The following issues were found
net/ipv4/tcp_ipv4.c
8 issues
Line: 675
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_TCP_MD5SIG
struct tcp_md5sig_key *key = NULL;
const __u8 *hash_location = NULL;
unsigned char newhash[16];
int genhash;
struct sock *sk1 = NULL;
#endif
u64 transmit_time = 0;
struct sock *ctl_sk;
Reported by FlawFinder.
Line: 1148
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* key mismatches, since changing MD5 key on live flows
* can lead to packet drops.
*/
data_race(memcpy(key->key, newkey, newkeylen));
/* Pairs with READ_ONCE() in tcp_md5_hash_key().
* Also note that a reader could catch new key->keylen value
* but old key->key[], this is the reason we use __GFP_ZERO
* at sock_kmalloc() time below these lines.
Reported by FlawFinder.
Line: 1180
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(key->key, newkey, newkeylen);
key->keylen = newkeylen;
key->family = family;
key->prefixlen = prefixlen;
key->l3index = l3index;
memcpy(&key->addr, addr,
Reported by FlawFinder.
Line: 1185
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
key->family = family;
key->prefixlen = prefixlen;
key->l3index = l3index;
memcpy(&key->addr, addr,
(family == AF_INET6) ? sizeof(struct in6_addr) :
sizeof(struct in_addr));
hlist_add_head_rcu(&key->node, &md5sig->head);
return 0;
}
Reported by FlawFinder.
Line: 1295
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bp->len = cpu_to_be16(nbytes);
_th = (struct tcphdr *)(bp + 1);
memcpy(_th, th, sizeof(*th));
_th->check = 0;
sg_init_one(&sg, bp, sizeof(*bp) + sizeof(*th));
ahash_request_set_crypt(hp->md5_req, &sg, NULL,
sizeof(*bp) + sizeof(*th));
Reported by FlawFinder.
Line: 1403
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct iphdr *iph = ip_hdr(skb);
const struct tcphdr *th = tcp_hdr(skb);
const union tcp_md5_addr *addr;
unsigned char newhash[16];
int genhash, l3index;
/* sdif set, means packet ingressed via a device
* in an L3 domain and dif is set to the l3mdev
*/
Reported by FlawFinder.
Line: 2956
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
net->ipv4.sysctl_tcp_pacing_ss_ratio = 200;
net->ipv4.sysctl_tcp_pacing_ca_ratio = 120;
if (net != &init_net) {
memcpy(net->ipv4.sysctl_tcp_rmem,
init_net.ipv4.sysctl_tcp_rmem,
sizeof(init_net.ipv4.sysctl_tcp_rmem));
memcpy(net->ipv4.sysctl_tcp_wmem,
init_net.ipv4.sysctl_tcp_wmem,
sizeof(init_net.ipv4.sysctl_tcp_wmem));
Reported by FlawFinder.
Line: 2959
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(net->ipv4.sysctl_tcp_rmem,
init_net.ipv4.sysctl_tcp_rmem,
sizeof(init_net.ipv4.sysctl_tcp_rmem));
memcpy(net->ipv4.sysctl_tcp_wmem,
init_net.ipv4.sysctl_tcp_wmem,
sizeof(init_net.ipv4.sysctl_tcp_wmem));
}
net->ipv4.sysctl_tcp_comp_sack_delay_ns = NSEC_PER_MSEC;
net->ipv4.sysctl_tcp_comp_sack_slack_ns = 100 * NSEC_PER_USEC;
Reported by FlawFinder.
lib/crypto/curve25519-hacl64.c
8 issues
Line: 287
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 count1)
{
u128 t[5];
memcpy(output, input, 5 * sizeof(*input));
fsquare_fsquare_times_(output, t, count1);
}
static __always_inline void fsquare_fsquare_times_inplace(u64 *output,
u32 count1)
Reported by FlawFinder.
Line: 359
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u64 b2;
u64 b3;
u64 b4;
memcpy(tmp, b, 5 * sizeof(*b));
b0 = tmp[0];
b1 = tmp[1];
b2 = tmp[2];
b3 = tmp[3];
b4 = tmp[4];
Reported by FlawFinder.
