The following issues were found
net/caif/cfpkt_skbuff.c
5 issues
Line: 112
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct sk_buff *skb = pkt_to_skb(pkt);
if (skb_headlen(skb) >= len) {
memcpy(data, skb->data, len);
return 0;
}
return !cfpkt_extr_head(pkt, data, len) &&
!cfpkt_add_head(pkt, data, len);
}
Reported by FlawFinder.
Line: 140
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
from = skb_pull(skb, len);
from -= len;
if (data)
memcpy(data, from, len);
return 0;
}
EXPORT_SYMBOL(cfpkt_extr_head);
int cfpkt_extr_trail(struct cfpkt *pkt, void *dta, u16 len)
Reported by FlawFinder.
Line: 163
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
from = skb_tail_pointer(skb) - len;
skb_trim(skb, skb->len - len);
memcpy(data, from, len);
return 0;
}
int cfpkt_pad_trail(struct cfpkt *pkt, u16 len)
{
Reported by FlawFinder.
Line: 206
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* All set to put the last SKB and optionally write data there. */
to = pskb_put(skb, lastskb, len);
if (likely(data))
memcpy(to, data, len);
return 0;
}
inline int cfpkt_addbdy(struct cfpkt *pkt, u8 data)
{
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
to = skb_push(skb, len);
memcpy(to, data, len);
return 0;
}
EXPORT_SYMBOL(cfpkt_add_head);
inline int cfpkt_add_trail(struct cfpkt *pkt, const void *data, u16 len)
Reported by FlawFinder.
net/can/gw.c
5 issues
Line: 199
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Overwrite the payload of @cf with the bytes in mod->modframe.set.data.
 *
 * Triage note for the CWE-120 finding: the copy length is the compile-time
 * constant CANFD_MAX_DLEN, not a value read from the frame. The copy is in
 * bounds as long as both cf->data and mod->modframe.set.data hold at least
 * CANFD_MAX_DLEN bytes. Presumably both are struct canfd_frame payloads;
 * confirm against the definition of struct cf_mod, which is not shown here.
 */
static void mod_set_fddata(struct canfd_frame *cf, struct cf_mod *mod)
{
memcpy(cf->data, mod->modframe.set.data, CANFD_MAX_DLEN);
}
/* retrieve valid CC DLC value and store it into 'len' */
static void mod_retrieve_ccdlc(struct canfd_frame *cf)
{
Reported by FlawFinder.
Line: 286
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst->can_id = src->can_id;
dst->flags = src->flags;
dst->len = src->len;
memcpy(dst->data, src->data, CANFD_MAX_DLEN);
}
static int cgw_chk_csum_parms(s8 fr, s8 to, s8 re, struct rtcanmsg *r)
{
s8 dlen = CAN_MAX_DLEN;
Reported by FlawFinder.
Line: 1093
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* update modifications with disabled softirq & quit */
local_bh_disable();
memcpy(&gwj->mod, &mod, sizeof(mod));
local_bh_enable();
return 0;
}
}
Reported by FlawFinder.
Line: 1115
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gwj->limit_hops = limhops;
/* insert already parsed information */
memcpy(&gwj->mod, &mod, sizeof(mod));
memcpy(&gwj->ccgw, &ccgw, sizeof(ccgw));
err = -ENODEV;
gwj->src.dev = __dev_get_by_index(net, gwj->ccgw.src_idx);
Reported by FlawFinder.
Line: 1116
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* insert already parsed information */
memcpy(&gwj->mod, &mod, sizeof(mod));
memcpy(&gwj->ccgw, &ccgw, sizeof(ccgw));
err = -ENODEV;
gwj->src.dev = __dev_get_by_index(net, gwj->ccgw.src_idx);
Reported by FlawFinder.
include/net/neighbour.h
5 issues
Line: 153
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 dead;
u8 protocol;
seqlock_t ha_lock;
unsigned char ha[ALIGN(MAX_ADDR_LEN, sizeof(unsigned long))] __aligned(8);
struct hh_cache hh;
int (*output)(struct neighbour *, struct sk_buff *);
const struct neigh_ops *ops;
struct list_head gc_list;
struct rcu_head rcu;
Reported by FlawFinder.
Line: 456
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Seqlock read loop: the copy is repeated if read_seqretry() reports that
 * hh->hh_lock changed while it ran. The destination starts hh_alen bytes
 * before skb->data, i.e. it lies in the skb headroom.
