The following issues were found
include/uapi/linux/dm-ioctl.h
7 issues
Line: 143
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 dev; /* in/out */
char name[DM_NAME_LEN]; /* device name */
char uuid[DM_UUID_LEN]; /* unique identifier for
* the block device */
char data[7]; /* padding or data */
};
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 dev; /* in/out */
char name[DM_NAME_LEN]; /* device name */
char uuid[DM_UUID_LEN]; /* unique identifier for
* the block device */
char data[7]; /* padding or data */
};
/*
Reported by FlawFinder.
Line: 146
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name[DM_NAME_LEN]; /* device name */
char uuid[DM_UUID_LEN]; /* unique identifier for
* the block device */
char data[7]; /* padding or data */
};
/*
* Used to specify tables. These structures appear after the
* dm_ioctl.
Reported by FlawFinder.
Line: 170
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
__u32 next;
char target_type[DM_MAX_TYPE_NAME];
/*
* Parameter string starts immediately after this object.
* Be careful to add padding after string to ensure correct
* alignment of subsequent dm_target_spec.
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 dev;
__u32 next; /* offset to the next record from
the _start_ of this */
char name[0];
/*
* The following members can be accessed by taking a pointer that
* points immediately after the terminating zero character in "name"
* and aligning this pointer to next 8-byte boundary.
Reported by FlawFinder.
Line: 219
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 next;
__u32 version[3];
char name[0];
};
/*
* Used to pass message to a target
*/
Reported by FlawFinder.
Line: 228
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dm_target_msg {
__u64 sector; /* Device sector */
char message[0];
};
/*
* If you change this make sure you make the corresponding change
* to dm-ioctl.c:lookup_ioctl()
Reported by FlawFinder.
net/netfilter/nft_set_pipapo.c
7 issues
Line: 653
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (group = 0; group < f->groups; group++) {
for (bucket = 0; bucket < NFT_PIPAPO_BUCKETS(f->bb); bucket++) {
memcpy(new_p, old_p, copy * sizeof(*new_p));
new_p += copy;
old_p += copy;
if (new_bucket_size > f->bsize)
new_p += new_bucket_size - f->bsize;
Reported by FlawFinder.
Line: 671
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(new_mt, f->mt, min(old_rules, rules) * sizeof(*new_mt));
if (rules > old_rules) {
memset(new_mt + old_rules, 0,
(rules - old_rules) * sizeof(*new_mt));
}
Reported by FlawFinder.
Line: 982
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 tmp[NFT_PIPAPO_MAX_BYTES];
int i;
memcpy(tmp, base, len);
/* Network order, byte-addressed */
for (i = 0; i <= step; i++)
#ifdef __BIG_ENDIAN__
tmp[i / BITS_PER_BYTE] |= BIT(i % BITS_PER_BYTE);
Reported by FlawFinder.
Line: 1042
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int step, masks = 0, bytes = DIV_ROUND_UP(len, BITS_PER_BYTE);
u8 base[NFT_PIPAPO_MAX_BYTES];
memcpy(base, start, bytes);
while (memcmp(base, end, bytes) <= 0) {
int err;
step = 0;
while (pipapo_step_diff(base, step, bytes)) {
Reported by FlawFinder.
Line: 1302
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < old->field_count; i++) {
unsigned long *new_lt;
memcpy(dst, src, offsetof(struct nft_pipapo_field, lt));
new_lt = kvzalloc(src->groups * NFT_PIPAPO_BUCKETS(src->bb) *
src->bsize * sizeof(*dst->lt) +
NFT_PIPAPO_ALIGN_HEADROOM,
GFP_KERNEL);
Reported by FlawFinder.
Line: 1313
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
NFT_PIPAPO_LT_ASSIGN(dst, new_lt);
memcpy(NFT_PIPAPO_LT_ALIGN(new_lt),
NFT_PIPAPO_LT_ALIGN(src->lt),
src->bsize * sizeof(*dst->lt) *
src->groups * NFT_PIPAPO_BUCKETS(src->bb));
dst->mt = kvmalloc(src->rules * sizeof(*src->mt), GFP_KERNEL);
Reported by FlawFinder.
