The following issues were found
net/core/drop_monitor.c
5 issues
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Capacity, in bytes, of the fixed trap_name buffer in struct net_dm_hw_entry. */
#define NET_DM_MAX_HW_TRAP_NAME_LEN 40
/*
 * One hardware entry: a trap name stored inline in a fixed-size char array,
 * followed by a u32 count.
 *
 * NOTE(review): this is a declaration only; nothing is copied here. The
 * CWE-119/120 finding is raised on the fixed-size array itself, so triage it
 * at the code that writes trap_name (not in this excerpt): each writer must
 * limit the copy to NET_DM_MAX_HW_TRAP_NAME_LEN bytes and define what happens
 * on truncation, including whether the result is NUL-terminated.
 */
struct net_dm_hw_entry {
char trap_name[NET_DM_MAX_HW_TRAP_NAME_LEN];
u32 count;
};
struct net_dm_hw_entries {
u32 num_entries;
Reported by FlawFinder.
Line: 252
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
__nla_reserve_nohdr(dskb, sizeof(struct net_dm_drop_point));
nla->nla_len += NLA_ALIGN(sizeof(struct net_dm_drop_point));
memcpy(point->pc, &location, sizeof(void *));
point->count = 1;
msg->entries++;
if (!timer_pending(&data->send_timer)) {
data->send_timer.expires = jiffies + dm_delay * HZ;
Reported by FlawFinder.
Line: 606
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t payload_len)
{
u64 pc = (u64)(uintptr_t) NET_DM_SKB_CB(skb)->pc;
char buf[NET_DM_MAX_SYMBOL_LEN];
struct nlattr *attr;
void *hdr;
int rc;
hdr = genlmsg_put(msg, 0, 0, &net_drop_monitor_family, 0,
Reported by FlawFinder.
Line: 732
Column: 24
CWE codes:
126
/* NET_DM_ATTR_ORIGIN */
nla_total_size(sizeof(u16)) +
/* NET_DM_ATTR_HW_TRAP_GROUP_NAME */
nla_total_size(strlen(hw_metadata->trap_group_name) + 1) +
/* NET_DM_ATTR_HW_TRAP_NAME */
nla_total_size(strlen(hw_metadata->trap_name) + 1) +
/* NET_DM_ATTR_IN_PORT */
net_dm_in_port_size() +
/* NET_DM_ATTR_FLOW_ACTION_COOKIE */
Reported by FlawFinder.
Line: 734
Column: 24
CWE codes:
126
/* NET_DM_ATTR_HW_TRAP_GROUP_NAME */
nla_total_size(strlen(hw_metadata->trap_group_name) + 1) +
/* NET_DM_ATTR_HW_TRAP_NAME */
nla_total_size(strlen(hw_metadata->trap_name) + 1) +
/* NET_DM_ATTR_IN_PORT */
net_dm_in_port_size() +
/* NET_DM_ATTR_FLOW_ACTION_COOKIE */
net_dm_flow_action_cookie_size(hw_metadata) +
/* NET_DM_ATTR_TIMESTAMP */
Reported by FlawFinder.
kernel/trace/trace_selftest.c
5 issues
Line: 201
Column: 9
CWE codes:
126
/* Handle PPC64 '.' name */
func1_name = "*" __stringify(DYN_FTRACE_TEST_NAME);
func2_name = "*" __stringify(DYN_FTRACE_TEST_NAME2);
len1 = strlen(func1_name);
len2 = strlen(func2_name);
/*
* Probe 1 will trace function 1.
* Probe 2 will trace function 2.
Reported by FlawFinder.
Line: 202
Column: 9
CWE codes:
126
func1_name = "*" __stringify(DYN_FTRACE_TEST_NAME);
func2_name = "*" __stringify(DYN_FTRACE_TEST_NAME2);
len1 = strlen(func1_name);
len2 = strlen(func2_name);
/*
* Probe 1 will trace function 1.
* Probe 2 will trace function 2.
* Probe 3 will trace functions 1 and 2.
Reported by FlawFinder.