 *
 * NOTE(review): no skb_headroom() test is visible in this excerpt, unlike
 * the findings at lines 480 and 487 of the same header, which check
 * skb_headroom() before copying. Presumably the caller guarantees the
 * headroom here; confirm.
 */
do {
seq = read_seqbegin(&hh->hh_lock);
hh_alen = HH_DATA_ALIGN(ETH_HLEN);
memcpy(skb->data - hh_alen, hh->hh_data, ETH_ALEN + hh_alen - ETH_HLEN);
} while (read_seqretry(&hh->hh_lock, seq));
return 0;
}
#endif
Reported by FlawFinder.
Line: 480
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (likely(skb_headroom(skb) >= HH_DATA_MOD)) {
/* this is inlined by gcc */
memcpy(skb->data - HH_DATA_MOD, hh->hh_data,
HH_DATA_MOD);
}
} else {
hh_alen = HH_DATA_ALIGN(hh_len);
Reported by FlawFinder.
Line: 487
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hh_alen = HH_DATA_ALIGN(hh_len);
if (likely(skb_headroom(skb) >= hh_alen)) {
memcpy(skb->data - hh_alen, hh->hh_data,
hh_alen);
}
}
} while (read_seqretry(&hh->hh_lock, seq));
Reported by FlawFinder.
Line: 553
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Seqlock read loop: copy dev->addr_len bytes of n->ha into dst, retrying
 * if n->ha_lock changed during the copy.
 *
 * Triage note for the CWE-120 finding: the source n->ha is declared with
 * ALIGN(MAX_ADDR_LEN, sizeof(unsigned long)) bytes (finding at line 153 of
 * this header), so the read is in bounds when dev->addr_len <= MAX_ADDR_LEN.
 * dst is supplied by the caller and its size is not visible here; confirm
 * that callers pass a buffer of at least dev->addr_len bytes.
 */
do {
seq = read_seqbegin(&n->ha_lock);
memcpy(dst, n->ha, dev->addr_len);
} while (read_seqretry(&n->ha_lock, seq));
}
static inline void neigh_update_is_router(struct neighbour *neigh, u32 flags,
int *notify)
Reported by FlawFinder.
net/ethtool/stats.c
5 issues
Line: 27
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define STATS_REPDATA(__reply_base) \
container_of(__reply_base, struct stats_reply_data, base)
/*
 * Name table indexed by ETHTOOL_STATS_* id; every row is a fixed slot of
 * ETH_GSTRING_LEN bytes.
 *
 * Triage note for the CWE-119/120 finding: the table is const and is filled
 * only by the literals below, so this declaration contains no runtime write
 * that could overflow. The property worth checking is that every literal is
 * shorter than ETH_GSTRING_LEN: C accepts a string literal that exactly
 * fills a char array and silently drops its NUL, which would leave that row
 * unterminated for any reader that treats it as a C string.
 */
const char stats_std_names[__ETHTOOL_STATS_CNT][ETH_GSTRING_LEN] = {
[ETHTOOL_STATS_ETH_PHY] = "eth-phy",
[ETHTOOL_STATS_ETH_MAC] = "eth-mac",
[ETHTOOL_STATS_ETH_CTRL] = "eth-ctrl",
[ETHTOOL_STATS_RMON] = "rmon",
};
Reported by FlawFinder.
Line: 34
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[ETHTOOL_STATS_RMON] = "rmon",
};
/*
 * Const name table indexed by ETHTOOL_A_STATS_ETH_PHY_* id, one
 * ETH_GSTRING_LEN-byte row per entry.
 *
 * Triage note: flagged only because it is a fixed-size char array. Nothing
 * writes to it at run time; the check that matters is that each literal
 * stays shorter than ETH_GSTRING_LEN so that its NUL terminator is kept.
 */
const char stats_eth_phy_names[__ETHTOOL_A_STATS_ETH_PHY_CNT][ETH_GSTRING_LEN] = {
[ETHTOOL_A_STATS_ETH_PHY_5_SYM_ERR] = "SymbolErrorDuringCarrier",
};
const char stats_eth_mac_names[__ETHTOOL_A_STATS_ETH_MAC_CNT][ETH_GSTRING_LEN] = {
[ETHTOOL_A_STATS_ETH_MAC_2_TX_PKT] = "FramesTransmittedOK",
Reported by FlawFinder.