Line: 1322
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!dst->mt)
goto out_mt;
memcpy(dst->mt, src->mt, src->rules * sizeof(*src->mt));
src++;
dst++;
}
return new;
Reported by FlawFinder.
net/ipv4/fib_trie.c
7 issues
Line: 146
Column: 15
CWE codes:
120
20
Suggestion:
Use fgets() instead
#ifdef CONFIG_IP_FIB_TRIE_STATS
struct trie_use_stats {
unsigned int gets;
unsigned int backtrack;
unsigned int semantic_match_passed;
unsigned int semantic_match_miss;
unsigned int null_node_hit;
unsigned int resize_node_skipped;
Reported by FlawFinder.
Line: 1455
Column: 22
CWE codes:
120
20
Suggestion:
Use fgets() instead
}
#ifdef CONFIG_IP_FIB_TRIE_STATS
this_cpu_inc(stats->gets);
#endif
/* Step 1: Travel to the longest prefix match in the trie */
for (;;) {
index = get_cindex(key, n);
Reported by FlawFinder.
Line: 2586
Column: 19
CWE codes:
120
20
Suggestion:
Use fgets() instead
for_each_possible_cpu(cpu) {
const struct trie_use_stats *pcpu = per_cpu_ptr(stats, cpu);
s.gets += pcpu->gets;
s.backtrack += pcpu->backtrack;
s.semantic_match_passed += pcpu->semantic_match_passed;
s.semantic_match_miss += pcpu->semantic_match_miss;
s.null_node_hit += pcpu->null_node_hit;
s.resize_node_skipped += pcpu->resize_node_skipped;
Reported by FlawFinder.
Line: 2595
Column: 35
CWE codes:
120
20
Suggestion:
Use fgets() instead
}
seq_printf(seq, "\nCounters:\n---------\n");
seq_printf(seq, "gets = %u\n", s.gets);
seq_printf(seq, "backtracks = %u\n", s.backtrack);
seq_printf(seq, "semantic match passed = %u\n",
s.semantic_match_passed);
seq_printf(seq, "semantic match miss = %u\n", s.semantic_match_miss);
seq_printf(seq, "null node hit= %u\n", s.null_node_hit);
Reported by FlawFinder.
Line: 1915
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!new_fa)
goto out;
memcpy(new_fa, fa, sizeof(*fa));
/* insert clone into table */
if (!local_l)
local_l = fib_find_node(lt, &local_tp, l->key);
Reported by FlawFinder.
Line: 2753
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
}
static const char *const rtn_type_names[__RTN_MAX] = {
[RTN_UNSPEC] = "UNSPEC",
[RTN_UNICAST] = "UNICAST",
[RTN_LOCAL] = "LOCAL",
[RTN_BROADCAST] = "BROADCAST",
[RTN_ANYCAST] = "ANYCAST",
Reported by FlawFinder.
Line: 2801
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
seq_printf(seq, " |-- %pI4\n", &val);
hlist_for_each_entry_rcu(fa, &n->leaf, fa_list) {
char buf1[32], buf2[32];
seq_indent(seq, iter->depth + 1);
seq_printf(seq, " /%zu %s %s",
KEYLENGTH - fa->fa_slen,
rtn_scope(buf1, sizeof(buf1),
Reported by FlawFinder.
lib/cmdline_kunit.c
7 issues
Line: 79
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int rc = cmdline_test_values[i];
int offset;
sprintf(in, "%u%s", get_random_int() % 256, str);
/* Only first '-' after the number will advance the pointer */
offset = strlen(in) - strlen(str) + !!(rc == 2);
cmdline_do_one_test(test, in, rc, offset);
} while (++i < ARRAY_SIZE(cmdline_test_strings));
}
Reported by FlawFinder.
Line: 97
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int rc = strcmp(str, "") ? (strcmp(str, "-") ? 0 : 1) : 1;
int offset;
sprintf(in, "%s%u", str, get_random_int() % 256);
/*
* Only first and leading '-' not followed by integer
* will advance the pointer.