Line: 349
Column: 38
CWE codes:
126
func_name = "*" __stringify(DYN_FTRACE_TEST_NAME);
/* filter only on our function */
ftrace_set_global_filter(func_name, strlen(func_name), 1);
/* enable tracing */
ret = tracer_init(trace, tr);
if (ret) {
warn_failed_init_tracer(trace, ret);
Reported by FlawFinder.
Line: 473
Column: 8
CWE codes:
126
/* Handle PPC64 '.' name */
func_name = "*" __stringify(DYN_FTRACE_TEST_NAME);
len = strlen(func_name);
ret = ftrace_set_filter(&test_rec_probe, func_name, len, 1);
if (ret) {
pr_cont("*Could not set filter* ");
goto out;
Reported by FlawFinder.
Line: 589
Column: 8
CWE codes:
126
/* Handle PPC64 '.' name */
func_name = "*" __stringify(DYN_FTRACE_TEST_NAME);
len = strlen(func_name);
ret = ftrace_set_filter(&test_regs_probe, func_name, len, 1);
/*
* If DYNAMIC_FTRACE is not set, then we just trace all functions.
* This test really doesn't care.
Reported by FlawFinder.
net/netfilter/nf_conntrack_h323_main.c
5 issues
Line: 178
CWE codes:
908
}
tpktoff = 0;
} else { /* Next TPKT */
tpktoff = *dataoff + *datalen;
tcpdatalen -= tpktoff;
if (tcpdatalen <= 4) /* No more TPKT */
goto clear_out;
tpkt = *data + *datalen;
Reported by Cppcheck.
Line: 249
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
}
memcpy(addr, p, len);
memset((void *)addr + len, 0, sizeof(*addr) - len);
memcpy(port, p + len, sizeof(__be16));
return 1;
}
Reported by FlawFinder.
Line: 251
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(addr, p, len);
memset((void *)addr + len, 0, sizeof(*addr) - len);
memcpy(port, p + len, sizeof(__be16));
return 1;
}
static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
Reported by FlawFinder.
Line: 661
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
}
memcpy(addr, p, len);
memset((void *)addr + len, 0, sizeof(*addr) - len);
memcpy(port, p + len, sizeof(__be16));
return 1;
}
Reported by FlawFinder.
Line: 663
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(addr, p, len);
memset((void *)addr + len, 0, sizeof(*addr) - len);
memcpy(port, p + len, sizeof(__be16));
return 1;
}
static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
Reported by FlawFinder.
net/netfilter/nf_log_syslog.c
5 issues
Line: 37
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/*
 * ARP payload layout: source and destination hardware addresses of ETH_ALEN
 * bytes each, and source and destination addresses of 4 bytes each.
 *
 * NOTE(review): this is a declaration only; nothing is copied here. The
 * CWE-119/120 finding is raised on the fixed-size array, so triage it at the
 * code that fills or reads this struct (not in this excerpt) and confirm it
 * never moves more than sizeof(struct arppayload) bytes.
 */
struct arppayload {
/* The finding at line 37 appears to point at this member. */
unsigned char mac_src[ETH_ALEN];
unsigned char ip_src[4];
unsigned char mac_dst[ETH_ALEN];
unsigned char ip_dst[4];
};
Reported by FlawFinder.
Line: 38
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * ARP payload layout: source and destination hardware addresses of ETH_ALEN
 * bytes each, and source and destination addresses of 4 bytes each.
 *
 * NOTE(review): a fixed-size array declaration cannot overflow by itself.
 * Whether this CWE-119/120 finding matters depends on the code that fills or
 * reads the struct, which is not in this excerpt.
 */
struct arppayload {
unsigned char mac_src[ETH_ALEN];
/* The finding at line 38 appears to point at this member. */
unsigned char ip_src[4];
unsigned char mac_dst[ETH_ALEN];
unsigned char ip_dst[4];
};
static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb)
Reported by FlawFinder.
Line: 39
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * ARP payload layout: source and destination hardware addresses of ETH_ALEN
 * bytes each, and source and destination addresses of 4 bytes each.