Line: 38
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[ETHTOOL_A_STATS_ETH_PHY_5_SYM_ERR] = "SymbolErrorDuringCarrier",
};
const char stats_eth_mac_names[__ETHTOOL_A_STATS_ETH_MAC_CNT][ETH_GSTRING_LEN] = {
[ETHTOOL_A_STATS_ETH_MAC_2_TX_PKT] = "FramesTransmittedOK",
[ETHTOOL_A_STATS_ETH_MAC_3_SINGLE_COL] = "SingleCollisionFrames",
[ETHTOOL_A_STATS_ETH_MAC_4_MULTI_COL] = "MultipleCollisionFrames",
[ETHTOOL_A_STATS_ETH_MAC_5_RX_PKT] = "FramesReceivedOK",
[ETHTOOL_A_STATS_ETH_MAC_6_FCS_ERR] = "FrameCheckSequenceErrors",
Reported by FlawFinder.
Line: 63
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[ETHTOOL_A_STATS_ETH_MAC_25_TOO_LONG_ERR] = "FrameTooLongErrors",
};
/*
 * Const name table indexed by ETHTOOL_A_STATS_ETH_CTRL_* id, one
 * ETH_GSTRING_LEN-byte row per entry.
 *
 * Triage note: flagged only because it is a fixed-size char array. Nothing
 * writes to it at run time; the check that matters is that each literal
 * stays shorter than ETH_GSTRING_LEN so that its NUL terminator is kept.
 */
const char stats_eth_ctrl_names[__ETHTOOL_A_STATS_ETH_CTRL_CNT][ETH_GSTRING_LEN] = {
[ETHTOOL_A_STATS_ETH_CTRL_3_TX] = "MACControlFramesTransmitted",
[ETHTOOL_A_STATS_ETH_CTRL_4_RX] = "MACControlFramesReceived",
[ETHTOOL_A_STATS_ETH_CTRL_5_RX_UNSUP] = "UnsupportedOpcodesReceived",
};
Reported by FlawFinder.
Line: 69
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[ETHTOOL_A_STATS_ETH_CTRL_5_RX_UNSUP] = "UnsupportedOpcodesReceived",
};
/*
 * Const name table indexed by ETHTOOL_A_STATS_RMON_* id, one
 * ETH_GSTRING_LEN-byte row per entry.
 *
 * Triage note: flagged only because it is a fixed-size char array. Nothing
 * writes to it at run time; the check that matters is that each literal
 * stays shorter than ETH_GSTRING_LEN so that its NUL terminator is kept.
 */
const char stats_rmon_names[__ETHTOOL_A_STATS_RMON_CNT][ETH_GSTRING_LEN] = {
[ETHTOOL_A_STATS_RMON_UNDERSIZE] = "etherStatsUndersizePkts",
[ETHTOOL_A_STATS_RMON_OVERSIZE] = "etherStatsOversizePkts",
[ETHTOOL_A_STATS_RMON_FRAG] = "etherStatsFragments",
[ETHTOOL_A_STATS_RMON_JABBER] = "etherStatsJabbers",
};
Reported by FlawFinder.
kernel/gcov/fs.c
5 issues
Line: 532
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
node->parent = parent;
/*
 * Unbounded copy: nothing on these lines limits strlen(name) to the space
 * behind node->name.
 *
 * NOTE(review): the allocation reported at line 544 of this file sizes the
 * node as sizeof(struct gcov_node) + strlen(name) + 1. That makes this copy
 * fit if the same name string is used for both the allocation and this
 * call; confirm at the call site.
 */
if (name)
strcpy(node->name, name);
}
/*
* Create a new node and associated debugfs entry. Needs to be called with
* node_lock held.
Reported by FlawFinder.
Line: 740
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gcov_info_filename(info));
return;
}
memcpy(loaded_info, node->loaded_info,
num * sizeof(struct gcov_info *));
loaded_info[num] = info;
/* Check if the new data set is compatible. */
if (num == 0) {
/*
Reported by FlawFinder.
Line: 445
Column: 33
CWE codes:
126
const char *rel;
char *result;
if (strncmp(filename, objtree, strlen(objtree)) == 0) {
rel = filename + strlen(objtree) + 1;
if (ext->dir == SRC_TREE)
result = link_target(srctree, rel, ext->ext);
else
result = link_target(objtree, rel, ext->ext);
Reported by FlawFinder.