*/
offset = rc ? strlen(in) : !!(*str == '-');
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void cmdline_test_lead_int(struct kunit *test)
{
unsigned int i = 0;
char in[32];
do {
const char *str = cmdline_test_strings[i];
int rc = cmdline_test_values[i];
int offset;
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void cmdline_test_tail_int(struct kunit *test)
{
unsigned int i = 0;
char in[32];
do {
const char *str = cmdline_test_strings[i];
/* When "" or "-" the result will be valid integer */
int rc = strcmp(str, "") ? (strcmp(str, "-") ? 0 : 1) : 1;
Reported by FlawFinder.
Line: 81
Column: 12
CWE codes:
126
sprintf(in, "%u%s", get_random_int() % 256, str);
/* Only first '-' after the number will advance the pointer */
offset = strlen(in) - strlen(str) + !!(rc == 2);
cmdline_do_one_test(test, in, rc, offset);
} while (++i < ARRAY_SIZE(cmdline_test_strings));
}
static void cmdline_test_tail_int(struct kunit *test)
Reported by FlawFinder.
Line: 81
Column: 25
CWE codes:
126
sprintf(in, "%u%s", get_random_int() % 256, str);
/* Only first '-' after the number will advance the pointer */
offset = strlen(in) - strlen(str) + !!(rc == 2);
cmdline_do_one_test(test, in, rc, offset);
} while (++i < ARRAY_SIZE(cmdline_test_strings));
}
static void cmdline_test_tail_int(struct kunit *test)
Reported by FlawFinder.
Line: 102
Column: 17
CWE codes:
126
* Only first and leading '-' not followed by integer
* will advance the pointer.
*/
offset = rc ? strlen(in) : !!(*str == '-');
cmdline_do_one_test(test, in, rc, offset);
} while (++i < ARRAY_SIZE(cmdline_test_strings));
}
static void cmdline_do_one_range_test(struct kunit *test, const char *in,
Reported by FlawFinder.
include/sound/core.h
7 issues
Line: 83
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int number; /* number of soundcard (index to
snd_cards) */
char id[16]; /* id string of this card */
char driver[16]; /* driver name */
char shortname[32]; /* short name of this soundcard */
char longname[80]; /* name of this soundcard */
char irq_descr[32]; /* Interrupt description */
char mixername[80]; /* mixer name */
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
snd_cards) */
char id[16]; /* id string of this card */
char driver[16]; /* driver name */
char shortname[32]; /* short name of this soundcard */
char longname[80]; /* name of this soundcard */
char irq_descr[32]; /* Interrupt description */
char mixername[80]; /* mixer name */
char components[128]; /* card components delimited with
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char id[16]; /* id string of this card */
char driver[16]; /* driver name */
char shortname[32]; /* short name of this soundcard */
char longname[80]; /* name of this soundcard */
char irq_descr[32]; /* Interrupt description */
char mixername[80]; /* mixer name */
char components[128]; /* card components delimited with
space */
Reported by FlawFinder.
Line: 86
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char id[16]; /* id string of this card */
char driver[16]; /* driver name */
char shortname[32]; /* short name of this soundcard */
char longname[80]; /* name of this soundcard */
char irq_descr[32]; /* Interrupt description */
char mixername[80]; /* mixer name */
char components[128]; /* card components delimited with
space */
struct module *module; /* top-level module */
Reported by FlawFinder.
Line: 87
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char driver[16]; /* driver name */
char shortname[32]; /* short name of this soundcard */
char longname[80]; /* name of this soundcard */
char irq_descr[32]; /* Interrupt description */
char mixername[80]; /* mixer name */
char components[128]; /* card components delimited with
space */
struct module *module; /* top-level module */
Reported by FlawFinder.
Line: 88
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char shortname[32]; /* short name of this soundcard */
char longname[80]; /* name of this soundcard */
char irq_descr[32]; /* Interrupt description */
char mixername[80]; /* mixer name */
char components[128]; /* card components delimited with
space */
struct module *module; /* top-level module */
void *private_data; /* private data for soundcard */
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char longname[80]; /* name of this soundcard */
char irq_descr[32]; /* Interrupt description */
char mixername[80]; /* mixer name */
char components[128]; /* card components delimited with
space */
struct module *module; /* top-level module */
void *private_data; /* private data for soundcard */
void (*private_free) (struct snd_card *card); /* callback for freeing of
Reported by FlawFinder.
net/hsr/hsr_framereg.c
7 issues
Line: 63
Column: 25
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Search for mac entry. Caller must hold rcu read lock.
