The following issues were found
sound/core/jack.c
8 issues
Line: 166
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
/*
 * Formats the jack name and its inject-enable state into a stack buffer
 * and hands that text to the user-space reader.
 */
struct snd_jack_kctl *jack_kctl = file->private_data;
int len, ret;
char buf[128];
/*
 * scnprintf() writes at most sizeof(buf) bytes and returns the number of
 * characters actually stored, so len cannot exceed the buffer; an
 * over-long id.name is truncated rather than overflowing.
 */
len = scnprintf(buf, sizeof(buf), "%s: %s\t\t%s: %i\n", "Jack", jack_kctl->kctl->id.name,
"Inject Enabled", jack_kctl->sw_inject_enable);
/* Only the len bytes produced above are made available to the reader. */
ret = simple_read_from_buffer(to, count, ppos, buf, len);
Reported by FlawFinder.
Line: 181
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Parses a small numeric value written by user space.
 * buf is zero-filled and the copy below is capped at sizeof(buf) - 1, so
 * the final byte stays NUL and kstrtoul() always sees a terminated string.
 */
struct snd_jack_kctl *jack_kctl = file->private_data;
int ret, err;
unsigned long enable;
char buf[8] = { 0 };
/*
 * NOTE(review): ret is not examined on the visible lines before buf is
 * parsed - confirm a failed copy is handled after this excerpt.
 */
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, from, count);
/* Base 0 lets kstrtoul() detect the radix; malformed input yields an error code. */
err = kstrtoul(buf, 0, &enable);
if (err)
return err;
Reported by FlawFinder.
Line: 205
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Write handler excerpt: accepts input only while software injection is
 * enabled for this jack control, then copies a short string from user space.
 */
struct snd_jack_kctl *jack_kctl = file->private_data;
int ret, err;
unsigned long enable;
char buf[8] = { 0 };
/* Gate: writes are refused with -EINVAL unless sw_inject_enable is set. */
if (!jack_kctl->sw_inject_enable)
return -EINVAL;
/*
 * The copy is limited to sizeof(buf) - 1 bytes, leaving the zero-filled
 * last byte as the terminator for whatever parses buf next.
 */
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, from, count);
Reported by FlawFinder.
Line: 224
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char __user *to, size_t count, loff_t *ppos)
{
/* Returns the control's name followed by a newline to the user-space reader. */
struct snd_jack_kctl *jack_kctl = file->private_data;
char buf[64];
int len, ret;
/*
 * Bounded by sizeof(buf): scnprintf() truncates a name that does not fit
 * and returns the count actually written, which is what gets exposed below.
 */
len = scnprintf(buf, sizeof(buf), "%s\n", jack_kctl->kctl->id.name);
ret = simple_read_from_buffer(to, count, ppos, buf, len);
Reported by FlawFinder.
Line: 262
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char __user *to, size_t count, loff_t *ppos)
{
/* Renders the control's mask bits as text and returns it to the reader. */
struct snd_jack_kctl *jack_kctl = file->private_data;
char buf[256];
int len, ret;
/*
 * The helper is told the buffer size explicitly. len is whatever it
 * returns - presumably the length of the string it built; confirm against
 * parse_mask_bits() that it can never exceed sizeof(buf).
 */
len = parse_mask_bits(jack_kctl->mask_bits, buf, sizeof(buf));
ret = simple_read_from_buffer(to, count, ppos, buf, len);
Reported by FlawFinder.
Line: 275
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char __user *to, size_t count, loff_t *ppos)
{
/* Reports the jack state as "Plugged" or "Unplugged" plus a newline. */
struct snd_jack_kctl *jack_kctl = file->private_data;
char buf[16];
int len, ret;
/*
 * Both candidate strings are literals; the longer one ("Unplugged\n") needs
 * 11 bytes with its terminator, which fits in buf. scnprintf() is bounded
 * by sizeof(buf) regardless.
 */
len = scnprintf(buf, sizeof(buf), "%s\n", jack_kctl->kctl->private_value ?
"Plugged" : "Unplugged");
ret = simple_read_from_buffer(to, count, ppos, buf, len);
Reported by FlawFinder.
Line: 290
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char __user *to, size_t count, loff_t *ppos)
{
/* Renders the jack's type bits as text and returns it to the reader. */
struct snd_jack_kctl *jack_kctl = file->private_data;
char buf[256];
int len, ret;
/*
 * sizeof(buf) is passed as the helper's limit; len is trusted as the number
 * of valid bytes in buf - confirm parse_mask_bits() keeps it within that limit.
 */
len = parse_mask_bits(jack_kctl->jack->type, buf, sizeof(buf));
ret = simple_read_from_buffer(to, count, ppos, buf, len);
Reported by FlawFinder.
Line: 255
Column: 9
CWE codes:
126
}
/*
 * Tail of a string-building helper: append a newline and report the length.
 * strlcat() is given buf_size as the total destination size, so the append
 * cannot write past it; strlen() then relies on buf being NUL-terminated,
 * which strlcat() preserves for an already-terminated buf.
