The following issues were found
net/sunrpc/sysctl.c
5 issues
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int proc_do_xprt(struct ctl_table *table, int write,
void *buffer, size_t *lenp, loff_t *ppos)
{
char tmpbuf[256];
ssize_t len;
if (write || *ppos) {
*lenp = 0;
return 0;
Reported by FlawFinder.
Line: 87
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
proc_dodebug(struct ctl_table *table, int write, void *buffer, size_t *lenp,
loff_t *ppos)
{
char tmpbuf[20], *s = NULL;
char *p;
unsigned int value;
size_t left, len;
if ((*ppos && !write) || !*lenp) {
Reported by FlawFinder.
Line: 110
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (left > sizeof(tmpbuf) - 1)
return -EINVAL;
memcpy(tmpbuf, p, left);
tmpbuf[left] = '\0';
value = simple_strtol(tmpbuf, &s, 0);
if (s) {
left -= (s - tmpbuf);
Reported by FlawFinder.
Line: 129
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (strcmp(table->procname, "rpc_debug") == 0)
rpc_show_tasks(&init_net);
} else {
len = sprintf(tmpbuf, "0x%04x", *(unsigned int *) table->data);
if (len > left)
len = left;
memcpy(buffer, tmpbuf, len);
if ((left -= len) > 0) {
*((char *)buffer + len) = '\n';
Reported by FlawFinder.
Line: 132
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = sprintf(tmpbuf, "0x%04x", *(unsigned int *) table->data);
if (len > left)
len = left;
memcpy(buffer, tmpbuf, len);
if ((left -= len) > 0) {
*((char *)buffer + len) = '\n';
left--;
}
}
Reported by FlawFinder.
net/sunrpc/sysfs.c
5 issues
Line: 98
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!xprt)
return 0;
ret = sprintf(buf, "%s\n", xprt->address_strings[RPC_DISPLAY_ADDR]);
xprt_put(xprt);
return ret + 1;
}
static ssize_t rpc_sysfs_xprt_info_show(struct kobject *kobj,
Reported by FlawFinder.
Line: 157
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
offline = test_bit(XPRT_OFFLINE, &xprt->state);
remove = test_bit(XPRT_REMOVE, &xprt->state);
ret = sprintf(buf, "state=%s %s %s %s %s %s %s %s %s %s %s %s\n",
locked ? "LOCKED" : "",
connected ? "CONNECTED" : "",
connecting ? "CONNECTING" : "",
close_wait ? "CLOSE_WAIT" : "",
bound ? "BOUND" : "",
Reported by FlawFinder.
Line: 113
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!xprt)
return 0;
ret = sprintf(buf, "last_used=%lu\ncur_cong=%lu\ncong_win=%lu\n"
"max_num_slots=%u\nmin_num_slots=%u\nnum_reqs=%u\n"
"binding_q_len=%u\nsending_q_len=%u\npending_q_len=%u\n"
"backlog_q_len=%u\nmain_xprt=%d\nsrc_port=%u\n"
"tasks_queuelen=%ld\n",
xprt->last_used, xprt->cong, xprt->cwnd, xprt->max_reqs,
Reported by FlawFinder.
Line: 142
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return 0;
if (!xprt->state) {
ret = sprintf(buf, "state=CLOSED\n");
} else {
locked = test_bit(XPRT_LOCKED, &xprt->state);
connected = test_bit(XPRT_CONNECTED, &xprt->state);
connecting = test_bit(XPRT_CONNECTING, &xprt->state);
close_wait = test_bit(XPRT_CLOSE_WAIT, &xprt->state);
Reported by FlawFinder.
Line: 186
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!xprt_switch)
return 0;
ret = sprintf(buf, "num_xprts=%u\nnum_active=%u\nqueue_len=%ld\n",
xprt_switch->xps_nxprts, xprt_switch->xps_nactive,
atomic_long_read(&xprt_switch->xps_queuelen));
xprt_switch_put(xprt_switch);
return ret + 1;
}
Reported by FlawFinder.
net/sunrpc/xprtrdma/transport.c
5 issues
Line: 164
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
xprt_rdma_format_addresses4(struct rpc_xprt *xprt, struct sockaddr *sap)
{
struct sockaddr_in *sin = (struct sockaddr_in *)sap;
char buf[20];
snprintf(buf, sizeof(buf), "%08x", ntohl(sin->sin_addr.s_addr));
xprt->address_strings[RPC_DISPLAY_HEX_ADDR] = kstrdup(buf, GFP_KERNEL);
xprt->address_strings[RPC_DISPLAY_NETID] = RPCBIND_NETID_RDMA;
Reported by FlawFinder.
