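The following issues were found by FlawFinder, which matches risky calls and fixed-size buffer declarations by pattern; each entry is a candidate for manual review, not a confirmed flaw. CWE codes used below: 119 (improper restriction of operations within the bounds of a memory buffer), 120 (buffer copy without checking size of input), 126 (buffer over-read).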
fs/f2fs/node.c
5 issues
Line: 156
Column: 2
CWE codes:
120
Suggestion:
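Make sure destination can always hold the source data. In this excerpt both pointers come from page_address() and the length is PAGE_SIZE, so the copy is one whole page to another; the point to confirm is that dst_page is a valid, full page.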
src_addr = page_address(src_page);
dst_addr = page_address(dst_page);
memcpy(dst_addr, src_addr, PAGE_SIZE);
set_page_dirty(dst_page);
f2fs_put_page(src_page, 1);
set_to_next_nat(nm_i, nid);
Reported by FlawFinder.
Line: 2632
Column: 2
CWE codes:
120
Suggestion:
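Make sure destination can always hold the source data. Here the length is inline_size, taken from inline_xattr_size(inode); confirm that the region at dst_addr is at least that large for the inode being updated.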
inline_size = inline_xattr_size(inode);
f2fs_wait_on_page_writeback(ipage, NODE, true, true);
memcpy(dst_addr, src_addr, inline_size);
update_inode:
f2fs_update_inode(inode, ipage);
f2fs_put_page(ipage, 1);
return 0;
}
Reported by FlawFinder.
Line: 2677
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
f2fs_update_inode_page(inode);
/* 3: update and set xattr node page dirty */
memcpy(F2FS_NODE(xpage), F2FS_NODE(page), VALID_XATTR_BLOCK_SIZE);
set_page_dirty(xpage);
f2fs_put_page(xpage, 1);
return 0;
Reported by FlawFinder.
Line: 2717
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src = F2FS_INODE(page);
dst = F2FS_INODE(ipage);
memcpy(dst, src, offsetof(struct f2fs_inode, i_ext));
dst->i_size = 0;
dst->i_blocks = cpu_to_le64(1);
dst->i_links = cpu_to_le32(1);
dst->i_xattr_nid = 0;
dst->i_inline = src->i_inline & (F2FS_INLINE_XATTR | F2FS_EXTRA_ATTR);
Reported by FlawFinder.
Line: 3053
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (IS_ERR(page))
return PTR_ERR(page);
memcpy(nm_i->nat_bits + (i << F2FS_BLKSIZE_BITS),
page_address(page), F2FS_BLKSIZE);
f2fs_put_page(page, 1);
}
cp_ver |= (cur_cp_crc(ckpt) << 32);
Reported by FlawFinder.
fs/xfs/libxfs/xfs_inode_fork.c
5 issues
Line: 55
Column: 3
CWE codes:
120
Suggestion:
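Make sure destination can always hold the source data. Here the buffer is allocated with real_size = roundup(mem_size, 4) while the copy uses size, and the zero_terminate branch writes one more byte at index size; callers therefore need mem_size of at least size, and at least size + 1 when zero_terminate is set.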
if (size) {
real_size = roundup(mem_size, 4);
ifp->if_u1.if_data = kmem_alloc(real_size, KM_NOFS);
memcpy(ifp->if_u1.if_data, data, size);
if (zero_terminate)
ifp->if_u1.if_data[size] = '\0';
} else {
ifp->if_u1.if_data = NULL;
}
Reported by FlawFinder.
Line: 427
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
* First copy over the btree block header.
*/
memcpy(new_broot, ifp->if_broot,
XFS_BMBT_BLOCK_LEN(ip->i_mount));
} else {
new_broot = NULL;
}
Reported by FlawFinder.
Line: 442
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
op = (char *)XFS_BMBT_REC_ADDR(mp, ifp->if_broot, 1);
np = (char *)XFS_BMBT_REC_ADDR(mp, new_broot, 1);
memcpy(np, op, new_max * (uint)sizeof(xfs_bmbt_rec_t));
/*
* Then copy the pointers.
*/
op = (char *)XFS_BMAP_BROOT_PTR_ADDR(mp, ifp->if_broot, 1,
Reported by FlawFinder.
Line: 451
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ifp->if_broot_bytes);
np = (char *)XFS_BMAP_BROOT_PTR_ADDR(mp, new_broot, 1,
(int)new_size);
memcpy(np, op, new_max * (uint)sizeof(xfs_fsblock_t));
}
kmem_free(ifp->if_broot);
ifp->if_broot = new_broot;
ifp->if_broot_bytes = (int)new_size;
if (ifp->if_broot)
Reported by FlawFinder.
Line: 617
Column: 4
CWE codes:
120
Suggestion:
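Make sure destination can always hold the source data. The only bound on ifp->if_bytes visible in this excerpt is an ASSERT; confirm whether that check is active in non-debug builds, or that if_bytes is limited to the fork size elsewhere.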
(ifp->if_bytes > 0)) {
ASSERT(ifp->if_u1.if_data != NULL);
ASSERT(ifp->if_bytes <= XFS_IFORK_SIZE(ip, whichfork));
memcpy(cp, ifp->if_u1.if_data, ifp->if_bytes);
}
break;
case XFS_DINODE_FMT_EXTENTS:
if ((iip->ili_fields & extflag[whichfork]) &&
Reported by FlawFinder.
fs/nls/nls_ascii.c
5 issues
Line: 16
Column: 14
CWE codes:
119
120
Suggestion:
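Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declarations in this file are static const 256-entry lookup tables, so nothing is copied into them; what needs review is that every index used to read them stays within 0-255.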
#include <linux/nls.h>
#include <linux/errno.h>
static const wchar_t charset2uni[256] = {
/* 0x00*/
0x0000, 0x0001, 0x0002, 0x0003,
0x0004, 0x0005, 0x0006, 0x0007,
0x0008, 0x0009, 0x000a, 0x000b,
0x000c, 0x000d, 0x000e, 0x000f,
Reported by FlawFinder.
Line: 59
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x007c, 0x007d, 0x007e, 0x007f,
};
static const unsigned char page00[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, /* 0x18-0x1f */
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, /* 0x20-0x27 */
Reported by FlawFinder.
Line: 78
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, /* 0x78-0x7f */
};
static const unsigned char *const page_uni2charset[256] = {
page00,
};
static const unsigned char charset2lower[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
Reported by FlawFinder.
Line: 82
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
page00,
};
static const unsigned char charset2lower[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, /* 0x18-0x1f */
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, /* 0x20-0x27 */
Reported by FlawFinder.
Line: 101
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, /* 0x78-0x7f */
};
static const unsigned char charset2upper[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, /* 0x18-0x1f */
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, /* 0x20-0x27 */
Reported by FlawFinder.
fs/hostfs/hostfs_kern.c
5 issues
Line: 112
Column: 3
CWE codes:
120
Suggestion:
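Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Here strcpy() moves the path at p down to name + len inside the same buffer; the checks that make it fit (the BUG_ON against name + PATH_MAX and the len > p - name test) are in the excerpt for source line 103 below. Source and destination may overlap, so a review should confirm that the copy routine tolerates this, or that memmove() is used instead.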
}
if (p > name + len)
strcpy(name + len, p);
return name;
}
static char *dentry_name(struct dentry *dentry)
Reported by FlawFinder.
Line: 93
Column: 8
CWE codes:
126
size_t len;
root = dentry->d_sb->s_fs_info;
len = strlen(root);
if (IS_ERR(p)) {
__putname(name);
return NULL;
}
Reported by FlawFinder.
Line: 103
Column: 13
CWE codes:
126
* This function relies on the fact that dentry_path_raw() will place
* the path name at the end of the provided buffer.
*/
BUG_ON(p + strlen(p) + 1 != name + PATH_MAX);
strlcpy(name, root, PATH_MAX);
if (len > p - name) {
__putname(name);
return NULL;
Reported by FlawFinder.
Line: 253
Column: 18
CWE codes:
126
static int hostfs_show_options(struct seq_file *seq, struct dentry *root)
{
const char *root_path = root->d_sb->s_fs_info;
size_t offset = strlen(root_ino) + 1;
if (strlen(root_path) > offset)
seq_show_option(seq, root_path + offset, NULL);
if (append)
Reported by FlawFinder.
Line: 255
Column: 6
CWE codes:
126
const char *root_path = root->d_sb->s_fs_info;
size_t offset = strlen(root_ino) + 1;
if (strlen(root_path) > offset)
seq_show_option(seq, root_path + offset, NULL);
if (append)
seq_puts(seq, ",append");
Reported by FlawFinder.
fs/nfs/mount_clnt.c
5 issues
Line: 360
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
fh->size = NFS2_FHSIZE;
memcpy(fh->data, p, NFS2_FHSIZE);
return 0;
}
static int mnt_xdr_dec_mountres(struct rpc_rqst *req,
struct xdr_stream *xdr,
Reported by FlawFinder.
Line: 419
Column: 2
CWE codes:
120
Suggestion:
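Make sure destination can always hold the source data. Here size is used both as fh->size and as the copy length, and is presumably decoded from the server's reply; the excerpt begins at a `return -EIO`, so confirm that the check above it rejects a size larger than fh->data.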
return -EIO;
fh->size = size;
memcpy(fh->data, p, size);
return 0;
}
static int decode_auth_flavors(struct xdr_stream *xdr, struct mountres *res)
{
Reported by FlawFinder.
Line: 177
Column: 6
CWE codes:
126
(info->hostname ? info->hostname : "server"),
info->dirpath);
if (strlen(info->dirpath) > MNTPATHLEN)
return -ENAMETOOLONG;
if (info->noresvport)
args.flags |= RPC_CLNT_CREATE_NONPRIVPORT;
Reported by FlawFinder.
Line: 264
Column: 6
CWE codes:
126
struct rpc_clnt *clnt;
int status;
if (strlen(info->dirpath) > MNTPATHLEN)
return;
if (info->noresvport)
args.flags |= RPC_CLNT_CREATE_NONPRIVPORT;
Reported by FlawFinder.
Line: 305
Column: 27
CWE codes:
126
/*
 * Write the mount path into the XDR stream: reserves 4 + strlen(pathname)
 * bytes and hands the path and its length to xdr_encode_opaque().
 *
 * NOTE(review): the excerpts for source lines 177 and 264 of this file reject
 * strlen(info->dirpath) > MNTPATHLEN; whether that value is the pathname
 * passed here is not visible in this excerpt - confirm against the callers.
 */
static void encode_mntdirpath(struct xdr_stream *xdr, const char *pathname)
{
/* The strlen() call is what FlawFinder flags (CWE-126): it relies on pathname being NUL-terminated. */
const u32 pathname_len = strlen(pathname);
__be32 *p;
/* NOTE(review): p is passed on without a NULL check here; confirm xdr_reserve_space() cannot fail for this request size. */
p = xdr_reserve_space(xdr, 4 + pathname_len);
xdr_encode_opaque(p, pathname, pathname_len);
}
Reported by FlawFinder.
fs/btrfs/xattr.c
5 issues
Line: 486
Column: 3
CWE codes:
120
Suggestion:
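Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The allocation that these two strcpy() calls write into is shown in the excerpt for source line 481 below: it is sized XATTR_SECURITY_PREFIX_LEN + strlen(xattr->name) + 1, which matches the prefix plus the name plus the terminator, provided xattr->name is not changed between the strlen() and the copy.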
err = -ENOMEM;
break;
}
strcpy(name, XATTR_SECURITY_PREFIX);
strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name);
err = btrfs_setxattr(trans, inode, name, xattr->value,
xattr->value_len, 0);
kfree(name);
if (err < 0)
Reported by FlawFinder.
Line: 487
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
break;
}
strcpy(name, XATTR_SECURITY_PREFIX);
strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name);
err = btrfs_setxattr(trans, inode, name, xattr->value,
xattr->value_len, 0);
kfree(name);
if (err < 0)
break;
Reported by FlawFinder.
Line: 39
Column: 10
CWE codes:
126
/* lookup the xattr by name */
di = btrfs_lookup_xattr(NULL, root, path, btrfs_ino(BTRFS_I(inode)),
name, strlen(name), 0);
if (!di) {
ret = -ENODATA;
goto out;
} else if (IS_ERR(di)) {
ret = PTR_ERR(di);
Reported by FlawFinder.
Line: 86
Column: 20
CWE codes:
126
struct btrfs_root *root = BTRFS_I(inode)->root;
struct btrfs_fs_info *fs_info = root->fs_info;
struct btrfs_path *path;
size_t name_len = strlen(name);
int ret = 0;
ASSERT(trans);
if (name_len + size > BTRFS_MAX_XATTR_SIZE(root->fs_info))
Reported by FlawFinder.
Line: 481
Column: 11
CWE codes:
126
nofs_flag = memalloc_nofs_save();
for (xattr = xattr_array; xattr->name != NULL; xattr++) {
name = kmalloc(XATTR_SECURITY_PREFIX_LEN +
strlen(xattr->name) + 1, GFP_KERNEL);
if (!name) {
err = -ENOMEM;
break;
}
strcpy(name, XATTR_SECURITY_PREFIX);
Reported by FlawFinder.
fs/nfsd/export.c
5 issues
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
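Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Here type[5] is written only by snprintf(type, 5, ...), which is bounded; the remaining concern is truncation if ek_fsidtype ever needs more than four characters.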
{
/* client fsidtype \xfsid */
struct svc_expkey *ek = container_of(h, struct svc_expkey, h);
char type[5];
qword_add(bpp, blen, ek->ek_client->name);
snprintf(type, 5, "%d", ek->ek_fsidtype);
qword_add(bpp, blen, type);
qword_addhex(bpp, blen, (char*)ek->ek_fsid, key_len(ek->ek_fsidtype));
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
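Make sure destination can always hold the source data. Here the copy length is len and the destination is the fixed-size key.ek_fsid; the excerpt does not show where len is set, so confirm that it is checked against the size of ek_fsid (or against key_len(fsidtype)) before this line.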
key.ek_client = dom;
key.ek_fsidtype = fsidtype;
memcpy(key.ek_fsid, buf, len);
ek = svc_expkey_lookup(cd, &key);
err = -ENOMEM;
if (!ek)
goto out;
Reported by FlawFinder.
Line: 908
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
key.ek_client = clp;
key.ek_fsidtype = fsid_type;
memcpy(key.ek_fsid, fsidv, key_len(fsid_type));
ek = svc_expkey_lookup(cd, &key);
if (ek == NULL)
return ERR_PTR(-ENOMEM);
err = cache_check(cd, &ek->h, reqp);
Reported by FlawFinder.
Line: 1010
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -EINVAL;
else
err = 0;
memcpy(f, &fh.fh_handle, sizeof(struct knfsd_fh));
fh_put(&fh);
exp_put(exp);
out:
path_put(&path);
return err;
Reported by FlawFinder.
Line: 1188
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct flags {
int flag;
char *name[2];
} expflags[] = {
{ NFSEXP_READONLY, {"ro", "rw"}},
{ NFSEXP_INSECURE_PORT, {"insecure", ""}},
{ NFSEXP_ROOTSQUASH, {"root_squash", "no_root_squash"}},
{ NFSEXP_ALLSQUASH, {"all_squash", ""}},
Reported by FlawFinder.
fs/orangefs/orangefs-kernel.h
5 issues
Line: 187
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* per inode private orangefs info */
struct orangefs_inode_s {
struct orangefs_object_kref refn;
char link_target[ORANGEFS_NAME_MAX];
/*
* Reading/Writing Extended attributes need to acquire the appropriate
* reader/writer semaphore on the orangefs_inode_s structure.
*/
struct rw_semaphore xattr_sem;
Reported by FlawFinder.
Line: 215
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int flags;
#define ORANGEFS_OPT_INTR 0x01
#define ORANGEFS_OPT_LOCAL_LOCK 0x02
char devname[ORANGEFS_MAX_SERVER_ADDR_LEN];
struct super_block *sb;
int mount_pending;
int no_list;
struct list_head list;
};
Reported by FlawFinder.
Line: 231
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct orangefs_cached_xattr {
struct hlist_node node;
char key[ORANGEFS_MAX_XATTR_NAMELEN];
char val[ORANGEFS_MAX_XATTR_VALUELEN];
ssize_t length;
unsigned long timeout;
};
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct orangefs_cached_xattr {
struct hlist_node node;
char key[ORANGEFS_MAX_XATTR_NAMELEN];
char val[ORANGEFS_MAX_XATTR_VALUELEN];
ssize_t length;
unsigned long timeout;
};
struct orangefs_write_range {
Reported by FlawFinder.
Line: 264
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline ino_t orangefs_khandle_to_ino(struct orangefs_khandle *khandle)
{
union {
unsigned char u[8];
__u64 ino;
} ihandle;
ihandle.u[0] = khandle->u[0] ^ khandle->u[4];
ihandle.u[1] = khandle->u[1] ^ khandle->u[5];
Reported by FlawFinder.
fs/orangefs/downcall.h
5 issues
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct orangefs_getattr_response {
struct ORANGEFS_sys_attr_s attributes;
char link_target[ORANGEFS_NAME_MAX];
};
struct orangefs_mkdir_response {
struct orangefs_object_kref refn;
};
Reported by FlawFinder.
Line: 62
Column: 2
CWE codes:
119
120
Suggestion:
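Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The declaration itself is a fixed-size field; the check belongs in the code that consumes this response, which should reject a val_sz that is negative or larger than ORANGEFS_MAX_XATTR_VALUELEN before reading val.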
struct orangefs_getxattr_response {
__s32 val_sz;
__s32 __pad1;
char val[ORANGEFS_MAX_XATTR_VALUELEN];
};
/* the listxattr response is an array of attribute names */
struct orangefs_listxattr_response {
__s32 returned_count;
Reported by FlawFinder.
Line: 70
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__s32 returned_count;
__s32 __pad1;
__u64 token;
char key[ORANGEFS_MAX_XATTR_LISTLEN * ORANGEFS_MAX_XATTR_NAMELEN];
__s32 keylen;
__s32 __pad2;
__s32 lengths[ORANGEFS_MAX_XATTR_LISTLEN];
};
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define PERF_COUNT_BUF_SIZE 4096
struct orangefs_perf_count_response {
char buffer[PERF_COUNT_BUF_SIZE];
};
#define FS_KEY_BUF_SIZE 4096
struct orangefs_fs_key_response {
__s32 fs_keylen;
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct orangefs_fs_key_response {
__s32 fs_keylen;
__s32 __pad1;
char fs_key[FS_KEY_BUF_SIZE];
};
/* 2.9.6 */
struct orangefs_features_response {
__u64 features;
Reported by FlawFinder.
fs/openpromfs/inode.c
5 issues
Line: 78
Column: 12
CWE codes:
126
if (is_string(pval, len)) {
while (len > 0) {
int n = strlen(pval);
seq_printf(f, "%s", (char *) pval);
/* Skip over the NULL byte too. */
pval += n + 1;
Reported by FlawFinder.
Line: 205
Column: 11
CWE codes:
126
child = dp->child;
while (child) {
const char *node_name = kbasename(child->full_name);
int n = strlen(node_name);
if (len == n &&
!strncmp(node_name, name, len)) {
ent_type = op_inode_node;
ent_data.node = child;
Reported by FlawFinder.
Line: 219
Column: 11
CWE codes:
126
prop = dp->properties;
while (prop) {
int n = strlen(prop->name);
if (len == n && !strncmp(prop->name, name, len)) {
ent_type = op_inode_prop;
ent_data.prop = prop;
ino = prop->unique_id;
Reported by FlawFinder.
Line: 304
Column: 8
CWE codes:
126
while (child) {
if (!dir_emit(ctx,
kbasename(child->full_name),
strlen(kbasename(child->full_name)),
child->unique_id, DT_DIR))
goto out;
ctx->pos++;
child = child->sibling;
Reported by FlawFinder.
Line: 319
Column: 34
CWE codes:
126
i--;
}
while (prop) {
if (!dir_emit(ctx, prop->name, strlen(prop->name),
prop->unique_id, DT_REG))
goto out;
ctx->pos++;
prop = prop->next;
Reported by FlawFinder.