 */
strlcat(buf, "\n", buf_size);
return strlen(buf);
}
static ssize_t jack_kctl_mask_bits_read(struct file *file,
char __user *to, size_t count, loff_t *ppos)
{
Reported by FlawFinder.
samples/bpf/xdp_adjust_tail_user.c
8 issues
Line: 104
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
if (optstr[i] != 'h' && 'a' <= optstr[i] && optstr[i] <= 'z')
opt_flags[(unsigned char)optstr[i]] = 1;
while ((opt = getopt(argc, argv, optstr)) != -1) {
switch (opt) {
case 'i':
ifindex = if_nametoindex(optarg);
if (!ifindex)
Reported by FlawFinder.
Line: 88
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Local state for option parsing and program loading in this sample tool. */
struct bpf_prog_load_attr prog_load_attr = {
.prog_type = BPF_PROG_TYPE_XDP,
};
/*
 * One slot per possible byte value; zero-initialised. Any index derived from
 * a single char cast to unsigned char (0..255) stays in range.
 */
unsigned char opt_flags[256] = {};
/* Option string is a compile-time literal, not external input. */
const char *optstr = "i:T:P:SNFh";
struct bpf_prog_info info = {};
__u32 info_len = sizeof(info);
unsigned int kill_after_s = 0;
int i, prog_fd, map_fd, opt;
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Declarations followed by the loop that marks lowercase options as required. */
struct bpf_object *obj;
__u32 max_pckt_size = 0;
__u32 key = 0;
char filename[256];
int err;
/*
 * optstr is iterated up to its own strlen(), so the reads stay inside the
 * string. Every lowercase option letter except 'h' is flagged; the
 * (unsigned char) cast keeps the opt_flags index within 0..255.
 */
for (i = 0; i < strlen(optstr); i++)
if (optstr[i] != 'h' && 'a' <= optstr[i] && optstr[i] <= 'z')
opt_flags[(unsigned char)optstr[i]] = 1;
Reported by FlawFinder.
Line: 110
Column: 15
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
/* Option handlers that turn command-line text into numeric settings. */
case 'i':
/* Try the argument as an interface name first, then as a number. */
ifindex = if_nametoindex(optarg);
if (!ifindex)
/*
 * atoi() reports no errors: non-numeric text yields 0 and out-of-range
 * text is not detected.
 * NOTE(review): strtoul() with an end-pointer and range check would
 * reject malformed arguments.
 */
ifindex = atoi(optarg);
break;
case 'T':
/*
 * kill_after_s is declared unsigned int in this function, so a negative
 * argument converts to a very large timeout rather than being rejected.
 */
kill_after_s = atoi(optarg);
break;
case 'P':
Reported by FlawFinder.
Line: 113
Column: 19
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
ifindex = atoi(optarg);
break;
case 'T':
kill_after_s = atoi(optarg);
break;
case 'P':
max_pckt_size = atoi(optarg);
break;
case 'S':
Reported by FlawFinder.
Line: 116
Column: 20
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
kill_after_s = atoi(optarg);
break;
case 'P':
max_pckt_size = atoi(optarg);
break;
case 'S':
xdp_flags |= XDP_FLAGS_SKB_MODE;
break;
case 'N':
Reported by FlawFinder.
Line: 100
Column: 18
CWE codes:
126
char filename[256];
int err;
for (i = 0; i < strlen(optstr); i++)
if (optstr[i] != 'h' && 'a' <= optstr[i] && optstr[i] <= 'z')
opt_flags[(unsigned char)optstr[i]] = 1;
while ((opt = getopt(argc, argv, optstr)) != -1) {
Reported by FlawFinder.
Line: 137
Column: 18
CWE codes:
126
/* Default to driver mode unless SKB mode was requested, then verify required options. */
if (!(xdp_flags & XDP_FLAGS_SKB_MODE))
xdp_flags |= XDP_FLAGS_DRV_MODE;
/*
 * Any option still flagged in opt_flags is reported as missing.
 * The index is cast through unsigned int here, whereas the loop that fills
 * opt_flags casts through unsigned char. With the ASCII literal optstr the
 * two agree; NOTE(review): using (unsigned char) in both places would keep
 * the index in 0..255 even if optstr ever held a byte above 0x7f.
 */
for (i = 0; i < strlen(optstr); i++) {
if (opt_flags[(unsigned int)optstr[i]]) {
/* Literal format string; only the option character is interpolated. */
fprintf(stderr, "Missing argument -%c\n", optstr[i]);
usage(argv[0]);
return 1;
}
Reported by FlawFinder.
security/tomoyo/util.c
8 issues
Line: 141
Column: 15
CWE codes:
126
/*
 * Tail of a tokenizing step: terminates the current token in place and
 * advances param->data to what follows it.
 */
if (del)
*del++ = '\0';
else
/*
 * No delimiter: point at the terminating NUL of pos, so the remaining
 * data is an empty string. Relies on pos being NUL-terminated.
 */
del = pos + strlen(pos);
param->data = del;
return pos;
}
static bool tomoyo_correct_path2(const char *filename, const size_t len);
Reported by FlawFinder.
Line: 386
Column: 18
CWE codes:
126
*/
bool tomoyo_str_starts(char **src, const char *find)
{
/*
 * strlen() requires find to be NUL-terminated; its size_t result is
 * narrowed to int here.