Line: 446
Column: 20
CWE codes:
126
char *result;
if (strncmp(filename, objtree, strlen(objtree)) == 0) {
rel = filename + strlen(objtree) + 1;
if (ext->dir == SRC_TREE)
result = link_target(srctree, rel, ext->ext);
else
result = link_target(objtree, rel, ext->ext);
} else {
Reported by FlawFinder.
Line: 544
Column: 44
CWE codes:
126
{
struct gcov_node *node;
node = kzalloc(sizeof(struct gcov_node) + strlen(name) + 1, GFP_KERNEL);
if (!node)
goto err_nomem;
if (info) {
node->loaded_info = kcalloc(1, sizeof(struct gcov_info *),
GFP_KERNEL);
Reported by FlawFinder.
include/uapi/linux/if_arp.h
5 issues
Line: 121
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sockaddr arp_ha; /* hardware address */
int arp_flags; /* flags */
struct sockaddr arp_netmask; /* netmask (only for proxy arps) */
char arp_dev[IFNAMSIZ];
};
struct arpreq_old {
struct sockaddr arp_pa; /* protocol address */
struct sockaddr arp_ha; /* hardware address */
Reported by FlawFinder.
Line: 155
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* Ethernet looks like this : This bit is variable sized however...
*/
unsigned char ar_sha[ETH_ALEN]; /* sender hardware address */
unsigned char ar_sip[4]; /* sender IP address */
unsigned char ar_tha[ETH_ALEN]; /* target hardware address */
unsigned char ar_tip[4]; /* target IP address */
#endif
Reported by FlawFinder.
Line: 156
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Ethernet looks like this : This bit is variable sized however...
*/
unsigned char ar_sha[ETH_ALEN]; /* sender hardware address */
unsigned char ar_sip[4]; /* sender IP address */
unsigned char ar_tha[ETH_ALEN]; /* target hardware address */
unsigned char ar_tip[4]; /* target IP address */
#endif
};
Reported by FlawFinder.
Line: 157
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
unsigned char ar_sha[ETH_ALEN]; /* sender hardware address */
unsigned char ar_sip[4]; /* sender IP address */
unsigned char ar_tha[ETH_ALEN]; /* target hardware address */
unsigned char ar_tip[4]; /* target IP address */
#endif
};
Reported by FlawFinder.
Line: 158
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char ar_sha[ETH_ALEN]; /* sender hardware address */
unsigned char ar_sip[4]; /* sender IP address */
unsigned char ar_tha[ETH_ALEN]; /* target hardware address */
unsigned char ar_tip[4]; /* target IP address */
#endif
};
Reported by FlawFinder.
net/dns_resolver/dns_key.c
5 issues
Line: 151
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
do {
int opt_len, opt_nlen;
const char *eq;
char optval[128];
next_opt = memchr(opt, '#', end - opt) ?: end;
opt_len = next_opt - opt;
if (opt_len <= 0 || opt_len > sizeof(optval)) {
pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
Reported by FlawFinder.
Line: 165
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * When eq is set, opt_nlen becomes the distance from opt to eq, eq is
 * stepped forward by one, and the bytes from there up to next_opt are copied
 * into optval and NUL-terminated. Otherwise opt_nlen is the whole option
 * length and optval is the empty string.
 *
 * NOTE(review): the first branch writes (next_opt - eq) + 1 bytes into
 * optval. The check reported at line 151 rejects opt_len > sizeof(optval).
 * If eq was found inside [opt, next_opt), then after eq++ the copy is at
 * most opt_len - 1 bytes and the terminator still lands inside the array.
 * How eq is computed is not shown in this excerpt; confirm.
 */
if (eq) {
opt_nlen = eq - opt;
eq++;
memcpy(optval, eq, next_opt - eq);
optval[next_opt - eq] = '\0';
} else {
opt_nlen = opt_len;
optval[0] = '\0';
}
Reported by FlawFinder.
Line: 218
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
upayload->datalen = result_len;
/*
 * Copies result_len bytes and then stores a terminator at index result_len,
 * so upayload->data needs room for result_len + 1 bytes.
 *
 * NOTE(review): the allocation of upayload is not part of this excerpt;
 * confirm that it reserves the extra byte for the terminator.
