The following issues were found
tools/testing/selftests/mount/nosymfollow-test.c
8 issues
Line: 157
Column: 8
CWE codes:
362
20
Suggestion:
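Reconsider approach: readlink() does not NUL-terminate the buffer it fills, so the strcmp() in this excerpt depends on the preceding bzero() and on the link target being shorter than sizeof(buf).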
bzero(buf, sizeof(buf));
ret = readlink(LINK, buf, sizeof(buf));
if (ret < 0)
die("readlink failed: %s\n", strerror(errno));
if (strcmp(buf, DATA) != 0)
die("readlink strcmp failed: '%s' '%s'\n", buf, DATA);
}
Reported by FlawFinder.
Line: 35
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list ap;
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
exit(EXIT_FAILURE);
}
static void vmaybe_write_file(bool enoent_ok, char *filename, char *fmt,
Reported by FlawFinder.
Line: 48
Column: 12
CWE codes:
134
Suggestion:
Use a constant for the format specification
int buf_len;
int fd;
buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
if (buf_len < 0)
die("vsnprintf failed: %s\n", strerror(errno));
if (buf_len >= sizeof(buf))
die("vsnprintf output truncated\n");
Reported by FlawFinder.
Line: 166
Column: 15
CWE codes:
120/785!
Suggestion:
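Ensure that the destination buffer is at least of size MAXPATHLEN, and to protect against implementation problems, the input argument should also be checked to ensure it is no larger than MAXPATHLEN. In the excerpt below the second argument is NULL, so realpath() allocates the result buffer itself.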
static void test_realpath(void)
{
char *path = realpath(LINK, NULL);
if (!path)
die("realpath failed: %s\n", strerror(errno));
if (strcmp(path, DATA) != 0)
die("realpath strcmp failed\n");
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
va_list ap)
{
ssize_t written;
char buf[4096];
int buf_len;
int fd;
buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
if (buf_len < 0)
Reported by FlawFinder.
Line: 55
Column: 7
CWE codes:
362
if (buf_len >= sizeof(buf))
die("vsnprintf output truncated\n");
fd = open(filename, O_WRONLY);
if (fd < 0) {
if ((errno == ENOENT) && enoent_ok)
return;
die("open of %s failed: %s\n", filename, strerror(errno));
}
Reported by FlawFinder.
Line: 135
Column: 9
CWE codes:
362
{
int link;
link = open(LINK, 0, O_RDWR);
if (nosymfollow) {
if ((link != -1 || errno != ELOOP)) {
die("link traversal unexpected result: %d, %s\n",
link, strerror(errno));
}
Reported by FlawFinder.
Line: 152
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void test_readlink(void)
{
char buf[4096];
ssize_t ret;
bzero(buf, sizeof(buf));
ret = readlink(LINK, buf, sizeof(buf));
Reported by FlawFinder.
tools/perf/arch/x86/util/perf_regs.c
8 issues
Line: 184
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
for (i = 0; sdt_reg_tbl[i].sdt_name != NULL; i++) {
if (!strncmp(sdt_reg_tbl[i].sdt_name, sdt_reg, sdt_len)) {
strcpy(uprobe_reg, sdt_reg_tbl[i].uprobe_name);
return;
}
}
strncpy(uprobe_reg, sdt_reg, sdt_len);
Reported by FlawFinder.
Line: 194
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int arch_sdt_arg_parse_op(char *old_op, char **new_op)
{
char new_reg[SDT_REG_NAME_SIZE] = {0};
int new_len = 0, ret;
/*
* rm[0]: +/-NUM(REG)
* rm[1]: +/-
* rm[2]: NUM
Reported by FlawFinder.
Line: 212
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* to hold last NULL so that strlen can be used to find
* prefix length, instead of maintaining one more variable.
*/
char prefix[3] = {0};
ret = sdt_init_op_regex();
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 189
Column: 2
CWE codes:
120
}
}
strncpy(uprobe_reg, sdt_reg, sdt_len);
}
int arch_sdt_arg_parse_op(char *old_op, char **new_op)
{
char new_reg[SDT_REG_NAME_SIZE] = {0};
Reported by FlawFinder.
Line: 255
Column: 12
CWE codes:
126
new_reg);
/* Prepare final OP which should be valid for uprobe_events */
new_len = strlen(prefix) +
(rm[2].rm_eo - rm[2].rm_so) +
(rm[3].rm_eo - rm[3].rm_so) +
strlen(new_reg) +
(rm[5].rm_eo - rm[5].rm_so) +
1; /* NULL */
Reported by FlawFinder.
Line: 258
Column: 5
CWE codes:
126
new_len = strlen(prefix) +
(rm[2].rm_eo - rm[2].rm_so) +
(rm[3].rm_eo - rm[3].rm_so) +
strlen(new_reg) +
(rm[5].rm_eo - rm[5].rm_so) +
1; /* NULL */
*new_op = zalloc(new_len);
if (!*new_op)
Reported by FlawFinder.
Line: 267
Column: 5
CWE codes:
126
return -ENOMEM;
scnprintf(*new_op, new_len, "%.*s%.*s%.*s%.*s%.*s",
strlen(prefix), prefix,
(int)(rm[2].rm_eo - rm[2].rm_so), old_op + rm[2].rm_so,
(int)(rm[3].rm_eo - rm[3].rm_so), old_op + rm[3].rm_so,
strlen(new_reg), new_reg,
(int)(rm[5].rm_eo - rm[5].rm_so), old_op + rm[5].rm_so);
Reported by FlawFinder.
Line: 270
Column: 5
CWE codes:
126
strlen(prefix), prefix,
(int)(rm[2].rm_eo - rm[2].rm_so), old_op + rm[2].rm_so,
(int)(rm[3].rm_eo - rm[3].rm_so), old_op + rm[3].rm_so,
strlen(new_reg), new_reg,
(int)(rm[5].rm_eo - rm[5].rm_so), old_op + rm[5].rm_so);
return SDT_ARG_VALID;
}
Reported by FlawFinder.
tools/perf/util/intel-pt-decoder/intel-pt-log.c
8 issues
Line: 150
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return;
va_start(args, fmt);
vfprintf(f, fmt, args);
va_end(args);
}
Reported by FlawFinder.
Line: 22
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MAX_LOG_NAME 256
static FILE *f;
static char log_name[MAX_LOG_NAME];
bool intel_pt_enable_logging;
void *intel_pt_log_fp(void)
{
return f;
Reported by FlawFinder.
Line: 45
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
void intel_pt_log_set_name(const char *name)
{
strncpy(log_name, name, MAX_LOG_NAME - 5);
strcat(log_name, ".log");
}
static void intel_pt_print_data(const unsigned char *buf, int len, uint64_t pos,
int indent)
{
Reported by FlawFinder.
Line: 88
Column: 6
CWE codes:
362
if (!log_name[0])
return -1;
f = fopen(log_name, "w+");
if (!f) {
intel_pt_enable_logging = false;
return -1;
}
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __intel_pt_log_packet(const struct intel_pt_pkt *packet, int pkt_len,
uint64_t pos, const unsigned char *buf)
{
char desc[INTEL_PT_PKT_DESC_MAX];
if (intel_pt_log_open())
return;
intel_pt_print_data(buf, pkt_len, pos, 0);
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __intel_pt_log_insn(struct intel_pt_insn *intel_pt_insn, uint64_t ip)
{
char desc[INTEL_PT_INSN_DESC_MAX];
size_t len = intel_pt_insn->length;
if (intel_pt_log_open())
return;
Reported by FlawFinder.
Line: 130
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __intel_pt_log_insn_no_data(struct intel_pt_insn *intel_pt_insn,
uint64_t ip)
{
char desc[INTEL_PT_INSN_DESC_MAX];
if (intel_pt_log_open())
return;
intel_pt_print_no_data(ip, 8);
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
120
void intel_pt_log_set_name(const char *name)
{
strncpy(log_name, name, MAX_LOG_NAME - 5);
strcat(log_name, ".log");
}
static void intel_pt_print_data(const unsigned char *buf, int len, uint64_t pos,
int indent)
Reported by FlawFinder.
tools/power/acpi/tools/ec/ec_access.c
8 issues
Line: 57
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
{
int c;
while ((c = getopt(argc, argv, "rs:b:w:v:h")) != -1) {
switch (c) {
case 'r':
if (read_mode != -1)
usage(argv[0], EXIT_FAILURE);
Reported by FlawFinder.
Line: 69
Column: 17
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (read_mode != -1 && read_mode != 1)
usage(argv[0], EXIT_FAILURE);
sleep_time = atoi(optarg);
if (sleep_time <= 0) {
sleep_time = 0;
usage(argv[0], EXIT_FAILURE);
printf("Bad sleep time: %s\n", optarg);
}
Reported by FlawFinder.
Line: 127
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void dump_ec(int fd)
{
char buf[EC_SPACE_SIZE];
char buf2[EC_SPACE_SIZE];
int byte_off, bytes_read;
bytes_read = read(fd, buf, EC_SPACE_SIZE);
Reported by FlawFinder.
Line: 128
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void dump_ec(int fd)
{
char buf[EC_SPACE_SIZE];
char buf2[EC_SPACE_SIZE];
int byte_off, bytes_read;
bytes_read = read(fd, buf, EC_SPACE_SIZE);
if (bytes_read == -1)
Reported by FlawFinder.
Line: 220
Column: 7
CWE codes:
362
else
usage(argv[0], EXIT_FAILURE);
fd = open(SYSFS_PATH, file_mode);
if (fd == -1)
err(EXIT_FAILURE, "%s", SYSFS_PATH);
if (read_mode)
if (read_byte_offset == -1)
Reported by FlawFinder.
Line: 131
Column: 15
CWE codes:
120
20
char buf2[EC_SPACE_SIZE];
int byte_off, bytes_read;
bytes_read = read(fd, buf, EC_SPACE_SIZE);
if (bytes_read == -1)
err(EXIT_FAILURE, "Could not read from %s\n", SYSFS_PATH);
if (bytes_read != EC_SPACE_SIZE)
Reported by FlawFinder.
Line: 154
Column: 15
CWE codes:
120
20
lseek(fd, 0, SEEK_SET);
sleep(sleep_time);
bytes_read = read(fd, buf2, EC_SPACE_SIZE);
if (bytes_read == -1)
err(EXIT_FAILURE, "Could not read from %s\n", SYSFS_PATH);
if (bytes_read != EC_SPACE_SIZE)
Reported by FlawFinder.
Line: 184
Column: 10
CWE codes:
120
20
if (error != byte_offset)
err(EXIT_FAILURE, "Cannot set offset to 0x%.2x", byte_offset);
error = read(fd, &buf, 1);
if (error != 1)
err(EXIT_FAILURE, "Could not read byte 0x%.2x from %s\n",
byte_offset, SYSFS_PATH);
printf("0x%.2x\n", buf);
return;
Reported by FlawFinder.
tools/perf/builtin-kvm.c
8 issues
Line: 391
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
time_diff = sample->time - time_begin;
if (kvm->duration && time_diff > kvm->duration) {
char decode[decode_str_len];
kvm->events_ops->decode_key(kvm, &event->key, decode);
if (!skip_event(decode)) {
pr_info("%" PRIu64 " VM %d, vcpu %d: %s event took %" PRIu64 "usec\n",
sample->time, sample->pid, vcpu_record->vcpu_id,
Reported by FlawFinder.
Line: 592
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void show_timeofday(void)
{
char date[64];
struct timeval tv;
struct tm ltime;
gettimeofday(&tv, NULL);
if (localtime_r(&tv.tv_sec, &ltime)) {
Reported by FlawFinder.
Line: 608
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_result(struct perf_kvm_stat *kvm)
{
char decode[decode_str_len];
struct kvm_event *event;
int vcpu = kvm->trace_vcpu;
if (kvm->live) {
puts(CONSOLE_CLEAR);
Reported by FlawFinder.
Line: 708
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cpu_isa_config(struct perf_kvm_stat *kvm)
{
char buf[128], *cpuid;
int err;
if (kvm->live) {
err = get_cpuid(buf, sizeof(buf));
if (err != 0) {
Reported by FlawFinder.
Line: 1023
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int err, rc = -1;
struct evsel *pos;
struct evlist *evlist = kvm->evlist;
char sbuf[STRERR_BUFSIZE];
evlist__config(evlist, &kvm->opts, NULL);
/*
* Note: exclude_{guest,host} do not apply here.
Reported by FlawFinder.
Line: 1345
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int kvm_events_live(struct perf_kvm_stat *kvm,
int argc, const char **argv)
{
char errbuf[BUFSIZ];
int err;
const struct option live_options[] = {
OPT_STRING('p', "pid", &kvm->opts.target.pid, "pid",
"record events on existing process id"),
Reported by FlawFinder.
Line: 882
Column: 7
CWE codes:
120
20
uint64_t c;
int rc;
rc = read(kvm->timerfd, &c, sizeof(uint64_t));
if (rc < 0) {
if (errno == EAGAIN)
return 0;
pr_err("Failed to read timer fd: %d\n", errno);
Reported by FlawFinder.
tools/testing/selftests/net/so_txtime.c
8 issues
Line: 441
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
int domain = PF_UNSPEC;
int c;
while ((c = getopt(argc, argv, "46c:S:D:rt:m:")) != -1) {
switch (c) {
case '4':
if (domain != PF_UNSPEC)
error(1, 0, "Pass one of -4 or -6");
domain = PF_INET;
Reported by FlawFinder.
Line: 75
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void do_send_one(int fdt, struct timed_send *ts)
{
char control[CMSG_SPACE(sizeof(uint64_t))];
struct msghdr msg = {0};
struct iovec iov = {0};
struct cmsghdr *cm;
uint64_t tdeliver;
int ret;
Reported by FlawFinder.
Line: 103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cm->cmsg_level = SOL_SOCKET;
cm->cmsg_type = SCM_TXTIME;
cm->cmsg_len = CMSG_LEN(sizeof(tdeliver));
memcpy(CMSG_DATA(cm), &tdeliver, sizeof(tdeliver));
}
ret = sendmsg(fdt, &msg, 0);
if (ret == -1)
error(1, errno, "write");
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void do_recv_one(int fdr, struct timed_send *ts)
{
int64_t tstop, texpect;
char rbuf[2];
int ret;
ret = recv(fdr, rbuf, sizeof(rbuf), 0);
if (ret == -1 && errno == EAGAIN)
error(1, EAGAIN, "recv: timeout");
Reported by FlawFinder.
Line: 143
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void do_recv_verify_empty(int fdr)
{
char rbuf[1];
int ret;
ret = recv(fdr, rbuf, sizeof(rbuf), 0);
if (ret != -1 || errno != EAGAIN)
error(1, 0, "recv: not empty as expected (%d, %d)", ret, errno);
Reported by FlawFinder.
Line: 153
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int do_recv_errqueue_timeout(int fdt)
{
char control[CMSG_SPACE(sizeof(struct sock_extended_err)) +
CMSG_SPACE(sizeof(struct sockaddr_in6))] = {0};
char data[sizeof(struct ethhdr) + sizeof(struct ipv6hdr) +
sizeof(struct udphdr) + 1];
struct sock_extended_err *err;
int ret, num_tstamp = 0;
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char control[CMSG_SPACE(sizeof(struct sock_extended_err)) +
CMSG_SPACE(sizeof(struct sockaddr_in6))] = {0};
char data[sizeof(struct ethhdr) + sizeof(struct ipv6hdr) +
sizeof(struct udphdr) + 1];
struct sock_extended_err *err;
int ret, num_tstamp = 0;
struct msghdr msg = {0};
struct iovec iov = {0};
Reported by FlawFinder.
Line: 258
Column: 8
CWE codes:
676
Suggestion:
Use nanosleep(2) or setitimer(2) instead
if (cfg_start_time_ns < now)
return;
err = usleep((cfg_start_time_ns - now) / 1000);
if (err)
error(1, errno, "usleep");
}
static void setsockopt_txtime(int fd)
Reported by FlawFinder.
tools/testing/selftests/powerpc/pmu/ebb/ebb.c
8 issues
Line: 186
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *decode_mmcr0(u32 value)
{
static char buf[16];
buf[0] = '\0';
if (value & (1 << 31))
strcat(buf, "FC ");
Reported by FlawFinder.
Line: 191
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
buf[0] = '\0';
if (value & (1 << 31))
strcat(buf, "FC ");
if (value & (1 << 26))
strcat(buf, "PMAE ");
if (value & (1 << 7))
strcat(buf, "PMAO ");
Reported by FlawFinder.
Line: 193
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (value & (1 << 31))
strcat(buf, "FC ");
if (value & (1 << 26))
strcat(buf, "PMAE ");
if (value & (1 << 7))
strcat(buf, "PMAO ");
return buf;
}
Reported by FlawFinder.
Line: 195
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (value & (1 << 26))
strcat(buf, "PMAE ");
if (value & (1 << 7))
strcat(buf, "PMAO ");
return buf;
}
static char *decode_bescr(u64 value)
Reported by FlawFinder.
Line: 202
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *decode_bescr(u64 value)
{
static char buf[16];
buf[0] = '\0';
if (value & (1ull << 63))
strcat(buf, "GE ");
Reported by FlawFinder.
Line: 207
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
buf[0] = '\0';
if (value & (1ull << 63))
strcat(buf, "GE ");
if (value & (1ull << 32))
strcat(buf, "PMAE ");
if (value & 1)
strcat(buf, "PMAO ");
Reported by FlawFinder.
Line: 209
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (value & (1ull << 63))
strcat(buf, "GE ");
if (value & (1ull << 32))
strcat(buf, "PMAE ");
if (value & 1)
strcat(buf, "PMAO ");
return buf;
}
Reported by FlawFinder.
Line: 211
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (value & (1ull << 32))
strcat(buf, "PMAE ");
if (value & 1)
strcat(buf, "PMAO ");
return buf;
}
void dump_ebb_hw_state(void)
Reported by FlawFinder.
tools/pci/pcitest.c
8 issues
Line: 177
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
/* set default endpoint device */
test->device = "/dev/pci-endpoint-test.0";
while ((c = getopt(argc, argv, "D:b:m:x:i:deIlhrwcs:")) != EOF)
switch (c) {
case 'D':
test->device = optarg;
continue;
case 'b':
Reported by FlawFinder.
Line: 47
Column: 7
CWE codes:
362
int ret = -EINVAL;
int fd;
fd = open(test->device, O_RDWR);
if (fd < 0) {
perror("can't open PCI Endpoint Test device");
return -ENODEV;
}
Reported by FlawFinder.
Line: 183
Column: 18
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
test->device = optarg;
continue;
case 'b':
test->barnum = atoi(optarg);
if (test->barnum < 0 || test->barnum > 5)
goto usage;
continue;
case 'l':
test->legacyirq = true;
Reported by FlawFinder.
Line: 191
Column: 18
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
test->legacyirq = true;
continue;
case 'm':
test->msinum = atoi(optarg);
if (test->msinum < 1 || test->msinum > 32)
goto usage;
continue;
case 'x':
test->msixnum = atoi(optarg);
Reported by FlawFinder.
Line: 196
Column: 19
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
goto usage;
continue;
case 'x':
test->msixnum = atoi(optarg);
if (test->msixnum < 1 || test->msixnum > 2048)
goto usage;
continue;
case 'i':
test->irqtype = atoi(optarg);
Reported by FlawFinder.
Line: 201
Column: 19
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
goto usage;
continue;
case 'i':
test->irqtype = atoi(optarg);
if (test->irqtype < 0 || test->irqtype > 2)
goto usage;
test->set_irqtype = true;
continue;
case 'I':
Reported by FlawFinder.
Line: 128
Column: 12
CWE codes:
120
20
fprintf(stdout, "%s\n", result[ret]);
}
if (test->read) {
param.size = test->size;
if (test->use_dma)
param.flags = PCITEST_FLAGS_USE_DMA;
ret = ioctl(fd, PCITEST_READ, &param);
fprintf(stdout, "READ (%7ld bytes):\t\t", test->size);
Reported by FlawFinder.
tools/testing/selftests/net/reuseport_bpf.c
8 issues
Line: 96
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void attach_ebpf(int fd, uint16_t mod)
{
static char bpf_log_buf[65536];
static const char bpf_license[] = "GPL";
int bpf_fd;
const struct bpf_insn prog[] = {
/* BPF_MOV64_REG(BPF_REG_6, BPF_REG_1) */
Reported by FlawFinder.
Line: 215
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void test_recv_order(const struct test_params p, int fd[], int mod)
{
char recv_buf[8], send_buf[8];
struct msghdr msg;
struct iovec recv_io = { recv_buf, 8 };
struct epoll_event ev;
int epfd, conn, i, sport, expected;
uint32_t data, ndata;
Reported by FlawFinder.
Line: 239
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (data = 0; data < p.recv_socks * 2; ++data) {
sport = p.send_port_min + data;
ndata = htonl(data);
memcpy(send_buf, &ndata, sizeof(ndata));
send_from(p, sport, send_buf, sizeof(ndata));
i = epoll_wait(epfd, &ev, 1, -1);
if (i < 0)
error(1, errno, "epoll wait failed");
Reported by FlawFinder.
Line: 415
Column: 11
CWE codes:
362
void enable_fastopen(void)
{
int fd = open("/proc/sys/net/ipv4/tcp_fastopen", 0);
int rw_mask = 3; /* bit 1: client side; bit-2 server side */
int val, size;
char buf[16];
if (fd < 0)
Reported by FlawFinder.
Line: 418
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int fd = open("/proc/sys/net/ipv4/tcp_fastopen", 0);
int rw_mask = 3; /* bit 1: client side; bit-2 server side */
int val, size;
char buf[16];
if (fd < 0)
error(1, errno, "Unable to open tcp_fastopen sysctl");
if (read(fd, buf, sizeof(buf)) <= 0)
error(1, errno, "Unable to read tcp_fastopen sysctl");
Reported by FlawFinder.
Line: 424
Column: 8
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
error(1, errno, "Unable to open tcp_fastopen sysctl");
if (read(fd, buf, sizeof(buf)) <= 0)
error(1, errno, "Unable to read tcp_fastopen sysctl");
val = atoi(buf);
close(fd);
if ((val & rw_mask) != rw_mask) {
fd = open("/proc/sys/net/ipv4/tcp_fastopen", O_RDWR);
if (fd < 0)
Reported by FlawFinder.
Line: 428
Column: 8
CWE codes:
362
close(fd);
if ((val & rw_mask) != rw_mask) {
fd = open("/proc/sys/net/ipv4/tcp_fastopen", O_RDWR);
if (fd < 0)
error(1, errno,
"Unable to open tcp_fastopen sysctl for writing");
val |= rw_mask;
size = snprintf(buf, 16, "%d", val);
Reported by FlawFinder.
Line: 422
Column: 6
CWE codes:
120
20
if (fd < 0)
error(1, errno, "Unable to open tcp_fastopen sysctl");
if (read(fd, buf, sizeof(buf)) <= 0)
error(1, errno, "Unable to read tcp_fastopen sysctl");
val = atoi(buf);
close(fd);
if ((val & rw_mask) != rw_mask) {
Reported by FlawFinder.
tools/testing/selftests/powerpc/tm/tm-signal-context-chk-vsx.c
8 issues
Line: 106
CWE codes:
788
* copy VSX least significant one from 64-bit slots below
* saved VMX registers.
*/
memcpy(vsx, &ucp->uc_mcontext.fp_regs[FPR20 + i], 8);
memcpy(vsx + 8, &vsx_ptr[VSX20 + i], 8);
fail = memcmp(vsx, &vsxs[i], sizeof(vector int));
if (fail) {
Reported by Cppcheck.
Line: 115
CWE codes:
788
broken = 1;
printf("VSX%d (1st context) == 0x", VSX20 + i);
for (j = 0; j < 16; j++)
printf("%02x", vsx[j]);
printf(" instead of 0x");
for (j = 0; j < 4; j++)
printf("%08x", vsxs[i][j]);
printf(" (expected)\n");
}
Reported by Cppcheck.
Line: 130
CWE codes:
788
* copy VSX least significant one from 64-bit slots below
* saved VMX registers.
*/
memcpy(vsx_tm, &tm_ucp->uc_mcontext.fp_regs[FPR20 + i], 8);
memcpy(vsx_tm + 8, &tm_vsx_ptr[VSX20 + i], 8);
fail = memcmp(vsx_tm, &vsxs[NV_VSX_REGS + i], sizeof(vector int));
if (fail) {
Reported by Cppcheck.
Line: 139
CWE codes:
788
broken = 1;
printf("VSX%d (2nd context) == 0x", VSX20 + i);
for (j = 0; j < 16; j++)
printf("%02x", vsx_tm[j]);
printf(" instead of 0x");
for (j = 0; j < 4; j++)
printf("%08x", vsxs[NV_VSX_REGS + i][j]);
printf("(expected)\n");
}
Reported by Cppcheck.
Line: 106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* copy VSX least significant one from 64-bit slots below
* saved VMX registers.
*/
memcpy(vsx, &ucp->uc_mcontext.fp_regs[FPR20 + i], 8);
memcpy(vsx + 8, &vsx_ptr[VSX20 + i], 8);
fail = memcmp(vsx, &vsxs[i], sizeof(vector int));
if (fail) {
Reported by FlawFinder.
Line: 107
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* saved VMX registers.
*/
memcpy(vsx, &ucp->uc_mcontext.fp_regs[FPR20 + i], 8);
memcpy(vsx + 8, &vsx_ptr[VSX20 + i], 8);
fail = memcmp(vsx, &vsxs[i], sizeof(vector int));
if (fail) {
broken = 1;
Reported by FlawFinder.
Line: 130
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* copy VSX least significant one from 64-bit slots below
* saved VMX registers.
*/
memcpy(vsx_tm, &tm_ucp->uc_mcontext.fp_regs[FPR20 + i], 8);
memcpy(vsx_tm + 8, &tm_vsx_ptr[VSX20 + i], 8);
fail = memcmp(vsx_tm, &vsxs[NV_VSX_REGS + i], sizeof(vector int));
if (fail) {
Reported by FlawFinder.
Line: 131
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* saved VMX registers.
*/
memcpy(vsx_tm, &tm_ucp->uc_mcontext.fp_regs[FPR20 + i], 8);
memcpy(vsx_tm + 8, &tm_vsx_ptr[VSX20 + i], 8);
fail = memcmp(vsx_tm, &vsxs[NV_VSX_REGS + i], sizeof(vector int));
if (fail) {
broken = 1;
Reported by FlawFinder.