The following issues were found
net/ipv6/ip6_tunnel.c
7 issues
Line: 267
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (err < 0)
goto out;
strcpy(t->parms.name, dev->name);
ip6_tnl_link(ip6n, t);
return 0;
out:
Reported by FlawFinder.
Line: 2293
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
t = netdev_priv(ip6n->fb_tnl_dev);
strcpy(t->parms.name, ip6n->fb_tnl_dev->name);
return 0;
err_register:
free_netdev(ip6n->fb_tnl_dev);
err_alloc_dev:
Reported by FlawFinder.
Line: 292
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct net_device *dev;
struct ip6_tnl *t;
char name[IFNAMSIZ];
int err = -E2BIG;
if (p->name[0]) {
if (!dev_valid_name(p->name))
goto failed;
Reported by FlawFinder.
Line: 300
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto failed;
strlcpy(name, p->name, IFNAMSIZ);
} else {
sprintf(name, "ip6tnl%%d");
}
err = -ENOMEM;
dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
ip6_tnl_dev_setup);
if (!dev)
Reported by FlawFinder.
Line: 1452
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int mtu;
int t_hlen;
memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
/* Set up flowi template */
fl6->saddr = p->laddr;
fl6->daddr = p->raddr;
Reported by FlawFinder.
Line: 1453
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int t_hlen;
memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
/* Set up flowi template */
fl6->saddr = p->laddr;
fl6->daddr = p->raddr;
fl6->flowi6_oif = p->link;
Reported by FlawFinder.
Line: 1566
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p->flowinfo = u->flowinfo;
p->link = u->link;
p->proto = u->proto;
memcpy(p->name, u->name, sizeof(u->name));
}
static void
ip6_tnl_parm_to_user(struct ip6_tnl_parm *u, const struct __ip6_tnl_parm *p)
{
Reported by FlawFinder.
net/nfc/llcp_core.c
7 issues
Line: 572
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gb_cur = local->gb;
memcpy(gb_cur, llcp_magic, ARRAY_SIZE(llcp_magic));
gb_cur += ARRAY_SIZE(llcp_magic);
memcpy(gb_cur, version_tlv, version_length);
gb_cur += version_length;
Reported by FlawFinder.
Line: 575
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(gb_cur, llcp_magic, ARRAY_SIZE(llcp_magic));
gb_cur += ARRAY_SIZE(llcp_magic);
memcpy(gb_cur, version_tlv, version_length);
gb_cur += version_length;
memcpy(gb_cur, lto_tlv, lto_length);
gb_cur += lto_length;
Reported by FlawFinder.
Line: 578
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(gb_cur, version_tlv, version_length);
gb_cur += version_length;
memcpy(gb_cur, lto_tlv, lto_length);
gb_cur += lto_length;
memcpy(gb_cur, wks_tlv, wks_length);
gb_cur += wks_length;
Reported by FlawFinder.
Line: 581
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(gb_cur, lto_tlv, lto_length);
gb_cur += lto_length;
memcpy(gb_cur, wks_tlv, wks_length);
gb_cur += wks_length;
memcpy(gb_cur, miux_tlv, miux_length);
gb_cur += miux_length;
Reported by FlawFinder.
Line: 584
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(gb_cur, wks_tlv, wks_length);
gb_cur += wks_length;
memcpy(gb_cur, miux_tlv, miux_length);
gb_cur += miux_length;
local->gb_len = gb_len;
out:
Reported by FlawFinder.
Line: 629
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
memcpy(local->remote_gb, gb, gb_len);
local->remote_gb_len = gb_len;
if (memcmp(local->remote_gb, llcp_magic, 3)) {
pr_err("MAC does not support LLCP\n");
return -EINVAL;
Reported by FlawFinder.
Line: 1268
Column: 28
CWE codes:
126
pr_debug("Looking for %.16s\n", service_name);
if (service_name_len == strlen("urn:nfc:sn:sdp") &&
!strncmp(service_name, "urn:nfc:sn:sdp",
service_name_len)) {
sap = 1;
goto add_snl;
}
Reported by FlawFinder.
lib/kunit/test.c
7 issues
Line: 37
Column: 8
CWE codes:
134
Suggestion:
Use a constant for the format specification
/* kunit_err() only accepts literals, so evaluate the args first. */
va_start(args, fmt);
len = vsnprintf(NULL, 0, fmt, args) + 1;
va_end(args);
buffer = kunit_kmalloc(current->kunit_test, len, GFP_KERNEL);
if (!buffer)
return;
Reported by FlawFinder.