 */
const int len = strlen(find);
char *tmp = *src;
/*
 * strncmp() compares at most len bytes and stops at a NUL in either
 * string, so a *src shorter than find is a mismatch, not an over-read.
 */
if (strncmp(tmp, find, len))
return false;
/* Prefix matched: step past it. */
tmp += len;
Reported by FlawFinder.
Line: 520
Column: 38
CWE codes:
126
*/
bool tomoyo_correct_word(const char *string)
{
	/*
	 * Measure the word once and defer to the length-aware checker.
	 * strlen() requires @string to be a non-NULL, NUL-terminated string;
	 * that guarantee must come from the caller.
	 */
	const size_t word_len = strlen(string);

	return tomoyo_correct_word2(string, word_len);
}
/**
* tomoyo_correct_path2 - Check whether the given pathname follows the naming rules.
*
Reported by FlawFinder.
Line: 549
Column: 40
CWE codes:
126
*/
bool tomoyo_correct_path(const char *filename)
{
	/*
	 * Whole-string variant of the length-bounded path check.
	 * strlen() requires @filename to be a non-NULL, NUL-terminated
	 * string; that guarantee must come from the caller.
	 */
	const size_t path_len = strlen(filename);

	return tomoyo_correct_path2(filename, path_len);
}
/**
* tomoyo_correct_domain - Check whether the given domainname follows the naming rules.
*
Reported by FlawFinder.
Line: 594
Column: 9
CWE codes:
126
return false;
/* The first word ends at the first space, or at the end of the string. */
cp = strchr(buffer, ' ');
if (!cp)
len = strlen(buffer);
else
len = cp - buffer;
/*
 * buffer[len - 1] and len - 2 assume the word is non-empty.
 * NOTE(review): the guard that establishes this sits above the excerpt
 * (only its "return false" is visible) - confirm len >= 1 on every path.
 */
if (buffer[len - 1] != '>' ||
!tomoyo_correct_word2(buffer + 1, len - 2))
return false;
Reported by FlawFinder.
Line: 680
Column: 18
CWE codes:
126
/* Derives the cached fields of a tomoyo_path_info from its name string. */
void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
{
const char *name = ptr->name;
/* Requires ptr->name to be NUL-terminated; the length is narrowed to int. */
const int len = strlen(name);
ptr->const_len = tomoyo_const_part_length(name);
/* The "len &&" test keeps name[len - 1] from reading before an empty name. */
ptr->is_dir = len && (name[len - 1] == '/');
ptr->is_patterned = (ptr->const_len < len);
ptr->hash = full_name_hash(NULL, name, len);
Reported by FlawFinder.
Line: 862
Column: 22
CWE codes:
126
/* Walks filename f and pattern p one '/'-separated component at a time. */
while (*f && *p) {
/*
 * Each delimiter falls back to the string's terminating NUL when no '/'
 * remains, so both pointers stay inside their NUL-terminated strings.
 */
f_delimiter = strchr(f, '/');
if (!f_delimiter)
f_delimiter = f + strlen(f);
p_delimiter = strchr(p, '/');
if (!p_delimiter)
p_delimiter = p + strlen(p);
/* *p is non-NUL here (loop condition), so reading *(p + 1) is in bounds. */
if (*p == '\\' && *(p + 1) == '{')
goto recursive;
Reported by FlawFinder.
Line: 865
Column: 22
CWE codes:
126
f_delimiter = f + strlen(f);
p_delimiter = strchr(p, '/');
if (!p_delimiter)
p_delimiter = p + strlen(p);
if (*p == '\\' && *(p + 1) == '{')
goto recursive;
if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
p_delimiter))
return false;
Reported by FlawFinder.
samples/bpf/xdp_redirect_map_multi_user.c
8 issues
Line: 81
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Resolves the interface name, then asks the kernel for its hardware address. */
if (!if_indextoname(ifindex, ifname))
goto err_out;
/*
 * ifname was just filled by if_indextoname() and is declared as
 * char ifname[IF_NAMESIZE] in this function, so the source is bounded.
 * The unbounded strcpy() is safe only while ifr_name is at least that large.
 * NOTE(review): snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", ifname)
 * would make the bound explicit.
 */
strcpy(ifr.ifr_name, ifname);
if (ioctl(fd, SIOCGIFHWADDR, &ifr) != 0)
goto err_out;
/*
 * Copies exactly 6 bytes. mac_addr is a void *, so its size cannot be
 * checked here - every caller must supply at least 6 bytes.
 */
memcpy(mac_addr, ifr.ifr_hwaddr.sa_data, 6 * sizeof(char));
Reported by FlawFinder.
Line: 150
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
unsigned int ifindex;
char filename[256];
while ((opt = getopt(argc, argv, "SNFX")) != -1) {
switch (opt) {
case 'S':
xdp_flags |= XDP_FLAGS_SKB_MODE;
break;
case 'N':
Reported by FlawFinder.
Line: 64
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Accumulates the per-slot delta since the previous sample and prints the rate. */
sum += (values[i] - prev[i]);
if (sum)
printf("Forwarding %10llu pkt/s\n", sum / interval);
/*
 * The length is taken from the source. This is in bounds only if values is
 * a true array (not a pointer) and prev is at least as large - the
 * declarations are not visible in this excerpt; TODO confirm.