 */
memcpy(upayload->data, data, result_len);
upayload->data[result_len] = '\0';
prep->payload.data[dns_key_data] = upayload;
kleave(" = 0");
return 0;
Reported by FlawFinder.
Line: 256
Column: 9
CWE codes:
126
if (strcasecmp(src, dsp) == 0)
goto matched;
slen = strlen(src);
dlen = strlen(dsp);
if (slen <= 0 || dlen <= 0)
goto no_match;
if (src[slen - 1] == '.')
slen--;
Reported by FlawFinder.
Line: 257
Column: 9
CWE codes:
126
goto matched;
slen = strlen(src);
dlen = strlen(dsp);
if (slen <= 0 || dlen <= 0)
goto no_match;
if (src[slen - 1] == '.')
slen--;
if (dsp[dlen - 1] == '.')
Reported by FlawFinder.
net/ipv6/rpl_iptunnel.c
5 issues
Line: 111
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
}
memcpy(&rlwt->tuninfo.srh, srh, srh_len);
newts->type = LWTUNNEL_ENCAP_RPL;
newts->flags |= LWTUNNEL_STATE_INPUT_REDIRECT;
newts->flags |= LWTUNNEL_STATE_OUTPUT_REDIRECT;
Reported by FlawFinder.
Line: 146
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * isrh and csrh are two views into the same scratch buffer: isrh at its
 * start, csrh at offset (srh->hdrlen + 1) << 3.
 */
isrh = (struct ipv6_rpl_sr_hdr *)buf;
csrh = (struct ipv6_rpl_sr_hdr *)(buf + ((srh->hdrlen + 1) << 3));
/* Copy the fixed header, then the segment list starting at its second entry. */
memcpy(isrh, srh, sizeof(*isrh));
/*
 * NOTE(review): the copy length is (srh->segments_left - 1) * 16, and the
 * statement after it indexes rpl_segaddr[srh->segments_left - 1]. Both
 * expressions go wrong if segments_left is 0, and both rely on buf having
 * room for segments_left addresses. Neither the validation of srh nor the
 * size of buf is visible in this excerpt; confirm at the point where srh is
 * accepted from configuration.
 */
memcpy(isrh->rpl_segaddr, &srh->rpl_segaddr[1],
(srh->segments_left - 1) * 16);
isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr->daddr;
ipv6_rpl_srh_compress(csrh, isrh, &srh->rpl_segaddr[0],
Reported by FlawFinder.
Line: 147
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
csrh = (struct ipv6_rpl_sr_hdr *)(buf + ((srh->hdrlen + 1) << 3));
memcpy(isrh, srh, sizeof(*isrh));
memcpy(isrh->rpl_segaddr, &srh->rpl_segaddr[1],
(srh->segments_left - 1) * 16);
isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr->daddr;
ipv6_rpl_srh_compress(csrh, isrh, &srh->rpl_segaddr[0],
isrh->segments_left - 1);
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr = ipv6_hdr(skb);
memmove(hdr, oldhdr, sizeof(*hdr));
isrh = (void *)hdr + sizeof(*hdr);
memcpy(isrh, csrh, hdrlen);
isrh->nexthdr = hdr->nexthdr;
hdr->nexthdr = NEXTHDR_ROUTING;
hdr->daddr = srh->rpl_segaddr[0];
Reported by FlawFinder.
Line: 311
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EMSGSIZE;
data = nla_data(nla);
memcpy(data, tuninfo->srh, len);
return 0;
}
static int rpl_fill_encap_info(struct sk_buff *skb,
Reported by FlawFinder.
net/batman-adv/translation-table.c
5 issues
Line: 1030
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list_for_each_entry_safe(entry, safe, &bat_priv->tt.changes_list,
list) {
if (tt_diff_entries_count < tt_diff_entries_num) {
memcpy(tt_change + tt_diff_entries_count,
&entry->change,
sizeof(struct batadv_tvlv_tt_change));
tt_diff_entries_count++;
}
list_del(&entry->list);
Reported by FlawFinder.
Line: 1053
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
/*
 * NOTE(review): the buffer is allocated with tt_diff_len bytes, but the copy
 * below uses tt_change_len. The copy is in bounds only if
 * tt_change_len <= tt_diff_len. Where the two lengths are computed is not
 * shown in this excerpt; confirm that relation holds on every path.