Line: 176
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
xprt_rdma_format_addresses6(struct rpc_xprt *xprt, struct sockaddr *sap)
{
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sap;
char buf[40];
snprintf(buf, sizeof(buf), "%pi6", &sin6->sin6_addr);
xprt->address_strings[RPC_DISPLAY_HEX_ADDR] = kstrdup(buf, GFP_KERNEL);
xprt->address_strings[RPC_DISPLAY_NETID] = RPCBIND_NETID_RDMA6;
Reported by FlawFinder.
Line: 187
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void
xprt_rdma_format_addresses(struct rpc_xprt *xprt, struct sockaddr *sap)
{
char buf[128];
switch (sap->sa_family) {
case AF_INET:
xprt_rdma_format_addresses4(xprt, sap);
break;
Reported by FlawFinder.
Line: 355
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xprt->prot = IPPROTO_TCP;
xprt->xprt_class = &xprt_rdma;
xprt->addrlen = args->addrlen;
memcpy(&xprt->addr, sap, xprt->addrlen);
if (rpc_get_port(sap))
xprt_set_bound(xprt);
xprt_rdma_format_addresses(xprt, sap);
Reported by FlawFinder.
Line: 409
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
xprt_rdma_set_port(struct rpc_xprt *xprt, u16 port)
{
struct sockaddr *sap = (struct sockaddr *)&xprt->addr;
char buf[8];
rpc_set_port(sap, port);
kfree(xprt->address_strings[RPC_DISPLAY_PORT]);
snprintf(buf, sizeof(buf), "%u", port);
Reported by FlawFinder.
net/wireless/core.c
5 issues
Line: 104
Column: 2
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
return -EINVAL;
/* prohibit calling the thing phy%d when %d is not its number */
sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken);
if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {
/* count number of places needed to print wiphy_idx */
digits = 1;
while (wiphy_idx /= 10)
digits++;
Reported by FlawFinder.
Line: 794
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
if (wiphy->addresses)
memcpy(wiphy->perm_addr, wiphy->addresses[0].addr, ETH_ALEN);
/* sanity check ifmodes */
WARN_ON(!ifmodes);
ifmodes &= ((1 << NUM_NL80211_IFTYPES) - 1) & ~1;
if (WARN_ON(ifmodes != wiphy->interface_modes))
Reported by FlawFinder.
Line: 100
Column: 6
CWE codes:
126
ASSERT_RTNL();
if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN)
return -EINVAL;
/* prohibit calling the thing phy%d when %d is not its number */
sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken);
if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {
Reported by FlawFinder.
Line: 105
Column: 15
CWE codes:
126
/* prohibit calling the thing phy%d when %d is not its number */
sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken);
if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {
/* count number of places needed to print wiphy_idx */
digits = 1;
while (wiphy_idx /= 10)
digits++;
/*
Reported by FlawFinder.
Line: 114
Column: 16
CWE codes:
126
* deny the name if it is phy<idx> where <idx> is printed
* without leading zeroes. taken == strlen(newname) here
*/
if (taken == strlen(PHY_NAME) + digits)
return -EINVAL;
}
/* Ensure another device does not already have this name. */
list_for_each_entry(rdev2, &cfg80211_rdev_list, list)
Reported by FlawFinder.
net/wireless/wext-compat.c
5 issues
Line: 30
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct iw_request_info *info,
char *name, char *extra)
{
strcpy(name, "IEEE 802.11");
return 0;
}
EXPORT_WEXT_HANDLER(cfg80211_wext_giwname);
int cfg80211_wext_siwmode(struct net_device *dev, struct iw_request_info *info,
Reported by FlawFinder.
Line: 520
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!addr && (params->cipher == WLAN_CIPHER_SUITE_WEP40 ||
params->cipher == WLAN_CIPHER_SUITE_WEP104)) {
wdev->wext.keys->params[idx] = *params;
memcpy(wdev->wext.keys->data[idx],
params->key, params->key_len);
wdev->wext.keys->params[idx].key =
wdev->wext.keys->data[idx];
}
Reported by FlawFinder.
