The following issues were found
lib/ubsan.c
5 issues
Line: 169
Column: 2
CWE codes:
119
120
Suggestion:
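Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Note: this rule appears to fire on the declaration of the fixed-size array `rhs_val_str[VALUE_LENGTH]` itself. What needs verifying is that every write into the buffer is bounded by `VALUE_LENGTH`; the excerpt does not show those writes.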
void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs)
{
struct overflow_data *data = _data;
char rhs_val_str[VALUE_LENGTH];
if (suppress_report(&data->location))
return;
ubsan_prologue(&data->location, "division-overflow");
Reported by FlawFinder.
Line: 278
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __ubsan_handle_out_of_bounds(void *_data, void *index)
{
struct out_of_bounds_data *data = _data;
char index_str[VALUE_LENGTH];
if (suppress_report(&data->location))
return;
ubsan_prologue(&data->location, "array-index-out-of-bounds");
Reported by FlawFinder.
Line: 297
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct shift_out_of_bounds_data *data = _data;
struct type_descriptor *rhs_type = data->rhs_type;
struct type_descriptor *lhs_type = data->lhs_type;
char rhs_str[VALUE_LENGTH];
char lhs_str[VALUE_LENGTH];
unsigned long ua_flags = user_access_save();
if (suppress_report(&data->location))
goto out;
Reported by FlawFinder.
Line: 298
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct type_descriptor *rhs_type = data->rhs_type;
struct type_descriptor *lhs_type = data->lhs_type;
char rhs_str[VALUE_LENGTH];
char lhs_str[VALUE_LENGTH];
unsigned long ua_flags = user_access_save();
if (suppress_report(&data->location))
goto out;
Reported by FlawFinder.
Line: 347
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __ubsan_handle_load_invalid_value(void *_data, void *val)
{
struct invalid_value_data *data = _data;
char val_str[VALUE_LENGTH];
if (suppress_report(&data->location))
return;
ubsan_prologue(&data->location, "invalid-load");
Reported by FlawFinder.
net/ipv4/ping.c
5 issues
Line: 455
CWE codes:
908
/*
 * Return nonzero when (family, type, code) names one of the four echo
 * messages accepted here: ICMP_ECHO or ICMP_EXT_ECHO for AF_INET,
 * ICMPV6_ECHO_REQUEST or ICMPV6_EXT_ECHO_REQUEST for AF_INET6, each with
 * code 0. Any other combination yields 0.
 *
 * All three arguments are passed by value and only compared against
 * constants; nothing is dereferenced in this function. Whether the values
 * were initialised is therefore decided by the caller (the call site in
 * this report passes icmph->type and icmph->code).
 */
static inline int ping_supported(int family, int type, int code)
{
return (family == AF_INET && type == ICMP_ECHO && code == 0) ||
(family == AF_INET && type == ICMP_EXT_ECHO && code == 0) ||
(family == AF_INET6 && type == ICMPV6_ECHO_REQUEST && code == 0) ||
(family == AF_INET6 && type == ICMPV6_EXT_ECHO_REQUEST && code == 0);
}
Reported by Cppcheck.
Line: 494
CWE codes:
908
/* We assume the packet has already been checked by icmp_unreach */
if (!ping_supported(family, icmph->type, icmph->code))
return;
pr_debug("ping_err(proto=0x%x,type=%d,code=%d,id=%04x,seq=%04x)\n",
skb->protocol, type, code, ntohs(icmph->un.echo.id),
ntohs(icmph->un.echo.sequence));
Reported by Cppcheck.
Line: 494
CWE codes:
908
/* We assume the packet has already been checked by icmp_unreach */
if (!ping_supported(family, icmph->type, icmph->code))
return;
pr_debug("ping_err(proto=0x%x,type=%d,code=%d,id=%04x,seq=%04x)\n",
skb->protocol, type, code, ntohs(icmph->un.echo.id),
ntohs(icmph->un.echo.sequence));
Reported by Cppcheck.
Line: 634
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pfh->wcheck = csum_partial((char *)&pfh->icmph,
sizeof(struct icmphdr), pfh->wcheck);
pfh->icmph.checksum = csum_fold(pfh->wcheck);
memcpy(icmp_hdr(skb), &pfh->icmph, sizeof(struct icmphdr));
skb->ip_summed = CHECKSUM_NONE;
return ip_push_pending_frames(sk, fl4);
}
int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
Reported by FlawFinder.
Line: 743
Column: 4
CWE codes:
120
Suggestion:
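Make sure destination can always hold the source data
Note: the copy length is `sizeof(*inet_opt) + inet_opt->opt.optlen`, so it depends on a runtime value. The relevant check is the declared size of `opt_copy` against the largest `optlen` that can reach this point; neither is visible in the excerpt.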
rcu_read_lock();
inet_opt = rcu_dereference(inet->inet_opt);
if (inet_opt) {
memcpy(&opt_copy, inet_opt,
sizeof(*inet_opt) + inet_opt->opt.optlen);
ipc.opt = &opt_copy.opt;
}
rcu_read_unlock();
}
Reported by FlawFinder.
net/ipv6/esp6.c
5 issues
Line: 655
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aead_request_set_ad(req, assoclen);
memset(iv, 0, ivlen);
memcpy(iv + ivlen - min(ivlen, 8), (u8 *)&esp->seqno + 8 - min(ivlen, 8),
min(ivlen, 8));
ESP_SKB_CB(skb)->tmp = tmp;
err = crypto_aead_encrypt(req);
Reported by FlawFinder.
Line: 1053
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int esp_init_aead(struct xfrm_state *x)
{
char aead_name[CRYPTO_MAX_ALG_NAME];
struct crypto_aead *aead;
int err;
err = -ENAMETOOLONG;
if (snprintf(aead_name, CRYPTO_MAX_ALG_NAME, "%s(%s)",
Reported by FlawFinder.
Line: 1089
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rtattr *rta;
char *key;
char *p;
char authenc_name[CRYPTO_MAX_ALG_NAME];
unsigned int keylen;
int err;
err = -EINVAL;
if (!x->ealg)
Reported by FlawFinder.
Line: 1141
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (x->aalg) {
struct xfrm_algo_desc *aalg_desc;
memcpy(p, x->aalg->alg_key, (x->aalg->alg_key_len + 7) / 8);
p += (x->aalg->alg_key_len + 7) / 8;
aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
BUG_ON(!aalg_desc);
Reported by FlawFinder.
Line: 1164
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
param->enckeylen = cpu_to_be32((x->ealg->alg_key_len + 7) / 8);
memcpy(p, x->ealg->alg_key, (x->ealg->alg_key_len + 7) / 8);
err = crypto_aead_setkey(aead, key, keylen);
free_key:
kfree(key);
Reported by FlawFinder.
net/decnet/dn_neigh.c
5 issues
Line: 140
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
neigh->output = neigh->ops->connected_output;
if ((dev->type == ARPHRD_IPGRE) || (dev->flags & IFF_POINTOPOINT))
memcpy(neigh->ha, dev->broadcast, dev->addr_len);
else if ((dev->type == ARPHRD_ETHER) || (dev->type == ARPHRD_LOOPBACK))
dn_dn2eth(neigh->ha, dn->addr);
else {
net_dbg_ratelimited("Trying to create neigh for hw %d\n",
dev->type);
Reported by FlawFinder.
Line: 178
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dst_entry *dst = skb_dst(skb);
struct dn_route *rt = (struct dn_route *)dst;
struct net_device *dev = neigh->dev;
char mac_addr[ETH_ALEN];
unsigned int seq;
int err;
dn_dn2eth(mac_addr, rt->rt_local_src);
do {
Reported by FlawFinder.
Line: 407
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
neigh->updated = jiffies;
if (neigh->dev->type == ARPHRD_ETHER)
memcpy(neigh->ha, &eth_hdr(skb)->h_source, ETH_ALEN);
dn->blksize = le16_to_cpu(msg->blksize);
dn->priority = msg->priority;
dn->flags &= ~DN_NDFLAG_P3;
Reported by FlawFinder.
Line: 466
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
neigh->updated = jiffies;
if (neigh->dev->type == ARPHRD_ETHER)
memcpy(neigh->ha, &eth_hdr(skb)->h_source, ETH_ALEN);
dn->flags &= ~(DN_NDFLAG_R1 | DN_NDFLAG_R2);
dn->blksize = le16_to_cpu(msg->blksize);
dn->priority = 0;
}
Reported by FlawFinder.
Line: 554
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct neighbour *n)
{
struct dn_neigh *dn = container_of(n, struct dn_neigh, n);
char buf[DN_ASCBUF_LEN];
read_lock(&n->lock);
seq_printf(seq, "%-7s %s%s%s %02x %02d %07ld %-8s\n",
dn_addr2asc(le16_to_cpu(dn->addr), buf),
(dn->flags&DN_NDFLAG_R1) ? "1" : "-",
Reported by FlawFinder.
include/linux/trace_events.h
5 issues
Line: 276
Column: 15
CWE codes:
78
Suggestion:
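try using a library call that implements the same functionality if available
Note: CWE-78 is OS command injection, and this message is the scanner's advice for calls to the C library `system()`. In the excerpt below, the reported position appears to fall on the struct member `const char *system;`, an identifier that only shares the name. No command is executed, so this reads as a name-match false positive. The other four findings in this file likewise show `system` only as a member or parameter name.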
};
struct trace_event_class {
const char *system;
void *probe;
#ifdef CONFIG_PERF_EVENTS
void *perf_probe;
#endif
int (*reg)(struct trace_event_call *event,
Reported by FlawFinder.
Line: 424
Column: 24
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
};
extern struct trace_event_file *trace_get_event_file(const char *instance,
const char *system,
const char *event);
extern void trace_put_event_file(struct trace_event_file *file);
#define MAX_DYNEVENT_CMD_LEN (2048)
Reported by FlawFinder.
Line: 580
Column: 30
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
struct event_filter __rcu *filter;
struct dentry *dir;
struct trace_array *tr;
struct trace_subsystem_dir *system;
struct list_head triggers;
/*
* 32 bit flags:
* bit 0: enabled
Reported by FlawFinder.
Line: 752
Column: 37
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
#define is_signed_type(type) (((type)(-1)) < (type)1)
int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set);
int trace_set_clr_event(const char *system, const char *event, int set);
int trace_array_set_clr_event(struct trace_array *tr, const char *system,
const char *event, bool enable);
/*
* The double __builtin_constant_p is because gcc will give us an error
* if we try to allocate the static variable to fmt if it is not a
Reported by FlawFinder.
Line: 753
Column: 67
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set);
int trace_set_clr_event(const char *system, const char *event, int set);
int trace_array_set_clr_event(struct trace_array *tr, const char *system,
const char *event, bool enable);
/*
* The double __builtin_constant_p is because gcc will give us an error
* if we try to allocate the static variable to fmt if it is not a
* constant. Even with the outer if statement optimizing out.
Reported by FlawFinder.
net/bridge/br_private.h
5 issues
Line: 58
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef __u16 port_id;
struct bridge_id {
unsigned char prio[2];
unsigned char addr[ETH_ALEN];
};
struct mac_addr {
unsigned char addr[ETH_ALEN];
Reported by FlawFinder.
Line: 59
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bridge_id {
unsigned char prio[2];
unsigned char addr[ETH_ALEN];
};
struct mac_addr {
unsigned char addr[ETH_ALEN];
};
Reported by FlawFinder.
Line: 63
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct mac_addr {
unsigned char addr[ETH_ALEN];
};
#ifdef CONFIG_BRIDGE_IGMP_SNOOPING
/* our own querier */
struct bridge_mcast_own_query {
Reported by FlawFinder.
Line: 244
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct net_bridge_port_group {
struct net_bridge_port_group __rcu *next;
struct net_bridge_port_group_sg_key key;
unsigned char eth_addr[ETH_ALEN] __aligned(2);
unsigned char flags;
unsigned char filter_mode;
unsigned char grp_query_rexmit_cnt;
unsigned char rt_protocol;
Reported by FlawFinder.
Line: 325
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
#ifdef CONFIG_SYSFS
char sysfs_name[IFNAMSIZ];
#endif
#ifdef CONFIG_NET_POLL_CONTROLLER
struct netpoll *np;
#endif
Reported by FlawFinder.
net/bluetooth/hidp/core.c
5 issues
Line: 42
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static DECLARE_WAIT_QUEUE_HEAD(hidp_session_wq);
static LIST_HEAD(hidp_session_list);
static unsigned char hidp_keycode[256] = {
0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36,
37, 38, 50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45,
21, 44, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 28, 1,
14, 15, 57, 12, 13, 26, 27, 43, 43, 39, 40, 41, 51, 52,
53, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 87, 88,
Reported by FlawFinder.
Line: 152
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct hidp_session *session = input_get_drvdata(dev);
unsigned char newleds;
unsigned char hdr, data[2];
BT_DBG("session %p type %d code %d value %d",
session, type, code, value);
if (type != EV_LED)
Reported by FlawFinder.
Line: 212
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(keys, udata, 8);
break;
case 0x02: /* Mouse report */
input_report_key(dev, BTN_LEFT, sdata[0] & 0x01);
input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02);
Reported by FlawFinder.
Line: 298
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb = session->report_return;
if (skb) {
len = skb->len < count ? skb->len : count;
memcpy(data, skb->data, len);
kfree_skb(skb);
session->report_return = NULL;
} else {
/* Device returned a HANDSHAKE, indicating protocol error. */
Reported by FlawFinder.
Line: 445
Column: 2
CWE codes:
120
Suggestion:
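Make sure destination can always hold the source data
Note: the excerpt clamps `len` to `HID_MAX_BUFFER_SIZE` immediately before the copy, so the finding holds only if `session->input_buf` is smaller than `HID_MAX_BUFFER_SIZE`. Its declaration is not shown here.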
if (len > HID_MAX_BUFFER_SIZE)
len = HID_MAX_BUFFER_SIZE;
memcpy(session->input_buf, data, len);
hid_input_report(session->hid, type, session->input_buf, len, intr);
}
static void hidp_process_handshake(struct hidp_session *session,
unsigned char param)
Reported by FlawFinder.
net/core/neighbour.c
5 issues
Line: 596
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(n->primary_key, pkey, key_len);
n->dev = dev;
dev_hold(dev);
/* Protocol specific setup. */
if (tbl->constructor && (error = tbl->constructor(n)) < 0) {
Reported by FlawFinder.
Line: 742
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
n->protocol = 0;
write_pnet(&n->net, net);
memcpy(n->key, pkey, key_len);
n->dev = dev;
if (dev)
dev_hold(dev);
if (tbl->pconstructor && tbl->pconstructor(n)) {
Reported by FlawFinder.
Line: 1352
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (lladdr != neigh->ha) {
write_seqlock(&neigh->ha_lock);
memcpy(&neigh->ha, lladdr, dev->addr_len);
write_sequnlock(&neigh->ha_lock);
neigh_update_hhs(neigh);
if (!(new & NUD_CONNECTED))
neigh->confirmed = jiffies -
(NEIGH_VAR(neigh->parms, BASE_REACHABLE_TIME) << 1);
Reported by FlawFinder.
Line: 2458
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
read_lock_bh(&neigh->lock);
ndm->ndm_state = neigh->nud_state;
if (neigh->nud_state & NUD_VALID) {
char haddr[MAX_ADDR_LEN];
neigh_ha_snapshot(haddr, neigh, neigh->dev);
if (nla_put(skb, NDA_LLADDR, neigh->dev->addr_len, haddr) < 0) {
read_unlock_bh(&neigh->lock);
goto nla_put_failure;
Reported by FlawFinder.
Line: 3631
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i;
struct neigh_sysctl_table *t;
const char *dev_name_source;
char neigh_path[ sizeof("net//neigh/") + IFNAMSIZ + IFNAMSIZ ];
char *p_name;
t = kmemdup(&neigh_sysctl_template, sizeof(*t), GFP_KERNEL);
if (!t)
goto err;
Reported by FlawFinder.
lib/test_scanf.c
5 issues
Line: 41
Column: 8
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
va_start(ap, n_args);
va_copy(ap_copy, ap);
ret = vsscanf(string, fmt, ap_copy);
va_end(ap_copy);
if (ret != n_args) {
pr_warn("vsscanf(\"%s\", \"%s\", ...) returned %d expected %d\n",
string, fmt, ret, n_args);
Reported by FlawFinder.
Line: 198
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
const T expect_val = (T)(val); \
T result = ~expect_val; /* should be overwritten */ \
\
snprintf(test_buffer, BUF_SIZE, gen_fmt, expect_val); \
_test(fn, &expect_val, test_buffer, "%" scan_fmt, 1, &result); \
} while (0)
#define simple_numbers_loop(T, gen_fmt, scan_fmt, fn) \
do { \
Reported by FlawFinder.
Line: 321
Column: 14
CWE codes:
134
Suggestion:
Use a constant for the format specification
int field_len;
va_start(ap, val_fmt);
field_len = vsnprintf(buf + *buf_pos, buf_len - *buf_pos, val_fmt, ap);
va_end(ap);
if (field_len < 0)
field_len = 0;
Reported by FlawFinder.
Line: 627
Column: 8
CWE codes:
134
Suggestion:
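Use a constant for the format specification
Note: `gen_fmt` is a macro parameter. In the same macro it is placed between adjacent string literals in the `pr_debug` and `pr_warn` calls, which only compiles when each expansion passes a string literal, so the format given to `snprintf` here is a compile-time constant.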
bool fail = false; \
\
total_tests++; \
len = snprintf(test_buffer, BUF_SIZE, gen_fmt, expect); \
got = (fn)(test_buffer, &endp, base); \
pr_debug(#fn "(\"%s\", %d) -> " gen_fmt "\n", test_buffer, base, got); \
if (got != (expect)) { \
fail = true; \
pr_warn(#fn "(\"%s\", %d): got " gen_fmt " expected " gen_fmt "\n", \
Reported by FlawFinder.
Line: 374
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define numbers_list_fix_width(T, gen_fmt, field_sep, width, scan_fmt, fn) \
do { \
char full_fmt[16]; \
\
snprintf(full_fmt, sizeof(full_fmt), "%u%s", width, scan_fmt); \
numbers_list_8(T, gen_fmt, field_sep, full_fmt, fn); \
} while (0)
Reported by FlawFinder.
lib/test_rhashtable.c
5 issues
Line: 516
Column: 15
CWE codes:
120
Suggestion:
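Use sprintf_s, snprintf, or vsnprintf
Note: kernel code has no `sprintf_s`. The bounded kernel idiom for this accumulate-into-a-buffer pattern is `scnprintf(buff + offset, sizeof(buff) - offset, ...)`, which returns the number of characters actually stored, so `offset` stays within the `char buff[512]` reported at line 489 of this file.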
list = rht_dereference(list->next, ht);
p = rht_obj(ht, pos);
offset += sprintf(buff + offset, " val %d (tid=%d)%s", p->value.id, p->value.tid,
list? ", " : " ");
cnt++;
} while (list);
pos = next,
Reported by FlawFinder.
Line: 525
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
next = !rht_is_a_nulls(pos) ?
rht_dereference(pos->next, ht) : NULL;
offset += sprintf(buff + offset, "]]%s", !rht_is_a_nulls(pos) ? " -> " : "");
}
}
printk(KERN_ERR "\n---- ht: ----%s\n-------------\n", buff);
mutex_unlock(&ht->mutex);
Reported by FlawFinder.
Line: 489
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct rhashtable *ht;
const struct bucket_table *tbl;
char buff[512] = "";
int offset = 0;
unsigned int i, cnt = 0;
ht = &rhlt->ht;
/* Take the mutex to avoid RCU warning */
Reported by FlawFinder.
Line: 505
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
next = !rht_is_a_nulls(pos) ? rht_dereference(pos->next, ht) : NULL;
if (!rht_is_a_nulls(pos)) {
offset += sprintf(buff + offset, "\nbucket[%d] -> ", i);
}
while (!rht_is_a_nulls(pos)) {
struct rhlist_head *list = container_of(pos, struct rhlist_head, rhead);
offset += sprintf(buff + offset, "[[");
Reported by FlawFinder.
Line: 510
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
while (!rht_is_a_nulls(pos)) {
struct rhlist_head *list = container_of(pos, struct rhlist_head, rhead);
offset += sprintf(buff + offset, "[[");
do {
pos = &list->rhead;
list = rht_dereference(list->next, ht);
p = rht_obj(ht, pos);
Reported by FlawFinder.