 */
memcpy(prev, values, sizeof(values));
}
}
static int get_mac_addr(unsigned int ifindex, void *mac_addr)
{
Reported by FlawFinder.
Line: 70
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Looks up the hardware address of interface @ifindex and stores it through
 * @mac_addr. ret starts at -1, i.e. failure unless set otherwise later.
 */
static int get_mac_addr(unsigned int ifindex, void *mac_addr)
{
/* Sized with IF_NAMESIZE, the bound if_indextoname() expects for its output. */
char ifname[IF_NAMESIZE];
struct ifreq ifr;
int fd, ret = -1;
/* A datagram socket is used only as a handle for the interface ioctl. */
fd = socket(AF_INET, SOCK_DGRAM, 0);
if (fd < 0)
Reported by FlawFinder.
Line: 86
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fetch the hardware address, copy it out, and release the socket on every path. */
if (ioctl(fd, SIOCGIFHWADDR, &ifr) != 0)
goto err_out;
/* Fixed 6-byte copy; the destination size is the caller's responsibility. */
memcpy(mac_addr, ifr.ifr_hwaddr.sa_data, 6 * sizeof(char));
ret = 0;
err_out:
/* Shared exit: the descriptor is closed on success and on failure alike. */
close(fd);
return ret;
Reported by FlawFinder.
Line: 97
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Begins by locating the "mac_map" map in the loaded BPF object. */
static int update_mac_map(struct bpf_object *obj)
{
int i, ret = -1, mac_map_fd;
/*
 * 6 bytes: matches the fixed 6-byte copy done by get_mac_addr() in this
 * file - presumably this is the buffer passed to it; confirm at the call site.
 */
unsigned char mac_addr[6];
unsigned int ifindex;
/* The map name is a literal; a negative fd means the lookup failed. */
mac_map_fd = bpf_object__find_map_fd_by_name(obj, "mac_map");
if (mac_map_fd < 0) {
printf("find mac map fd failed\n");
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ingress_prog_fd, egress_prog_fd = 0;
struct bpf_devmap_val devmap_val;
bool attach_egress_prog = false;
char ifname[IF_NAMESIZE];
struct bpf_map *mac_map;
struct bpf_object *obj;
unsigned int ifindex;
char filename[256];
Reported by FlawFinder.
Line: 148
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_map *mac_map;
struct bpf_object *obj;
unsigned int ifindex;
char filename[256];
while ((opt = getopt(argc, argv, "SNFX")) != -1) {
switch (opt) {
case 'S':
xdp_flags |= XDP_FLAGS_SKB_MODE;
Reported by FlawFinder.
security/selinux/hooks.c
8 issues
Line: 7136
Column: 16
CWE codes:
134
Suggestion:
Use a constant format string for syslog
/*
 * Entries of a hook table: each LSM_HOOK_INIT() pairs a hook name with the
 * SELinux function that implements it.
 */
LSM_HOOK_INIT(capable, selinux_capable),
LSM_HOOK_INIT(quotactl, selinux_quotactl),
LSM_HOOK_INIT(quota_on, selinux_quota_on),
/*
 * "syslog" is the name of a hook slot here, not a call to a syslog()
 * logging function; no format string is passed on this line.
 */
LSM_HOOK_INIT(syslog, selinux_syslog),
LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
Reported by FlawFinder.
Line: 3570
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
/*
 * The copy runs only when a buffer was supplied and len fits in it, so the
 * destination cannot be overrun. len is returned either way, which lets a
 * caller with a NULL or too-small buffer learn the size it needs.
 */
if (buffer && len <= buffer_size)
memcpy(buffer, XATTR_NAME_SELINUX, len);
return len;
}
static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
{
Reported by FlawFinder.
Line: 902
Column: 8
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
/*
 * Compares the mount-related security settings of two superblocks field by
 * field. "mismatch" is a goto label in this function, not a library call;
 * each test below only compares integers.
 */
char newflags = new->flags & SE_MNTMASK;
if (oldflags != newflags)
goto mismatch;
/* A SID is compared only when the corresponding option flag is set. */
if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
goto mismatch;
if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
goto mismatch;
if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
Reported by FlawFinder.
Line: 904
Column: 8
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
if (oldflags != newflags)
goto mismatch;
if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
goto mismatch;
if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
goto mismatch;
if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
goto mismatch;
if (oldflags & ROOTCONTEXT_MNT) {
Reported by FlawFinder.
Line: 906
Column: 8
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
goto mismatch;
if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
goto mismatch;
if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
goto mismatch;
if (oldflags & ROOTCONTEXT_MNT) {
struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
Reported by FlawFinder.
Line: 908
Column: 8
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
goto mismatch;
if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
goto mismatch;
if (oldflags & ROOTCONTEXT_MNT) {
struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
if (oldroot->sid != newroot->sid)
goto mismatch;
Reported by FlawFinder.
Line: 913
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
if (oldroot->sid != newroot->sid)
goto mismatch;
}
return 0;
mismatch:
pr_warn("SELinux: mount invalid. Same superblock, "
"different security settings for (dev %s, "
Reported by FlawFinder.
