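The following issues were found. Each entry is a pattern match on a risky call or declaration, shown with the surrounding source lines; whether a given copy or format call is actually unsafe has to be checked against the buffer sizes and length checks in the full function.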
fs/jffs2/readinode.c
8 issues
Line: 652
Column: 3
CWE codes:
120
Suggestion:
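Make sure destination can always hold the source data. The length here is the smaller of rd->nsize and the bytes already read past the dirent header, and rd comes from flash, so the allocation of fd->name (not shown in this excerpt) must be sized from the same rd->nsize.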
* dirent we've already read from the flash.
*/
if (read > sizeof(*rd))
memcpy(&fd->name[0], &rd->name[0],
min_t(uint32_t, rd->nsize, (read - sizeof(*rd)) ));
/* Do we need to copy any more of the name directly from the flash? */
if (rd->nsize + sizeof(*rd) > read) {
/* FIXME: point() */
Reported by FlawFinder.
Line: 587
Column: 41
CWE codes:
120
20
* negative error code on failure.
*/
static inline int read_direntry(struct jffs2_sb_info *c, struct jffs2_raw_node_ref *ref,
struct jffs2_raw_dirent *rd, size_t read,
struct jffs2_readinode_info *rii)
{
struct jffs2_full_dirent *fd;
uint32_t crc;
Reported by FlawFinder.
Line: 651
Column: 6
CWE codes:
120
20
* Copy as much of the name as possible from the raw
* dirent we've already read from the flash.
*/
if (read > sizeof(*rd))
memcpy(&fd->name[0], &rd->name[0],
min_t(uint32_t, rd->nsize, (read - sizeof(*rd)) ));
/* Do we need to copy any more of the name directly from the flash? */
if (rd->nsize + sizeof(*rd) > read) {
Reported by FlawFinder.
Line: 656
Column: 32
CWE codes:
120
20
min_t(uint32_t, rd->nsize, (read - sizeof(*rd)) ));
/* Do we need to copy any more of the name directly from the flash? */
if (rd->nsize + sizeof(*rd) > read) {
/* FIXME: point() */
int err;
int already = read - sizeof(*rd);
err = jffs2_flash_read(c, (ref_offset(ref)) + read,
Reported by FlawFinder.
Line: 661
Column: 49
CWE codes:
120
20
int err;
int already = read - sizeof(*rd);
err = jffs2_flash_read(c, (ref_offset(ref)) + read,
rd->nsize - already, &read, &fd->name[already]);
if (unlikely(read != rd->nsize - already) && likely(!err)) {
jffs2_free_full_dirent(fd);
JFFS2_ERROR("short read: wanted %d bytes, got %zd\n",
rd->nsize - already, read);
Reported by FlawFinder.
Line: 662
Column: 27
CWE codes:
120
20
int already = read - sizeof(*rd);
err = jffs2_flash_read(c, (ref_offset(ref)) + read,
rd->nsize - already, &read, &fd->name[already]);
if (unlikely(read != rd->nsize - already) && likely(!err)) {
jffs2_free_full_dirent(fd);
JFFS2_ERROR("short read: wanted %d bytes, got %zd\n",
rd->nsize - already, read);
return -EIO;
Reported by FlawFinder.
Line: 663
Column: 16
CWE codes:
120
20
err = jffs2_flash_read(c, (ref_offset(ref)) + read,
rd->nsize - already, &read, &fd->name[already]);
if (unlikely(read != rd->nsize - already) && likely(!err)) {
jffs2_free_full_dirent(fd);
JFFS2_ERROR("short read: wanted %d bytes, got %zd\n",
rd->nsize - already, read);
return -EIO;
}
Reported by FlawFinder.
Line: 666
Column: 30
CWE codes:
120
20
if (unlikely(read != rd->nsize - already) && likely(!err)) {
jffs2_free_full_dirent(fd);
JFFS2_ERROR("short read: wanted %d bytes, got %zd\n",
rd->nsize - already, read);
return -EIO;
}
if (unlikely(err)) {
JFFS2_ERROR("read remainder of name: error %d\n", err);
Reported by FlawFinder.
fs/hpfs/namei.c
8 issues
Line: 84
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto bail3;
}
fnode->len = len;
memcpy(fnode->name, name, len > 15 ? 15 : len);
fnode->up = cpu_to_le32(dir->i_ino);
fnode->flags |= FNODE_dir;
fnode->btree.n_free_nodes = 7;
fnode->btree.n_used_nodes = 1;
fnode->btree.first_free = cpu_to_le16(0x14);
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto bail2;
}
fnode->len = len;
memcpy(fnode->name, name, len > 15 ? 15 : len);
fnode->up = cpu_to_le32(dir->i_ino);
mark_buffer_dirty(bh);
brelse(bh);
insert_inode_hash(result);
Reported by FlawFinder.
Line: 273
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto bail2;
}
fnode->len = len;
memcpy(fnode->name, name, len > 15 ? 15 : len);
fnode->up = cpu_to_le32(dir->i_ino);
mark_buffer_dirty(bh);
insert_inode_hash(result);
Reported by FlawFinder.
Line: 352
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto bail2;
}
fnode->len = len;
memcpy(fnode->name, name, len > 15 ? 15 : len);
fnode->up = cpu_to_le32(dir->i_ino);
hpfs_set_ea(result, fnode, "SYMLINK", symlink, strlen(symlink));
mark_buffer_dirty(bh);
brelse(bh);
Reported by FlawFinder.
Line: 563
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((nde = map_dirent(new_dir, hpfs_i(new_dir)->i_dno, new_name, new_len, NULL, &qbh1))) {
clear_nlink(new_inode);
copy_de(nde, &de);
memcpy(nde->name, new_name, new_len);
hpfs_mark_4buffers_dirty(&qbh1);
hpfs_brelse4(&qbh1);
goto end;
}
hpfs_error(new_dir->i_sb, "hpfs_rename: could not find dirent");
Reported by FlawFinder.
Line: 607
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((fnode = hpfs_map_fnode(i->i_sb, i->i_ino, &bh))) {
fnode->up = cpu_to_le32(new_dir->i_ino);
fnode->len = new_len;
memcpy(fnode->name, new_name, new_len>15?15:new_len);
if (new_len < 15) memset(&fnode->name[new_len], 0, 15 - new_len);
mark_buffer_dirty(bh);
brelse(bh);
}
end1:
Reported by FlawFinder.
Line: 339
Column: 19
CWE codes:
126
result->i_gid = current_fsgid();
result->i_blocks = 1;
set_nlink(result, 1);
result->i_size = strlen(symlink);
inode_nohighmem(result);
result->i_op = &page_symlink_inode_operations;
result->i_data.a_ops = &hpfs_symlink_aops;
r = hpfs_add_dirent(dir, name, len, &dee);
Reported by FlawFinder.
Line: 354
Column: 49
CWE codes:
126
fnode->len = len;
memcpy(fnode->name, name, len > 15 ? 15 : len);
fnode->up = cpu_to_le32(dir->i_ino);
hpfs_set_ea(result, fnode, "SYMLINK", symlink, strlen(symlink));
mark_buffer_dirty(bh);
brelse(bh);
insert_inode_hash(result);
Reported by FlawFinder.
fs/hpfs/buffer.c
8 issues
Line: 147
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto bail4;
}
memcpy(data + 0 * 512, qbh->bh[0]->b_data, 512);
memcpy(data + 1 * 512, qbh->bh[1]->b_data, 512);
memcpy(data + 2 * 512, qbh->bh[2]->b_data, 512);
memcpy(data + 3 * 512, qbh->bh[3]->b_data, 512);
return data;
Reported by FlawFinder.
Line: 148
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(data + 0 * 512, qbh->bh[0]->b_data, 512);
memcpy(data + 1 * 512, qbh->bh[1]->b_data, 512);
memcpy(data + 2 * 512, qbh->bh[2]->b_data, 512);
memcpy(data + 3 * 512, qbh->bh[3]->b_data, 512);
return data;
Reported by FlawFinder.
Line: 149
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data + 0 * 512, qbh->bh[0]->b_data, 512);
memcpy(data + 1 * 512, qbh->bh[1]->b_data, 512);
memcpy(data + 2 * 512, qbh->bh[2]->b_data, 512);
memcpy(data + 3 * 512, qbh->bh[3]->b_data, 512);
return data;
bail4:
Reported by FlawFinder.
Line: 150
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data + 0 * 512, qbh->bh[0]->b_data, 512);
memcpy(data + 1 * 512, qbh->bh[1]->b_data, 512);
memcpy(data + 2 * 512, qbh->bh[2]->b_data, 512);
memcpy(data + 3 * 512, qbh->bh[3]->b_data, 512);
return data;
bail4:
brelse(qbh->bh[3]);
Reported by FlawFinder.
Line: 223
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void hpfs_mark_4buffers_dirty(struct quad_buffer_head *qbh)
{
if (unlikely(qbh->data != qbh->bh[0]->b_data)) {
memcpy(qbh->bh[0]->b_data, qbh->data + 0 * 512, 512);
memcpy(qbh->bh[1]->b_data, qbh->data + 1 * 512, 512);
memcpy(qbh->bh[2]->b_data, qbh->data + 2 * 512, 512);
memcpy(qbh->bh[3]->b_data, qbh->data + 3 * 512, 512);
}
mark_buffer_dirty(qbh->bh[0]);
Reported by FlawFinder.
Line: 224
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (unlikely(qbh->data != qbh->bh[0]->b_data)) {
memcpy(qbh->bh[0]->b_data, qbh->data + 0 * 512, 512);
memcpy(qbh->bh[1]->b_data, qbh->data + 1 * 512, 512);
memcpy(qbh->bh[2]->b_data, qbh->data + 2 * 512, 512);
memcpy(qbh->bh[3]->b_data, qbh->data + 3 * 512, 512);
}
mark_buffer_dirty(qbh->bh[0]);
mark_buffer_dirty(qbh->bh[1]);
Reported by FlawFinder.
Line: 225
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(qbh->data != qbh->bh[0]->b_data)) {
memcpy(qbh->bh[0]->b_data, qbh->data + 0 * 512, 512);
memcpy(qbh->bh[1]->b_data, qbh->data + 1 * 512, 512);
memcpy(qbh->bh[2]->b_data, qbh->data + 2 * 512, 512);
memcpy(qbh->bh[3]->b_data, qbh->data + 3 * 512, 512);
}
mark_buffer_dirty(qbh->bh[0]);
mark_buffer_dirty(qbh->bh[1]);
mark_buffer_dirty(qbh->bh[2]);
Reported by FlawFinder.
Line: 226
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(qbh->bh[0]->b_data, qbh->data + 0 * 512, 512);
memcpy(qbh->bh[1]->b_data, qbh->data + 1 * 512, 512);
memcpy(qbh->bh[2]->b_data, qbh->data + 2 * 512, 512);
memcpy(qbh->bh[3]->b_data, qbh->data + 3 * 512, 512);
}
mark_buffer_dirty(qbh->bh[0]);
mark_buffer_dirty(qbh->bh[1]);
mark_buffer_dirty(qbh->bh[2]);
mark_buffer_dirty(qbh->bh[3]);
Reported by FlawFinder.
fs/cifs/smbencrypt.c
8 issues
Line: 37
Column: 35
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
/* following came from the other byteorder.h to avoid include conflicts */
#define CVAL(buf,pos) (((unsigned char *)(buf))[pos])
#define SSVALX(buf,pos,val) (CVAL(buf,pos)=(val)&0xFF,CVAL(buf,pos+1)=(val)>>8)
#define SSVAL(buf,pos,val) SSVALX((buf),(pos),((__u16)(val)))
static void
str_to_key(unsigned char *str, unsigned char *key)
Reported by FlawFinder.
Line: 61
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
{
unsigned char key2[8];
struct des_ctx ctx;
str_to_key(key, key2);
if (fips_enabled) {
Reported by FlawFinder.
Line: 82
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
E_P16(unsigned char *p14, unsigned char *p16)
{
int rc;
unsigned char sp8[8] =
{ 0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
rc = smbhash(p16, sp8, p14);
if (rc)
return rc;
Reported by FlawFinder.
Line: 147
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SMBencrypt(unsigned char *passwd, const unsigned char *c8, unsigned char *p24)
{
int rc;
unsigned char p14[14], p16[16], p21[21];
memset(p14, '\0', 14);
memset(p16, '\0', 16);
memset(p21, '\0', 21);
Reported by FlawFinder.
Line: 153
Column: 2
CWE codes:
120
Suggestion:
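Make sure destination can always hold the source data. For the copy into p14 the destination is declared as 14 bytes and the length is the constant 14, so the destination is large enough; what needs checking is that every caller passes a passwd buffer with at least 14 readable bytes.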
memset(p16, '\0', 16);
memset(p21, '\0', 21);
memcpy(p14, passwd, 14);
rc = E_P16(p14, p16);
if (rc)
return rc;
memcpy(p21, p16, 16);
Reported by FlawFinder.
Line: 158
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rc)
return rc;
memcpy(p21, p16, 16);
rc = E_P24(p21, c8, p24);
return rc;
}
Reported by FlawFinder.
Line: 196
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct nls_table *codepage)
{
int rc;
unsigned char p16[16], p21[21];
memset(p16, '\0', 16);
memset(p21, '\0', 21);
rc = E_md4hash(passwd, p16, codepage);
Reported by FlawFinder.
Line: 207
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__func__, rc);
return rc;
}
memcpy(p21, p16, 16);
rc = E_P24(p21, c8, p24);
return rc;
}
Reported by FlawFinder.
fs/nilfs2/super.c
8 issues
Line: 193
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* sbp[0] points to newer log than sbp[1],
* so copy sbp[0] to sbp[1] to take over sbp[0].
*/
memcpy(nilfs->ns_sbp[1], nilfs->ns_sbp[0],
nilfs->ns_sbsize);
nilfs_fall_back_super_block(nilfs);
goto retry;
}
} else {
Reported by FlawFinder.
Line: 255
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sbp[0]->s_magic != cpu_to_le16(NILFS_SUPER_MAGIC)) {
if (sbp[1] &&
sbp[1]->s_magic == cpu_to_le16(NILFS_SUPER_MAGIC)) {
memcpy(sbp[0], sbp[1], nilfs->ns_sbsize);
} else {
nilfs_crit(sb, "superblock broke");
return NULL;
}
} else if (sbp[1] &&
Reported by FlawFinder.
Line: 262
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else if (sbp[1] &&
sbp[1]->s_magic != cpu_to_le16(NILFS_SUPER_MAGIC)) {
memcpy(sbp[1], sbp[0], nilfs->ns_sbsize);
}
if (flip && sbp[1])
nilfs_swap_super_block(nilfs);
Reported by FlawFinder.
Line: 283
Column: 21
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
sbp[0]->s_wtime = cpu_to_le64(t);
sbp[0]->s_sum = 0;
sbp[0]->s_sum = cpu_to_le32(crc32_le(nilfs->ns_crc_seed,
(unsigned char *)sbp[0],
nilfs->ns_sbsize));
if (flag == NILFS_SB_COMMIT_ALL && sbp[1]) {
sbp[1]->s_wtime = sbp[0]->s_wtime;
sbp[1]->s_sum = 0;
sbp[1]->s_sum = cpu_to_le32(crc32_le(nilfs->ns_crc_seed,
Reported by FlawFinder.
Line: 289
Column: 20
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
sbp[1]->s_wtime = sbp[0]->s_wtime;
sbp[1]->s_sum = 0;
sbp[1]->s_sum = cpu_to_le32(crc32_le(nilfs->ns_crc_seed,
(unsigned char *)sbp[1],
nilfs->ns_sbsize));
}
clear_nilfs_sb_dirty(nilfs);
nilfs->ns_flushed_device = 1;
/* make sure store to ns_flushed_device cannot be reordered */
Reported by FlawFinder.
Line: 377
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(nsbp, 0, nilfs->ns_blocksize);
if (sb2i >= 0) {
memcpy(nsbp, nilfs->ns_sbp[sb2i], nilfs->ns_sbsize);
brelse(nilfs->ns_sbh[sb2i]);
nilfs->ns_sbh[sb2i] = nsbh;
nilfs->ns_sbp[sb2i] = nsbp;
} else if (nilfs->ns_sbh[0]->b_blocknr < nilfs->ns_first_data_block) {
/* secondary super block will be restored to index 1 */
Reported by FlawFinder.
Line: 446
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sbp[0]->s_dev_size = cpu_to_le64(newsize);
sbp[0]->s_nsegments = cpu_to_le64(nilfs->ns_nsegments);
if (sbp[1])
memcpy(sbp[1], sbp[0], nilfs->ns_sbsize);
ret = nilfs_commit_super(sb, NILFS_SB_COMMIT_ALL);
}
up_write(&nilfs->ns_sem);
/*
Reported by FlawFinder.
Line: 830
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_le16(le16_to_cpu(sbp[0]->s_state) & ~NILFS_VALID_FS);
/* synchronize sbp[1] with sbp[0] */
if (sbp[1])
memcpy(sbp[1], sbp[0], nilfs->ns_sbsize);
return nilfs_commit_super(sb, NILFS_SB_COMMIT_ALL);
}
struct nilfs_super_block *nilfs_read_super_block(struct super_block *sb,
u64 pos, int blocksize,
Reported by FlawFinder.
fs/reiserfs/namei.c
8 issues
Line: 448
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* 48 bytes now and we avoid kmalloc if we
* create file with short name
*/
char small_buf[32 + DEH_SIZE];
char *buffer;
int buflen, paste_size;
int retval;
Reported by FlawFinder.
Line: 497
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
deh->deh_objectid = INODE_PKEY(inode)->k_objectid;
/* copy name */
memcpy((char *)(deh + 1), name, namelen);
/* padd by 0s to the 4 byte boundary */
padd_item((char *)(deh + 1), ROUND_UP(namelen), namelen);
/*
* entry is ready to be pasted into tree, set 'visibility'
Reported by FlawFinder.
Line: 1154
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
retval = -ENOMEM;
goto out_failed;
}
memcpy(name, symname, strlen(symname));
padd_item(name, item_len, strlen(symname));
retval = journal_begin(&th, parent_dir->i_sb, jbegin_count);
if (retval) {
drop_new_inode(inode);
Reported by FlawFinder.
Line: 82
Column: 20
CWE codes:
126
de->de_namelen = de->de_entrylen - (de_with_sd(deh) ? SD_SIZE : 0);
de->de_name = ih_item_body(de->de_bh, de->de_ih) + deh_location(deh);
if (de->de_name[de->de_namelen - 1] == 0)
de->de_namelen = strlen(de->de_name);
}
/* what entry points to */
static inline void set_de_object_key(struct reiserfs_dir_entry *de)
{
Reported by FlawFinder.
Line: 1141
Column: 22
CWE codes:
126
jbegin_count += retval;
reiserfs_write_lock(parent_dir->i_sb);
item_len = ROUND_UP(strlen(symname));
if (item_len > MAX_DIRECT_ITEM_LEN(parent_dir->i_sb->s_blocksize)) {
retval = -ENAMETOOLONG;
drop_new_inode(inode);
goto out_failed;
}
Reported by FlawFinder.
Line: 1154
Column: 24
CWE codes:
126
retval = -ENOMEM;
goto out_failed;
}
memcpy(name, symname, strlen(symname));
padd_item(name, item_len, strlen(symname));
retval = journal_begin(&th, parent_dir->i_sb, jbegin_count);
if (retval) {
drop_new_inode(inode);
Reported by FlawFinder.
Line: 1155
Column: 28
CWE codes:
126
goto out_failed;
}
memcpy(name, symname, strlen(symname));
padd_item(name, item_len, strlen(symname));
retval = journal_begin(&th, parent_dir->i_sb, jbegin_count);
if (retval) {
drop_new_inode(inode);
kfree(name);
Reported by FlawFinder.
Line: 1165
Column: 54
CWE codes:
126
}
retval =
reiserfs_new_inode(&th, parent_dir, mode, name, strlen(symname),
dentry, inode, &security);
kfree(name);
if (retval) { /* reiserfs_new_inode iputs for us */
goto out_failed;
}
Reported by FlawFinder.
include/linux/skbuff.h
8 issues
Line: 276
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* mac since neigh resolution overwrites it, only used while
* skb is out in neigh layer.
*/
char neigh_header[8];
};
};
#endif
#if IS_ENABLED(CONFIG_NET_TC_SKB_EXT)
Reported by FlawFinder.
Line: 755
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* want to keep them across layers you have to do a skb_clone()
* first. This is owned by whoever has the skb queued ATM.
*/
char cb[48] __aligned(8);
union {
struct {
unsigned long _skb_refdst;
void (*destructor)(struct sk_buff *skb);
Reported by FlawFinder.
Line: 2279
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
void *tmp = __skb_put(skb, len);
memcpy(tmp, data, len);
return tmp;
}
static inline void __skb_put_u8(struct sk_buff *skb, u8 val)
{
Reported by FlawFinder.
Line: 2302
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
void *tmp = skb_put(skb, len);
memcpy(tmp, data, len);
return tmp;
}
static inline void skb_put_u8(struct sk_buff *skb, u8 val)
Reported by FlawFinder.
Line: 3736
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *to,
const unsigned int len)
{
memcpy(to, skb->data, len);
}
static inline void skb_copy_from_linear_data_offset(const struct sk_buff *skb,
const int offset, void *to,
const unsigned int len)
Reported by FlawFinder.
Line: 3743
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const int offset, void *to,
const unsigned int len)
{
memcpy(to, skb->data + offset, len);
}
static inline void skb_copy_to_linear_data(struct sk_buff *skb,
const void *from,
const unsigned int len)
Reported by FlawFinder.
Line: 3750
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const void *from,
const unsigned int len)
{
memcpy(skb->data, from, len);
}
static inline void skb_copy_to_linear_data_offset(struct sk_buff *skb,
const int offset,
const void *from,
Reported by FlawFinder.
Line: 3758
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const void *from,
const unsigned int len)
{
memcpy(skb->data + offset, from, len);
}
void skb_init(void);
static inline ktime_t skb_get_ktime(const struct sk_buff *skb)
Reported by FlawFinder.
fs/nilfs2/sysfs.c
8 issues
Line: 121
Column: 9
CWE codes:
134
Suggestion:
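Use a constant for the format specification, for example `snprintf(buf, PAGE_SIZE, "%s", snapshot_readme_str)`, so that a `%` in the string is copied out instead of being interpreted as a conversion. The definition of snapshot_readme_str is not shown in this excerpt; if it is a fixed string in the same file, this is a hardening item and not an input-controlled format string. The other README_show findings for this file follow the same pattern.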
nilfs_snapshot_README_show(struct nilfs_snapshot_attr *attr,
struct nilfs_root *root, char *buf)
{
return snprintf(buf, PAGE_SIZE, snapshot_readme_str);
}
NILFS_SNAPSHOT_RO_ATTR(inodes_count);
NILFS_SNAPSHOT_RO_ATTR(blocks_count);
NILFS_SNAPSHOT_RO_ATTR(README);
Reported by FlawFinder.
Line: 222
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
nilfs_mounted_snapshots_README_show(struct nilfs_mounted_snapshots_attr *attr,
struct the_nilfs *nilfs, char *buf)
{
return snprintf(buf, PAGE_SIZE, mounted_snapshots_readme_str);
}
NILFS_MOUNTED_SNAPSHOTS_RO_ATTR(README);
static struct attribute *nilfs_mounted_snapshots_attrs[] = {
Reported by FlawFinder.
Line: 327
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
nilfs_checkpoints_README_show(struct nilfs_checkpoints_attr *attr,
struct the_nilfs *nilfs, char *buf)
{
return snprintf(buf, PAGE_SIZE, checkpoints_readme_str);
}
NILFS_CHECKPOINTS_RO_ATTR(checkpoints_number);
NILFS_CHECKPOINTS_RO_ATTR(snapshots_number);
NILFS_CHECKPOINTS_RO_ATTR(last_seg_checkpoint);
Reported by FlawFinder.
Line: 416
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
struct the_nilfs *nilfs,
char *buf)
{
return snprintf(buf, PAGE_SIZE, segments_readme_str);
}
NILFS_SEGMENTS_RO_ATTR(segments_number);
NILFS_SEGMENTS_RO_ATTR(blocks_per_segment);
NILFS_SEGMENTS_RO_ATTR(clean_segments);
Reported by FlawFinder.
Line: 659
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
nilfs_segctor_README_show(struct nilfs_segctor_attr *attr,
struct the_nilfs *nilfs, char *buf)
{
return snprintf(buf, PAGE_SIZE, segctor_readme_str);
}
NILFS_SEGCTOR_RO_ATTR(last_pseg_block);
NILFS_SEGCTOR_RO_ATTR(last_seg_sequence);
NILFS_SEGCTOR_RO_ATTR(last_seg_checkpoint);
Reported by FlawFinder.
Line: 804
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
nilfs_superblock_README_show(struct nilfs_superblock_attr *attr,
struct the_nilfs *nilfs, char *buf)
{
return snprintf(buf, PAGE_SIZE, sb_readme_str);
}
NILFS_SUPERBLOCK_RO_ATTR(sb_write_time);
NILFS_SUPERBLOCK_RO_ATTR(sb_write_time_secs);
NILFS_SUPERBLOCK_RO_ATTR(sb_write_count);
Reported by FlawFinder.
Line: 908
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
struct the_nilfs *nilfs,
char *buf)
{
return snprintf(buf, PAGE_SIZE, dev_readme_str);
}
NILFS_DEV_RO_ATTR(revision);
NILFS_DEV_RO_ATTR(blocksize);
NILFS_DEV_RO_ATTR(device_size);
Reported by FlawFinder.
Line: 1067
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
struct attribute *attr,
char *buf)
{
return snprintf(buf, PAGE_SIZE, features_readme_str);
}
NILFS_FEATURE_RO_ATTR(revision);
NILFS_FEATURE_RO_ATTR(README);
Reported by FlawFinder.
fs/hfsplus/dir.c
8 issues
Line: 88
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
HFSPLUS_I(d_inode(sb->s_root))->
create_date)) {
struct qstr str;
char name[32];
if (dentry->d_fsdata) {
/*
* We found a link pointing to another link,
* so ignore it and treat it as regular file.
Reported by FlawFinder.
Line: 101
Column: 15
CWE codes:
120
Suggestion:
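Use snprintf or vsnprintf with the destination size as the bound (sprintf_s is a C11 Annex K function that the Linux kernel does not provide). If name is the char name[32] reported at line 88, "iNode%d" produces at most 16 characters plus the terminator, so the buffer is not overrun as written; the bounded call keeps that true if the format or buffer changes.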
dentry->d_fsdata = (void *)(unsigned long)cnid;
linkid =
be32_to_cpu(entry.file.permissions.dev);
str.len = sprintf(name, "iNode%d", linkid);
str.name = name;
err = hfsplus_cat_build_key(sb, fd.search_key,
HFSPLUS_SB(sb)->hidden_dir->i_ino,
&str);
if (unlikely(err < 0))
Reported by FlawFinder.
Line: 281
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Can be done after the list insertion; exclusion with
* hfsplus_delete_cat() is provided by directory lock.
*/
memcpy(&rd->key, fd.key, sizeof(struct hfsplus_cat_key));
out:
kfree(strbuf);
hfs_find_exit(&fd);
return err;
}
Reported by FlawFinder.
Line: 307
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode *inode = d_inode(src_dentry);
struct inode *src_dir = d_inode(src_dentry->d_parent);
struct qstr str;
char name[32];
u32 cnid, id;
int res;
if (HFSPLUS_IS_RSRC(inode))
return -EPERM;
Reported by FlawFinder.
Line: 322
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
get_random_bytes(&id, sizeof(cnid));
id &= 0x3fffffff;
str.name = name;
str.len = sprintf(name, "iNode%d", id);
res = hfsplus_rename_cat(inode->i_ino,
src_dir, &src_dentry->d_name,
sbi->hidden_dir, &str);
if (!res)
break;
Reported by FlawFinder.
Line: 363
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hfsplus_sb_info *sbi = HFSPLUS_SB(dir->i_sb);
struct inode *inode = d_inode(dentry);
struct qstr str;
char name[32];
u32 cnid;
int res;
if (HFSPLUS_IS_RSRC(inode))
return -EPERM;
Reported by FlawFinder.
Line: 375
Column: 13
CWE codes:
120
Suggestion:
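Use snprintf or vsnprintf with the destination size as the bound (sprintf_s is a C11 Annex K function that the Linux kernel does not provide). If name is the char name[32] reported at line 363, "temp%lu" produces at most 24 characters plus the terminator for a 64-bit unsigned long, so the buffer is not overrun as written; the bounded call keeps that true if the format or buffer changes.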
if (inode->i_ino == cnid &&
atomic_read(&HFSPLUS_I(inode)->opencnt)) {
str.name = name;
str.len = sprintf(name, "temp%lu", inode->i_ino);
res = hfsplus_rename_cat(inode->i_ino,
dir, &dentry->d_name,
sbi->hidden_dir, &str);
if (!res) {
inode->i_flags |= S_DEAD;
Reported by FlawFinder.
Line: 449
Column: 37
CWE codes:
126
if (!inode)
goto out;
res = page_symlink(inode, symname, strlen(symname) + 1);
if (res)
goto out_err;
res = hfsplus_create_cat(inode->i_ino, dir, &dentry->d_name, inode);
if (res)
Reported by FlawFinder.
fs/xfs/xfs_ioctl.c
8 issues
Line: 97
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_put;
memcpy(&handle.ha_fsid, ip->i_mount->m_fixedfsid, sizeof(xfs_fsid_t));
if (cmd == XFS_IOC_PATH_TO_FSHANDLE) {
/*
* This handle only contains an fsid, zero the rest.
*/
Reported by FlawFinder.
Line: 342
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aep = context->buffer + context->firstu;
aep->a_valuelen = valuelen;
memcpy(aep->a_name, name, namelen);
aep->a_name[namelen] = 0;
alist->al_offset[context->count++] = context->firstu;
alist->al_count = context->count;
trace_xfs_attr_list_add(context);
}
Reported by FlawFinder.
Line: 1816
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char __user *user_label)
{
struct xfs_sb *sbp = &mp->m_sb;
char label[XFSLABEL_MAX + 1];
/* Paranoia */
BUILD_BUG_ON(sizeof(sbp->sb_fname) > FSLABEL_MAX);
/* 1 larger than sb_fname, so this ensures a trailing NUL char */
Reported by FlawFinder.
Line: 1839
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char __user *newlabel)
{
struct xfs_sb *sbp = &mp->m_sb;
char label[XFSLABEL_MAX + 1];
size_t len;
int error;
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
Reported by FlawFinder.
Line: 1863
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock(&mp->m_sb_lock);
memset(sbp->sb_fname, 0, sizeof(sbp->sb_fname));
memcpy(sbp->sb_fname, label, len);
spin_unlock(&mp->m_sb_lock);
/*
* Now we do several things to satisfy userspace.
* In addition to normal logging of the primary superblock, we also
Reported by FlawFinder.
Line: 477
Column: 14
CWE codes:
126
.attr_filter = xfs_attr_filter(flags),
.attr_flags = xfs_attr_flags(flags),
.name = name,
.namelen = strlen(name),
.valuelen = *len,
};
int error;
if (*len > XFS_XATTR_SIZE_MAX)
Reported by FlawFinder.
Line: 511
Column: 14
CWE codes:
126
.attr_filter = xfs_attr_filter(flags),
.attr_flags = xfs_attr_flags(flags),
.name = name,
.namelen = strlen(name),
};
int error;
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
return -EPERM;
Reported by FlawFinder.
Line: 1824
Column: 2
CWE codes:
120
/* 1 larger than sb_fname, so this ensures a trailing NUL char */
memset(label, 0, sizeof(label));
spin_lock(&mp->m_sb_lock);
strncpy(label, sbp->sb_fname, XFSLABEL_MAX);
spin_unlock(&mp->m_sb_lock);
if (copy_to_user(user_label, label, sizeof(label)))
return -EFAULT;
return 0;
Reported by FlawFinder.