 * Allocation failure is handled: the copy is skipped when kzalloc() returns
 * NULL.
 */
bat_priv->tt.last_changeset = kzalloc(tt_diff_len, GFP_ATOMIC);
if (bat_priv->tt.last_changeset) {
memcpy(bat_priv->tt.last_changeset,
tt_change, tt_change_len);
bat_priv->tt.last_changeset_len = tt_diff_len;
}
}
spin_unlock_bh(&bat_priv->tt.last_changeset_lock);
Reported by FlawFinder.
Line: 2641
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
orig_node->tt_buff_len = 0;
orig_node->tt_buff = kmalloc(tt_buff_len, GFP_ATOMIC);
if (orig_node->tt_buff) {
memcpy(orig_node->tt_buff, tt_buff, tt_buff_len);
orig_node->tt_buff_len = tt_buff_len;
}
}
spin_unlock_bh(&orig_node->tt_buff_lock);
}
Reported by FlawFinder.
Line: 3079
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto unlock;
/* Copy the last orig_node's OGM buffer */
memcpy(tt_change, req_dst_orig_node->tt_buff,
req_dst_orig_node->tt_buff_len);
spin_unlock_bh(&req_dst_orig_node->tt_buff_lock);
} else {
/* allocate the tvlv, put the tt_data and all the tt_vlan_data
* in the initial part
Reported by FlawFinder.
Line: 3206
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto unlock;
/* Copy the last orig_node's OGM buffer */
memcpy(tt_change, bat_priv->tt.last_changeset,
bat_priv->tt.last_changeset_len);
spin_unlock_bh(&bat_priv->tt.last_changeset_lock);
} else {
req_ttvn = (u8)atomic_read(&bat_priv->tt.vn);
Reported by FlawFinder.
net/batman-adv/bridge_loop_avoidance.c
5 issues
Line: 1290
CWE codes:
476
goto purge_now;
if (!batadv_compare_eth(backbone_gw->orig,
primary_if->net_dev->dev_addr))
goto skip;
if (!batadv_has_timed_out(claim->lasttime,
BATADV_BLA_CLAIM_TIMEOUT))
goto skip;
Reported by Cppcheck.
Line: 457
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct batadv_bla_backbone_gw *backbone_gw;
struct batadv_priv *bat_priv;
char vid_str[6] = { '\0' };
backbone_gw = container_of(work, struct batadv_bla_backbone_gw,
report_work);
bat_priv = backbone_gw->bat_priv;
Reported by FlawFinder.
Line: 663
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 mac[ETH_ALEN];
__be16 crc;
/*
 * Build mac from 4 bytes of batadv_announce_mac followed by the 2-byte CRC,
 * which is read under crc_lock and converted with htons().
 *
 * Triage note for the two CWE-120 findings here: both lengths are literals.
 * 4 + 2 fills mac exactly when ETH_ALEN is 6, and a __be16 is 2 bytes, so
 * the second copy reads all of crc and ends at the last byte of mac. The
 * size of batadv_announce_mac is not shown in this excerpt; confirm it is at
 * least 4 bytes. Deriving the lengths with sizeof would make the bound
 * visible at the call.
 */
memcpy(mac, batadv_announce_mac, 4);
spin_lock_bh(&backbone_gw->crc_lock);
crc = htons(backbone_gw->crc);
spin_unlock_bh(&backbone_gw->crc_lock);
memcpy(&mac[4], &crc, 2);
Reported by FlawFinder.
Line: 667
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_bh(&backbone_gw->crc_lock);
crc = htons(backbone_gw->crc);
spin_unlock_bh(&backbone_gw->crc_lock);
memcpy(&mac[4], &crc, 2);
batadv_bla_send_claim(bat_priv, mac, backbone_gw->vid,
BATADV_CLAIM_TYPE_ANNOUNCE);
}
Reported by FlawFinder.
Line: 1535
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla hash registering\n");
/* setting claim destination address */
memcpy(&bat_priv->bla.claim_dest.magic, claim_dest, 3);
bat_priv->bla.claim_dest.type = 0;
primary_if = batadv_primary_if_get_selected(bat_priv);
if (primary_if) {
crc = crc16(0, primary_if->net_dev->dev_addr, ETH_ALEN);
bat_priv->bla.claim_dest.group = htons(crc);
Reported by FlawFinder.