Line: 45
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return;
va_start(args, fmt);
vsnprintf(buffer, len, fmt, args);
va_end(args);
kunit_err(current->kunit_test, "%s:%d: %s", file, line, buffer);
kunit_kfree(current->kunit_test, buffer);
}
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return;
va_start(args, fmt);
vsnprintf(line, sizeof(line), fmt, args);
va_end(args);
strncat(log, line, len_left);
}
EXPORT_SYMBOL_GPL(kunit_log_append);
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
void kunit_log_append(char *log, const char *fmt, ...)
{
char line[KUNIT_LOG_SIZE];
va_list args;
int len_left;
if (!log)
return;
Reported by FlawFinder.
Line: 398
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int kunit_run_tests(struct kunit_suite *suite)
{
char param_desc[KUNIT_PARAM_DESC_SIZE];
struct kunit_case *test_case;
kunit_print_subtest_start(suite);
kunit_suite_for_each_test_case(suite, test_case) {
Reported by FlawFinder.
Line: 67
Column: 30
CWE codes:
126
if (!log)
return;
len_left = KUNIT_LOG_SIZE - strlen(log) - 1;
if (len_left <= 0)
return;
va_start(args, fmt);
vsnprintf(line, sizeof(line), fmt, args);
Reported by FlawFinder.
Line: 75
Column: 2
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
vsnprintf(line, sizeof(line), fmt, args);
va_end(args);
strncat(log, line, len_left);
}
EXPORT_SYMBOL_GPL(kunit_log_append);
size_t kunit_suite_num_test_cases(struct kunit_suite *suite)
{
Reported by FlawFinder.
net/netfilter/nft_flow_offload.c
7 issues
Line: 97
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const struct net_device_path *path;
int i;
memcpy(info->h_dest, ha, ETH_ALEN);
for (i = 0; i < stack->num_paths; i++) {
path = &stack->path[i];
switch (path->type) {
case DEV_PATH_ETHERNET:
Reported by FlawFinder.
Line: 108
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case DEV_PATH_PPPOE:
info->indev = path->dev;
if (is_zero_ether_addr(info->h_source))
memcpy(info->h_source, path->dev->dev_addr, ETH_ALEN);
if (path->type == DEV_PATH_ETHERNET)
break;
if (path->type == DEV_PATH_DSA) {
i = stack->num_paths;
Reported by FlawFinder.
Line: 127
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info->encap[info->num_encaps].proto = path->encap.proto;
info->num_encaps++;
if (path->type == DEV_PATH_PPPOE)
memcpy(info->h_dest, path->encap.h_dest, ETH_ALEN);
break;
case DEV_PATH_BRIDGE:
if (is_zero_ether_addr(info->h_source))
memcpy(info->h_source, path->dev->dev_addr, ETH_ALEN);
Reported by FlawFinder.
Line: 131
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case DEV_PATH_BRIDGE:
if (is_zero_ether_addr(info->h_source))
memcpy(info->h_source, path->dev->dev_addr, ETH_ALEN);
switch (path->bridge.vlan_mode) {
case DEV_PATH_BR_VLAN_UNTAG_HW:
info->ingress_vlans |= BIT(info->num_encaps - 1);
break;
Reported by FlawFinder.
Line: 190
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct dst_entry *dst = route->tuple[dir].dst;
struct net_device_path_stack stack;
struct nft_forward_info info = {};
unsigned char ha[ETH_ALEN];
int i;
if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
nft_dev_path_info(&stack, &info, ha, &ft->data);
Reported by FlawFinder.
Line: 208
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
route->tuple[!dir].in.ingress_vlans = info.ingress_vlans;
if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
route->tuple[dir].out.ifindex = info.outdev->ifindex;
route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex;
route->tuple[dir].xmit_type = info.xmit_type;
}
Reported by FlawFinder.
Line: 209
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
route->tuple[dir].out.ifindex = info.outdev->ifindex;
route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex;
route->tuple[dir].xmit_type = info.xmit_type;
}
}
Reported by FlawFinder.
kernel/bpf/disasm.c
7 issues
Line: 62
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return "unknown";
}
const char *const bpf_class_string[8] = {
[BPF_LD] = "ld",
[BPF_LDX] = "ldx",
[BPF_ST] = "st",
[BPF_STX] = "stx",
[BPF_ALU] = "alu",
Reported by FlawFinder.
