laddr);
if (ask) {
sock_put(ask);
Reported by FlawFinder.
Line: 403
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
llc->laddr.lsap = addr->sllc_sap;
memcpy(llc->laddr.mac, addr->sllc_mac, IFHWADDRLEN);
memcpy(&llc->addr, addr, sizeof(llc->addr));
/* assign new connection to its SAP */
llc_sap_add_socket(sap, sk);
sock_reset_flag(sk, SOCK_ZAPPED);
rc = 0;
Reported by FlawFinder.
Line: 489
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
llc->daddr.lsap = addr->sllc_sap;
memcpy(llc->daddr.mac, addr->sllc_mac, IFHWADDRLEN);
sock->state = SS_CONNECTING;
sk->sk_state = TCP_SYN_SENT;
llc->link = llc_ui_next_link_no(llc->sap->laddr.lsap);
rc = llc_establish_connection(sk, llc->dev->dev_addr,
addr->sllc_mac, addr->sllc_sap);
Reported by FlawFinder.
Line: 887
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return copied;
copy_uaddr:
if (uaddr != NULL && skb != NULL) {
memcpy(uaddr, llc_ui_skb_cb(skb), sizeof(*uaddr));
msg->msg_namelen = sizeof(*uaddr);
}
if (llc_sk(sk)->cmsg_flags)
llc_cmsg_rcv(msg, skb);
Reported by FlawFinder.
Line: 1018
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(llc->dev)
sllc.sllc_arphrd = llc->dev->type;
sllc.sllc_sap = llc->daddr.lsap;
memcpy(&sllc.sllc_mac, &llc->daddr.mac, IFHWADDRLEN);
} else {
rc = -EINVAL;
if (!llc->sap)
goto out;
sllc.sllc_sap = llc->sap->laddr.lsap;
Reported by FlawFinder.
Line: 1027
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (llc->dev) {
sllc.sllc_arphrd = llc->dev->type;
memcpy(&sllc.sllc_mac, llc->dev->dev_addr,
IFHWADDRLEN);
}
}
sllc.sllc_family = AF_LLC;
memcpy(uaddr, &sllc, sizeof(sllc));
Reported by FlawFinder.
Line: 1032
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
sllc.sllc_family = AF_LLC;
memcpy(uaddr, &sllc, sizeof(sllc));
rc = sizeof(sllc);
out:
release_sock(sk);
return rc;
}
Reported by FlawFinder.
net/mpls/af_mpls.c
9 issues
Line: 595
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct rtable *rt;
struct in_addr daddr;
memcpy(&daddr, addr, sizeof(struct in_addr));
rt = ip_route_output(net, daddr.s_addr, 0, 0, 0);
if (IS_ERR(rt))
return ERR_CAST(rt);
dev = rt->dst.dev;
Reported by FlawFinder.
Line: 627
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ERR_PTR(-EAFNOSUPPORT);
memset(&fl6, 0, sizeof(fl6));
memcpy(&fl6.daddr, addr, sizeof(struct in6_addr));
dst = ipv6_stub->ipv6_dst_lookup_flow(net, NULL, &fl6, NULL);
if (IS_ERR(dst))
return ERR_CAST(dst);
dev = dst->dev;
Reported by FlawFinder.
Line: 759
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto errout;
}
memcpy(via_addr, via->rtvia_addr, alen);
*via_alen = alen;
err = 0;
errout:
return err;
Reported by FlawFinder.
Line: 783
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nh->nh_label[i] = cfg->rc_output_label[i];
nh->nh_via_table = cfg->rc_via_table;
memcpy(__mpls_nh_via(rt, nh), cfg->rc_via, cfg->rc_via_alen);
nh->nh_via_alen = cfg->rc_via_alen;
err = mpls_nh_assign_dev(net, rt, nh, cfg->rc_ifindex);
if (err)
goto errout;
Reported by FlawFinder.
Line: 1401
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mpls_dev_sysctl_register(struct net_device *dev,
struct mpls_dev *mdev)
{
char path[sizeof("net/mpls/conf/") + IFNAMSIZ];
struct net *net = dev_net(dev);
struct ctl_table *table;
int i;
table = kmemdup(&mpls_dev_table, sizeof(mpls_dev_table), GFP_KERNEL);
Reported by FlawFinder.
Line: 1664
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
via = nla_data(nla);
via->rtvia_family = family;
memcpy(via->rtvia_addr, addr, alen);
return 0;
}
int nla_put_labels(struct sk_buff *skb, int attrtype,
u8 labels, const u32 label[])
Reported by FlawFinder.