*/
static struct hsr_node *find_node_by_addr_A(struct list_head *node_db,
const unsigned char addr[ETH_ALEN])
{
struct hsr_node *node;
list_for_each_entry_rcu(node, node_db, mac_list) {
if (ether_addr_equal(node->macaddress_A, addr))
Reported by FlawFinder.
Line: 79
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* frames from self that's been looped over the HSR ring.
*/
int hsr_create_self_node(struct hsr_priv *hsr,
unsigned char addr_a[ETH_ALEN],
unsigned char addr_b[ETH_ALEN])
{
struct list_head *self_node_db = &hsr->self_node_db;
struct hsr_node *node, *oldnode;
Reported by FlawFinder.
Line: 80
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int hsr_create_self_node(struct hsr_priv *hsr,
unsigned char addr_a[ETH_ALEN],
unsigned char addr_b[ETH_ALEN])
{
struct list_head *self_node_db = &hsr->self_node_db;
struct hsr_node *node, *oldnode;
node = kmalloc(sizeof(*node), GFP_KERNEL);
Reported by FlawFinder.
Line: 354
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(ð_hdr(skb)->h_source, node->macaddress_A, ETH_ALEN);
}
/* 'skb' is a frame meant for another host.
* 'port' is the outgoing interface
*
Reported by FlawFinder.
Line: 518
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
void *hsr_get_next_node(struct hsr_priv *hsr, void *_pos,
unsigned char addr[ETH_ALEN])
{
struct hsr_node *node;
if (!_pos) {
node = list_first_or_null_rcu(&hsr->node_db,
Reported by FlawFinder.
Line: 540
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
int hsr_get_node_data(struct hsr_priv *hsr,
const unsigned char *addr,
unsigned char addr_b[ETH_ALEN],
unsigned int *addr_b_ifindex,
int *if1_age,
u16 *if1_seq,
int *if2_age,
Reported by FlawFinder.
Line: 541
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int hsr_get_node_data(struct hsr_priv *hsr,
const unsigned char *addr,
unsigned char addr_b[ETH_ALEN],
unsigned int *addr_b_ifindex,
int *if1_age,
u16 *if1_seq,
int *if2_age,
u16 *if2_seq)
Reported by FlawFinder.
net/hsr/hsr_framereg.h
7 issues
Line: 51
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void hsr_prune_nodes(struct timer_list *t);
int hsr_create_self_node(struct hsr_priv *hsr,
unsigned char addr_a[ETH_ALEN],
unsigned char addr_b[ETH_ALEN]);
void *hsr_get_next_node(struct hsr_priv *hsr, void *_pos,
unsigned char addr[ETH_ALEN]);
Reported by FlawFinder.
Line: 52
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int hsr_create_self_node(struct hsr_priv *hsr,
unsigned char addr_a[ETH_ALEN],
unsigned char addr_b[ETH_ALEN]);
void *hsr_get_next_node(struct hsr_priv *hsr, void *_pos,
unsigned char addr[ETH_ALEN]);
int hsr_get_node_data(struct hsr_priv *hsr,
Reported by FlawFinder.
Line: 55
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char addr_b[ETH_ALEN]);
void *hsr_get_next_node(struct hsr_priv *hsr, void *_pos,
unsigned char addr[ETH_ALEN]);
int hsr_get_node_data(struct hsr_priv *hsr,
const unsigned char *addr,
unsigned char addr_b[ETH_ALEN],
unsigned int *addr_b_ifindex,
Reported by FlawFinder.
Line: 58
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char addr[ETH_ALEN]);
int hsr_get_node_data(struct hsr_priv *hsr,
const unsigned char *addr,
unsigned char addr_b[ETH_ALEN],
unsigned int *addr_b_ifindex,
int *if1_age,
u16 *if1_seq,
int *if2_age,
Reported by FlawFinder.
Line: 59
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int hsr_get_node_data(struct hsr_priv *hsr,
const unsigned char *addr,
unsigned char addr_b[ETH_ALEN],
unsigned int *addr_b_ifindex,
int *if1_age,
u16 *if1_seq,
int *if2_age,
u16 *if2_seq);
Reported by FlawFinder.
