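The following issues were found by FlawFinder. FlawFinder matches source text against known risky patterns and does not track data flow, so each entry is a candidate to triage against the surrounding code rather than a confirmed defect.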
include/uapi/linux/videodev2.h
5 issues
Line: 906
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int APPn; /* Number of APP segment to be written,
* must be 0..15 */
int APP_len; /* Length of data in JPEG APPn segment */
char APP_data[60]; /* Data in the JPEG APPn segment. */
int COM_len; /* Length of data in JPEG COM segment */
char COM_data[60]; /* Data in JPEG COM segment */
__u32 jpeg_markers; /* Which markers should go into the JPEG
Reported by FlawFinder.
Line: 909
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char APP_data[60]; /* Data in the JPEG APPn segment. */
int COM_len; /* Length of data in JPEG COM segment */
char COM_data[60]; /* Data in JPEG COM segment */
__u32 jpeg_markers; /* Which markers should go into the JPEG
* output. Unless you exactly know what
* you do, leave them untouched.
* Including less markers will make the
Reported by FlawFinder.
Line: 1836
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct v4l2_query_ext_ctrl {
__u32 id;
__u32 type;
char name[32];
__s64 minimum;
__s64 maximum;
__u64 step;
__s64 default_value;
__u32 flags;
Reported by FlawFinder.
Line: 2472
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 type; /* Match type */
union { /* Match this chip, meaning determined by type */
__u32 addr;
char name[32];
};
} __attribute__ ((packed));
struct v4l2_dbg_register {
struct v4l2_dbg_match match;
Reported by FlawFinder.
Line: 2489
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * VIDIOC_DBG_G_CHIP_INFO
 *
 * Packed structure made of a match descriptor, a fixed 32-byte name
 * buffer, a flags word and 32 reserved words.
 */
struct v4l2_dbg_chip_info {
struct v4l2_dbg_match match;
/*
 * Fixed-size buffer: the declaration does not bound what is copied in
 * and does not guarantee NUL termination; review the code that fills
 * and reads it (not visible in this excerpt).
 */
char name[32];
__u32 flags;
__u32 reserved[32];
} __attribute__ ((packed));
/**
Reported by FlawFinder.
include/uapi/linux/atmlec.h
5 issues
Line: 64
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int sizeoftlvs; /* LANE2: if != 0, tlvs follow */
union {
struct {
unsigned char mac_addr[ETH_ALEN];
unsigned char atm_addr[ATM_ESA_LEN];
unsigned int flag; /*
* Topology_change flag,
* remoteflag, permanent flag,
* lecid, transaction id
Reported by FlawFinder.
Line: 65
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union {
struct {
unsigned char mac_addr[ETH_ALEN];
unsigned char atm_addr[ATM_ESA_LEN];
unsigned int flag; /*
* Topology_change flag,
* remoteflag, permanent flag,
* lecid, transaction id
*/
Reported by FlawFinder.
Line: 78
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
__u16 lec_id; /* requestor lec_id */
__u32 tran_id; /* transaction id */
unsigned char mac_addr[ETH_ALEN]; /* dst mac addr */
unsigned char atm_addr[ATM_ESA_LEN]; /* reqestor ATM addr */
} proxy; /*
* For mapping LE_ARP requests to responses. Filled by
* zeppelin, returned by kernel. Used only when proxying
*/
Reported by FlawFinder.
Line: 79
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u16 lec_id; /* requestor lec_id */
__u32 tran_id; /* transaction id */
unsigned char mac_addr[ETH_ALEN]; /* dst mac addr */
unsigned char atm_addr[ATM_ESA_LEN]; /* reqestor ATM addr */
} proxy; /*
* For mapping LE_ARP requests to responses. Filled by
* zeppelin, returned by kernel. Used only when proxying
*/
} content;
Reported by FlawFinder.
Line: 89
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Holds a device number, an ATM address of ATM_ESA_LEN bytes and a
 * receive/send selector.
 */
struct atmlec_ioc {
int dev_num;
/*
 * Fixed-size raw byte array sized by ATM_ESA_LEN; a copy into it stays
 * in bounds only if its length is limited by the same constant, which
 * has to be checked where the array is written (not visible in this
 * excerpt).
 */
unsigned char atm_addr[ATM_ESA_LEN];
unsigned char receive; /* 1= receive vcc, 0 = send vcc */
};
#endif /* _ATMLEC_H_ */
Reported by FlawFinder.
kernel/livepatch/core.c
5 issues
Line: 198
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *sec_objname)
{
int i, cnt, ret;
char sym_objname[MODULE_NAME_LEN];
char sym_name[KSYM_NAME_LEN];
Elf_Rela *relas;
Elf_Sym *sym;
unsigned long sympos, addr;
bool sym_vmlinux;
Reported by FlawFinder.
Line: 199
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i, cnt, ret;
char sym_objname[MODULE_NAME_LEN];
char sym_name[KSYM_NAME_LEN];
Elf_Rela *relas;
Elf_Sym *sym;
unsigned long sympos, addr;
bool sym_vmlinux;
bool sec_vmlinux = !strcmp(sec_objname, "vmlinux");
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *objname)
{
int cnt, ret;
char sec_objname[MODULE_NAME_LEN];
Elf_Shdr *sec = sechdrs + secndx;
/*
* Format: .klp.rela.sec_objname.section_name
* See comment in klp_resolve_symbols() for an explanation
Reported by FlawFinder.
Line: 730
Column: 6
CWE codes:
126
if (!func->new_func && !func->nop)
return -EINVAL;
if (strlen(func->old_name) >= KSYM_NAME_LEN)
return -EINVAL;
INIT_LIST_HEAD(&func->stack_node);
func->patched = false;
func->transition = false;
Reported by FlawFinder.
Line: 825
Column: 28
CWE codes:
126
int ret;
const char *name;
if (klp_is_module(obj) && strlen(obj->name) >= MODULE_NAME_LEN)
return -EINVAL;
obj->patched = false;
obj->mod = NULL;
Reported by FlawFinder.
include/uapi/linux/fd.h
5 issues
Line: 119
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* structure */
typedef char floppy_drive_name[16];
#define FDGETDRVTYP _IOR(2, 0x0f, floppy_drive_name)
/* get drive type: 5 1/4 or 3 1/2 */
/*
Reported by FlawFinder.
Line: 279
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* to bigger structures
*/
unsigned char track[4];
/* Position of the heads of the 4 units attached to this FDC,
* as stored on the FDC. In the future, the position as stored
* on the FDC might not agree with the actual physical
* position of these drive heads. By allowing such
* disagreement, it will be possible to reset the FDC without
Reported by FlawFinder.
Line: 376
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char cmd_count;
union {
struct {
unsigned char cmd[FD_RAW_CMD_SIZE];
unsigned char reply_count;
unsigned char reply[FD_RAW_REPLY_SIZE];
};
unsigned char fullcmd[FD_RAW_CMD_FULLSIZE];
};
Reported by FlawFinder.
Line: 378
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
unsigned char cmd[FD_RAW_CMD_SIZE];
unsigned char reply_count;
unsigned char reply[FD_RAW_REPLY_SIZE];
};
unsigned char fullcmd[FD_RAW_CMD_FULLSIZE];
};
int track;
int resultcode;
Reported by FlawFinder.
Line: 380
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char reply_count;
unsigned char reply[FD_RAW_REPLY_SIZE];
};
unsigned char fullcmd[FD_RAW_CMD_FULLSIZE];
};
int track;
int resultcode;
int reserved1;
Reported by FlawFinder.
net/core/flow_dissector.c
5 issues
Line: 475
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct flow_dissector_key_arp *key_arp;
struct {
unsigned char ar_sha[ETH_ALEN];
unsigned char ar_sip[4];
unsigned char ar_tha[ETH_ALEN];
unsigned char ar_tip[4];
} *arp_eth, _arp_eth;
const struct arphdr *arp;
Reported by FlawFinder.
Line: 476
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct flow_dissector_key_arp *key_arp;
struct {
unsigned char ar_sha[ETH_ALEN];
unsigned char ar_sip[4];
unsigned char ar_tha[ETH_ALEN];
unsigned char ar_tip[4];
} *arp_eth, _arp_eth;
const struct arphdr *arp;
struct arphdr _arp;
Reported by FlawFinder.
Line: 477
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
unsigned char ar_sha[ETH_ALEN];
unsigned char ar_sip[4];
unsigned char ar_tha[ETH_ALEN];
unsigned char ar_tip[4];
} *arp_eth, _arp_eth;
const struct arphdr *arp;
struct arphdr _arp;
Reported by FlawFinder.
Line: 478
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char ar_sha[ETH_ALEN];
unsigned char ar_sip[4];
unsigned char ar_tha[ETH_ALEN];
unsigned char ar_tip[4];
} *arp_eth, _arp_eth;
const struct arphdr *arp;
struct arphdr _arp;
if (!dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ARP))
Reported by FlawFinder.
Line: 1032
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
key_eth_addrs = skb_flow_dissector_target(flow_dissector,
FLOW_DISSECTOR_KEY_ETH_ADDRS,
target_container);
memcpy(key_eth_addrs, &eth->h_dest, sizeof(*key_eth_addrs));
}
proto_again:
fdret = FLOW_DISSECT_RET_CONTINUE;
Reported by FlawFinder.
lib/zlib_dfltcc/dfltcc.h
5 issues
Line: 25
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Parameter Block for Query Available Functions.
*/
struct dfltcc_qaf_param {
/*
 * All members are fixed-size char arrays (16 + 8 + 2 + 6 = 32 bytes).
 * The sizes fix the block layout; whether an access stays in bounds
 * depends on the code that fills and reads the block, which this
 * excerpt does not show.
 */
char fns[16];
char reserved1[8];
char fmts[2];
char reserved2[6];
};
Reported by FlawFinder.
Line: 26
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct dfltcc_qaf_param {
/*
 * All members are fixed-size char arrays (16 + 8 + 2 + 6 = 32 bytes).
 * The sizes fix the block layout; whether an access stays in bounds
 * depends on the code that fills and reads the block, which this
 * excerpt does not show.
 */
char fns[16];
char reserved1[8];
char fmts[2];
char reserved2[6];
};
static_assert(sizeof(struct dfltcc_qaf_param) == 32);
Reported by FlawFinder.
Line: 27
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dfltcc_qaf_param {
/*
 * All members are fixed-size char arrays (16 + 8 + 2 + 6 = 32 bytes).
 * The sizes fix the block layout; whether an access stays in bounds
 * depends on the code that fills and reads the block, which this
 * excerpt does not show.
 */
char fns[16];
char reserved1[8];
char fmts[2];
char reserved2[6];
};
static_assert(sizeof(struct dfltcc_qaf_param) == 32);
Reported by FlawFinder.
Line: 28
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char fns[16];
char reserved1[8];
char fmts[2];
char reserved2[6];
};
static_assert(sizeof(struct dfltcc_qaf_param) == 32);
#define DFLTCC_FMT0 0
Reported by FlawFinder.
Line: 100
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uLong block_size; /* New block each X bytes */
uLong block_threshold; /* New block after total_in > X */
uLong dht_threshold; /* New block only if avail_in >= X */
char msg[64]; /* Buffer for strm->msg */
};
/* Resides right after inflate_state or deflate_state */
#define GET_DFLTCC_STATE(state) ((struct dfltcc_state *)((state) + 1))
Reported by FlawFinder.
net/mac80211/scan.c
5 issues
Line: 101
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
clen = IEEE80211_MAX_SUPP_RATES;
if (clen > elems->supp_rates_len)
clen = elems->supp_rates_len;
memcpy(bss->supp_rates, elems->supp_rates, clen);
srlen += clen;
}
if (elems->ext_supp_rates) {
clen = IEEE80211_MAX_SUPP_RATES - srlen;
if (clen > elems->ext_supp_rates_len)
Reported by FlawFinder.
Line: 108
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
clen = IEEE80211_MAX_SUPP_RATES - srlen;
if (clen > elems->ext_supp_rates_len)
clen = elems->ext_supp_rates_len;
memcpy(bss->supp_rates + srlen, elems->ext_supp_rates,
clen);
srlen += clen;
}
if (srlen) {
bss->supp_rates_len = srlen;
Reported by FlawFinder.
Line: 502
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (info->aborted)
set_bit(SCAN_ABORTED, &local->scanning);
memcpy(&local->scan_info, info, sizeof(*info));
ieee80211_queue_delayed_work(&local->hw, &local->scan_work, 0);
}
EXPORT_SYMBOL(ieee80211_scan_completed);
Reported by FlawFinder.
Line: 757
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->mac_addr,
req->mac_addr_mask);
else
memcpy(local->scan_addr, sdata->vif.addr, ETH_ALEN);
if (hw_scan) {
__set_bit(SCAN_HW_SCANNING, &local->scanning);
} else if ((req->n_channels == 1) &&
(req->channels[0] == local->_oper_chandef.chan)) {
Reported by FlawFinder.
Line: 1209
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
local->int_scan_req->ssids = &local->scan_ssid;
local->int_scan_req->n_ssids = 1;
local->int_scan_req->scan_width = scan_width;
memcpy(local->int_scan_req->ssids[0].ssid, ssid, IEEE80211_MAX_SSID_LEN);
local->int_scan_req->ssids[0].ssid_len = ssid_len;
ret = __ieee80211_start_scan(sdata, sdata->local->int_scan_req);
unlock:
mutex_unlock(&local->mtx);
Reported by FlawFinder.
include/soc/tegra/bpmp-abi.h
5 issues
Line: 751
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/** @brief File name - Null-terminated string with maximum
* length @ref DEBUG_FNAME_MAX_SZ
*/
char name[DEBUG_FNAME_MAX_SZ];
} BPMP_ABI_PACKED;
/**
* @ingroup Debugfs
* @brief Response data for CMD_DEBUG_OPEN_RO/WO command
Reported by FlawFinder.
Line: 794
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/** @brief Size of data provided in this response in bytes */
uint32_t readlen;
/** @brief File data from seek position */
char data[DEBUG_READ_MAX_SZ];
} BPMP_ABI_PACKED;
/**
* @ingroup Debugfs
* @brief Maximum size of write data in bytes.
Reported by FlawFinder.
Line: 817
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/** @brief Size of write data in bytes */
uint32_t datalen;
/** @brief Data to be written */
char data[DEBUG_WRITE_MAX_SZ];
} BPMP_ABI_PACKED;
/**
* @ingroup Debugfs
* @brief Parameters for CMD_DEBUG_CLOSE command
Reported by FlawFinder.
Line: 2336
Column: 39
CWE codes:
120
20
/** @brief request type specific parameters. */
union {
struct cmd_ringbuf_console_query_abi_req query_abi;
struct cmd_ringbuf_console_read_req read;
struct cmd_ringbuf_console_write_req write;
struct cmd_ringbuf_console_get_fifo_req get_fifo;
} BPMP_UNION_ANON;
} BPMP_ABI_PACKED;
Reported by FlawFinder.
Line: 2350
Column: 39
CWE codes:
120
20
*/
union mrq_ringbuf_console_bpmp_to_host_response {
/*
 * Overlays four response structures, one member each for query_abi,
 * read, write and get_fifo. The members named read and write are data
 * members declared here; this union contains no function call.
 */
struct cmd_ringbuf_console_query_abi_resp query_abi;
struct cmd_ringbuf_console_read_resp read;
struct cmd_ringbuf_console_write_resp write;
struct cmd_ringbuf_console_get_fifo_resp get_fifo;
} BPMP_ABI_PACKED;
/** @} */
Reported by FlawFinder.
net/mac80211/sta_info.c
5 issues
Line: 375
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
#endif
memcpy(sta->addr, addr, ETH_ALEN);
memcpy(sta->sta.addr, addr, ETH_ALEN);
sta->sta.max_rx_aggregation_subframes =
local->hw.max_rx_aggregation_subframes;
/* Extended Key ID needs to install keys for keyid 0 and 1 Rx-only.
Reported by FlawFinder.
Line: 376
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#endif
memcpy(sta->addr, addr, ETH_ALEN);
memcpy(sta->sta.addr, addr, ETH_ALEN);
sta->sta.max_rx_aggregation_subframes =
local->hw.max_rx_aggregation_subframes;
/* Extended Key ID needs to install keys for keyid 0 and 1 Rx-only.
* The Tx path starts to use a key as soon as the key slot ptk_idx
Reported by FlawFinder.
Line: 1417
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nullfunc = skb_put(skb, size);
nullfunc->frame_control = fc;
nullfunc->duration_id = 0;
memcpy(nullfunc->addr1, sta->sta.addr, ETH_ALEN);
memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
memcpy(nullfunc->addr3, sdata->vif.addr, ETH_ALEN);
nullfunc->seq_ctrl = 0;
skb->priority = tid;
Reported by FlawFinder.
Line: 1418
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nullfunc->frame_control = fc;
nullfunc->duration_id = 0;
memcpy(nullfunc->addr1, sta->sta.addr, ETH_ALEN);
memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
memcpy(nullfunc->addr3, sdata->vif.addr, ETH_ALEN);
nullfunc->seq_ctrl = 0;
skb->priority = tid;
skb_set_queue_mapping(skb, ieee802_1d_to_ac[tid]);
Reported by FlawFinder.
Line: 1419
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nullfunc->duration_id = 0;
memcpy(nullfunc->addr1, sta->sta.addr, ETH_ALEN);
memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
memcpy(nullfunc->addr3, sdata->vif.addr, ETH_ALEN);
nullfunc->seq_ctrl = 0;
skb->priority = tid;
skb_set_queue_mapping(skb, ieee802_1d_to_ac[tid]);
if (qos) {
Reported by FlawFinder.
include/linux/swap.h
5 issues
Line: 119
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
union swap_header {
struct {
char reserved[PAGE_SIZE - 10];
char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */
} magic;
struct {
char bootbits[1024]; /* Space for disklabel etc. */
__u32 version;
Reported by FlawFinder.
Line: 120
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union swap_header {
struct {
char reserved[PAGE_SIZE - 10];
char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */
} magic;
struct {
char bootbits[1024]; /* Space for disklabel etc. */
__u32 version;
__u32 last_page;
Reported by FlawFinder.
Line: 123
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */
} magic;
struct {
char bootbits[1024]; /* Space for disklabel etc. */
__u32 version;
__u32 last_page;
__u32 nr_badpages;
unsigned char sws_uuid[16];
unsigned char sws_volume[16];
Reported by FlawFinder.
Line: 127
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 version;
__u32 last_page;
__u32 nr_badpages;
unsigned char sws_uuid[16];
unsigned char sws_volume[16];
__u32 padding[117];
__u32 badpages[1];
} info;
};
Reported by FlawFinder.
Line: 128
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 last_page;
__u32 nr_badpages;
unsigned char sws_uuid[16];
unsigned char sws_volume[16];
__u32 padding[117];
__u32 badpages[1];
} info;
};
Reported by FlawFinder.