Line: 2516
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rt0->rt_ttl_propagate = MPLS_TTL_PROP_DEFAULT;
rt0->rt_nh->nh_via_table = NEIGH_LINK_TABLE;
rt0->rt_nh->nh_via_alen = lo->addr_len;
memcpy(__mpls_nh_via(rt0, rt0->rt_nh), lo->dev_addr,
lo->addr_len);
}
if (limit > MPLS_LABEL_IPV6NULL) {
struct net_device *lo = net->loopback_dev;
rt2 = mpls_rt_alloc(1, lo->addr_len, 0);
Reported by FlawFinder.
Line: 2530
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rt2->rt_ttl_propagate = MPLS_TTL_PROP_DEFAULT;
rt2->rt_nh->nh_via_table = NEIGH_LINK_TABLE;
rt2->rt_nh->nh_via_alen = lo->addr_len;
memcpy(__mpls_nh_via(rt2, rt2->rt_nh), lo->dev_addr,
lo->addr_len);
}
rtnl_lock();
/* Remember the original table */
Reported by FlawFinder.
Line: 2548
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (old_limit < limit)
cp_size = old_limit * sizeof(struct mpls_route *);
memcpy(labels, old, cp_size);
/* If needed set the predefined labels */
if ((old_limit <= MPLS_LABEL_IPV6NULL) &&
(limit > MPLS_LABEL_IPV6NULL)) {
RCU_INIT_POINTER(labels[MPLS_LABEL_IPV6NULL], rt2);
Reported by FlawFinder.
kernel/sysctl.c
9 issues
Line: 517
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int len;
char tmp[TMPBUFLEN], *p = tmp;
sprintf(p, "%s%lu", neg ? "-" : "", val);
len = strlen(tmp);
if (len > *size)
len = *size;
memcpy(*buf, tmp, len);
*size -= len;
Reported by FlawFinder.
Line: 309
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > *lenp)
len = *lenp;
if (len)
memcpy(buffer, data, len);
if (len < *lenp) {
buffer[len] = '\n';
len++;
}
*lenp = len;
Reported by FlawFinder.
Line: 457
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *perm_tr, unsigned perm_tr_len, char *tr)
{
int len;
char *p, tmp[TMPBUFLEN];
if (!*size)
return -EINVAL;
len = *size;
Reported by FlawFinder.
Line: 466
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > TMPBUFLEN - 1)
len = TMPBUFLEN - 1;
memcpy(tmp, *buf, len);
tmp[len] = 0;
p = tmp;
if (*p == '-' && *size > 1) {
*neg = true;
Reported by FlawFinder.
Line: 515
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void proc_put_long(void **buf, size_t *size, unsigned long val, bool neg)
{
int len;
char tmp[TMPBUFLEN], *p = tmp;
sprintf(p, "%s%lu", neg ? "-" : "", val);
len = strlen(tmp);
if (len > *size)
len = *size;
Reported by FlawFinder.
Line: 521
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = strlen(tmp);
if (len > *size)
len = *size;
memcpy(*buf, tmp, len);
*size -= len;
*buf += len;
}
#undef TMPBUFLEN
Reported by FlawFinder.
Line: 272
Column: 10
CWE codes:
126
if (write) {
if (sysctl_writes_strict == SYSCTL_WRITES_STRICT) {
/* Only continue writes not past the end of buffer. */
len = strlen(data);
if (len > maxlen - 1)
len = maxlen - 1;
if (*ppos > len)
return 0;
Reported by FlawFinder.
Line: 294
Column: 9
CWE codes:
126
}
data[len] = 0;
} else {
len = strlen(data);
if (len > maxlen)
len = maxlen;
if (*ppos > len) {
*lenp = 0;
Reported by FlawFinder.
Line: 518
Column: 8
CWE codes:
126
char tmp[TMPBUFLEN], *p = tmp;
sprintf(p, "%s%lu", neg ? "-" : "", val);
len = strlen(tmp);
if (len > *size)
len = *size;
memcpy(*buf, tmp, len);
*size -= len;
*buf += len;
Reported by FlawFinder.
net/mac80211/tdls.c
9 issues
Line: 221
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lnkid->ie_type = WLAN_EID_LINK_ID;
lnkid->ie_len = sizeof(struct ieee80211_tdls_lnkie) - 2;
memcpy(lnkid->bssid, sdata->u.mgd.bssid, ETH_ALEN);
memcpy(lnkid->init_sta, init_addr, ETH_ALEN);
memcpy(lnkid->resp_sta, rsp_addr, ETH_ALEN);
}
static void
Reported by FlawFinder.