 *
 * NOTE(review): a fixed-size array declaration cannot overflow by itself.
 * Whether this CWE-119/120 finding matters depends on the code that fills or
 * reads the struct, which is not in this excerpt.
 */
struct arppayload {
unsigned char mac_src[ETH_ALEN];
unsigned char ip_src[4];
/* The finding at line 39 appears to point at this member. */
unsigned char mac_dst[ETH_ALEN];
unsigned char ip_dst[4];
};
static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb)
{
Reported by FlawFinder.
Line: 40
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char mac_src[ETH_ALEN];
unsigned char ip_src[4];
unsigned char mac_dst[ETH_ALEN];
unsigned char ip_dst[4];
};
static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb)
{
u16 vid;
Reported by FlawFinder.
Line: 337
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if ((logflags & NF_LOG_IPOPT) &&
ih->ihl * 4 > sizeof(struct iphdr)) {
unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
const unsigned char *op;
unsigned int i, optsize;
optsize = ih->ihl * 4 - sizeof(struct iphdr);
op = skb_header_pointer(skb, iphoff + sizeof(_iph),
Reported by FlawFinder.
net/ipv4/cipso_ipv4.c
5 issues
Line: 1719
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
{
unsigned char optbuf[sizeof(struct ip_options) + 40];
struct ip_options *opt = (struct ip_options *)optbuf;
int res;
if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES)
return;
Reported by FlawFinder.
Line: 1872
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret_val = -ENOMEM;
goto socket_setattr_failure;
}
memcpy(opt->opt.__data, buf, buf_len);
opt->opt.optlen = opt_len;
opt->opt.cipso = sizeof(struct iphdr);
kfree(buf);
buf = NULL;
Reported by FlawFinder.
Line: 1949
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret_val = -ENOMEM;
goto req_setattr_failure;
}
memcpy(opt->opt.__data, buf, buf_len);
opt->opt.optlen = opt_len;
opt->opt.cipso = sizeof(struct iphdr);
kfree(buf);
buf = NULL;
Reported by FlawFinder.
Line: 2168
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret_val;
struct iphdr *iph;
struct ip_options *opt = &IPCB(skb)->opt;
unsigned char buf[CIPSO_V4_OPT_LEN_MAX];
u32 buf_len = CIPSO_V4_OPT_LEN_MAX;
u32 opt_len;
int len_delta;
ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
Reported by FlawFinder.
Line: 2218
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* fields populated and the checksum calculated - yes this means we
* are doing more work than needed but we do it to keep the core
* stack clean and tidy */
memcpy(iph + 1, buf, buf_len);
if (opt_len > buf_len)
memset((char *)(iph + 1) + buf_len, 0, opt_len - buf_len);
if (len_delta != 0) {
iph->ihl = 5 + (opt_len >> 2);
iph->tot_len = htons(skb->len);
Reported by FlawFinder.
net/ipv6/seg6_local.c
5 issues
Line: 1159
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nla)
return -EMSGSIZE;
memcpy(nla_data(nla), srh, len);
return 0;
}
static int cmp_nla_srh(struct seg6_local_lwt *a, struct seg6_local_lwt *b)
Reported by FlawFinder.
Line: 1251
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy the payload of the SEG6_LOCAL_NH4 attribute into slwt->nh4.
 * Always returns 0.
 *
 * The copy length is the compile-time constant sizeof(struct in_addr), not a
 * value taken from the attribute, so the write is bounded as long as
 * slwt->nh4 is at least that large (its declaration is not in this excerpt).
 *
 * NOTE(review): nothing in this function checks that attrs[SEG6_LOCAL_NH4]
 * is non-NULL or that its payload holds at least sizeof(struct in_addr)
 * bytes; a shorter payload would make memcpy() read past it. Presumably the
 * netlink attribute policy and the caller guarantee both -- confirm that the
 * policy enforces a minimum or exact length rather than only a maximum.