Line: 475
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static __always_inline void point_copy(u64 *output, u64 *input)
{
memcpy(output, input, 5 * sizeof(*input));
memcpy(output + 5, input + 5, 5 * sizeof(*input));
}
static __always_inline void addanddouble_fmonty(u64 *pp, u64 *ppq, u64 *p,
u64 *pq, u64 *qmqp)
Reported by FlawFinder.
Line: 476
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static __always_inline void point_copy(u64 *output, u64 *input)
{
memcpy(output, input, 5 * sizeof(*input));
memcpy(output + 5, input + 5, 5 * sizeof(*input));
}
static __always_inline void addanddouble_fmonty(u64 *pp, u64 *ppq, u64 *p,
u64 *pq, u64 *qmqp)
{
Reported by FlawFinder.
Line: 499
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u64 *origxprime;
xxprime0 = buf + 25;
zzprime0 = buf + 30;
memcpy(origx, x, 5 * sizeof(*x));
fsum(x, z);
fdifference(z, origx);
memcpy(origxprime0, xprime, 5 * sizeof(*xprime));
fsum(xprime, zprime);
fdifference(zprime, origxprime0);
Reported by FlawFinder.
Line: 502
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(origx, x, 5 * sizeof(*x));
fsum(x, z);
fdifference(z, origx);
memcpy(origxprime0, xprime, 5 * sizeof(*xprime));
fsum(xprime, zprime);
fdifference(zprime, origxprime0);
fmul(xxprime0, xprime, z);
fmul(zzprime0, x, zprime);
origxprime = buf + 5;
Reported by FlawFinder.
Line: 519
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xxprime = buf + 25;
zzprime = buf + 30;
zzzprime = buf + 35;
memcpy(origxprime, xxprime, 5 * sizeof(*xxprime));
fsum(xxprime, zzprime);
fdifference(zzprime, origxprime);
fsquare_fsquare_times(x3, xxprime, 1);
fsquare_fsquare_times(zzzprime, zzprime, 1);
fmul(z3, zzzprime, qx);
Reported by FlawFinder.
Line: 773
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u8 e[32] __aligned(32) = { 0 };
u8 *scalar;
memcpy(e, secret, 32);
curve25519_clamp_secret(e);
scalar = e;
{
u64 buf[15] = { 0 };
u64 *nq = buf;
Reported by FlawFinder.
lib/test_kasan.c
8 issues
Line: 487
CWE codes:
628
memset((char *)ptr, 0, 64);
KUNIT_EXPECT_KASAN_FAIL(test,
memmove((char *)ptr, (char *)ptr + 4, invalid_size));
kfree(ptr);
}
static void kmalloc_uaf(struct kunit *test)
Reported by Cppcheck.
Line: 627
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct kmem_cache *cache;
size_t size = 200;
char *p[10];
bool ret;
int i;
cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
Reported by FlawFinder.
Line: 648
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
kmem_cache_destroy(cache);
}
static char global_array[10];
static void kasan_global_oob(struct kunit *test)
{
/*
* Deliberate out-of-bounds access. To prevent CONFIG_UBSAN_LOCAL_BOUNDS
Reported by FlawFinder.
Line: 712
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void kasan_stack_oob(struct kunit *test)
{
char stack_array[10];
/* See comment in kasan_global_oob. */
char *volatile array = stack_array;
char *p = &array[ARRAY_SIZE(stack_array) + OOB_TAG_OFF];
KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
Reported by FlawFinder.
Line: 725
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void kasan_alloca_oob_left(struct kunit *test)
{
volatile int i = 10;
char alloca_array[i];
/* See comment in kasan_global_oob. */
char *volatile array = alloca_array;
char *p = array - 1;
/* Only generic mode instruments dynamic allocas. */
Reported by FlawFinder.
Line: 740
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void kasan_alloca_oob_right(struct kunit *test)
{
volatile int i = 10;
char alloca_array[i];
/* See comment in kasan_global_oob. */
char *volatile array = alloca_array;
char *p = array + i;
/* Only generic mode instruments dynamic allocas. */
Reported by FlawFinder.
Line: 986
Column: 43
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
area = vmalloc(3000);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]);
vfree(area);
}
/*
* Check that the assigned pointer tag falls within the [KASAN_TAG_MIN,
Reported by FlawFinder.