Line: 773
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
erq->length = min_t(size_t, erq->length,
wdev->wext.keys->params[idx].key_len);
memcpy(keybuf, wdev->wext.keys->params[idx].key, erq->length);
erq->flags |= IW_ENCODE_ENABLED;
return 0;
}
Reported by FlawFinder.
Line: 1298
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = 0;
wdev_lock(wdev);
if (wdev->current_bss)
memcpy(addr, wdev->current_bss->pub.bssid, ETH_ALEN);
else
err = -EOPNOTSUPP;
wdev_unlock(wdev);
if (err)
return err;
Reported by FlawFinder.
Line: 1346
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wdev_unlock(wdev);
return NULL;
}
memcpy(bssid, wdev->current_bss->pub.bssid, ETH_ALEN);
wdev_unlock(wdev);
memset(&sinfo, 0, sizeof(sinfo));
wiphy_lock(&rdev->wiphy);
Reported by FlawFinder.
net/wireless/wext-sme.c
5 issues
Line: 187
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wdev->wext.prev_bssid_valid = false;
wdev->wext.connect.ssid = wdev->wext.ssid;
memcpy(wdev->wext.ssid, ssid, len);
wdev->wext.connect.ssid_len = len;
wdev->wext.connect.crypto.control_port = false;
wdev->wext.connect.crypto.control_port_ethertype =
cpu_to_be16(ETH_P_PAE);
Reported by FlawFinder.
Line: 226
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data->length > IW_ESSID_MAX_SIZE)
ret = -EINVAL;
else
memcpy(ssid, ie + 2, data->length);
}
rcu_read_unlock();
} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
data->flags = 1;
data->length = wdev->wext.connect.ssid_len;
Reported by FlawFinder.
Line: 232
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
data->flags = 1;
data->length = wdev->wext.connect.ssid_len;
memcpy(ssid, wdev->wext.connect.ssid, data->length);
}
wdev_unlock(wdev);
return ret;
}
Reported by FlawFinder.
Line: 279
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (bssid) {
memcpy(wdev->wext.bssid, bssid, ETH_ALEN);
wdev->wext.connect.bssid = wdev->wext.bssid;
} else
wdev->wext.connect.bssid = NULL;
err = cfg80211_mgd_wext_connect(rdev, wdev);
Reported by FlawFinder.
Line: 304
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wdev_lock(wdev);
if (wdev->current_bss)
memcpy(ap_addr->sa_data, wdev->current_bss->pub.bssid, ETH_ALEN);
else
eth_zero_addr(ap_addr->sa_data);
wdev_unlock(wdev);
return 0;
Reported by FlawFinder.
net/wireless/wext-spy.c
5 issues
Line: 57
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy addresses */
for (i = 0; i < wrqu->data.length; i++)
memcpy(spydata->spy_address[i], address[i].sa_data,
ETH_ALEN);
/* Reset stats */
memset(spydata->spy_stat, 0,
sizeof(struct iw_quality) * IW_MAX_SPY);
}
Reported by FlawFinder.
Line: 91
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy addresses. */
for (i = 0; i < spydata->spy_number; i++) {
memcpy(address[i].sa_data, spydata->spy_address[i], ETH_ALEN);
address[i].sa_family = AF_UNIX;
}
/* Copy stats to the user buffer (just after). */
if (spydata->spy_number > 0)
memcpy(extra + (sizeof(struct sockaddr) *spydata->spy_number),
Reported by FlawFinder.
Line: 96
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy stats to the user buffer (just after). */
if (spydata->spy_number > 0)
memcpy(extra + (sizeof(struct sockaddr) *spydata->spy_number),
spydata->spy_stat,
sizeof(struct iw_quality) * spydata->spy_number);
/* Reset updated flags. */
for (i = 0; i < spydata->spy_number; i++)
spydata->spy_stat[i].updated &= ~IW_QUAL_ALL_UPDATED;
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wrqu.data.length = 1;
wrqu.data.flags = 0;
/* Copy address */
memcpy(threshold.addr.sa_data, address, ETH_ALEN);
threshold.addr.sa_family = ARPHRD_ETHER;
/* Copy stats */
threshold.qual = *wstats;
/* Copy also thresholds */
threshold.low = spydata->spy_thr_low;
Reported by FlawFinder.
Line: 207
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Update all records that match */
for (i = 0; i < spydata->spy_number; i++)
if (ether_addr_equal(address, spydata->spy_address[i])) {
memcpy(&(spydata->spy_stat[i]), wstats,
sizeof(struct iw_quality));
match = i;
}
/* Generate an event if we cross the spy threshold.