 */
static int parse_nla_nh4(struct nlattr **attrs, struct seg6_local_lwt *slwt)
{
memcpy(&slwt->nh4, nla_data(attrs[SEG6_LOCAL_NH4]),
sizeof(struct in_addr));
return 0;
}
Reported by FlawFinder.
Line: 1265
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nla)
return -EMSGSIZE;
memcpy(nla_data(nla), &slwt->nh4, sizeof(struct in_addr));
return 0;
}
static int cmp_nla_nh4(struct seg6_local_lwt *a, struct seg6_local_lwt *b)
Reported by FlawFinder.
Line: 1277
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy the payload of the SEG6_LOCAL_NH6 attribute into slwt->nh6.
 * Always returns 0.
 *
 * The copy length is the compile-time constant sizeof(struct in6_addr), not a
 * value taken from the attribute, so the write is bounded as long as
 * slwt->nh6 is at least that large (its declaration is not in this excerpt).
 *
 * NOTE(review): nothing in this function checks that attrs[SEG6_LOCAL_NH6]
 * is non-NULL or that its payload holds at least sizeof(struct in6_addr)
 * bytes; a shorter payload would make memcpy() read past it. Presumably the
 * netlink attribute policy and the caller guarantee both -- confirm that the
 * policy enforces a minimum or exact length rather than only a maximum.
 */
static int parse_nla_nh6(struct nlattr **attrs, struct seg6_local_lwt *slwt)
{
memcpy(&slwt->nh6, nla_data(attrs[SEG6_LOCAL_NH6]),
sizeof(struct in6_addr));
return 0;
}
Reported by FlawFinder.
Line: 1291
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nla)
return -EMSGSIZE;
memcpy(nla_data(nla), &slwt->nh6, sizeof(struct in6_addr));
return 0;
}
static int cmp_nla_nh6(struct seg6_local_lwt *a, struct seg6_local_lwt *b)
Reported by FlawFinder.
mm/util.c
5 issues
Line: 62
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = strlen(s) + 1;
buf = kmalloc_track_caller(len, gfp);
if (buf)
memcpy(buf, s, len);
return buf;
}
EXPORT_SYMBOL(kstrdup);
/**
Reported by FlawFinder.
Line: 108
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = strnlen(s, max);
buf = kmalloc_track_caller(len+1, gfp);
if (buf) {
memcpy(buf, s, len);
buf[len] = '\0';
}
return buf;
}
EXPORT_SYMBOL(kstrndup);
Reported by FlawFinder.
Line: 130
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = kmalloc_track_caller(len, gfp);
if (p)
memcpy(p, src, len);
return p;
}
EXPORT_SYMBOL(kmemdup);
/**
Reported by FlawFinder.
Line: 153
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf = kmalloc_track_caller(len + 1, gfp);
if (buf) {
memcpy(buf, s, len);
buf[len] = '\0';
}
return buf;
}
EXPORT_SYMBOL(kmemdup_nul);
Reported by FlawFinder.
Line: 59
Column: 8
CWE codes:
126
if (!s)
return NULL;
len = strlen(s) + 1;
buf = kmalloc_track_caller(len, gfp);
if (buf)
memcpy(buf, s, len);
return buf;
}
Reported by FlawFinder.
kernel/trace/trace_printk.c
5 issues
Line: 258
CWE codes:
570
{
const char **ptr = __start___tracepoint_str;
for (ptr = __start___tracepoint_str; ptr < __stop___tracepoint_str; ptr++) {
if (str == *ptr)
return true;
}
return false;
}
Reported by Cppcheck.
Line: 271
CWE codes:
570
int start_index;
int last_index;
start_index = __stop___trace_bprintk_fmt - __start___trace_bprintk_fmt;
if (*pos < start_index)
return __start___trace_bprintk_fmt + *pos;
/*
Reported by Cppcheck.
Line: 289
CWE codes:
570
* the ASCII text for userspace.
*/
last_index = start_index;
start_index = __stop___tracepoint_str - __start___tracepoint_str;
if (*pos < last_index + start_index)
return __start___tracepoint_str + (*pos - last_index);
start_index += last_index;
Reported by Cppcheck.