Line: 880
Column: 51
CWE codes:
126
KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
}
static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
Reported by FlawFinder.
net/ipv6/route.c
8 issues
Line: 4352
CWE codes:
908
struct fib6_nh *nh;
/* RA routes do not use nexthops */
if (rt->nh)
continue;
nh = rt->fib6_nh;
if (dev == nh->fib_nh_dev &&
((rt->fib6_flags & (RTF_ADDRCONF | RTF_DEFAULT)) == (RTF_ADDRCONF | RTF_DEFAULT)) &&
Reported by Cppcheck.
Line: 1273
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int flags = strict ? RT6_LOOKUP_F_IFACE : 0;
if (saddr) {
memcpy(&fl6.saddr, saddr, sizeof(*saddr));
flags |= RT6_LOOKUP_F_HAS_SADDR;
}
dst = fib6_rule_lookup(net, &fl6, skb, flags, ip6_pol_route_lookup);
if (dst->error == 0)
Reported by FlawFinder.
Line: 2667
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rt->rt6i_gateway = ort->rt6i_gateway;
rt->rt6i_flags = ort->rt6i_flags & ~RTF_PCPU;
memcpy(&rt->rt6i_dst, &ort->rt6i_dst, sizeof(struct rt6key));
#ifdef CONFIG_IPV6_SUBTREES
memcpy(&rt->rt6i_src, &ort->rt6i_src, sizeof(struct rt6key));
#endif
}
Reported by FlawFinder.
Line: 2669
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&rt->rt6i_dst, &ort->rt6i_dst, sizeof(struct rt6key));
#ifdef CONFIG_IPV6_SUBTREES
memcpy(&rt->rt6i_src, &ort->rt6i_src, sizeof(struct rt6key));
#endif
}
dst_release(dst_orig);
return new ? new : ERR_PTR(-ENOMEM);
Reported by FlawFinder.
Line: 5163
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nh)
return -ENOMEM;
nh->fib6_info = rt;
memcpy(&nh->r_cfg, r_cfg, sizeof(*r_cfg));
list_add_tail(&nh->next, rt6_nh_list);
return 0;
}
Reported by FlawFinder.
Line: 5246
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* fib6_info structs per nexthop
*/
while (rtnh_ok(rtnh, remaining)) {
memcpy(&r_cfg, cfg, sizeof(*cfg));
if (rtnh->rtnh_ifindex)
r_cfg.fc_ifindex = rtnh->rtnh_ifindex;
attrlen = rtnh_attrlen(rtnh);
if (attrlen > 0) {
Reported by FlawFinder.
Line: 5416
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Parse a Multipath Entry */
while (rtnh_ok(rtnh, remaining)) {
memcpy(&r_cfg, cfg, sizeof(*cfg));
if (rtnh->rtnh_ifindex)
r_cfg.fc_ifindex = rtnh->rtnh_ifindex;
attrlen = rtnh_attrlen(rtnh);
if (attrlen > 0) {
Reported by FlawFinder.
Line: 6441
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
net->ipv6.fib6_null_entry = fib6_info_alloc(GFP_KERNEL, true);
if (!net->ipv6.fib6_null_entry)
goto out_ip6_dst_entries;
memcpy(net->ipv6.fib6_null_entry, &fib6_null_entry_template,
sizeof(*net->ipv6.fib6_null_entry));
net->ipv6.ip6_null_entry = kmemdup(&ip6_null_entry_template,
sizeof(*net->ipv6.ip6_null_entry),
GFP_KERNEL);
Reported by FlawFinder.
lib/test_ubsan.c
8 issues
Line: 20
CWE codes:
369
volatile int val2 = 0;
UBSAN_TEST(CONFIG_UBSAN_DIV_ZERO);
val /= val2;
}
static void test_ubsan_shift_out_of_bounds(void)
{
volatile int neg = -1, wrap = 4;
Reported by Cppcheck.
Line: 30
CWE codes:
758
int val2 = INT_MAX;
UBSAN_TEST(CONFIG_UBSAN_SHIFT, "negative exponent");
val1 <<= neg;
UBSAN_TEST(CONFIG_UBSAN_SHIFT, "left overflow");
val2 <<= wrap;
}
Reported by Cppcheck.