Line: 916
Column: 1
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
goto mismatch;
}
/* All compared settings agree. */
return 0;
/*
 * Shared failure exit (a label, not a function): log and refuse with -EBUSY.
 * The format string is a literal; the device id and filesystem type name
 * are passed as %s arguments, never as the format itself.
 */
mismatch:
pr_warn("SELinux: mount invalid. Same superblock, "
"different security settings for (dev %s, "
"type %s)\n", newsb->s_id, newsb->s_type->name);
return -EBUSY;
}
Reported by FlawFinder.
security/landlock/ruleset.c
8 issues
Line: 185
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -EINVAL;
/*
 * "access" on these lines is a bitmask field of a layer structure, not the
 * access() file-permission call; no file is checked and then opened here.
 */
if (WARN_ON_ONCE(this->layers[0].level != 0))
return -EINVAL;
/* Level-0 rule: OR the new access bits into the existing rule in place. */
this->layers[0].access |= (*layers)[0].access;
return 0;
}
/* Past this point a level of 0 on the existing rule is treated as invalid. */
if (WARN_ON_ONCE(this->layers[0].level == 0))
return -EINVAL;
Reported by FlawFinder.
Line: 185
Column: 43
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -EINVAL;
if (WARN_ON_ONCE(this->layers[0].level != 0))
return -EINVAL;
this->layers[0].access |= (*layers)[0].access;
return 0;
}
if (WARN_ON_ONCE(this->layers[0].level == 0))
return -EINVAL;
Reported by FlawFinder.
Line: 226
Column: 21
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
};
/*
 * BUILD_BUG_ON() breaks the build when its condition is true, so these two
 * lines assert at compile time that layer.level is not below
 * LANDLOCK_MAX_NUM_LAYERS and layer.access is not below
 * LANDLOCK_MASK_ACCESS_FS. The initializer that sets layer is above this
 * excerpt - presumably it holds the fields' maximum values; confirm.
 */
BUILD_BUG_ON(layer.level < LANDLOCK_MAX_NUM_LAYERS);
BUILD_BUG_ON(layer.access < LANDLOCK_MASK_ACCESS_FS);
}
/* @ruleset must be locked by the caller. */
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
struct landlock_object *const object, const u32 access)
Reported by FlawFinder.
Line: 231
Column: 51
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/*
 * @ruleset must be locked by the caller.
 *
 * Builds a one-element layer stack from @access. Here "access" is a u32
 * bitmask parameter and a struct field, not the access() file-permission call.
 */
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
struct landlock_object *const object, const u32 access)
{
struct landlock_layer layers[] = {{
.access = access,
/* When @level is zero, insert_rule() extends @ruleset. */
.level = 0,
Reported by FlawFinder.
Line: 234
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct landlock_object *const object, const u32 access)
{
struct landlock_layer layers[] = {{
.access = access,
/* When @level is zero, insert_rule() extends @ruleset. */
.level = 0,
}};
build_check_layer();
Reported by FlawFinder.
Line: 299
Column: 45
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
err = -EINVAL;
goto out_unlock;
}
/*
 * Carry the walked rule's first-layer access bitmask into the local layer
 * and insert it into dst. ARRAY_SIZE(layers) passes the element count of
 * the local array, so the count always matches the array handed over.
 */
layers[0].access = walker_rule->layers[0].access;
err = insert_rule(dst, walker_rule->object, &layers,
ARRAY_SIZE(layers));
/* Any failure leaves through the shared unlock path. */
if (err)
goto out_unlock;
}
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fills in a freshly allocated rule: object, layer count, then the layers. */
new_rule->object = object;
new_rule->num_layers = new_num_layers;
/*
 * Copies the original layer stack.
 * The byte count is derived from num_layers (the source count), so it is in
 * bounds only if new_rule was allocated for at least that many layers.
 * NOTE(review): the allocation is above this excerpt - confirm that
 * new_num_layers >= num_layers there.
 */
memcpy(new_rule->layers, layers,
flex_array_size(new_rule, layers, num_layers));
if (new_layer)
/*
 * Adds a copy of @new_layer on the layer stack.
 * Writes the last slot counted by new_rule->num_layers, which must be
 * non-zero here.
 */
new_rule->layers[new_rule->num_layers - 1] = *new_layer;
return new_rule;
Reported by FlawFinder.
Line: 340
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_unlock;
}
/*
 * Copies the parent layer stack and leaves a space for the new layer.
 * The length comes from parent->num_layers; child must therefore have been
 * allocated with room for at least that many masks plus the new one -
 * the allocation is not visible here; TODO confirm.
 */
memcpy(child->fs_access_masks, parent->fs_access_masks,
flex_array_size(parent, fs_access_masks, parent->num_layers));
/* A parent without a hierarchy is treated as an internal error. */
if (WARN_ON_ONCE(!parent->hierarchy)) {
err = -EINVAL;
goto out_unlock;
Reported by FlawFinder.
security/keys/proc.c
8 issues
Line: 160
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Locals for rendering one key's line of output. */
unsigned long flags;
key_ref_t key_ref, skey_ref;
time64_t now, expiry;
/*
 * Holds the short expiry text written later in this function ("perm",
 * "expd", or a number followed by a one-letter unit). Every writer must
 * stay within these 16 bytes, terminator included.
