The following issues were found
fs/cifs/smb2pdu.h
5 issues
Line: 1004
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Number of chars in the ResumeKey array below. */
#define COPY_CHUNK_RES_KEY_SIZE 24
/*
 * Packed layout: a fixed-size resume key, a context length and a trailing
 * flexible array.
 * NOTE(review): the CWE-119/120 finding reported for this struct appears to
 * be on the fixed-size char array declaration, not on a copy. What needs
 * verifying is that every write into ResumeKey is limited to
 * COPY_CHUNK_RES_KEY_SIZE bytes; no such write is visible in this excerpt.
 */
struct resume_key_req {
char ResumeKey[COPY_CHUNK_RES_KEY_SIZE];
__le32 ContextLength; /* MBZ (must be zero) */
char Context[]; /* ignored, Windows sets to 4 bytes of zero; flexible array member, not counted by sizeof */
} __packed;
/* this goes in the ioctl buffer when doing a copychunk request */
Reported by FlawFinder.
Line: 1011
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* this goes in the ioctl buffer when doing a copychunk request */
struct copychunk_ioctl {
char SourceKey[COPY_CHUNK_RES_KEY_SIZE];
__le32 ChunkCount; /* we are only sending 1 */
__le32 Reserved;
/* array will only be one chunk long for us */
__le64 SourceOffset;
__le64 TargetOffset;
Reported by FlawFinder.
Line: 1765
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 Mode;
__le32 AlignmentRequirement;
__le32 FileNameLength; /* presumably the byte length of FileName - confirm against the protocol spec */
/*
 * NOTE(review): one-element array at the end of a packed struct. This looks
 * like the older variable-length-trailer idiom, in which case sizeof() covers
 * only one byte of the name. Code reading FileName should bound the read by
 * FileNameLength and by the size of the received buffer - confirm at the
 * users, which are not shown here.
 */
char FileName[1];
} __packed; /* level 18 Query */
/*
 * Single-field packed struct carrying a new end-of-file value.
 * NOTE(review): the two trailing comments cite different info levels
 * (10 and 20) - confirm which one applies.
 */
struct smb2_file_eof_info { /* encoding of request for level 10 */
__le64 EndOfFile; /* new end of file value */
} __packed; /* level 20 Set */
Reported by FlawFinder.
Line: 1810
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 EaSize; /* EA size */
__le32 ReparsePointTag; /* valid if FILE_ATTR_REPARSE_POINT set in FileAttributes */
__le64 UniqueId; /* inode num - le since Samba puts ino in low 32 bit */
char FileName[1];
} __packed; /* level 60 */
extern char smb2_padding[7];
/* equivalent of the contents of SMB3.1.1 POSIX open context response */
Reported by FlawFinder.
Line: 1813
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char FileName[1];
} __packed; /* level 60 */
extern char smb2_padding[7];
/* equivalent of the contents of SMB3.1.1 POSIX open context response */
struct create_posix_rsp {
u32 nlink;
u32 reparse_tag;
Reported by FlawFinder.
fs/jffs2/summary.c
5 issues
Line: 152
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
temp->type = rd->type;
temp->next = NULL;
/*
 * Copies rd->nsize bytes of the name into temp->name.
 * NOTE(review): the allocation of temp is above this excerpt, so whether
 * temp->name has room for nsize bytes (the CWE-120 question) cannot be
 * answered from these lines - check the allocation size and where
 * rd->nsize comes from.
 */
memcpy(temp->name, rd->name, rd->nsize);
return jffs2_sum_add_mem(s, (union jffs2_sum_mem *)temp);
}
#ifdef CONFIG_JFFS2_FS_XATTR
Reported by FlawFinder.
Line: 300
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (count) {
case 1:
memcpy(temp->name,node->d.name,node->d.nsize);
break;
case 2:
memcpy(temp->name,invecs[1].iov_base,node->d.nsize);
break;
Reported by FlawFinder.