Line: 46
CWE codes:
788
above[0] = below[0];
UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
arr[j] = i;
UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
arr[k] = i;
}
Reported by Cppcheck.
Line: 49
CWE codes:
786
arr[j] = i;
UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
arr[k] = i;
}
enum ubsan_test_enum {
UBSAN_TEST_ZERO = 0,
UBSAN_TEST_ONE,
Reported by Cppcheck.
Line: 88
CWE codes:
476
int val;
UBSAN_TEST(CONFIG_UBSAN_OBJECT_SIZE);
val = *ptr;
}
static void test_ubsan_misaligned_access(void)
{
volatile char arr[5] __aligned(4) = {1, 2, 3, 4, 5};
Reported by Cppcheck.
Line: 39
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void test_ubsan_out_of_bounds(void)
{
volatile int i = 4, j = 5, k = -1;
volatile char above[4] = { }; /* Protect surrounding memory. */
volatile int arr[4];
volatile char below[4] = { }; /* Protect surrounding memory. */
above[0] = below[0];
Reported by FlawFinder.
Line: 41
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
volatile int i = 4, j = 5, k = -1;
volatile char above[4] = { }; /* Protect surrounding memory. */
volatile int arr[4];
volatile char below[4] = { }; /* Protect surrounding memory. */
above[0] = below[0];
UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
arr[j] = i;
Reported by FlawFinder.
Line: 93
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void test_ubsan_misaligned_access(void)
{
volatile char arr[5] __aligned(4) = {1, 2, 3, 4, 5};
volatile int *ptr, val = 6;
UBSAN_TEST(CONFIG_UBSAN_ALIGNMENT);
ptr = (int *)(arr + 1);
*ptr = val;
Reported by FlawFinder.
kernel/trace/trace_probe_tmpl.h
8 issues
Line: 125
CWE codes:
476
probe_mem_read_user(dest, (void *)val + code->offset, code->size);
break;
case FETCH_OP_ST_STRING:
loc = *(u32 *)dest;
ret = fetch_store_string(val + code->offset, dest, base);
break;
case FETCH_OP_ST_USTRING:
loc = *(u32 *)dest;
ret = fetch_store_string_user(val + code->offset, dest, base);
Reported by Cppcheck.
Line: 125
CWE codes:
476
probe_mem_read_user(dest, (void *)val + code->offset, code->size);
break;
case FETCH_OP_ST_STRING:
loc = *(u32 *)dest;
ret = fetch_store_string(val + code->offset, dest, base);
break;
case FETCH_OP_ST_USTRING:
loc = *(u32 *)dest;
ret = fetch_store_string_user(val + code->offset, dest, base);
Reported by Cppcheck.
Line: 125
CWE codes:
476
probe_mem_read_user(dest, (void *)val + code->offset, code->size);
break;
case FETCH_OP_ST_STRING:
loc = *(u32 *)dest;
ret = fetch_store_string(val + code->offset, dest, base);
break;
case FETCH_OP_ST_USTRING:
loc = *(u32 *)dest;
ret = fetch_store_string_user(val + code->offset, dest, base);
Reported by Cppcheck.
Line: 125
CWE codes:
476
probe_mem_read_user(dest, (void *)val + code->offset, code->size);
break;
case FETCH_OP_ST_STRING:
loc = *(u32 *)dest;
ret = fetch_store_string(val + code->offset, dest, base);
break;
case FETCH_OP_ST_USTRING:
loc = *(u32 *)dest;
ret = fetch_store_string_user(val + code->offset, dest, base);
Reported by Cppcheck.
Line: 129
CWE codes:
476
ret = fetch_store_string(val + code->offset, dest, base);
break;
case FETCH_OP_ST_USTRING:
loc = *(u32 *)dest;
ret = fetch_store_string_user(val + code->offset, dest, base);
break;
default:
return -EILSEQ;
}
Reported by Cppcheck.
Line: 129
CWE codes:
476
ret = fetch_store_string(val + code->offset, dest, base);
break;
case FETCH_OP_ST_USTRING:
loc = *(u32 *)dest;
ret = fetch_store_string_user(val + code->offset, dest, base);
break;
default:
return -EILSEQ;
}
Reported by Cppcheck.