 */
char xbuf[16];
short state;
u64 timo;
int rc;
struct keyring_search_context ctx = {
Reported by FlawFinder.
Line: 202
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* come up with a suitable timeout value */
/* READ_ONCE() takes a single snapshot of the expiry for all tests below. */
expiry = READ_ONCE(key->expiry);
if (expiry == 0) {
/* 5 bytes = four characters plus the terminating NUL of the literal. */
memcpy(xbuf, "perm", 5);
} else if (now >= expiry) {
memcpy(xbuf, "expd", 5);
} else {
/* Only reached when now < expiry, so the difference is positive. */
timo = expiry - now;
Reported by FlawFinder.
Line: 204
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (expiry == 0) {
memcpy(xbuf, "perm", 5);
} else if (now >= expiry) {
memcpy(xbuf, "expd", 5);
} else {
timo = expiry - now;
if (timo < 60)
sprintf(xbuf, "%llus", timo);
Reported by FlawFinder.
Line: 209
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Chooses the coarsest unit that keeps the number small. In each branch
 * shown here the range test caps the printed value at two digits (< 60,
 * < 60, < 24), so the output is at most 4 bytes with its terminator.
 * NOTE(review): the sprintf() calls carry no size argument; passing
 * sizeof(xbuf) to snprintf() would keep them safe if the format or the
 * buffer ever changes.
 */
timo = expiry - now;
if (timo < 60)
sprintf(xbuf, "%llus", timo);
else if (timo < 60*60)
sprintf(xbuf, "%llum", div_u64(timo, 60));
else if (timo < 60*60*24)
sprintf(xbuf, "%lluh", div_u64(timo, 60 * 60));
else if (timo < 60*60*24*7)
Reported by FlawFinder.
Line: 211
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (timo < 60)
sprintf(xbuf, "%llus", timo);
else if (timo < 60*60)
sprintf(xbuf, "%llum", div_u64(timo, 60));
else if (timo < 60*60*24)
sprintf(xbuf, "%lluh", div_u64(timo, 60 * 60));
else if (timo < 60*60*24*7)
sprintf(xbuf, "%llud", div_u64(timo, 60 * 60 * 24));
else
Reported by FlawFinder.
Line: 213
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Minutes, hours and days are range-limited to one or two digits. The final
 * "weeks" branch has no upper limit: a u64 divided by 60*60*24*7 prints as
 * at most 14 digits, which with the 'w' and the terminating NUL is 16 bytes
 * - exactly the size of xbuf as declared in this function, with no slack.
 * NOTE(review): snprintf(xbuf, sizeof(xbuf), ...) would make the bound
 * explicit instead of depending on this arithmetic.
 */
else if (timo < 60*60)
sprintf(xbuf, "%llum", div_u64(timo, 60));
else if (timo < 60*60*24)
sprintf(xbuf, "%lluh", div_u64(timo, 60 * 60));
else if (timo < 60*60*24*7)
sprintf(xbuf, "%llud", div_u64(timo, 60 * 60 * 24));
else
sprintf(xbuf, "%lluw", div_u64(timo, 60 * 60 * 24 * 7));
}
Reported by FlawFinder.
Line: 215
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (timo < 60*60*24)
sprintf(xbuf, "%lluh", div_u64(timo, 60 * 60));
else if (timo < 60*60*24*7)
sprintf(xbuf, "%llud", div_u64(timo, 60 * 60 * 24));
else
sprintf(xbuf, "%lluw", div_u64(timo, 60 * 60 * 24 * 7));
}
state = key_read_state(key);
Reported by FlawFinder.
Line: 217
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (timo < 60*60*24*7)
sprintf(xbuf, "%llud", div_u64(timo, 60 * 60 * 24));
else
sprintf(xbuf, "%lluw", div_u64(timo, 60 * 60 * 24 * 7));
}
state = key_read_state(key);
#define showflag(FLAGS, LETTER, FLAG) \
Reported by FlawFinder.
sound/sound_core.c
8 issues
Line: 258
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Builds the unit's device name: "sound/<name>", with a numeric suffix when
 * r is SOUND_STEP or more.
 * The "sound/" prefix takes 6 bytes; neither sprintf() bounds the length of
 * name or of the suffix against the size of s->name.
 * NOTE(review): snprintf(s->name, sizeof(s->name), ...) would truncate
 * instead of relying on callers to pass short names - confirm what the
 * callers can pass.
 */
if (r < 0)
goto fail;
else if (r < SOUND_STEP)
sprintf(s->name, "sound/%s", name);
else
sprintf(s->name, "sound/%s%d", name, r / SOUND_STEP);
if (!preclaim_oss) {
/*
Reported by FlawFinder.
Line: 260
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (r < SOUND_STEP)
sprintf(s->name, "sound/%s", name);
else
sprintf(s->name, "sound/%s%d", name, r / SOUND_STEP);
if (!preclaim_oss) {
/*
* Something else might have grabbed the minor. If
* first free slot is requested, rescan with @low set
Reported by FlawFinder.
Line: 114
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Closing members of a per-unit record kept in a singly linked list (via next). */
int unit_minor;
const struct file_operations *unit_fops;
struct sound_unit *next;
/* Fixed 32-byte name; code that formats into it must include the NUL in that budget. */
char name[32];
};
/*
* By default, OSS sound_core claims full legacy minor range (0-255)
* of SOUND_MAJOR to trap open attempts to any sound minor and
Reported by FlawFinder.