Line: 73
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[BPF_ALU64] = "alu64",
};
const char *const bpf_alu_string[16] = {
[BPF_ADD >> 4] = "+=",
[BPF_SUB >> 4] = "-=",
[BPF_MUL >> 4] = "*=",
[BPF_DIV >> 4] = "/=",
[BPF_OR >> 4] = "|=",
Reported by FlawFinder.
Line: 90
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[BPF_END >> 4] = "endian",
};
static const char *const bpf_atomic_alu_string[16] = {
[BPF_ADD >> 4] = "add",
[BPF_AND >> 4] = "and",
[BPF_OR >> 4] = "or",
[BPF_XOR >> 4] = "xor",
};
Reported by FlawFinder.
Line: 104
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[BPF_DW >> 3] = "u64",
};
static const char *const bpf_jmp_string[16] = {
[BPF_JA >> 4] = "jmp",
[BPF_JEQ >> 4] = "==",
[BPF_JGT >> 4] = ">",
[BPF_JLT >> 4] = "<",
[BPF_JGE >> 4] = ">=",
Reported by FlawFinder.
Line: 248
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;
bool is_ptr = insn->src_reg == BPF_PSEUDO_MAP_FD ||
insn->src_reg == BPF_PSEUDO_MAP_VALUE;
char tmp[64];
if (is_ptr && !allow_ptr_leaks)
imm = 0;
verbose(cbs->private_data, "(%02x) r%d = %s\n",
Reported by FlawFinder.
Line: 265
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 opcode = BPF_OP(insn->code);
if (opcode == BPF_CALL) {
char tmp[64];
if (insn->src_reg == BPF_PSEUDO_CALL) {
verbose(cbs->private_data, "(%02x) call pc%s\n",
insn->code,
__func_get_name(cbs, insn,
Reported by FlawFinder.
Line: 273
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
__func_get_name(cbs, insn,
tmp, sizeof(tmp)));
} else {
strcpy(tmp, "unknown");
verbose(cbs->private_data, "(%02x) call %s#%d\n", insn->code,
__func_get_name(cbs, insn,
tmp, sizeof(tmp)),
insn->imm);
}
Reported by FlawFinder.
net/ipv6/calipso.c
7 issues
Line: 730
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret_val;
u32 len, pad;
u16 crc;
static const unsigned char padding[4] = {2, 1, 0, 3};
unsigned char *calipso;
/* CALIPSO has 4n + 2 alignment */
pad = padding[start & 3];
if (buf_len <= start + pad + CALIPSO_HDR_LEN)
Reported by FlawFinder.
Line: 933
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ERR_PTR(-ENOMEM);
if (start > sizeof(*hop))
memcpy(new, hop, start);
ret_val = calipso_genopt((unsigned char *)new, start, buf_len, doi_def,
secattr);
if (ret_val < 0) {
kfree(new);
return ERR_PTR(ret_val);
Reported by FlawFinder.
Line: 948
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf_len += pad;
if (end != hop_len) {
memcpy((char *)new + buf_len, (char *)hop + end, hop_len - end);
buf_len += hop_len - end;
}
new->nexthdr = 0;
new->hdrlen = buf_len / 8 - 1;
Reported by FlawFinder.
Line: 993
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!*new)
return -ENOMEM;
memcpy(*new, hop, start);
(*new)->hdrlen -= delta / 8;
pad = (end - start) & 7;
calipso_pad_write((unsigned char *)*new, start, pad);
if (end != hop_len)
memcpy((char *)*new + start + pad, (char *)hop + end,
Reported by FlawFinder.
Line: 998
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pad = (end - start) & 7;
calipso_pad_write((unsigned char *)*new, start, pad);
if (end != hop_len)
memcpy((char *)*new + start + pad, (char *)hop + end,
hop_len - end);
return 0;
}
Reported by FlawFinder.
Line: 1301
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret_val;
struct ipv6hdr *ip6_hdr;
struct ipv6_opt_hdr *hop;
unsigned char buf[CALIPSO_MAX_BUFFER];
int len_delta, new_end, pad, payload;
unsigned int start, end;
ip6_hdr = ipv6_hdr(skb);
if (ip6_hdr->nexthdr == NEXTHDR_HOP) {
Reported by FlawFinder.