Line: 129
CWE codes:
476
ret = fetch_store_string(val + code->offset, dest, base);
break;
case FETCH_OP_ST_USTRING:
loc = *(u32 *)dest;
ret = fetch_store_string_user(val + code->offset, dest, base);
break;
default:
return -EILSEQ;
}
Reported by Cppcheck.
Line: 129
CWE codes:
476
ret = fetch_store_string(val + code->offset, dest, base);
break;
case FETCH_OP_ST_USTRING:
loc = *(u32 *)dest;
ret = fetch_store_string_user(val + code->offset, dest, base);
break;
default:
return -EILSEQ;
}
Reported by Cppcheck.
net/ethtool/netlink.h
8 issues
Line: 57
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!attr)
return -EMSGSIZE;
memcpy(nla_data(attr), s, len);
((char *)nla_data(attr))[len] = '\0';
return 0;
}
/**
Reported by FlawFinder.
Line: 58
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return -EMSGSIZE;
memcpy(nla_data(attr), s, len);
((char *)nla_data(attr))[len] = '\0';
return 0;
}
/**
* ethnl_update_u32() - update u32 value from NLA_U32 attribute
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!memcmp(dst, nla_data(attr), len))
return;
memcpy(dst, nla_data(attr), len);
*mod = true;
}
/**
* ethnl_update_bitfield32() - update u32 value from NLA_BITFIELD32 attribute
Reported by FlawFinder.
Line: 406
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ethnl_tunnel_info_dumpit(struct sk_buff *skb, struct netlink_callback *cb);
int ethnl_set_fec(struct sk_buff *skb, struct genl_info *info);
extern const char stats_std_names[__ETHTOOL_STATS_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_phy_names[__ETHTOOL_A_STATS_ETH_PHY_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_mac_names[__ETHTOOL_A_STATS_ETH_MAC_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_ctrl_names[__ETHTOOL_A_STATS_ETH_CTRL_CNT][ETH_GSTRING_LEN];
extern const char stats_rmon_names[__ETHTOOL_A_STATS_RMON_CNT][ETH_GSTRING_LEN];
Reported by FlawFinder.
Line: 407
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ethnl_set_fec(struct sk_buff *skb, struct genl_info *info);
extern const char stats_std_names[__ETHTOOL_STATS_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_phy_names[__ETHTOOL_A_STATS_ETH_PHY_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_mac_names[__ETHTOOL_A_STATS_ETH_MAC_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_ctrl_names[__ETHTOOL_A_STATS_ETH_CTRL_CNT][ETH_GSTRING_LEN];
extern const char stats_rmon_names[__ETHTOOL_A_STATS_RMON_CNT][ETH_GSTRING_LEN];
#endif /* _NET_ETHTOOL_NETLINK_H */
Reported by FlawFinder.
Line: 408
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern const char stats_std_names[__ETHTOOL_STATS_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_phy_names[__ETHTOOL_A_STATS_ETH_PHY_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_mac_names[__ETHTOOL_A_STATS_ETH_MAC_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_ctrl_names[__ETHTOOL_A_STATS_ETH_CTRL_CNT][ETH_GSTRING_LEN];
extern const char stats_rmon_names[__ETHTOOL_A_STATS_RMON_CNT][ETH_GSTRING_LEN];
#endif /* _NET_ETHTOOL_NETLINK_H */
Reported by FlawFinder.
Line: 409
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern const char stats_std_names[__ETHTOOL_STATS_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_phy_names[__ETHTOOL_A_STATS_ETH_PHY_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_mac_names[__ETHTOOL_A_STATS_ETH_MAC_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_ctrl_names[__ETHTOOL_A_STATS_ETH_CTRL_CNT][ETH_GSTRING_LEN];
extern const char stats_rmon_names[__ETHTOOL_A_STATS_RMON_CNT][ETH_GSTRING_LEN];
#endif /* _NET_ETHTOOL_NETLINK_H */
Reported by FlawFinder.