Line: 356
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Maps a unit number onto its chain and picks the chain's display name. */
/* chain is the remainder of unit by SOUND_STEP, so its magnitude is below SOUND_STEP. */
const int chain = unit % SOUND_STEP;
int max_unit = 256;
const char *name;
/* Scratch space for a generated name when the chain has no fixed one. */
char _name[16];
switch (chain) {
case 0:
name = "mixer";
break;
Reported by FlawFinder.
Line: 404
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
default:
{
__unknown:
/*
 * Generates "unknown<chain>" and, for units at or above SOUND_STEP, a
 * trailing "-". _name is 16 bytes and "unknown" uses 7 of them, leaving 9
 * for the digits of chain, the optional "-" and the NUL; chain is
 * unit % SOUND_STEP, so this fits while chain prints in at most 7
 * characters. SOUND_STEP's value is not shown in this excerpt - confirm.
 * NOTE(review): a single snprintf(_name, sizeof(_name), ...) would bound
 * both the format and the append.
 */
sprintf(_name, "unknown%d", chain);
if (unit >= SOUND_STEP)
strcat(_name, "-");
name = _name;
}
break;
Reported by FlawFinder.
Line: 592
Column: 19
CWE codes:
362
/*
 * Swaps in the target driver's file operations and forwards the open.
 * "open" on these lines is the f_op->open method pointer being tested and
 * called, not a path-based open() of a file name.
 */
int err = 0;
replace_fops(file, new_fops);
/* The method is optional: err stays 0 when the driver provides none. */
if (file->f_op->open)
err = file->f_op->open(inode,file);
return err;
}
return -ENODEV;
Reported by FlawFinder.
Line: 593
Column: 22
CWE codes:
362
replace_fops(file, new_fops);
if (file->f_op->open)
err = file->f_op->open(inode,file);
return err;
}
return -ENODEV;
}
Reported by FlawFinder.
Line: 406
Column: 9
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
__unknown:
sprintf(_name, "unknown%d", chain);
if (unit >= SOUND_STEP)
strcat(_name, "-");
name = _name;
}
break;
}
return sound_insert_unit(&chains[chain], fops, -1, unit, max_unit,
Reported by FlawFinder.
security/apparmor/policy.c
8 issues
Line: 516
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Builds "<parent hname>//null-<base>".
 * The allocation is strlen(hname) + strlen(base) + 8: the literal "//null-"
 * is 7 characters and the eighth byte is the terminating NUL, so the
 * sprintf() below fills the buffer exactly, provided neither string changes
 * between the strlen() calls and the sprintf().
 */
name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
gfp);
if (name) {
sprintf(name, "%s//null-%s", parent->base.hname, base);
goto name;
}
/* fall through to try shorter uniq */
}
Reported by FlawFinder.
Line: 525
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Builds "<parent hname>//null-<hex counter>".
 * The allocation adds 2 + 7 + 8 = 17 bytes to strlen(hname). The output
 * needs 7 for the literal "//null-", at most 8 hex digits for a 32-bit
 * value printed with %x, and 1 for the NUL - 16 in total, assuming the
 * counter returned by atomic_inc_return() is 32 bits wide.
 */
name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
if (!name)
return NULL;
sprintf(name, "%s//null-%x", parent->base.hname,
atomic_inc_return(&parent->ns->uniq_null));
name:
/* lookup to see if this is a dup creation */
bname = basename(name);
Reported by FlawFinder.
Line: 324
Column: 39
CWE codes:
126
*/
static struct aa_profile *__find_child(struct list_head *head, const char *name)
{
	/*
	 * Whole-string lookup: hand the full length of @name to the
	 * length-bounded search. strlen() requires @name to be a non-NULL,
	 * NUL-terminated string.
	 */
	const size_t name_len = strlen(name);

	return __strn_find_child(head, name, name_len);
}
/**
* aa_find_child - find a profile by @name in @parent
* @parent: profile to search (NOT NULL)
Reported by FlawFinder.
Line: 422
Column: 40
CWE codes:
126
static struct aa_profile *__lookup_profile(struct aa_policy *base,
					   const char *hname)
{
	/*
	 * Whole-string lookup: hand the full length of @hname to the
	 * length-bounded variant. strlen() requires @hname to be a non-NULL,
	 * NUL-terminated string.
	 */
	const size_t hname_len = strlen(hname);

	return __lookupn_profile(base, hname, hname_len);
}
/**
* aa_lookup_profile - find a profile by its full or partial name
* @ns: the namespace to start from (NOT NULL)
Reported by FlawFinder.
Line: 454
Column: 39
CWE codes:
126
struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *hname)
{
	/*
	 * Convenience wrapper over the length-bounded lookup, using the full
	 * length of @hname. strlen() requires @hname to be a non-NULL,
	 * NUL-terminated string.
	 */
	const size_t hname_len = strlen(hname);

	return aa_lookupn_profile(ns, hname, hname_len);
}
struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
const char *fqname, size_t n)
{
Reported by FlawFinder.