Line: 1354
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
hop->hdrlen += len_delta / 8;
}
memcpy((char *)hop + start, buf + (start & 3), new_end - start);
calipso_pad_write((unsigned char *)hop, new_end, pad);
return 0;
}
Reported by FlawFinder.
lib/kobject_uevent.c
7 issues
Line: 296
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* add header */
scratch = skb_put(skb, len);
sprintf(scratch, "%s@%s", action_string, devpath);
skb_put_data(skb, env->buf, env->buflen);
parms = &NETLINK_CB(skb);
parms->creds.uid = GLOBAL_ROOT_UID;
Reported by FlawFinder.
Line: 665
Column: 8
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
va_start(args, format);
len = vsnprintf(&env->buf[env->buflen],
sizeof(env->buf) - env->buflen,
format, args);
va_end(args);
if (len >= (sizeof(env->buf) - env->buflen)) {
Reported by FlawFinder.
Line: 35
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u64 uevent_seqnum;
#ifdef CONFIG_UEVENT_HELPER
char uevent_helper[UEVENT_HELPER_PATH_LEN] = CONFIG_UEVENT_HELPER_PATH;
#endif
struct uevent_sock {
struct list_head list;
struct sock *sk;
Reported by FlawFinder.
Line: 686
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct netlink_ext_ack *extack)
{
/* u64 to chars: 2^64 - 1 = 21 chars */
char buf[sizeof("SEQNUM=") + 21];
struct sk_buff *skbc;
int ret;
/* bump and prepare sequence number */
ret = snprintf(buf, sizeof(buf), "SEQNUM=%llu", ++uevent_seqnum);
Reported by FlawFinder.
Line: 289
Column: 32
CWE codes:
126
size_t len;
/* allocate message with maximum possible size */
len = strlen(action_string) + strlen(devpath) + 2;
skb = alloc_skb(len + env->buflen, GFP_KERNEL);
if (!skb)
return NULL;
/* add header */
Reported by FlawFinder.
Line: 289
Column: 8
CWE codes:
126
size_t len;
/* allocate message with maximum possible size */
len = strlen(action_string) + strlen(devpath) + 2;
skb = alloc_skb(len + env->buflen, GFP_KERNEL);
if (!skb)
return NULL;
/* add header */
Reported by FlawFinder.
Line: 432
Column: 9
CWE codes:
126
continue;
}
len = strlen(env->envp[i]) + 1;
if (i != env->envp_idx - 1) {
memmove(env->envp[i], env->envp[i + 1],
env->buflen - len);
Reported by FlawFinder.
mm/slub.c
7 issues
Line: 790
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return;
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
slab_bug(s, "%s", buf);
print_page_info(page);
dump_stack();
add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
Reported by FlawFinder.
Line: 276
Column: 42
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
* calls get_freepointer() with an untagged pointer, which causes the
* freepointer to be restored incorrectly.
*/
return (void *)((unsigned long)ptr ^ s->random ^
swab((unsigned long)kasan_reset_tag((void *)ptr_addr)));
#else
return ptr;
#endif
}
Reported by FlawFinder.
Line: 784
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *fmt, ...)
{
va_list args;
char buf[100];
if (slab_add_kunit_errors())
return;
va_start(args, fmt);
Reported by FlawFinder.
Line: 4479
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct kmem_cache *s = kmem_cache_zalloc(kmem_cache, GFP_NOWAIT);
struct kmem_cache_node *n;
memcpy(s, static_cache, kmem_cache->object_size);
/*
* This runs very early, and only the boot processor is supposed to be
* up. Even if it weren't true, IRQs are not up so we couldn't fire
* IPIs around.
Reported by FlawFinder.
Line: 4797
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
if (t->count) {
memcpy(l, t->loc, sizeof(struct location) * t->count);
free_loc_track(t);
}
t->max = max;
t->loc = l;
return 1;
Reported by FlawFinder.
Line: 5586
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*p++ = 'A';
if (p != name + 1)
*p++ = '-';
p += sprintf(p, "%07u", s->size);
BUG_ON(p > name + ID_STR_LENGTH - 1);
return name;
}
Reported by FlawFinder.