Line: 222
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lnkid->ie_len = sizeof(struct ieee80211_tdls_lnkie) - 2;
memcpy(lnkid->bssid, sdata->u.mgd.bssid, ETH_ALEN);
memcpy(lnkid->init_sta, init_addr, ETH_ALEN);
memcpy(lnkid->resp_sta, rsp_addr, ETH_ALEN);
}
static void
ieee80211_tdls_add_aid(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(lnkid->bssid, sdata->u.mgd.bssid, ETH_ALEN);
memcpy(lnkid->init_sta, init_addr, ETH_ALEN);
memcpy(lnkid->resp_sta, rsp_addr, ETH_ALEN);
}
static void
ieee80211_tdls_add_aid(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
{
Reported by FlawFinder.
Line: 753
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tf = skb_put(skb, offsetof(struct ieee80211_tdls_data, u));
memcpy(tf->da, peer, ETH_ALEN);
memcpy(tf->sa, sdata->vif.addr, ETH_ALEN);
tf->ether_type = cpu_to_be16(ETH_P_TDLS);
tf->payload_type = WLAN_TDLS_SNAP_RFTYPE;
/* network header is after the ethernet header */
Reported by FlawFinder.
Line: 754
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tf = skb_put(skb, offsetof(struct ieee80211_tdls_data, u));
memcpy(tf->da, peer, ETH_ALEN);
memcpy(tf->sa, sdata->vif.addr, ETH_ALEN);
tf->ether_type = cpu_to_be16(ETH_P_TDLS);
tf->payload_type = WLAN_TDLS_SNAP_RFTYPE;
/* network header is after the ethernet header */
skb_set_network_header(skb, ETH_HLEN);
Reported by FlawFinder.
Line: 834
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ieee80211_mgmt *mgmt;
mgmt = skb_put_zero(skb, 24);
memcpy(mgmt->da, peer, ETH_ALEN);
memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN);
mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
IEEE80211_STYPE_ACTION);
Reported by FlawFinder.
Line: 835
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mgmt = skb_put_zero(skb, 24);
memcpy(mgmt->da, peer, ETH_ALEN);
memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN);
mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
IEEE80211_STYPE_ACTION);
Reported by FlawFinder.
Line: 836
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mgmt = skb_put_zero(skb, 24);
memcpy(mgmt->da, peer, ETH_ALEN);
memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN);
mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
IEEE80211_STYPE_ACTION);
switch (action_code) {
Reported by FlawFinder.
Line: 1113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ieee80211_flush_queues(local, sdata, false);
memcpy(sdata->u.mgd.tdls_peer, peer, ETH_ALEN);
mutex_unlock(&local->mtx);
/* we cannot take the mutex while preparing the setup packet */
ret = ieee80211_tdls_prep_mgmt_packet(wiphy, dev, peer, action_code,
dialog_token, status_code,
Reported by FlawFinder.
net/bluetooth/hci_debugfs.c
9 issues
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos) \
{ \
struct hci_dev *hdev = file->private_data; \
char buf[3]; \
\
buf[0] = test_bit(__quirk, &hdev->quirks) ? 'Y' : 'N'; \
buf[1] = '\n'; \
buf[2] = '\0'; \
return simple_read_from_buffer(user_buf, count, ppos, buf, 2); \
Reported by FlawFinder.
Line: 275
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct hci_dev *hdev = file->private_data;
char buf[3];
buf[0] = hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS) ? 'Y' : 'N';
buf[1] = '\n';
buf[2] = '\0';
return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct hci_dev *hdev = file->private_data;
char buf[3];
buf[0] = hci_dev_test_flag(hdev, HCI_SC_ONLY) ? 'Y' : 'N';
buf[1] = '\n';
buf[2] = '\0';
return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
Reported by FlawFinder.
Line: 429
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct hci_dev *hdev = file->private_data;
char buf[3];
buf[0] = hdev->ssp_debug_mode ? 'Y' : 'N';
buf[1] = '\n';
buf[2] = '\0';
return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
Reported by FlawFinder.
Line: 502
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct hci_dev *hdev = file->private_data;
char buf[3];
buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y' : 'N';
buf[1] = '\n';
buf[2] = '\0';
return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
Reported by FlawFinder.
Line: 743
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct hci_dev *hdev = file->private_data;
char buf[3];
buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ? 'Y' : 'N';
buf[1] = '\n';
buf[2] = '\0';
return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
Reported by FlawFinder.
Line: 1133
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct hci_dev *hdev = file->private_data;
char buf[3];
buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_NO_MITM) ? 'Y' : 'N';
buf[1] = '\n';
buf[2] = '\0';
return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
Reported by FlawFinder.