Line: 72
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hsr_node {
struct list_head mac_list;
unsigned char macaddress_A[ETH_ALEN];
unsigned char macaddress_B[ETH_ALEN];
/* Local slave through which AddrB frames are received from this node */
enum hsr_port_type addr_B_port;
unsigned long time_in[HSR_PT_PORTS];
bool time_in_stale[HSR_PT_PORTS];
Reported by FlawFinder.
Line: 73
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hsr_node {
struct list_head mac_list;
unsigned char macaddress_A[ETH_ALEN];
unsigned char macaddress_B[ETH_ALEN];
/* Local slave through which AddrB frames are received from this node */
enum hsr_port_type addr_B_port;
unsigned long time_in[HSR_PT_PORTS];
bool time_in_stale[HSR_PT_PORTS];
unsigned long time_out[HSR_PT_PORTS];
Reported by FlawFinder.
kernel/trace/trace_boot.c
7 issues
Line: 29
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct xbc_node *anode;
const char *p;
char buf[MAX_BUF_LEN];
unsigned long v = 0;
/* Common ftrace options */
xbc_node_for_each_array_value(node, "options", anode, p) {
if (strlcpy(buf, p, ARRAY_SIZE(buf)) >= ARRAY_SIZE(buf)) {
Reported by FlawFinder.
Line: 86
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
trace_boot_enable_events(struct trace_array *tr, struct xbc_node *node)
{
struct xbc_node *anode;
char buf[MAX_BUF_LEN];
const char *p;
xbc_node_for_each_array_value(node, "events", anode, p) {
if (strlcpy(buf, p, ARRAY_SIZE(buf)) >= ARRAY_SIZE(buf)) {
pr_err("String is too long: %s\n", p);
Reported by FlawFinder.
Line: 106
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct dynevent_cmd cmd;
struct xbc_node *anode;
char buf[MAX_BUF_LEN];
const char *val;
int ret = 0;
xbc_node_for_each_array_value(node, "probes", anode, val) {
kprobe_event_cmd_init(&cmd, buf, MAX_BUF_LEN);
Reported by FlawFinder.
Line: 143
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct dynevent_cmd cmd;
struct xbc_node *anode;
char buf[MAX_BUF_LEN];
const char *p;
int ret;
synth_event_cmd_init(&cmd, buf, MAX_BUF_LEN);
Reported by FlawFinder.
Line: 180
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct trace_event_file *file;
struct xbc_node *anode;
char buf[MAX_BUF_LEN];
const char *p, *group, *event;
group = xbc_node_get_data(gnode);
event = xbc_node_get_data(enode);
Reported by FlawFinder.
Line: 277
Column: 37
CWE codes:
126
q = kstrdup(p, GFP_KERNEL);
if (!q)
return;
if (ftrace_set_filter(tr->ops, q, strlen(q), 0) < 0)
pr_err("Failed to add %s to ftrace filter\n", p);
else
ftrace_filter_param = true;
kfree(q);
}
Reported by FlawFinder.
Line: 287
Column: 38
CWE codes:
126
q = kstrdup(p, GFP_KERNEL);
if (!q)
return;
if (ftrace_set_notrace(tr->ops, q, strlen(q), 0) < 0)
pr_err("Failed to add %s to ftrace filter\n", p);
else
ftrace_filter_param = true;
kfree(q);
}
Reported by FlawFinder.
lib/test_kmod.c
7 issues
Line: 744
Column: 13
CWE codes:
126
kfree_const(config->test_driver);
config->test_driver = NULL;
copied = config_copy_test_driver_name(config, test_str,
strlen(test_str));
break;
case TEST_KMOD_FS_TYPE:
kfree_const(config->test_fs);
config->test_fs = NULL;
copied = config_copy_test_fs(config, test_str,
Reported by FlawFinder.
Line: 750
Column: 11
CWE codes:
126
kfree_const(config->test_fs);
config->test_fs = NULL;
copied = config_copy_test_fs(config, test_str,
strlen(test_str));
break;
default:
mutex_unlock(&test_dev->config_mutex);
return -EINVAL;
}
Reported by FlawFinder.