Line: 1483
Column: 8
CWE codes:
126
if (flags & SLAB_NOLEAKTRACE)
slub_debug_local &= ~SLAB_STORE_USER;
len = strlen(name);
next_block = slub_debug_string;
/* Go through all blocks of debug options, see if any matches our slab's name */
while (next_block) {
next_block = parse_slub_debug_flags(next_block, &block_flags, &iter, false);
if (!iter)
Reported by FlawFinder.
net/bluetooth/hci_sock.c
7 issues
Line: 633
Column: 8
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list args;
va_start(args, fmt);
len = vsnprintf(NULL, 0, fmt, args);
va_end(args);
skb = bt_skb_alloc(len + 1, GFP_ATOMIC);
if (!skb)
return;
Reported by FlawFinder.
Line: 641
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
return;
va_start(args, fmt);
vsprintf(skb_put(skb, len), fmt, args);
*(u8 *)skb_put(skb, 1) = 0;
va_end(args);
__net_timestamp(skb);
Reported by FlawFinder.
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short channel;
unsigned long flags;
__u32 cookie;
char comm[TASK_COMM_LEN];
};
static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
{
struct hci_dev *hdev = hci_pi(sk)->hdev;
Reported by FlawFinder.
Line: 250
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
/* Put type byte before the data */
memcpy(skb_push(skb_copy, 1), &hci_skb_pkt_type(skb), 1);
}
nskb = skb_clone(skb_copy, GFP_ATOMIC);
if (!nskb)
continue;
Reported by FlawFinder.
Line: 441
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ni->type = hdev->dev_type;
ni->bus = hdev->bus;
bacpy(&ni->bdaddr, &hdev->bdaddr);
memcpy(ni->name, hdev->name, 8);
opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
break;
case HCI_DEV_UNREG:
Reported by FlawFinder.
Line: 735
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ev = skb_put(skb, sizeof(*ev) + dlen);
ev->type = type;
memcpy(ev->data, data, dlen);
bt_cb(skb)->incoming = 1;
__net_timestamp(skb);
hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
Reported by FlawFinder.
Line: 1104
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&haddr, 0, sizeof(haddr));
len = min_t(unsigned int, sizeof(haddr), addr_len);
memcpy(&haddr, addr, len);
if (haddr.hci_family != AF_BLUETOOTH)
return -EINVAL;
lock_sock(sk);
Reported by FlawFinder.
mm/zsmalloc.c
7 issues
Line: 1147
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy object to per-cpu buffer */
addr = kmap_atomic(pages[0]);
memcpy(buf, addr + off, sizes[0]);
kunmap_atomic(addr);
addr = kmap_atomic(pages[1]);
memcpy(buf + sizes[0], addr, sizes[1]);
kunmap_atomic(addr);
out:
Reported by FlawFinder.
Line: 1150
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf, addr + off, sizes[0]);
kunmap_atomic(addr);
addr = kmap_atomic(pages[1]);
memcpy(buf + sizes[0], addr, sizes[1]);
kunmap_atomic(addr);
out:
return area->vm_buf;
}
Reported by FlawFinder.
Line: 1177
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy per-cpu buffer to object */
addr = kmap_atomic(pages[0]);
memcpy(addr + off, buf, sizes[0]);
kunmap_atomic(addr);
addr = kmap_atomic(pages[1]);
memcpy(addr, buf + sizes[0], sizes[1]);
kunmap_atomic(addr);
Reported by FlawFinder.
Line: 1180
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(addr + off, buf, sizes[0]);
kunmap_atomic(addr);
addr = kmap_atomic(pages[1]);
memcpy(addr, buf + sizes[0], sizes[1]);
kunmap_atomic(addr);
out:
/* enable page faults to match kunmap_atomic() return conditions */
pagefault_enable();
Reported by FlawFinder.
Line: 1563
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (1) {
size = min(s_size, d_size);
memcpy(d_addr + d_off, s_addr + s_off, size);
written += size;
if (written == class->size)
break;
Reported by FlawFinder.
Line: 1981
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Here, any user cannot access all objects in the zspage so let's move.
*/
d_addr = kmap_atomic(newpage);
memcpy(d_addr, s_addr, PAGE_SIZE);
kunmap_atomic(d_addr);
for (addr = s_addr + offset; addr < s_addr + pos;
addr += class->size) {
head = obj_to_head(page, addr);
Reported by FlawFinder.
Line: 2285
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void zs_pool_stats(struct zs_pool *pool, struct zs_pool_stats *stats)
{
memcpy(stats, &pool->stats, sizeof(struct zs_pool_stats));
}
EXPORT_SYMBOL_GPL(zs_pool_stats);
static unsigned long zs_shrinker_scan(struct shrinker *shrinker,
struct shrink_control *sc)
Reported by FlawFinder.