Line: 1146
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct hci_dev *hdev = file->private_data;
char buf[32];
size_t buf_size = min(count, (sizeof(buf) - 1));
bool enable;
if (copy_from_user(buf, user_buf, buf_size))
return -EFAULT;
Reported by FlawFinder.
Line: 1245
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void hci_debugfs_create_conn(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
char name[6];
if (IS_ERR_OR_NULL(hdev->debugfs))
return;
snprintf(name, sizeof(name), "%u", conn->handle);
Reported by FlawFinder.
net/netfilter/nft_cmp.c
9 issues
Line: 165
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
datamask = (u8 *)®->mask;
}
memcpy(key + reg->offset, data, reg->len);
memcpy(mask + reg->offset, datamask, reg->len);
flow->match.dissector.used_keys |= BIT(reg->key);
flow->match.dissector.offset[reg->key] = reg->base_offset;
Reported by FlawFinder.
Line: 166
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(key + reg->offset, data, reg->len);
memcpy(mask + reg->offset, datamask, reg->len);
flow->match.dissector.used_keys |= BIT(reg->key);
flow->match.dissector.offset[reg->key] = reg->base_offset;
if (reg->key == FLOW_DISSECTOR_KEY_META &&
Reported by FlawFinder.
Line: 37
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
switch (priv->op) {
case NFT_CMP_EQ:
if (d != 0)
goto mismatch;
break;
case NFT_CMP_NEQ:
if (d == 0)
goto mismatch;
break;
Reported by FlawFinder.
Line: 41
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
break;
case NFT_CMP_NEQ:
if (d == 0)
goto mismatch;
break;
case NFT_CMP_LT:
if (d == 0)
goto mismatch;
fallthrough;
Reported by FlawFinder.
Line: 45
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
break;
case NFT_CMP_LT:
if (d == 0)
goto mismatch;
fallthrough;
case NFT_CMP_LTE:
if (d > 0)
goto mismatch;
break;
Reported by FlawFinder.
Line: 49
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
fallthrough;
case NFT_CMP_LTE:
if (d > 0)
goto mismatch;
break;
case NFT_CMP_GT:
if (d == 0)
goto mismatch;
fallthrough;
Reported by FlawFinder.
Line: 53
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
break;
case NFT_CMP_GT:
if (d == 0)
goto mismatch;
fallthrough;
case NFT_CMP_GTE:
if (d < 0)
goto mismatch;
break;
Reported by FlawFinder.
Line: 57
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
fallthrough;
case NFT_CMP_GTE:
if (d < 0)
goto mismatch;
break;
}
return;
mismatch:
Reported by FlawFinder.
Line: 62
Column: 1
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
}
return;
mismatch:
regs->verdict.code = NFT_BREAK;
}
static const struct nla_policy nft_cmp_policy[NFTA_CMP_MAX + 1] = {
[NFTA_CMP_SREG] = { .type = NLA_U32 },
Reported by FlawFinder.
net/9p/client.c
9 issues
Line: 1018
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
clnt->fcall_cache = NULL;
client_id = utsname()->nodename;
memcpy(clnt->name, client_id, strlen(client_id) + 1);
spin_lock_init(&clnt->lock);
idr_init(&clnt->fids);
idr_init(&clnt->reqs);
Reported by FlawFinder.
Line: 534
Column: 33
CWE codes:
126
err = -ecode;
if (!err) {
err = p9_errstr2errno(ename, strlen(ename));
p9_debug(P9_DEBUG_9P, "<<< RERROR (%d) %s\n",
-ecode, ename);
}
kfree(ename);
Reported by FlawFinder.
Line: 621
Column: 33
CWE codes:
126
err = -ecode;
if (!err) {
err = p9_errstr2errno(ename, strlen(ename));
p9_debug(P9_DEBUG_9P, "<<< RERROR (%d) %s\n",
-ecode, ename);
}
kfree(ename);
Reported by FlawFinder.
Line: 1018
Column: 32
CWE codes:
126
clnt->fcall_cache = NULL;
client_id = utsname()->nodename;
memcpy(clnt->name, client_id, strlen(client_id) + 1);
spin_lock_init(&clnt->lock);
idr_init(&clnt->fids);
idr_init(&clnt->reqs);
Reported by FlawFinder.
Line: 1823
Column: 10
CWE codes:
126
ret = 2+4+13+4+4+4+8+2+2+2+2;
if (wst->name)
ret += strlen(wst->name);
if (wst->uid)
ret += strlen(wst->uid);
if (wst->gid)
ret += strlen(wst->gid);
if (wst->muid)
Reported by FlawFinder.