Line: 761
Column: 31
CWE codes:
126
mutex_unlock(&test_dev->config_mutex);
if (copied <= 0 || copied != strlen(test_str)) {
test_dev->test_is_oom = true;
return -ENOMEM;
}
test_dev->test_is_oom = false;
Reported by FlawFinder.
Line: 815
Column: 12
CWE codes:
126
__kmod_config_free(config);
copied = config_copy_test_driver_name(config, TEST_START_DRIVER,
strlen(TEST_START_DRIVER));
if (copied != strlen(TEST_START_DRIVER))
goto err_out;
copied = config_copy_test_fs(config, TEST_START_TEST_FS,
strlen(TEST_START_TEST_FS));
Reported by FlawFinder.
Line: 816
Column: 16
CWE codes:
126
copied = config_copy_test_driver_name(config, TEST_START_DRIVER,
strlen(TEST_START_DRIVER));
if (copied != strlen(TEST_START_DRIVER))
goto err_out;
copied = config_copy_test_fs(config, TEST_START_TEST_FS,
strlen(TEST_START_TEST_FS));
if (copied != strlen(TEST_START_TEST_FS))
Reported by FlawFinder.
Line: 820
Column: 10
CWE codes:
126
goto err_out;
copied = config_copy_test_fs(config, TEST_START_TEST_FS,
strlen(TEST_START_TEST_FS));
if (copied != strlen(TEST_START_TEST_FS))
goto err_out;
config->num_threads = kmod_init_test_thread_limit();
config->test_result = 0;
Reported by FlawFinder.
Line: 821
Column: 16
CWE codes:
126
copied = config_copy_test_fs(config, TEST_START_TEST_FS,
strlen(TEST_START_TEST_FS));
if (copied != strlen(TEST_START_TEST_FS))
goto err_out;
config->num_threads = kmod_init_test_thread_limit();
config->test_result = 0;
config->test_case = TEST_START_TEST_CASE;
Reported by FlawFinder.
net/bluetooth/cmtp/capi.c
7 issues
Line: 552
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
session->ctrl.owner = THIS_MODULE;
session->ctrl.driverdata = session;
strcpy(session->ctrl.name, session->name);
session->ctrl.driver_name = "cmtp";
session->ctrl.load_firmware = cmtp_load_firmware;
session->ctrl.reset_ctr = cmtp_reset_ctr;
session->ctrl.register_appl = cmtp_register_appl;
Reported by FlawFinder.
Line: 179
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
capimsg_setu8 (s, 13, len);
if (len > 0)
memcpy(s + 14, buf, len);
cmtp_send_capimsg(session, skb);
}
static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *skb)
Reported by FlawFinder.
Line: 241
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (!info && ctrl) {
memcpy(&ctrl->profile,
skb->data + CAPI_MSG_BASELEN + 11,
sizeof(capi_profile));
session->state = BT_CONNECTED;
capi_ctr_ready(ctrl);
}
Reported by FlawFinder.
Line: 385
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cmtp_session *session = ctrl->driverdata;
struct cmtp_application *application;
unsigned long timeo = CMTP_INTEROP_TIMEOUT;
unsigned char buf[8];
int err = 0, nconn, want = rp->level3cnt;
BT_DBG("ctrl %p appl %u level3cnt %u datablkcnt %u datablklen %u",
ctrl, appl, rp->level3cnt, rp->datablkcnt, rp->datablklen);
Reported by FlawFinder.
Line: 526
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cmtp_attach_device(struct cmtp_session *session)
{
unsigned char buf[4];
long ret;
BT_DBG("session %p", session);
capimsg_setu32(buf, 0, 0);
Reported by FlawFinder.
Line: 259
Column: 5
CWE codes:
120
skb->data[CAPI_MSG_BASELEN + 14]);
memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN);
strncpy(ctrl->manu,
skb->data + CAPI_MSG_BASELEN + 15, len);
}
break;
Reported by FlawFinder.
Line: 287
Column: 5
CWE codes:
120
skb->data[CAPI_MSG_BASELEN + 16]);
memset(ctrl->serial, 0, CAPI_SERIAL_LEN);
strncpy(ctrl->serial,
skb->data + CAPI_MSG_BASELEN + 17, len);
}
break;
}
Reported by FlawFinder.