Line: 77
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
fmt = kmalloc(strlen(*iter) + 1, GFP_KERNEL);
if (fmt) {
list_add_tail(&tb_fmt->list, &trace_bprintk_fmt_list);
strcpy(fmt, *iter);
tb_fmt->fmt = fmt;
} else
kfree(tb_fmt);
}
*iter = fmt;
Reported by FlawFinder.
Line: 74
Column: 18
CWE codes:
126
fmt = NULL;
tb_fmt = kmalloc(sizeof(*tb_fmt), GFP_KERNEL);
if (tb_fmt) {
fmt = kmalloc(strlen(*iter) + 1, GFP_KERNEL);
if (fmt) {
list_add_tail(&tb_fmt->list, &trace_bprintk_fmt_list);
strcpy(fmt, *iter);
tb_fmt->fmt = fmt;
} else
Reported by FlawFinder.
kernel/irq/proc.c
5 issues
Line: 321
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void register_handler_proc(unsigned int irq, struct irqaction *action)
{
char name [MAX_NAMELEN];
struct irq_desc *desc = irq_to_desc(irq);
if (!desc->dir || action->dir || !action->name ||
!name_unique(irq, action))
return;
Reported by FlawFinder.
Line: 342
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
static DEFINE_MUTEX(register_lock);
void __maybe_unused *irqp = (void *)(unsigned long) irq;
char name [MAX_NAMELEN];
if (!root_irq_dir || (desc->irq_data.chip == &no_irq_chip))
return;
/*
Reported by FlawFinder.
Line: 357
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (desc->dir)
goto out_unlock;
sprintf(name, "%d", irq);
/* create /proc/irq/1234 */
desc->dir = proc_mkdir(name, root_irq_dir);
if (!desc->dir)
goto out_unlock;
Reported by FlawFinder.
Line: 395
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void unregister_irq_proc(unsigned int irq, struct irq_desc *desc)
{
char name [MAX_NAMELEN];
if (!root_irq_dir || !desc->dir)
return;
#ifdef CONFIG_SMP
remove_proc_entry("smp_affinity", desc->dir);
Reported by FlawFinder.
Line: 411
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
#endif
remove_proc_entry("spurious", desc->dir);
sprintf(name, "%u", irq);
remove_proc_entry(name, root_irq_dir);
}
#undef MAX_NAMELEN
Reported by FlawFinder.
kernel/trace/trace_osnoise.c
5 issues
Line: 1666
CWE codes:
685
mutex_lock(&interface_lock);
len = snprintf(NULL, 0, "%*pbl\n", cpumask_pr_args(&osnoise_cpumask)) + 1;
mask_str = kmalloc(len, GFP_KERNEL);
if (!mask_str) {
count = -ENOMEM;
goto out_unlock;
}
Reported by Cppcheck.
Line: 1673
CWE codes:
685
goto out_unlock;
}
len = snprintf(mask_str, len, "%*pbl\n", cpumask_pr_args(&osnoise_cpumask));
if (len >= count) {
count = -EINVAL;
goto out_free;
}
Reported by Cppcheck.
Line: 479
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
entry = ring_buffer_event_data(event);
memcpy(&entry->caller, fstack->calls, size);
entry->size = fstack->nr_entries;
if (!call_filter_check_discard(call, entry, buffer, event))
trace_buffer_unlock_commit_nostack(buffer, event);
Reported by FlawFinder.
Line: 1516
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct task_struct *kthread;
void *main = osnoise_main;
char comm[24];
#ifdef CONFIG_TIMERLAT_TRACER
if (osnoise_data.timerlat_tracer) {
snprintf(comm, 24, "timerlat/%d", cpu);
main = timerlat_main;
Reported by FlawFinder.
Line: 1718
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct trace_array *tr = osnoise_trace;
cpumask_var_t osnoise_cpumask_new;
int running, err;
char buf[256];
if (count >= 256)
return -EINVAL;
if (copy_from_user(buf, ubuf, count))
Reported by FlawFinder.