Line: 1825
Column: 10
CWE codes:
126
if (wst->name)
ret += strlen(wst->name);
if (wst->uid)
ret += strlen(wst->uid);
if (wst->gid)
ret += strlen(wst->gid);
if (wst->muid)
ret += strlen(wst->muid);
Reported by FlawFinder.
Line: 1827
Column: 10
CWE codes:
126
if (wst->uid)
ret += strlen(wst->uid);
if (wst->gid)
ret += strlen(wst->gid);
if (wst->muid)
ret += strlen(wst->muid);
if ((proto_version == p9_proto_2000u) ||
(proto_version == p9_proto_2000L)) {
Reported by FlawFinder.
Line: 1829
Column: 10
CWE codes:
126
if (wst->gid)
ret += strlen(wst->gid);
if (wst->muid)
ret += strlen(wst->muid);
if ((proto_version == p9_proto_2000u) ||
(proto_version == p9_proto_2000L)) {
ret += 2+4+4+4; /* extension[s] n_uid[4] n_gid[4] n_muid[4] */
if (wst->extension)
Reported by FlawFinder.
Line: 1835
Column: 11
CWE codes:
126
(proto_version == p9_proto_2000L)) {
ret += 2+4+4+4; /* extension[s] n_uid[4] n_gid[4] n_muid[4] */
if (wst->extension)
ret += strlen(wst->extension);
}
return ret;
}
Reported by FlawFinder.
net/netfilter/nft_ct.c
9 issues
Line: 126
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct nf_conn_labels *labels = nf_ct_labels_find(ct);
if (labels)
memcpy(dest, labels->bits, NF_CT_LABELS_MAX_SIZE);
else
memset(dest, 0, NF_CT_LABELS_MAX_SIZE);
return;
}
#endif
Reported by FlawFinder.
Line: 140
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (acct)
count = nft_ct_get_eval_counter(acct->counter,
priv->key, priv->dir);
memcpy(dest, &count, sizeof(count));
return;
}
case NFT_CT_AVGPKT: {
const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
u64 avgcnt = 0, bcnt = 0, pcnt = 0;
Reported by FlawFinder.
Line: 156
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
avgcnt = div64_u64(bcnt, pcnt);
}
memcpy(dest, &avgcnt, sizeof(avgcnt));
return;
}
case NFT_CT_L3PROTOCOL:
nft_reg_store8(dest, nf_ct_l3num(ct));
return;
Reported by FlawFinder.
Line: 189
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tuple = &ct->tuplehash[priv->dir].tuple;
switch (priv->key) {
case NFT_CT_SRC:
memcpy(dest, tuple->src.u3.all,
nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
return;
case NFT_CT_DST:
memcpy(dest, tuple->dst.u3.all,
nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
Reported by FlawFinder.
Line: 193
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
return;
case NFT_CT_DST:
memcpy(dest, tuple->dst.u3.all,
nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
return;
case NFT_CT_PROTO_SRC:
nft_reg_store16(dest, (__force u16)tuple->src.u.all);
return;
Reported by FlawFinder.
Line: 215
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case NFT_CT_SRC_IP6:
if (nf_ct_l3num(ct) != NFPROTO_IPV6)
goto err;
memcpy(dest, tuple->src.u3.ip6, sizeof(struct in6_addr));
return;
case NFT_CT_DST_IP6:
if (nf_ct_l3num(ct) != NFPROTO_IPV6)
goto err;
memcpy(dest, tuple->dst.u3.ip6, sizeof(struct in6_addr));
Reported by FlawFinder.
Line: 220
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case NFT_CT_DST_IP6:
if (nf_ct_l3num(ct) != NFPROTO_IPV6)
goto err;
memcpy(dest, tuple->dst.u3.ip6, sizeof(struct in6_addr));
return;
default:
break;
}
return;
Reported by FlawFinder.
Line: 979
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct nft_ct_helper_obj *priv = nft_obj_data(obj);
struct nf_conntrack_helper *help4, *help6;
char name[NF_CT_HELPER_NAME_LEN];
int family = ctx->family;
int err;
if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
return -EINVAL;
Reported by FlawFinder.
Line: 119
Column: 3
CWE codes:
120
helper = rcu_dereference(help->helper);
if (helper == NULL)
goto err;
strncpy((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
return;
#ifdef CONFIG_NF_CONNTRACK_LABELS
case NFT_CT_LABELS: {
struct nf_conn_labels *labels = nf_ct_labels_find(ct);
Reported by FlawFinder.