The following issues were found
kernel/trace/ring_buffer.c
29 issues
Line: 2297
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Writer corrupted the read? */
goto reset;
memcpy(iter->event, event, length);
/*
* If the page stamp is still the same after this rmb() then the
* event was safely copied without the writer entering the page.
*/
smp_rmb();
Reported by FlawFinder.
Line: 3855
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
body = rb_event_data(event);
memcpy(body, data, length);
rb_commit(cpu_buffer, event);
rb_wakeups(buffer, cpu_buffer);
Reported by FlawFinder.
Line: 5596
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* We have already ensured there's enough space if this
* is a time extend. */
size = rb_event_length(event);
memcpy(bpage->data + pos, rpage->data + rpos, size);
len -= size;
rb_advance_reader(cpu_buffer);
rpos = reader->read;
Reported by FlawFinder.
Line: 5653
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* missed events, then record it there.
*/
if (BUF_PAGE_SIZE - commit >= sizeof(missed_events)) {
memcpy(&bpage->data[commit], &missed_events,
sizeof(missed_events));
local_add(RB_MISSED_STORED, &bpage->commit);
commit += sizeof(missed_events);
}
local_add(RB_MISSED_EVENTS, &bpage->commit);
Reported by FlawFinder.
Line: 5812
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
item = ring_buffer_event_data(event);
item->size = size;
memcpy(item->str, rb_string, size);
if (nested) {
data->bytes_alloc_nested += event_len;
data->bytes_written_nested += len;
data->events_nested++;
Reported by FlawFinder.
Line: 323
Column: 12
CWE codes:
120
20
/*
 * Per-page bookkeeping for the ring buffer: list linkage, the next-write
 * and next-read indices, an entry count, the real end of data, and a
 * pointer to the data page itself.
 *
 * NOTE(review): `read` is an unsigned index member, not a call to read(2).
 * A scanner hit on this declaration (CWE-120/CWE-20) appears to come from
 * the identifier name alone; the declaration moves no data. Bounds
 * questions belong at the sites that use `read` as an offset into the
 * data page, which this declaration does not show.
 */
struct buffer_page {
struct list_head list; /* list of buffer pages */
local_t write; /* index for next write */
unsigned read; /* index for next read */
local_t entries; /* entries on this page */
unsigned long real_end; /* real end of data */
struct buffer_data_page *page; /* Actual data page */
};
Reported by FlawFinder.
Line: 515
Column: 18
CWE codes:
120
20
local_t pages_read;
long last_pages_touch;
size_t shortest_full;
unsigned long read;
unsigned long read_bytes;
rb_time_t write_stamp;
rb_time_t before_stamp;
u64 event_stamp[MAX_NEST];
u64 read_stamp;
Reported by FlawFinder.
Line: 859
Column: 9
CWE codes:
120
20
*/
size_t ring_buffer_nr_dirty_pages(struct trace_buffer *buffer, int cpu)
{
size_t read;
size_t cnt;
read = local_read(&buffer->buffers[cpu]->pages_read);
cnt = local_read(&buffer->buffers[cpu]->pages_touched);
/* The reader can read an empty page, but not more than that */
Reported by FlawFinder.
Line: 865
Column: 12
CWE codes:
120
20
read = local_read(&buffer->buffers[cpu]->pages_read);
cnt = local_read(&buffer->buffers[cpu]->pages_touched);
/* The reader can read an empty page, but not more than that */
if (cnt < read) {
WARN_ON_ONCE(read > cnt + 1);
return 0;
}
return cnt - read;
Reported by FlawFinder.
Line: 866
Column: 16
CWE codes:
120
20
cnt = local_read(&buffer->buffers[cpu]->pages_touched);
/* The reader can read an empty page, but not more than that */
if (cnt < read) {
WARN_ON_ONCE(read > cnt + 1);
return 0;
}
return cnt - read;
}
Reported by FlawFinder.
arch/s390/include/uapi/asm/vtoc.h
29 issues
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vtoc_volume_label_cdl
{
char volkey[4]; /* volume key = volume label */
char vollbl[4]; /* volume label */
char volid[6]; /* volume identifier */
__u8 security; /* security byte */
struct vtoc_cchhb vtoc; /* VTOC address */
char res1[5]; /* reserved */
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vtoc_volume_label_cdl
{
char volkey[4]; /* volume key = volume label */
char vollbl[4]; /* volume label */
char volid[6]; /* volume identifier */
__u8 security; /* security byte */
struct vtoc_cchhb vtoc; /* VTOC address */
char res1[5]; /* reserved */
char cisize[4]; /* CI-size for FBA,... */
Reported by FlawFinder.
Line: 45
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char volkey[4]; /* volume key = volume label */
char vollbl[4]; /* volume label */
char volid[6]; /* volume identifier */
__u8 security; /* security byte */
struct vtoc_cchhb vtoc; /* VTOC address */
char res1[5]; /* reserved */
char cisize[4]; /* CI-size for FBA,... */
/* ...blanks for CKD */
Reported by FlawFinder.
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char volid[6]; /* volume identifier */
__u8 security; /* security byte */
struct vtoc_cchhb vtoc; /* VTOC address */
char res1[5]; /* reserved */
char cisize[4]; /* CI-size for FBA,... */
/* ...blanks for CKD */
char blkperci[4]; /* no of blocks per CI (FBA), blanks for CKD */
char labperci[4]; /* no of labels per CI (FBA), blanks for CKD */
char res2[4]; /* reserved */
Reported by FlawFinder.
Line: 49
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 security; /* security byte */
struct vtoc_cchhb vtoc; /* VTOC address */
char res1[5]; /* reserved */
char cisize[4]; /* CI-size for FBA,... */
/* ...blanks for CKD */
char blkperci[4]; /* no of blocks per CI (FBA), blanks for CKD */
char labperci[4]; /* no of labels per CI (FBA), blanks for CKD */
char res2[4]; /* reserved */
char lvtoc[14]; /* owner code for LVTOC */
Reported by FlawFinder.
Line: 51
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char res1[5]; /* reserved */
char cisize[4]; /* CI-size for FBA,... */
/* ...blanks for CKD */
char blkperci[4]; /* no of blocks per CI (FBA), blanks for CKD */
char labperci[4]; /* no of labels per CI (FBA), blanks for CKD */
char res2[4]; /* reserved */
char lvtoc[14]; /* owner code for LVTOC */
char res3[29]; /* reserved */
} __attribute__ ((packed));
Reported by FlawFinder.
Line: 52
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char cisize[4]; /* CI-size for FBA,... */
/* ...blanks for CKD */
char blkperci[4]; /* no of blocks per CI (FBA), blanks for CKD */
char labperci[4]; /* no of labels per CI (FBA), blanks for CKD */
char res2[4]; /* reserved */
char lvtoc[14]; /* owner code for LVTOC */
char res3[29]; /* reserved */
} __attribute__ ((packed));
Reported by FlawFinder.
Line: 53
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* ...blanks for CKD */
char blkperci[4]; /* no of blocks per CI (FBA), blanks for CKD */
char labperci[4]; /* no of labels per CI (FBA), blanks for CKD */
char res2[4]; /* reserved */
char lvtoc[14]; /* owner code for LVTOC */
char res3[29]; /* reserved */
} __attribute__ ((packed));
struct vtoc_volume_label_ldl {
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char blkperci[4]; /* no of blocks per CI (FBA), blanks for CKD */
char labperci[4]; /* no of labels per CI (FBA), blanks for CKD */
char res2[4]; /* reserved */
char lvtoc[14]; /* owner code for LVTOC */
char res3[29]; /* reserved */
} __attribute__ ((packed));
struct vtoc_volume_label_ldl {
char vollbl[4]; /* volume label */
Reported by FlawFinder.
Line: 55
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char labperci[4]; /* no of labels per CI (FBA), blanks for CKD */
char res2[4]; /* reserved */
char lvtoc[14]; /* owner code for LVTOC */
char res3[29]; /* reserved */
} __attribute__ ((packed));
struct vtoc_volume_label_ldl {
char vollbl[4]; /* volume label */
char volid[6]; /* volume identifier */
Reported by FlawFinder.
tools/vm/slabinfo.c
29 issues
Line: 1196
Column: 12
CWE codes:
362
20
Suggestion:
Reconsider approach
switch (de->d_type) {
case DT_LNK:
alias->name = strdup(de->d_name);
count = readlink(de->d_name, buffer, sizeof(buffer)-1);
if (count < 0)
fatal("Cannot read symlink %s\n", de->d_name);
buffer[count] = 0;
Reported by FlawFinder.
Line: 106
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list ap;
va_start(ap, x);
vfprintf(stderr, x, ap);
va_end(ap);
exit(EXIT_FAILURE);
}
static void usage(void)
Reported by FlawFinder.
Line: 1389
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
page_size = getpagesize();
while ((c = getopt_long(argc, argv, "aABd::DefhilLnN:oPrsStTUvXz1",
opts, NULL)) != -1)
switch (c) {
case 'a':
show_alias = 1;
break;
Reported by FlawFinder.
Line: 63
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int alias_targets;
int highest_node;
char buffer[4096];
int show_empty;
int show_report;
int show_alias;
int show_slab;
Reported by FlawFinder.
Line: 158
Column: 12
CWE codes:
362
static unsigned long read_obj(const char *name)
{
FILE *f = fopen(name, "r");
if (!f)
buffer[0] = 0;
else {
if (!fgets(buffer, sizeof(buffer), f))
Reported by FlawFinder.
Line: 181
Column: 9
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (!read_obj(name))
return 0;
return atol(buffer);
}
static unsigned long get_obj_and_str(const char *name, char **x)
{
unsigned long result = 0;
Reported by FlawFinder.
Line: 205
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void set_obj(struct slabinfo *s, const char *name, int n)
{
char x[100];
FILE *f;
snprintf(x, 100, "%s/%s", s->name, name);
f = fopen(x, "w");
if (!f)
Reported by FlawFinder.
Line: 209
Column: 6
CWE codes:
362
FILE *f;
snprintf(x, 100, "%s/%s", s->name, name);
f = fopen(x, "w");
if (!f)
fatal("Cannot write to %s\n", x);
fprintf(f, "%d\n", n);
fclose(f);
Reported by FlawFinder.
Line: 219
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned long read_slab_obj(struct slabinfo *s, const char *name)
{
char x[100];
FILE *f;
size_t l;
snprintf(x, 100, "%s/%s", s->name, name);
f = fopen(x, "r");
Reported by FlawFinder.
Line: 224
Column: 6
CWE codes:
362
size_t l;
snprintf(x, 100, "%s/%s", s->name, name);
f = fopen(x, "r");
if (!f) {
buffer[0] = 0;
l = 0;
} else {
l = fread(buffer, 1, sizeof(buffer), f);
Reported by FlawFinder.
drivers/net/ethernet/intel/igc/igc_main.c
28 issues
Line: 4830
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
q_vector->itr_register = adapter->io_addr + IGC_EITR(vector);
if (q_vector->rx.ring && q_vector->tx.ring)
sprintf(q_vector->name, "%s-TxRx-%u", netdev->name,
q_vector->rx.ring->queue_index);
else if (q_vector->tx.ring)
sprintf(q_vector->name, "%s-tx-%u", netdev->name,
q_vector->tx.ring->queue_index);
else if (q_vector->rx.ring)
Reported by FlawFinder.
Line: 4833
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(q_vector->name, "%s-TxRx-%u", netdev->name,
q_vector->rx.ring->queue_index);
else if (q_vector->tx.ring)
sprintf(q_vector->name, "%s-tx-%u", netdev->name,
q_vector->tx.ring->queue_index);
else if (q_vector->rx.ring)
sprintf(q_vector->name, "%s-rx-%u", netdev->name,
q_vector->rx.ring->queue_index);
else
Reported by FlawFinder.
Line: 4836
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(q_vector->name, "%s-tx-%u", netdev->name,
q_vector->tx.ring->queue_index);
else if (q_vector->rx.ring)
sprintf(q_vector->name, "%s-rx-%u", netdev->name,
q_vector->rx.ring->queue_index);
else
sprintf(q_vector->name, "%s-unused", netdev->name);
err = request_irq(adapter->msix_entries[vector].vector,
Reported by FlawFinder.
Line: 4839
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(q_vector->name, "%s-rx-%u", netdev->name,
q_vector->rx.ring->queue_index);
else
sprintf(q_vector->name, "%s-unused", netdev->name);
err = request_irq(adapter->msix_entries[vector].vector,
igc_msix_ring, 0, q_vector->name,
q_vector);
if (err)
Reported by FlawFinder.
Line: 947
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(addr->sa_data))
return -EADDRNOTAVAIL;
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
memcpy(hw->mac.addr, addr->sa_data, netdev->addr_len);
/* set the correct pool for the new PF MAC address in entry 0 */
igc_set_default_mac_filter(adapter);
Reported by FlawFinder.
Line: 948
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EADDRNOTAVAIL;
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
memcpy(hw->mac.addr, addr->sa_data, netdev->addr_len);
/* set the correct pool for the new PF MAC address in entry 0 */
igc_set_default_mac_filter(adapter);
return 0;
Reported by FlawFinder.
Line: 986
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* The shared function expects a packed array of only addresses. */
i = 0;
netdev_for_each_mc_addr(ha, netdev)
memcpy(mta_list + (i++ * ETH_ALEN), ha->addr, ETH_ALEN);
igc_update_mc_addr_list(hw, mta_list, i);
kfree(mta_list);
return netdev_mc_count(netdev);
Reported by FlawFinder.
Line: 1766
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
headlen = eth_get_headlen(skb->dev, va, IGC_RX_HDR_LEN);
/* align pull length to size of long to optimize memcpy performance */
memcpy(__skb_put(skb, headlen), va, ALIGN(headlen, sizeof(long)));
/* update all of the pointers */
size -= headlen;
if (size) {
skb_add_rx_frag(skb, 0, rx_buffer->page,
Reported by FlawFinder.
Line: 2444
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
skb_reserve(skb, xdp->data_meta - xdp->data_hard_start);
memcpy(__skb_put(skb, totalsize), xdp->data_meta, totalsize);
if (metasize)
skb_metadata_set(skb, metasize);
return skb;
}
Reported by FlawFinder.
Line: 4592
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock(&adapter->stats64_lock);
if (!test_bit(__IGC_RESETTING, &adapter->state))
igc_update_stats(adapter);
memcpy(stats, &adapter->stats64, sizeof(*stats));
spin_unlock(&adapter->stats64_lock);
}
static netdev_features_t igc_fix_features(struct net_device *netdev,
netdev_features_t features)
Reported by FlawFinder.
drivers/net/ethernet/broadcom/bnxt/bnxt.c
28 issues
Line: 520
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!fptr)
goto normal_tx;
memcpy(pdata, fptr, skb_frag_size(frag));
pdata += skb_frag_size(frag);
}
txbd->tx_bd_len_flags_type = tx_push->tx_bd_len_flags_type;
txbd->tx_bd_haddr = txr->data_mapping;
Reported by FlawFinder.
Line: 528
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
txbd->tx_bd_haddr = txr->data_mapping;
prod = NEXT_TX(prod);
txbd = &txr->tx_desc_ring[TX_RING(prod)][TX_IDX(prod)];
memcpy(txbd, tx_push1, sizeof(*txbd));
prod = NEXT_TX(prod);
tx_push->doorbell =
cpu_to_le32(DB_KEY_TX_PUSH | DB_LONG_TX_PUSH | prod);
txr->tx_prod = prod;
Reported by FlawFinder.
Line: 1039
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
off = (void *)data_ptr - page_address(page);
skb_add_rx_frag(skb, 0, page, off, len, PAGE_SIZE);
memcpy(skb->data - NET_IP_ALIGN, data_ptr - NET_IP_ALIGN,
payload + NET_IP_ALIGN);
frag = &skb_shinfo(skb)->frags[0];
skb_frag_size_sub(frag, payload);
skb_frag_off_add(frag, payload);
Reported by FlawFinder.
Line: 1185
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dma_sync_single_for_cpu(&pdev->dev, mapping, bp->rx_copy_thresh,
bp->rx_dir);
memcpy(skb->data - NET_IP_ALIGN, data - NET_IP_ALIGN,
len + NET_IP_ALIGN);
dma_sync_single_for_device(&pdev->dev, mapping, bp->rx_copy_thresh,
bp->rx_dir);
Reported by FlawFinder.
Line: 3600
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
prandom_bytes(vnic->rss_hash_key,
HW_HASH_KEY_SIZE);
else
memcpy(vnic->rss_hash_key,
bp->vnic_info[0].rss_hash_key,
HW_HASH_KEY_SIZE);
}
}
}
Reported by FlawFinder.
Line: 4566
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
max_msg_len = bp->hwrm_max_ext_req_len;
memcpy(short_cmd_req, req, msg_len);
if (msg_len < max_msg_len)
memset(short_cmd_req + msg_len, 0,
max_msg_len - msg_len);
short_input.req_type = req->req_type;
Reported by FlawFinder.
Line: 4982
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req.enables = cpu_to_le32(BNXT_NTP_FLTR_FLAGS);
req.ethertype = htons(ETH_P_IP);
memcpy(req.src_macaddr, fltr->src_mac_addr, ETH_ALEN);
req.ip_addr_type = CFA_NTUPLE_FILTER_ALLOC_REQ_IP_ADDR_TYPE_IPV4;
req.ip_protocol = keys->basic.ip_proto;
if (keys->basic.n_proto == htons(ETH_P_IPV6)) {
int i;
Reported by FlawFinder.
Line: 5045
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_le32(CFA_L2_FILTER_ALLOC_REQ_ENABLES_L2_ADDR |
CFA_L2_FILTER_ALLOC_REQ_ENABLES_DST_ID |
CFA_L2_FILTER_ALLOC_REQ_ENABLES_L2_ADDR_MASK);
memcpy(req.l2_addr, mac_addr, ETH_ALEN);
req.l2_addr_mask[0] = 0xff;
req.l2_addr_mask[1] = 0xff;
req.l2_addr_mask[2] = 0xff;
req.l2_addr_mask[3] = 0xff;
req.l2_addr_mask[4] = 0xff;
Reported by FlawFinder.
Line: 6697
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Tick values in micro seconds.
* 1 coal_buf x bufs_per_record = 1 completion record.
*/
memcpy(&coal, &bp->rx_coal, sizeof(struct bnxt_coal));
coal.coal_ticks = cpr->rx_ring_coal.coal_ticks;
coal.coal_bufs = cpr->rx_ring_coal.coal_bufs;
if (!bnapi->rx_ring)
Reported by FlawFinder.
Line: 7601
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pf->fw_fid = le16_to_cpu(resp->fid);
pf->port_id = le16_to_cpu(resp->port_id);
memcpy(pf->mac_addr, resp->mac_address, ETH_ALEN);
pf->first_vf_id = le16_to_cpu(resp->first_vf_id);
pf->max_vfs = le16_to_cpu(resp->max_vfs);
pf->max_encap_records = le32_to_cpu(resp->max_encap_records);
pf->max_decap_records = le32_to_cpu(resp->max_decap_records);
pf->max_tx_em_flows = le32_to_cpu(resp->max_tx_em_flows);
Reported by FlawFinder.
drivers/media/usb/ttusb-dec/ttusb_dec.c
28 issues
Line: 83
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Callback type: takes an opaque pointer and a byte buffer, returns int. */
typedef int (dvb_filter_pes2ts_cb_t) (void *, unsigned char *);
/*
 * State for a PES-to-TS packetiser: one output packet buffer, a counter,
 * and the callback (plus its private pointer) that receives each packet.
 */
struct dvb_filter_pes2ts {
/*
 * One 188-byte output packet (the MPEG-TS packet size).
 * NOTE(review): the packetiser code elsewhere in this file copies 184
 * bytes to buf+4 and, for the tail, `len` bytes to buf+5+rest. Presumably
 * `buf` there is this array; confirm that 4 + 184 == sizeof(buf) and
 * 5 + rest + len <= sizeof(buf) hold on every path before treating the
 * fixed-size-array finding as closed.
 */
unsigned char buf[188];
/* Counter; the packetiser uses only its low four bits (cc++ & 0x0f). */
unsigned char cc;
/* Invoked as cb(priv, buf) for each finished packet; a non-zero return is passed back to the caller. */
dvb_filter_pes2ts_cb_t *cb;
/* Opaque pointer handed back to cb as its first argument. */
void *priv;
};
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
spinlock_t filter_info_list_lock;
struct input_dev *rc_input_dev;
char rc_phys[64];
int active; /* Loaded successfully */
};
struct urb_frame {
Reported by FlawFinder.
Line: 225
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[1]&=~0x40;
while (len>=184) {
buf[3]=0x10|((p2ts->cc++)&0x0f);
memcpy(buf+4, pes, 184);
if ((ret=p2ts->cb(p2ts->priv, buf)))
return ret;
len-=184; pes+=184;
buf[1]&=~0x40;
}
Reported by FlawFinder.
Line: 241
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(buf+6, 0xff, rest-1);
}
buf[4]=rest;
memcpy(buf+5+rest, pes, len);
return p2ts->cb(p2ts->priv, buf);
}
static void ttusb_dec_set_model(struct ttusb_dec *dec,
enum ttusb_dec_model model);
Reported by FlawFinder.
Line: 339
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b[3] = param_length;
if (params)
memcpy(&b[4], params, param_length);
if (debug) {
printk(KERN_DEBUG "%s: command: %*ph\n",
__func__, param_length, b);
}
Reported by FlawFinder.
Line: 371
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (result_length)
*result_length = b[3];
if (cmd_result && b[3] > 0)
memcpy(cmd_result, &b[4], b[3]);
}
err:
mutex_unlock(&dec->usb_mutex);
Reported by FlawFinder.
Line: 397
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (c_length >= 0x0c) {
if (mode != NULL) {
memcpy(&tmp, c, 4);
*mode = ntohl(tmp);
}
if (model != NULL) {
memcpy(&tmp, &c[4], 4);
*model = ntohl(tmp);
Reported by FlawFinder.
Line: 401
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*mode = ntohl(tmp);
}
if (model != NULL) {
memcpy(&tmp, &c[4], 4);
*model = ntohl(tmp);
}
if (version != NULL) {
memcpy(&tmp, &c[8], 4);
*version = ntohl(tmp);
Reported by FlawFinder.
Line: 405
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*model = ntohl(tmp);
}
if (version != NULL) {
memcpy(&tmp, &c[8], 4);
*version = ntohl(tmp);
}
return 0;
} else {
return -ENOENT;
Reported by FlawFinder.
Line: 446
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dprintk("%s\n", __func__);
memcpy(&b[0], &pcr, 2);
memcpy(&b[2], &audio, 2);
memcpy(&b[4], &video, 2);
ttusb_dec_send_command(dec, 0x50, sizeof(b), b, NULL, NULL);
Reported by FlawFinder.
net/xfrm/xfrm_user.c
28 issues
Line: 310
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!p)
return -ENOMEM;
strcpy(p->alg_name, algo->name);
*algpp = p;
return 0;
}
static int attach_crypt(struct xfrm_state *x, struct nlattr *rta)
Reported by FlawFinder.
Line: 334
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!p)
return -ENOMEM;
strcpy(p->alg_name, algo->name);
x->ealg = p;
x->geniv = algo->uinfo.encr.geniv;
return 0;
}
Reported by FlawFinder.
Line: 361
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!p)
return -ENOMEM;
strcpy(p->alg_name, algo->name);
p->alg_key_len = ualg->alg_key_len;
p->alg_trunc_len = algo->uinfo.auth.icv_truncbits;
memcpy(p->alg_key, ualg->alg_key, (ualg->alg_key_len + 7) / 8);
*algpp = p;
Reported by FlawFinder.
Line: 392
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!p)
return -ENOMEM;
strcpy(p->alg_name, algo->name);
if (!p->alg_trunc_len)
p->alg_trunc_len = algo->uinfo.auth.icv_truncbits;
*algpp = p;
return 0;
Reported by FlawFinder.
Line: 419
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!p)
return -ENOMEM;
strcpy(p->alg_name, algo->name);
x->aead = p;
x->geniv = algo->uinfo.aead.geniv;
return 0;
}
Reported by FlawFinder.
Line: 364
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
strcpy(p->alg_name, algo->name);
p->alg_key_len = ualg->alg_key_len;
p->alg_trunc_len = algo->uinfo.auth.icv_truncbits;
memcpy(p->alg_key, ualg->alg_key, (ualg->alg_key_len + 7) / 8);
*algpp = p;
return 0;
}
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(p, up, ulen);
memcpy(pp, up, ulen);
*replay_esn = p;
*preplay_esn = pp;
Reported by FlawFinder.
Line: 475
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(p, up, ulen);
memcpy(pp, up, ulen);
*replay_esn = p;
*preplay_esn = pp;
return 0;
Reported by FlawFinder.
Line: 528
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (re) {
struct xfrm_replay_state_esn *replay_esn;
replay_esn = nla_data(re);
memcpy(x->replay_esn, replay_esn,
xfrm_replay_state_esn_len(replay_esn));
memcpy(x->preplay_esn, replay_esn,
xfrm_replay_state_esn_len(replay_esn));
}
Reported by FlawFinder.
Line: 530
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
replay_esn = nla_data(re);
memcpy(x->replay_esn, replay_esn,
xfrm_replay_state_esn_len(replay_esn));
memcpy(x->preplay_esn, replay_esn,
xfrm_replay_state_esn_len(replay_esn));
}
if (rp) {
struct xfrm_replay_state *replay;
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/bpf_iter.c
28 issues
Line: 694
CWE codes:
401
skel = bpf_iter_bpf_percpu_hash_map__open();
if (CHECK(!skel, "bpf_iter_bpf_percpu_hash_map__open",
"skeleton open failed\n"))
return;
skel->rodata->num_cpus = bpf_num_possible_cpus();
err = bpf_iter_bpf_percpu_hash_map__load(skel);
if (CHECK(!skel, "bpf_iter_bpf_percpu_hash_map__load",
Reported by Cppcheck.
Line: 866
CWE codes:
401
skel = bpf_iter_bpf_percpu_array_map__open();
if (CHECK(!skel, "bpf_iter_bpf_percpu_array_map__open",
"skeleton open failed\n"))
return;
skel->rodata->num_cpus = bpf_num_possible_cpus();
err = bpf_iter_bpf_percpu_array_map__load(skel);
if (CHECK(!skel, "bpf_iter_bpf_percpu_array_map__load",
Reported by Cppcheck.
Line: 46
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void do_dummy_read(struct bpf_program *prog)
{
struct bpf_link *link;
char buf[16] = {};
int iter_fd, len;
link = bpf_program__attach_iter(prog, NULL);
if (!ASSERT_OK_PTR(link, "attach_iter"))
return;
Reported by FlawFinder.
Line: 192
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Size, in bytes, of the static buffer declared below. */
#define TASKBUFSZ 32768
/*
 * Fixed-size static buffer.
 * NOTE(review): the code that fills it is not visible in this excerpt;
 * whatever appends to taskbuf must cap the running offset plus the read
 * length at TASKBUFSZ. Verify that at the fill site.
 */
static char taskbuf[TASKBUFSZ];
static int do_btf_read(struct bpf_iter_task_btf *skel)
{
struct bpf_program *prog = skel->progs.dump_task_struct;
struct bpf_iter_task_btf__bss *bss = skel->bss;
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool read_one_char)
{
int err = -1, len, read_buf_len, start;
char buf[16] = {};
read_buf_len = read_one_char ? 1 : 16;
start = 0;
while ((len = read(iter_fd, buf + start, read_buf_len)) > 0) {
start += len;
Reported by FlawFinder.
Line: 375
Column: 12
CWE codes:
362
{
int err, iter_fd;
iter_fd = open(path, O_RDONLY);
if (CHECK(iter_fd < 0, "open", "open %s failed: %s\n",
path, strerror(errno)))
return -1;
err = do_read_with_fd(iter_fd, expected, false);
Reported by FlawFinder.
Line: 590
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int b;
int c;
} key;
char buf[64];
skel = bpf_iter_bpf_hash_map__open();
if (CHECK(!skel, "bpf_iter_bpf_hash_map__open",
"skeleton open failed\n"))
return;
Reported by FlawFinder.
Line: 686
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int b;
int c;
} key;
char buf[64];
void *val;
val = malloc(8 * bpf_num_possible_cpus());
skel = bpf_iter_bpf_percpu_hash_map__open();
Reported by FlawFinder.
Line: 772
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union bpf_iter_link_info linfo;
int err, i, map_fd, iter_fd;
struct bpf_link *link;
char buf[64] = {};
int len, start;
skel = bpf_iter_bpf_array_map__open_and_load();
if (CHECK(!skel, "bpf_iter_bpf_array_map__open_and_load",
"skeleton open_and_load failed\n"))
Reported by FlawFinder.
Line: 857
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union bpf_iter_link_info linfo;
int err, i, j, map_fd, iter_fd;
struct bpf_link *link;
char buf[64];
void *val;
int len;
val = malloc(8 * bpf_num_possible_cpus());
Reported by FlawFinder.
drivers/scsi/sd.c
28 issues
Line: 287
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct scsi_disk *sdkp = to_scsi_disk(dev);
int ct = sdkp->RCD + 2*sdkp->WCE;
return sprintf(buf, "%s\n", sd_cache_types[ct]);
}
static DEVICE_ATTR_RW(cache_type);
static ssize_t
FUA_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 351
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!dif && !dix)
return sprintf(buf, "none\n");
return sprintf(buf, "%s%u\n", dix ? "dix" : "dif", dif);
}
static DEVICE_ATTR_RO(protection_mode);
static ssize_t
app_tag_own_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 390
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scsi_disk *sdkp = to_scsi_disk(dev);
return sprintf(buf, "%s\n", lbp_mode[sdkp->provisioning_mode]);
}
static ssize_t
provisioning_mode_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 436
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scsi_disk *sdkp = to_scsi_disk(dev);
return sprintf(buf, "%s\n", zeroing_mode[sdkp->zeroing_mode]);
}
static ssize_t
zeroing_mode_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 158
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ct, rcd, wce, sp;
struct scsi_disk *sdkp = to_scsi_disk(dev);
struct scsi_device *sdp = sdkp->device;
char buffer[64];
char *buffer_data;
struct scsi_mode_data data;
struct scsi_sense_hdr sshdr;
static const char temp[] = "temporary ";
int len;
Reported by FlawFinder.
Line: 227
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct scsi_disk *sdkp = to_scsi_disk(dev);
struct scsi_device *sdp = sdkp->device;
return sprintf(buf, "%u\n", sdp->manage_start_stop);
}
static ssize_t
manage_start_stop_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 255
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scsi_disk *sdkp = to_scsi_disk(dev);
return sprintf(buf, "%u\n", sdkp->device->allow_restart);
}
static ssize_t
allow_restart_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 296
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scsi_disk *sdkp = to_scsi_disk(dev);
return sprintf(buf, "%u\n", sdkp->DPOFUA);
}
static DEVICE_ATTR_RO(FUA);
static ssize_t
protection_type_show(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 306
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scsi_disk *sdkp = to_scsi_disk(dev);
return sprintf(buf, "%u\n", sdkp->protection_type);
}
static ssize_t
protection_type_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 349
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if (!dif && !dix)
return sprintf(buf, "none\n");
return sprintf(buf, "%s%u\n", dix ? "dix" : "dif", dif);
}
static DEVICE_ATTR_RO(protection_mode);
Reported by FlawFinder.
drivers/block/loop.c
28 issues
Line: 870
Column: 9
CWE codes:
120
Suggestion:
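Use sprintf_s, snprintf, or vsnprintf
The "%s" argument here is one of the two literals "1" or "0", so the output is always two characters plus the terminator, whatever lo_flags holds. The length is bounded by construction. If these helpers back sysfs attributes, as the LOOP_ATTR_RO() lines in this file suggest, switching to sysfs_emit() is a consistency change rather than an overflow fix.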
{
int autoclear = (lo->lo_flags & LO_FLAGS_AUTOCLEAR);
return sprintf(buf, "%s\n", autoclear ? "1" : "0");
}
static ssize_t loop_attr_partscan_show(struct loop_device *lo, char *buf)
{
int partscan = (lo->lo_flags & LO_FLAGS_PARTSCAN);
Reported by FlawFinder.
Line: 877
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int partscan = (lo->lo_flags & LO_FLAGS_PARTSCAN);
return sprintf(buf, "%s\n", partscan ? "1" : "0");
}
static ssize_t loop_attr_dio_show(struct loop_device *lo, char *buf)
{
int dio = (lo->lo_flags & LO_FLAGS_DIRECT_IO);
Reported by FlawFinder.
Line: 884
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int dio = (lo->lo_flags & LO_FLAGS_DIRECT_IO);
return sprintf(buf, "%s\n", dio ? "1" : "0");
}
LOOP_ATTR_RO(backing_file);
LOOP_ATTR_RO(offset);
LOOP_ATTR_RO(sizelimit);
Reported by FlawFinder.
Line: 858
Column: 9
CWE codes:
120
Suggestion:
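Use sprintf_s, snprintf, or vsnprintf
The only conversion is "%llu" on a value cast to unsigned long long, which prints at most 20 digits. With the newline and terminator the output is at most 22 bytes, so the write is bounded as long as buf is at least that large.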
static ssize_t loop_attr_offset_show(struct loop_device *lo, char *buf)
{
return sprintf(buf, "%llu\n", (unsigned long long)lo->lo_offset);
}
static ssize_t loop_attr_sizelimit_show(struct loop_device *lo, char *buf)
{
return sprintf(buf, "%llu\n", (unsigned long long)lo->lo_sizelimit);
Reported by FlawFinder.
Line: 863
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t loop_attr_sizelimit_show(struct loop_device *lo, char *buf)
{
return sprintf(buf, "%llu\n", (unsigned long long)lo->lo_sizelimit);
}
static ssize_t loop_attr_autoclear_show(struct loop_device *lo, char *buf)
{
int autoclear = (lo->lo_flags & LO_FLAGS_AUTOCLEAR);
Reported by FlawFinder.
Line: 1163
Column: 2
CWE codes:
120
Suggestion:
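Make sure destination can always hold the source data
The length is the constant LO_NAME_SIZE for both copies, and the two lines that follow force a terminating NUL at index LO_NAME_SIZE-1. The copies are in bounds provided the lo_file_name and lo_crypt_name arrays on both sides are declared with at least LO_NAME_SIZE bytes. Those declarations are not part of this excerpt.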
lo->lo_offset = info->lo_offset;
lo->lo_sizelimit = info->lo_sizelimit;
memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
memcpy(lo->lo_crypt_name, info->lo_crypt_name, LO_NAME_SIZE);
lo->lo_file_name[LO_NAME_SIZE-1] = 0;
lo->lo_crypt_name[LO_NAME_SIZE-1] = 0;
if (!xfer)
Reported by FlawFinder.
Line: 1164
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lo->lo_offset = info->lo_offset;
lo->lo_sizelimit = info->lo_sizelimit;
memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
memcpy(lo->lo_crypt_name, info->lo_crypt_name, LO_NAME_SIZE);
lo->lo_file_name[LO_NAME_SIZE-1] = 0;
lo->lo_crypt_name[LO_NAME_SIZE-1] = 0;
if (!xfer)
xfer = &none_funcs;
Reported by FlawFinder.
Line: 1179
Column: 3
CWE codes:
120
Suggestion:
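Make sure destination can always hold the source data
Unlike the fixed LO_NAME_SIZE copies flagged earlier in this file, the length here is info->lo_encrypt_key_size, a value read from `info` at run time. The excerpt does not show where that field is bounded, so confirm that it is checked against the size of lo->lo_encrypt_key before this copy runs.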
lo->lo_init[0] = info->lo_init[0];
lo->lo_init[1] = info->lo_init[1];
if (info->lo_encrypt_key_size) {
memcpy(lo->lo_encrypt_key, info->lo_encrypt_key,
info->lo_encrypt_key_size);
lo->lo_key_owner = uid;
}
return 0;
Reported by FlawFinder.
Line: 1601
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info->lo_offset = lo->lo_offset;
info->lo_sizelimit = lo->lo_sizelimit;
info->lo_flags = lo->lo_flags;
memcpy(info->lo_file_name, lo->lo_file_name, LO_NAME_SIZE);
memcpy(info->lo_crypt_name, lo->lo_crypt_name, LO_NAME_SIZE);
info->lo_encrypt_type =
lo->lo_encryption ? lo->lo_encryption->number : 0;
if (lo->lo_encrypt_key_size && capable(CAP_SYS_ADMIN)) {
info->lo_encrypt_key_size = lo->lo_encrypt_key_size;
Reported by FlawFinder.
Line: 1602
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info->lo_sizelimit = lo->lo_sizelimit;
info->lo_flags = lo->lo_flags;
memcpy(info->lo_file_name, lo->lo_file_name, LO_NAME_SIZE);
memcpy(info->lo_crypt_name, lo->lo_crypt_name, LO_NAME_SIZE);
info->lo_encrypt_type =
lo->lo_encryption ? lo->lo_encryption->number : 0;
if (lo->lo_encrypt_key_size && capable(CAP_SYS_ADMIN)) {
info->lo_encrypt_key_size = lo->lo_encrypt_key_size;
memcpy(info->lo_encrypt_key, lo->lo_encrypt_key,
Reported by FlawFinder.