Reported by FlawFinder.
net/x25/x25_facilities.c
5 issues
Line: 159
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (p[2] > X25_MAX_AE_LEN)
return -1;
dte_facs->calling_len = p[2];
memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
*vc_fac_mask |= X25_MASK_CALLING_AE;
break;
case X25_FAC_CALLED_AE:
if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
return -1;
Reported by FlawFinder.
Line: 168
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (p[2] > X25_MAX_AE_LEN)
return -1;
dte_facs->called_len = p[2];
memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
*vc_fac_mask |= X25_MASK_CALLED_AE;
break;
default:
pr_debug("unknown facility %02X,"
"length %d\n", p[0], p[1]);
Reported by FlawFinder.
Line: 239
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*p++ = X25_FAC_CALLING_AE;
*p++ = 1 + bytecount;
*p++ = dte_facs->calling_len;
memcpy(p, dte_facs->calling_ae, bytecount);
p += bytecount;
}
if (dte_facs->called_len && (facil_mask & X25_MASK_CALLED_AE)) {
unsigned int bytecount = (dte_facs->called_len % 2) ?
Reported by FlawFinder.
Line: 250
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*p++ = X25_FAC_CALLED_AE;
*p++ = 1 + bytecount;
*p++ = dte_facs->called_len;
memcpy(p, dte_facs->called_ae, bytecount);
p+=bytecount;
}
len = p - buffer;
buffer[0] = len - 1;
Reported by FlawFinder.
Line: 274
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int len;
memset(&theirs, 0, sizeof(theirs));
memcpy(new, ours, sizeof(*new));
memset(dte, 0, sizeof(*dte));
len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
if (len < 0)
return len;
Reported by FlawFinder.
samples/auxdisplay/cfag12864b-example.c
5 issues
Line: 42
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cfag12864b_fd;
unsigned char * cfag12864b_mem;
unsigned char cfag12864b_buffer[CFAG12864B_SIZE];
/*
* init a cfag12864b framebuffer device
*
* No error: return = 0
Reported by FlawFinder.
Line: 53
Column: 18
CWE codes:
362
*/
static int cfag12864b_init(char *path)
{
cfag12864b_fd = open(path, O_RDWR);
if (cfag12864b_fd == -1)
return -1;
cfag12864b_mem = mmap(0, CFAG12864B_SIZE, PROT_READ | PROT_WRITE,
MAP_SHARED, cfag12864b_fd, 0);
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static void cfag12864b_blit(void)
{
memcpy(cfag12864b_mem, cfag12864b_buffer, CFAG12864B_SIZE);
}
/*
* ----------------------
* end of cfag12864b code
Reported by FlawFinder.
Line: 189
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void example(unsigned char n)
{
unsigned short i, j;
unsigned char matrix[CFAG12864B_WIDTH * CFAG12864B_HEIGHT];
if (n > EXAMPLES)
return;
printf("Example %i/%i - ", n, EXAMPLES);
Reported by FlawFinder.
samples/bpf/offwaketime_kern.c
5 issues
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MINBLOCK_US 1
struct key_t {
char waker[TASK_COMM_LEN];
char target[TASK_COMM_LEN];
u32 wret;
u32 tret;
};
Reported by FlawFinder.
Line: 26
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct key_t {
char waker[TASK_COMM_LEN];
char target[TASK_COMM_LEN];
u32 wret;
u32 tret;
};
struct {
Reported by FlawFinder.
Line: 46
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} start SEC(".maps");
struct wokeby_t {
char name[TASK_COMM_LEN];
u32 ret;
};
struct {
__uint(type, BPF_MAP_TYPE_HASH);
Reported by FlawFinder.
Line: 115
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* taken from /sys/kernel/debug/tracing/events/sched/sched_switch/format */
struct sched_switch_args {
unsigned long long pad;
char prev_comm[16];
int prev_pid;
int prev_prio;
long long prev_state;
char next_comm[16];
int next_pid;
Reported by FlawFinder.
Line: 119
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int prev_pid;
int prev_prio;
long long prev_state;
char next_comm[16];
int next_pid;
int next_prio;
};
SEC("tracepoint/sched/sched_switch")
int oncpu(struct sched_switch_args *ctx)
Reported by FlawFinder.