Line: 410
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern const char stats_eth_phy_names[__ETHTOOL_A_STATS_ETH_PHY_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_mac_names[__ETHTOOL_A_STATS_ETH_MAC_CNT][ETH_GSTRING_LEN];
extern const char stats_eth_ctrl_names[__ETHTOOL_A_STATS_ETH_CTRL_CNT][ETH_GSTRING_LEN];
extern const char stats_rmon_names[__ETHTOOL_A_STATS_RMON_CNT][ETH_GSTRING_LEN];
#endif /* _NET_ETHTOOL_NETLINK_H */
Reported by FlawFinder.
include/trace/events/afs.h
8 issues
Line: 845
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->fid.vnode = 0;
__entry->fid.unique = 0;
}
memcpy(__entry->name, name->name, __len);
__entry->name[__len] = 0;
),
TP_printk("c=%08x %06llx:%06llx:%06x %s \"%s\"",
__entry->call,
Reported by FlawFinder.
Line: 884
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->fid.vnode = 0;
__entry->fid.unique = 0;
}
memcpy(__entry->name, name->name, __len);
__entry->name[__len] = 0;
memcpy(__entry->name2, name2->name, __len2);
__entry->name2[__len2] = 0;
),
Reported by FlawFinder.
Line: 886
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(__entry->name, name->name, __len);
__entry->name[__len] = 0;
memcpy(__entry->name2, name2->name, __len2);
__entry->name2[__len2] = 0;
),
TP_printk("c=%08x %06llx:%06llx:%06x %s \"%s\" \"%s\"",
__entry->call,
Reported by FlawFinder.
Line: 1091
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int __len = min_t(int, name->len, 23);
__entry->dfid = dvnode->fid;
__entry->fid = *fid;
memcpy(__entry->name, name->name, __len);
__entry->name[__len] = 0;
),
TP_printk("d=%llx:%llx:%x \"%s\" f=%llx:%x",
__entry->dfid.vid, __entry->dfid.vnode, __entry->dfid.unique,
Reported by FlawFinder.
Line: 1136
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->slot = slot;
__entry->f_vnode = f_vnode;
__entry->f_unique = f_unique;
memcpy(__entry->name, name, __len);
__entry->name[__len] = 0;
),
TP_printk("d=%x:%x %s %s %u[%u] f=%x:%x \"%s\"",
__entry->vnode, __entry->unique,
Reported by FlawFinder.
Line: 1372
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int __len;
__entry->vid = volume->vid;
__len = min_t(int, cell->name_len, 23);
memcpy(__entry->cell, cell->name, __len);
__entry->cell[__len] = 0;
__len = min_t(int, volume->name_len, 23);
memcpy(__entry->volume, volume->name, __len);
__entry->volume[__len] = 0;
),
Reported by FlawFinder.
Line: 1375
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(__entry->cell, cell->name, __len);
__entry->cell[__len] = 0;
__len = min_t(int, volume->name_len, 23);
memcpy(__entry->volume, volume->name, __len);
__entry->volume[__len] = 0;
),
TP_printk("--- MOUNT %s:%s %llx",
__entry->cell, __entry->volume, __entry->vid)
Reported by FlawFinder.
Line: 1126
Column: 19
CWE codes:
126
),
TP_fast_assign(
int __len = strlen(name);
__len = min(__len, 23);
__entry->vnode = dvnode->fid.vnode;
__entry->unique = dvnode->fid.unique;
__entry->why = why;
__entry->op = op;
Reported by FlawFinder.
include/uapi/linux/netfilter_arp/arp_tables.h
8 issues
Line: 39
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define ARPT_DEV_ADDR_LEN_MAX 16
struct arpt_devaddr_info {
char addr[ARPT_DEV_ADDR_LEN_MAX];
char mask[ARPT_DEV_ADDR_LEN_MAX];
};
/* Yes, Virginia, you have to zero the padding. */
struct arpt_arp {
Reported by FlawFinder.
Line: 40
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct arpt_devaddr_info {
char addr[ARPT_DEV_ADDR_LEN_MAX];
char mask[ARPT_DEV_ADDR_LEN_MAX];
};
/* Yes, Virginia, you have to zero the padding. */
struct arpt_arp {
/* Source and target IP addr */
Reported by FlawFinder.
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* so there is no use in offering a way to do filtering on it.