Line: 513
Column: 18
CWE codes:
126
AA_BUG(!parent);
if (base) {
name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
gfp);
if (name) {
sprintf(name, "%s//null-%s", parent->base.hname, base);
goto name;
}
Reported by FlawFinder.
Line: 513
Column: 51
CWE codes:
126
AA_BUG(!parent);
if (base) {
name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
gfp);
if (name) {
sprintf(name, "%s//null-%s", parent->base.hname, base);
goto name;
}
Reported by FlawFinder.
Line: 522
Column: 17
CWE codes:
126
/* fall through to try shorter uniq */
}
name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
if (!name)
return NULL;
sprintf(name, "%s//null-%x", parent->base.hname,
atomic_inc_return(&parent->ns->uniq_null));
Reported by FlawFinder.
scripts/dtc/srcpos.c
8 issues
Line: 83
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Finishes the "../" prefix for the current level, then appends the rest of the path. */
res[j++] = '.';
res[j++] = '/';
}
/*
 * Unbounded copy: safe only because res is allocated for the prefix plus the
 * remaining path plus a NUL (3 * diff + restlen + 1 in this function, per
 * the allocation shown for it in this report) - confirm restlen equals
 * strlen(p1) at this point.
 */
strcpy(res + j, p1);
return res;
}
return NULL;
}
Reported by FlawFinder.
Line: 381
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
/* Prints "<prefix>: <source position> <message>" to stderr. */
srcstr = srcpos_string(pos);
/* Literal format; prefix and srcstr are passed as data. */
fprintf(stderr, "%s: %s ", prefix, srcstr);
/*
 * fmt is supplied by the caller and is interpreted as a format string, so
 * every call site must pass a literal (or otherwise trusted) format and
 * route variable text through its arguments.
 */
vfprintf(stderr, fmt, va);
fprintf(stderr, "\n");
/* srcstr is released here, so srcpos_string() presumably returns heap memory. */
free(srcstr);
}
Reported by FlawFinder.
Line: 34
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Returns a newly allocated copy of the directory part of path: everything
 * before slash. Assumes slash points into path - TODO confirm above.
 */
int len = slash - path;
/* len + 1 leaves room for the terminator written below, so the copy fits. */
char *dir = xmalloc(len + 1);
memcpy(dir, path, len);
dir[len] = '\0';
return dir;
}
return NULL;
}
Reported by FlawFinder.
Line: 109
Column: 8
CWE codes:
362
/* Otherwise build the candidate path from the directory and the file name. */
else
fullname = join_path(dirname, fname);
/*
 * The file is opened directly and the result is checked; there is no
 * separate existence test before the open on these lines.
 */
*fp = fopen(fullname, "rb");
if (!*fp) {
/* Open failed: release the path and clear the pointer so it cannot be reused. */
free(fullname);
fullname = NULL;
}
Reported by FlawFinder.
Line: 264
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Makes a copy of pos together with a private copy of its file state. */
pos_new = xmalloc(sizeof(struct srcpos));
assert(pos->next == NULL);
/* Allocation and copy both use sizeof(struct srcpos), so the sizes match. */
memcpy(pos_new, pos, sizeof(struct srcpos));
/* allocate without free */
srcfile_state = xmalloc(sizeof(struct srcfile_state));
/* Same pattern: destination allocated with exactly the size that is copied. */
memcpy(srcfile_state, pos->file, sizeof(struct srcfile_state));
pos_new->file = srcfile_state;
Reported by FlawFinder.
Line: 268
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* allocate without free */
srcfile_state = xmalloc(sizeof(struct srcfile_state));
memcpy(srcfile_state, pos->file, sizeof(struct srcfile_state));
pos_new->file = srcfile_state;
return pos_new;
}
Reported by FlawFinder.
Line: 49
Column: 15
CWE codes:
126
/* Records fname as the initial path and begins scanning its '/' separators. */
static void set_initial_path(char *fname)
{
/* Requires fname to be NUL-terminated; the length is narrowed to int. */
int i, len = strlen(fname);
/* Literal "%s" format: fname is copied as data into initial_path. */
xasprintf(&initial_path, "%s", fname);
initial_pathlen = 0;
/* The scan covers exactly len bytes, the length of the string just copied. */
for (i = 0; i != len; i++)
if (initial_path[i] == '/')
Reported by FlawFinder.
Line: 74
Column: 17
CWE codes:
126
/*
 * Builds a relative path: one "../"-style prefix per directory level of
 * difference, followed by the rest of fname.
 * NOTE(review): p1 is computed from prevslash1 before the NULL test on the
 * next line; on the visible lines p1 is only used inside the guarded branch.
 */
p1 = prevslash1 + 1;
if (prevslash1) {
int diff = initial_pathlen - slashes, i, j;
/* Length of fname from p1 to its end, assuming p1 points into fname. */
int restlen = strlen(fname) - (p1 - fname);
char *res;
/*
 * 3 bytes per level, plus the remainder, plus the NUL. A negative diff
 * would make this size wrong - confirm diff >= 0 on every path here.
 */
res = xmalloc((3 * diff) + restlen + 1);
for (i = 0, j = 0; i != diff; i++) {
res[j++] = '.';
Reported by FlawFinder.