The following issues were found
include/linux/memstick.h
7 issues
Line: 54
Column: 16
CWE codes:
78
Suggestion:
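try using a library call that implements the same functionality if available
Triage note: the flagged token appears to be the identifier `system`. In the excerpt below it is a struct member (`unsigned char system;` in `struct ms_param_register`), not a call to system(), so this hit reads as a name match rather than command execution (CWE-78).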
} __attribute__((packed));
struct ms_param_register {
unsigned char system;
#define MEMSTICK_SYS_PAM 0x08
#define MEMSTICK_SYS_BAMD 0x80
unsigned char block_address_msb;
unsigned short block_address;
Reported by FlawFinder.
Line: 94
Column: 17
CWE codes:
78
Suggestion:
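try using a library call that implements the same functionality if available
Triage note: the only `system` in the excerpt below is the member `unsigned char system;` of `struct mspro_param_register`. No call to system() is visible, so this CWE-78 hit looks like a match on the field name.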
} __attribute__((packed));
struct mspro_param_register {
unsigned char system;
#define MEMSTICK_SYS_PAR4 0x00
#define MEMSTICK_SYS_PAR8 0x40
#define MEMSTICK_SYS_SERIAL 0x80
__be16 data_count;
Reported by FlawFinder.
Line: 88
Column: 11
CWE codes:
119
120
Suggestion:
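Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Triage note: the only `char` array in the excerpt below is the declaration `unsigned char reserved[8];` inside a packed struct. A fixed-size array declaration is not an overflow in itself. What needs bounds review is the code that reads or writes the struct, which this excerpt does not show. The same holds for the other declaration-only hits listed for this file.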
struct ms_register {
struct ms_status_register status;
struct ms_id_register id;
unsigned char reserved[8];
struct ms_param_register param;
struct ms_extra_data_register extra_data;
} __attribute__((packed));
struct mspro_param_register {
Reported by FlawFinder.
Line: 128
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mspro_register {
struct ms_status_register status;
struct ms_id_register id;
unsigned char reserved0[8];
struct mspro_param_register param;
unsigned char reserved1[8];
struct mspro_io_info_register io_info;
struct mspro_io_func_register io_func;
unsigned char reserved2[7];
Reported by FlawFinder.
Line: 130
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ms_id_register id;
unsigned char reserved0[8];
struct mspro_param_register param;
unsigned char reserved1[8];
struct mspro_io_info_register io_info;
struct mspro_io_func_register io_func;
unsigned char reserved2[7];
struct mspro_io_cmd_register io_cmd;
unsigned char io_int;
Reported by FlawFinder.
Line: 133
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char reserved1[8];
struct mspro_io_info_register io_info;
struct mspro_io_func_register io_func;
unsigned char reserved2[7];
struct mspro_io_cmd_register io_cmd;
unsigned char io_int;
unsigned char io_int_func;
} __attribute__((packed));
Reported by FlawFinder.
Line: 246
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct scatterlist sg;
struct {
unsigned char data_len;
unsigned char data[15];
};
};
};
struct memstick_dev {
Reported by FlawFinder.
fs/cifs/smb2misc.c
7 issues
Line: 528
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
lw->tlink = tlink;
lw->lease_state = new_lease_state;
memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE);
queue_work(cifsiod_wq, &lw->lease_break);
}
static bool
smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp)
Reported by FlawFinder.
Line: 578
Column: 28
CWE codes:
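362
Triage note: column 28 of the flagged line lands on the identifier `open`, which in the excerpt below is a local variable (`struct cifs_pending_open *open;`), not a call to open(). The other CWE-362 hits listed for this file show the same variable in their excerpts.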
__u8 lease_state = le32_to_cpu(rsp->NewLeaseState);
int ack_req = le32_to_cpu(rsp->Flags &
SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
struct cifs_pending_open *open;
struct cifs_pending_open *found = NULL;
list_for_each_entry(open, &tcon->pending_opens, olist) {
if (memcmp(open->lease_key, rsp->LeaseKey,
SMB2_LEASE_KEY_SIZE))
Reported by FlawFinder.
Line: 581
Column: 22
CWE codes:
362
struct cifs_pending_open *open;
struct cifs_pending_open *found = NULL;
list_for_each_entry(open, &tcon->pending_opens, olist) {
if (memcmp(open->lease_key, rsp->LeaseKey,
SMB2_LEASE_KEY_SIZE))
continue;
if (!found && ack_req) {
Reported by FlawFinder.
Line: 587
Column: 12
CWE codes:
362
continue;
if (!found && ack_req) {
found = open;
}
cifs_dbg(FYI, "found in the pending open list\n");
cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
lease_state);
Reported by FlawFinder.
Line: 607
Column: 28
CWE codes:
362
struct TCP_Server_Info *server;
struct cifs_ses *ses;
struct cifs_tcon *tcon;
struct cifs_pending_open *open;
cifs_dbg(FYI, "Checking for lease break\n");
/* look up tcon based on tid & uid */
spin_lock(&cifs_tcp_ses_lock);
Reported by FlawFinder.
Line: 626
Column: 9
CWE codes:
362
}
open = smb2_tcon_find_pending_open_lease(tcon,
rsp);
if (open) {
__u8 lease_key[SMB2_LEASE_KEY_SIZE];
struct tcon_link *tlink;
tlink = cifs_get_tlink(open->tlink);
memcpy(lease_key, open->lease_key,
Reported by FlawFinder.
Line: 631
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct tcon_link *tlink;
tlink = cifs_get_tlink(open->tlink);
memcpy(lease_key, open->lease_key,
SMB2_LEASE_KEY_SIZE);
spin_unlock(&tcon->open_file_lock);
spin_unlock(&cifs_tcp_ses_lock);
smb2_queue_pending_open_break(tlink,
lease_key,
Reported by FlawFinder.
fs/btrfs/extent_io.c
7 issues
Line: 2662
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const u32 csum_size = fs_info->csum_size;
repair_io_bio->csum = repair_io_bio->csum_inline;
memcpy(repair_io_bio->csum,
failed_io_bio->csum + csum_size * icsum, csum_size);
}
bio_add_page(repair_bio, page, failrec->len, pgoff);
repair_io_bio->logical = failrec->start;
Reported by FlawFinder.
Line: 6573
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cur = min(len, (PAGE_SIZE - offset));
kaddr = page_address(page);
memcpy(dst, kaddr + offset, cur);
dst += cur;
len -= cur;
offset = 0;
i++;
Reported by FlawFinder.
Line: 6683
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kaddr = page_address(eb->pages[0]) +
get_eb_offset_in_page(eb, offsetof(struct btrfs_header,
chunk_tree_uuid));
memcpy(kaddr, srcv, BTRFS_FSID_SIZE);
}
void write_extent_buffer_fsid(const struct extent_buffer *eb, const void *srcv)
{
char *kaddr;
Reported by FlawFinder.
Line: 6693
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
assert_eb_page_uptodate(eb, eb->pages[0]);
kaddr = page_address(eb->pages[0]) +
get_eb_offset_in_page(eb, offsetof(struct btrfs_header, fsid));
memcpy(kaddr, srcv, BTRFS_FSID_SIZE);
}
void write_extent_buffer(const struct extent_buffer *eb, const void *srcv,
unsigned long start, unsigned long len)
{
Reported by FlawFinder.
Line: 6719
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cur = min(len, PAGE_SIZE - offset);
kaddr = page_address(page);
memcpy(kaddr + offset, src, cur);
src += cur;
len -= cur;
offset = 0;
i++;
Reported by FlawFinder.
Line: 6774
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t dst_offset = get_eb_offset_in_page(dst, 0);
ASSERT(src->fs_info->sectorsize < PAGE_SIZE);
memcpy(page_address(dst->pages[0]) + dst_offset,
page_address(src->pages[0]) + src_offset,
src->len);
}
}
Reported by FlawFinder.
Line: 6978
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (must_memmove)
memmove(dst_kaddr + dst_off, src_kaddr + src_off, len);
else
memcpy(dst_kaddr + dst_off, src_kaddr + src_off, len);
}
void memcpy_extent_buffer(const struct extent_buffer *dst,
unsigned long dst_offset, unsigned long src_offset,
unsigned long len)
Reported by FlawFinder.
drivers/xen/xenbus/xenbus_dev_frontend.c
7 issues
Line: 111
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int len;
union {
struct xsd_sockmsg msg;
char buffer[XENSTORE_PAYLOAD_MAX];
} u;
/* Response queue. */
struct mutex reply_mutex;
struct list_head read_buffers;
Reported by FlawFinder.
Line: 205
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rb->cons = 0;
rb->len = len;
memcpy(rb->msg, data, len);
list_add_tail(&rb->list, queue);
return 0;
}
Reported by FlawFinder.
Line: 424
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct {
struct xsd_sockmsg hdr;
char body[16];
} msg;
int rc;
msg.hdr = u->u.msg;
msg.hdr.type = msg_type;
Reported by FlawFinder.
Line: 433
Column: 2
CWE codes:
120
Suggestion:
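Make sure destination can always hold the source data
Triage note: the excerpt below checks `msg.hdr.len > sizeof(msg.body)` and returns -E2BIG immediately before the memcpy, so in the visible code the copy into `msg.body` is bounded by the destination size.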
msg.hdr.len = strlen(reply) + 1;
if (msg.hdr.len > sizeof(msg.body))
return -E2BIG;
memcpy(&msg.body, reply, msg.hdr.len);
mutex_lock(&u->reply_mutex);
rc = queue_reply(&u->read_buffers, &msg, sizeof(msg.hdr) + msg.hdr.len);
wake_up(&u->read_waitq);
mutex_unlock(&u->reply_mutex);
Reported by FlawFinder.
Line: 281
Column: 13
CWE codes:
126
token_caller = adap->token;
path_len = strlen(path) + 1;
tok_len = strlen(token_caller) + 1;
body_len = path_len + tok_len;
hdr.type = XS_WATCH_EVENT;
hdr.len = body_len;
Reported by FlawFinder.
Line: 282
Column: 12
CWE codes:
126
token_caller = adap->token;
path_len = strlen(path) + 1;
tok_len = strlen(token_caller) + 1;
body_len = path_len + tok_len;
hdr.type = XS_WATCH_EVENT;
hdr.len = body_len;
Reported by FlawFinder.
Line: 430
Column: 16
CWE codes:
126
msg.hdr = u->u.msg;
msg.hdr.type = msg_type;
msg.hdr.len = strlen(reply) + 1;
if (msg.hdr.len > sizeof(msg.body))
return -E2BIG;
memcpy(&msg.body, reply, msg.hdr.len);
mutex_lock(&u->reply_mutex);
Reported by FlawFinder.
include/linux/bpf.h
7 issues
Line: 179
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_MEMCG_KMEM
struct mem_cgroup *memcg;
#endif
char name[BPF_OBJ_NAME_LEN];
u32 btf_vmlinux_value_type_id;
bool bypass_spec_v1;
bool frozen; /* write-once; write-protected by freeze_mutex */
/* 22 bytes hole */
Reported by FlawFinder.
Line: 214
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(map_value_has_spin_lock(map))) {
u32 off = map->spin_lock_off;
memcpy(dst, src, off);
memcpy(dst + off + sizeof(struct bpf_spin_lock),
src + off + sizeof(struct bpf_spin_lock),
map->value_size - off - sizeof(struct bpf_spin_lock));
} else {
memcpy(dst, src, map->value_size);
Reported by FlawFinder.
Line: 215
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 off = map->spin_lock_off;
memcpy(dst, src, off);
memcpy(dst + off + sizeof(struct bpf_spin_lock),
src + off + sizeof(struct bpf_spin_lock),
map->value_size - off - sizeof(struct bpf_spin_lock));
} else {
memcpy(dst, src, map->value_size);
}
Reported by FlawFinder.
Line: 219
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src + off + sizeof(struct bpf_spin_lock),
map->value_size - off - sizeof(struct bpf_spin_lock));
} else {
memcpy(dst, src, map->value_size);
}
}
void copy_map_value_locked(struct bpf_map *map, void *dst, void *src,
bool lock_src);
int bpf_obj_name_cpy(char *dst, const char *src, unsigned int size);
Reported by FlawFinder.
Line: 603
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_ksym {
unsigned long start;
unsigned long end;
char name[KSYM_NAME_LEN];
struct list_head lnode;
struct latch_tree_node tnode;
bool prog;
};
Reported by FlawFinder.
Line: 857
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct user_struct *user;
u64 load_time; /* ns since boottime */
struct bpf_map *cgroup_storage[MAX_BPF_CGROUP_STORAGE_TYPE];
char name[BPF_OBJ_NAME_LEN];
#ifdef CONFIG_SECURITY
void *security;
#endif
struct bpf_prog_offload *offload;
struct btf *btf;
Reported by FlawFinder.
Line: 1012
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 index_mask;
struct bpf_array_aux *aux;
union {
char value[0] __aligned(8);
void *ptrs[0] __aligned(8);
void __percpu *pptrs[0] __aligned(8);
};
};
Reported by FlawFinder.
drivers/video/fbdev/via/viafbdev.c
7 issues
Line: 147
Column: 2
CWE codes:
120
Suggestion:
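Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
Triage note: in kernel code the bounded copy to use is strscpy(). Whether this strcpy() can overflow depends on the length of `viafb_name` relative to the size of `fix->id`, and the excerpt shows neither.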
struct viafb_par *viaparinfo)
{
memset(fix, 0, sizeof(struct fb_fix_screeninfo));
strcpy(fix->id, viafb_name);
fix->smem_start = viaparinfo->fbmem;
fix->smem_len = viaparinfo->fbmem_free;
fix->type = FB_TYPE_PACKED_PIXELS;
Reported by FlawFinder.
Line: 1132
Column: 2
CWE codes:
119
120
Suggestion:
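Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Triage note: the excerpt below clamps `length` to 20, the declared size of `buf`. The copy from user space and any NUL termination happen after the excerpt ends. If `buf` is later parsed as a string, confirm it is terminated when `count` is 20 or more.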
static ssize_t viafb_dvp0_proc_write(struct file *file,
const char __user *buffer, size_t count, loff_t *pos)
{
char buf[20], *value, *pbuf;
u8 reg_val = 0;
unsigned long length, i;
if (count < 1)
return -EINVAL;
length = count > 20 ? 20 : count;
Reported by FlawFinder.
Line: 1202
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t viafb_dvp1_proc_write(struct file *file,
const char __user *buffer, size_t count, loff_t *pos)
{
char buf[20], *value, *pbuf;
u8 reg_val = 0;
unsigned long length, i;
if (count < 1)
return -EINVAL;
length = count > 20 ? 20 : count;
Reported by FlawFinder.
Line: 1356
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t viafb_vt1636_proc_write(struct file *file,
const char __user *buffer, size_t count, loff_t *pos)
{
char buf[30], *value, *pbuf;
struct IODATA reg_val;
unsigned long length, i;
if (count < 1)
return -EINVAL;
length = count > 30 ? 30 : count;
Reported by FlawFinder.
Line: 1462
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t odev_update(const char __user *buffer, size_t count, u32 *odev)
{
char buf[64], *ptr = buf;
u32 devices;
bool add, sub;
if (count < 1 || count > 63)
return -EINVAL;
Reported by FlawFinder.
Line: 1818
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_fb_release;
}
viaparinfo1 = viafbinfo1->par;
memcpy(viaparinfo1, viaparinfo, viafb_par_length);
viaparinfo1->vram_addr = viafb_second_offset;
viaparinfo1->memsize = viaparinfo->memsize -
viafb_second_offset;
viaparinfo->memsize = viafb_second_offset;
viaparinfo1->fbmem = viaparinfo->fbmem + viafb_second_offset;
Reported by FlawFinder.
Line: 1833
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
viaparinfo->iga_path = IGA1;
viaparinfo1->iga_path = IGA2;
memcpy(viafbinfo1, viafbinfo, sizeof(struct fb_info));
viafbinfo1->par = viaparinfo1;
viafbinfo1->screen_base = viafbinfo->screen_base +
viafb_second_offset;
default_var.xres = viafb_second_xres;
Reported by FlawFinder.
fs/ubifs/journal.c
7 issues
Line: 479
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* needed anymore.
*/
if (!last_reference) {
memcpy(ino->data, ui->data, ui->data_len);
data_len = ui->data_len;
}
ubifs_prep_grp_node(c, ino, UBIFS_INO_NODE_SZ + data_len, last);
}
Reported by FlawFinder.
Line: 604
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dent->inum = deletion ? 0 : cpu_to_le64(inode->i_ino);
dent->type = get_dent_type(inode->i_mode);
dent->nlen = cpu_to_le16(fname_len(nm));
memcpy(dent->name, fname_name(nm), fname_len(nm));
dent->name[fname_len(nm)] = '\0';
set_dent_cookie(c, dent);
zero_dent_node_unused(dent);
ubifs_prep_grp_node(c, dent, dlen, 0);
Reported by FlawFinder.
Line: 1100
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dent1->inum = cpu_to_le64(fst_inode->i_ino);
dent1->type = get_dent_type(fst_inode->i_mode);
dent1->nlen = cpu_to_le16(fname_len(snd_nm));
memcpy(dent1->name, fname_name(snd_nm), fname_len(snd_nm));
dent1->name[fname_len(snd_nm)] = '\0';
set_dent_cookie(c, dent1);
zero_dent_node_unused(dent1);
ubifs_prep_grp_node(c, dent1, dlen1, 0);
err = ubifs_node_calc_hash(c, dent1, hash_dent1);
Reported by FlawFinder.
Line: 1116
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dent2->inum = cpu_to_le64(snd_inode->i_ino);
dent2->type = get_dent_type(snd_inode->i_mode);
dent2->nlen = cpu_to_le16(fname_len(fst_nm));
memcpy(dent2->name, fname_name(fst_nm), fname_len(fst_nm));
dent2->name[fname_len(fst_nm)] = '\0';
set_dent_cookie(c, dent2);
zero_dent_node_unused(dent2);
ubifs_prep_grp_node(c, dent2, dlen2, 0);
err = ubifs_node_calc_hash(c, dent2, hash_dent2);
Reported by FlawFinder.
Line: 1275
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dent->inum = cpu_to_le64(old_inode->i_ino);
dent->type = get_dent_type(old_inode->i_mode);
dent->nlen = cpu_to_le16(fname_len(new_nm));
memcpy(dent->name, fname_name(new_nm), fname_len(new_nm));
dent->name[fname_len(new_nm)] = '\0';
set_dent_cookie(c, dent);
zero_dent_node_unused(dent);
ubifs_prep_grp_node(c, dent, dlen1, 0);
err = ubifs_node_calc_hash(c, dent, hash_dent1);
Reported by FlawFinder.
Line: 1297
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dent2->type = DT_UNKNOWN;
}
dent2->nlen = cpu_to_le16(fname_len(old_nm));
memcpy(dent2->name, fname_name(old_nm), fname_len(old_nm));
dent2->name[fname_len(old_nm)] = '\0';
set_dent_cookie(c, dent2);
zero_dent_node_unused(dent2);
ubifs_prep_grp_node(c, dent2, dlen2, 0);
err = ubifs_node_calc_hash(c, dent2, hash_dent2);
Reported by FlawFinder.
Line: 1714
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xent->inum = 0;
xent->type = get_dent_type(inode->i_mode);
xent->nlen = cpu_to_le16(fname_len(nm));
memcpy(xent->name, fname_name(nm), fname_len(nm));
xent->name[fname_len(nm)] = '\0';
zero_dent_node_unused(xent);
ubifs_prep_grp_node(c, xent, xlen, 0);
ino = (void *)xent + aligned_xlen;
Reported by FlawFinder.
fs/dlm/user.c
7 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 bastparam;
__u32 bastaddr;
__u32 lksb;
char lvb[DLM_USER_LVB_LEN];
char name[];
};
struct dlm_write_request32 {
__u32 version[3];
Reported by FlawFinder.
Line: 99
Column: 3
CWE codes:
120
Suggestion:
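Make sure destination can always hold the source data
Triage note: `namelen` is computed outside the excerpt below. Confirm at the call site that it is bounded by the space allocated for the name field of `kb` before this copy runs.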
kb->cmd == DLM_USER_REMOVE_LOCKSPACE) {
kb->i.lspace.flags = kb32->i.lspace.flags;
kb->i.lspace.minor = kb32->i.lspace.minor;
memcpy(kb->i.lspace.name, kb32->i.lspace.name, namelen);
} else if (kb->cmd == DLM_USER_PURGE) {
kb->i.purge.nodeid = kb32->i.purge.nodeid;
kb->i.purge.pid = kb32->i.purge.pid;
} else {
kb->i.lock.mode = kb32->i.lock.mode;
Reported by FlawFinder.
Line: 116
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kb->i.lock.bastparam = (void *)(long)kb32->i.lock.bastparam;
kb->i.lock.bastaddr = (void *)(long)kb32->i.lock.bastaddr;
kb->i.lock.lksb = (void *)(long)kb32->i.lock.lksb;
memcpy(kb->i.lock.lvb, kb32->i.lock.lvb, DLM_USER_LVB_LEN);
memcpy(kb->i.lock.name, kb32->i.lock.name, namelen);
}
}
static void compat_output(struct dlm_lock_result *res,
Reported by FlawFinder.
Line: 117
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kb->i.lock.bastaddr = (void *)(long)kb32->i.lock.bastaddr;
kb->i.lock.lksb = (void *)(long)kb32->i.lock.lksb;
memcpy(kb->i.lock.lvb, kb32->i.lock.lvb, DLM_USER_LVB_LEN);
memcpy(kb->i.lock.name, kb32->i.lock.name, namelen);
}
}
static void compat_output(struct dlm_lock_result *res,
struct dlm_lock_result32 *res32)
Reported by FlawFinder.
Line: 703
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
result.version[0] = DLM_DEVICE_VERSION_MAJOR;
result.version[1] = DLM_DEVICE_VERSION_MINOR;
result.version[2] = DLM_DEVICE_VERSION_PATCH;
memcpy(&result.lksb, &ua->lksb, offsetof(struct dlm_lksb, sb_lvbptr));
result.user_lksb = ua->user_lksb;
/* FIXME: dlm1 provides for the user's bastparam/addr to not be updated
in a conversion unless the conversion is successful. See code
in dlm_user_convert() for updating ua from ua_tmp. OpenVMS, though,
Reported by FlawFinder.
Line: 345
Column: 8
CWE codes:
126
return 0;
error = -ENOMEM;
len = strlen(name) + strlen(name_prefix) + 2;
ls->ls_device.name = kzalloc(len, GFP_NOFS);
if (!ls->ls_device.name)
goto fail;
snprintf((char *)ls->ls_device.name, len, "%s_%s", name_prefix,
Reported by FlawFinder.
Line: 345
Column: 23
CWE codes:
126
return 0;
error = -ENOMEM;
len = strlen(name) + strlen(name_prefix) + 2;
ls->ls_device.name = kzalloc(len, GFP_NOFS);
if (!ls->ls_device.name)
goto fail;
snprintf((char *)ls->ls_device.name, len, "%s_%s", name_prefix,
Reported by FlawFinder.
fs/hostfs/hostfs_user.c
7 issues
Line: 204
Column: 14
CWE codes:
362
Suggestion:
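Use fchmod( ) instead
Triage note: the excerpt below already calls fchmod() when a descriptor is available (`fd >= 0`) and falls back to path-based chmod() only otherwise. The fallback branch is the one to review for a time-of-check/time-of-use race on `file`.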
if (fd >= 0) {
if (fchmod(fd, attrs->ia_mode) != 0)
return -errno;
} else if (chmod(file, attrs->ia_mode) != 0) {
return -errno;
}
}
if (attrs->ia_valid & HOSTFS_ATTR_UID) {
if (fd >= 0) {
Reported by FlawFinder.
Line: 212
Column: 14
CWE codes:
362
Suggestion:
Use fchown( ) instead
if (fd >= 0) {
if (fchown(fd, attrs->ia_uid, -1))
return -errno;
} else if (chown(file, attrs->ia_uid, -1)) {
return -errno;
}
}
if (attrs->ia_valid & HOSTFS_ATTR_GID) {
if (fd >= 0) {
Reported by FlawFinder.
Line: 220
Column: 14
CWE codes:
362
Suggestion:
Use fchown( ) instead
if (fd >= 0) {
if (fchown(fd, -1, attrs->ia_gid))
return -errno;
} else if (chown(file, -1, attrs->ia_gid)) {
return -errno;
}
}
if (attrs->ia_valid & HOSTFS_ATTR_SIZE) {
if (fd >= 0) {
Reported by FlawFinder.
Line: 341
Column: 6
CWE codes:
362
20
Suggestion:
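Reconsider approach
Triage note: readlink() does not NUL-terminate its output. The excerpt below terminates `buf` only when `n < size`, so a result equal to `size` is returned unterminated and the caller has to treat it as possibly truncated.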
{
int n;
n = readlink(file, buf, size);
if (n < 0)
return -errno;
if (n < size)
buf[n] = '\0';
return n;
Reported by FlawFinder.
Line: 65
Column: 6
CWE codes:
362/367!
Suggestion:
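Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Triage note: access() answers only for the moment of the call, so its result should not be relied on as authorization for a later open of the same path. The excerpt below returns the access() result directly, and how callers use it is not shown.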
mode |= W_OK;
if (x)
mode |= X_OK;
if (access(path, mode) != 0)
return -errno;
else return 0;
}
int open_file(char *path, int r, int w, int append)
Reported by FlawFinder.
Line: 404
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*bavail_out = buf.f_bavail;
*files_out = buf.f_files;
*ffree_out = buf.f_ffree;
memcpy(fsid_out, &buf.f_fsid,
sizeof(buf.f_fsid) > fsid_size ? fsid_size :
sizeof(buf.f_fsid));
*namelen_out = buf.f_namelen;
return 0;
Reported by FlawFinder.
Line: 117
Column: 13
CWE codes:
126
ent = readdir(dir);
if (ent == NULL)
return NULL;
*len_out = strlen(ent->d_name);
*ino_out = ent->d_ino;
*type_out = ent->d_type;
*pos_out = ent->d_off;
return ent->d_name;
}
Reported by FlawFinder.
fs/fat/namei_msdos.c
7 issues
Line: 123
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct fat_slot_info *sinfo)
{
struct msdos_sb_info *sbi = MSDOS_SB(dir->i_sb);
unsigned char msdos_name[MSDOS_NAME];
int err;
err = msdos_format_name(name, len, msdos_name, &sbi->options);
if (err)
return -ENOENT;
Reported by FlawFinder.
Line: 154
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int msdos_hash(const struct dentry *dentry, struct qstr *qstr)
{
struct fat_mount_options *options = &MSDOS_SB(dentry->d_sb)->options;
unsigned char msdos_name[MSDOS_NAME];
int error;
error = msdos_format_name(qstr->name, qstr->len, msdos_name, options);
if (!error)
qstr->hash = full_name_hash(dentry, msdos_name, MSDOS_NAME);
Reported by FlawFinder.
Line: 171
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int len, const char *str, const struct qstr *name)
{
struct fat_mount_options *options = &MSDOS_SB(dentry->d_sb)->options;
unsigned char a_msdos_name[MSDOS_NAME], b_msdos_name[MSDOS_NAME];
int error;
error = msdos_format_name(name->name, name->len, a_msdos_name, options);
if (error)
goto old_compare;
Reported by FlawFinder.
Line: 236
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__le16 time, date;
int err;
memcpy(de.name, name, MSDOS_NAME);
de.attr = is_dir ? ATTR_DIR : ATTR_ARCH;
if (is_hid)
de.attr |= ATTR_HIDDEN;
de.lcase = 0;
fat_time_unix2fat(sbi, ts, &time, &date, NULL);
Reported by FlawFinder.
Line: 271
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode *inode = NULL;
struct fat_slot_info sinfo;
struct timespec64 ts;
unsigned char msdos_name[MSDOS_NAME];
int err, is_hid;
mutex_lock(&MSDOS_SB(sb)->s_lock);
err = msdos_format_name(dentry->d_name.name, dentry->d_name.len,
Reported by FlawFinder.
Line: 348
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct super_block *sb = dir->i_sb;
struct fat_slot_info sinfo;
struct inode *inode;
unsigned char msdos_name[MSDOS_NAME];
struct timespec64 ts;
int err, is_hid, cluster;
mutex_lock(&MSDOS_SB(sb)->s_lock);
Reported by FlawFinder.
Line: 603
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int flags)
{
struct super_block *sb = old_dir->i_sb;
unsigned char old_msdos_name[MSDOS_NAME], new_msdos_name[MSDOS_NAME];
int err, is_hid;
if (flags & ~RENAME_NOREPLACE)
return -EINVAL;
Reported by FlawFinder.