*/
char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
/* Flags word */
__u8 flags;
/* Inverse flags */
Reported by FlawFinder.
Line: 67
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
/* Flags word */
__u8 flags;
/* Inverse flags */
__u16 invflags;
Reported by FlawFinder.
Line: 112
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xt_counters counters;
/* The matches (if any), then the target. */
unsigned char elems[0];
};
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
* Unlike BSD Linux inherits IP options so you don't have to use a raw
Reported by FlawFinder.
Line: 137
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* The argument to ARPT_SO_GET_INFO */
struct arpt_getinfo {
/* Which table: caller fills this in. */
char name[XT_TABLE_MAXNAMELEN];
/* Kernel fills these in. */
/* Which hook entry points are valid: bitmask */
unsigned int valid_hooks;
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* The argument to ARPT_SO_SET_REPLACE. */
struct arpt_replace {
/* Which table. */
char name[XT_TABLE_MAXNAMELEN];
/* Which hook entry points are valid: bitmask. You can't
change this. */
unsigned int valid_hooks;
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* The argument to ARPT_SO_GET_ENTRIES. */
struct arpt_get_entries {
/* Which table: user fills this in. */
char name[XT_TABLE_MAXNAMELEN];
/* User fills this in: total entry size. */
unsigned int size;
/* The entries. */
Reported by FlawFinder.
include/uapi/linux/ethtool.h
8 issues
Line: 189
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct ethtool_drvinfo {
__u32 cmd;
char driver[32];
char version[32];
char fw_version[ETHTOOL_FWVERS_LEN];
char bus_info[ETHTOOL_BUSINFO_LEN];
char erom_version[ETHTOOL_EROMVERS_LEN];
char reserved2[12];
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ethtool_drvinfo {
__u32 cmd;
char driver[32];
char version[32];
char fw_version[ETHTOOL_FWVERS_LEN];
char bus_info[ETHTOOL_BUSINFO_LEN];
char erom_version[ETHTOOL_EROMVERS_LEN];
char reserved2[12];
__u32 n_priv_flags;
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 cmd;
char driver[32];
char version[32];
char fw_version[ETHTOOL_FWVERS_LEN];
char bus_info[ETHTOOL_BUSINFO_LEN];
char erom_version[ETHTOOL_EROMVERS_LEN];
char reserved2[12];
__u32 n_priv_flags;
__u32 n_stats;
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char driver[32];
char version[32];
char fw_version[ETHTOOL_FWVERS_LEN];
char bus_info[ETHTOOL_BUSINFO_LEN];
char erom_version[ETHTOOL_EROMVERS_LEN];
char reserved2[12];
__u32 n_priv_flags;
__u32 n_stats;
__u32 testinfo_len;
Reported by FlawFinder.
Line: 193
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char version[32];
char fw_version[ETHTOOL_FWVERS_LEN];
char bus_info[ETHTOOL_BUSINFO_LEN];
char erom_version[ETHTOOL_EROMVERS_LEN];
char reserved2[12];
__u32 n_priv_flags;
__u32 n_stats;
__u32 testinfo_len;
__u32 eedump_len;
Reported by FlawFinder.
Line: 194
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char fw_version[ETHTOOL_FWVERS_LEN];
char bus_info[ETHTOOL_BUSINFO_LEN];
char erom_version[ETHTOOL_EROMVERS_LEN];
char reserved2[12];
__u32 n_priv_flags;
__u32 n_stats;
__u32 testinfo_len;
__u32 eedump_len;
__u32 regdump_len;
Reported by FlawFinder.
Line: 983
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct ethtool_flow_ext {
__u8 padding[2];
unsigned char h_dest[ETH_ALEN];
__be16 vlan_etype;
__be16 vlan_tci;
__be32 data[2];
};
Reported by FlawFinder.
Line: 1235
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ethtool_flash {
__u32 cmd;
__u32 region;
char data[ETHTOOL_FLASH_MAX_FILENAME];
};
/**
* struct ethtool_dump - used for retrieving, setting device dump
* @cmd: Command number - %ETHTOOL_GET_DUMP_FLAG, %ETHTOOL_GET_DUMP_DATA, or
Reported by FlawFinder.