Line: 304
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 2:
memcpy(temp->name,invecs[1].iov_base,node->d.nsize);
break;
default:
BUG(); /* impossible count value */
break;
Reported by FlawFinder.
Line: 464
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!fd)
return -ENOMEM;
/*
 * Copies checkedlen bytes and then writes a terminator at index checkedlen,
 * so fd->name must hold at least checkedlen + 1 bytes.
 * NOTE(review): both the computation of checkedlen and the allocation of fd
 * are above this excerpt - confirm that they agree.
 */
memcpy(&fd->name, spd->name, checkedlen);
fd->name[checkedlen] = 0;
ic = jffs2_scan_make_ino_cache(c, je32_to_cpu(spd->pino));
if (!ic) {
jffs2_free_full_dirent(fd);
Reported by FlawFinder.
Line: 748
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sdrnt_ptr->nsize = temp->d.nsize;
sdrnt_ptr->type = temp->d.type;
memcpy(sdrnt_ptr->name, temp->d.name,
temp->d.nsize);
wpage += JFFS2_SUMMARY_DIRENT_SIZE(temp->d.nsize);
break;
Reported by FlawFinder.
include/linux/counter.h
5 issues
Line: 17
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
COUNTER_COUNT_DIRECTION_FORWARD = 0,
COUNTER_COUNT_DIRECTION_BACKWARD
};
extern const char *const counter_count_direction_str[2];
enum counter_count_mode {
COUNTER_COUNT_MODE_NORMAL = 0,
COUNTER_COUNT_MODE_RANGE_LIMIT,
COUNTER_COUNT_MODE_NON_RECYCLE,
Reported by FlawFinder.
Line: 25
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
COUNTER_COUNT_MODE_NON_RECYCLE,
COUNTER_COUNT_MODE_MODULO_N
};
extern const char *const counter_count_mode_str[4];
struct counter_device;
struct counter_signal;
/**
Reported by FlawFinder.
Line: 39
Column: 12
CWE codes:
120
20
*/
struct counter_signal_ext {
const char *name;
ssize_t (*read)(struct counter_device *counter,
struct counter_signal *signal, void *priv, char *buf);
ssize_t (*write)(struct counter_device *counter,
struct counter_signal *signal, void *priv,
const char *buf, size_t len);
void *priv;
Reported by FlawFinder.
Line: 157
Column: 12
CWE codes:
120
20
*/
struct counter_count_ext {
const char *name;
ssize_t (*read)(struct counter_device *counter,
struct counter_count *count, void *priv, char *buf);
ssize_t (*write)(struct counter_device *counter,
struct counter_count *count, void *priv,
const char *buf, size_t len);
void *priv;
Reported by FlawFinder.
Line: 353
Column: 12
CWE codes:
120
20
*/
/*
 * Named extension with read/write callbacks and a private data pointer.
 * NOTE(review): the CWE-120/20 finding at column 12 lands on the member name
 * `read`. That is a function-pointer declaration, not a call to read(2), so
 * there is no copy here to bound. What is worth checking in implementations:
 * read() receives buf without a length, so the buffer size must be known by
 * convention (presumably a sysfs page - confirm); write() does receive len.
 */
struct counter_device_ext {
const char *name;
ssize_t (*read)(struct counter_device *counter, void *priv, char *buf);
ssize_t (*write)(struct counter_device *counter, void *priv,
const char *buf, size_t len);
void *priv;
};
Reported by FlawFinder.
fs/fuse/cuse.c
5 issues
Line: 582
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct cuse_conn *cc = dev_get_drvdata(dev);
/*
 * Output is one decimal int plus a newline, so its length is bounded by the
 * format itself.
 * NOTE(review): sprintf() takes no size argument and the size of buf is not
 * visible here (presumably the sysfs page buffer - confirm). sysfs_emit() is
 * the bounded helper for show callbacks in kernels that provide it.
 */
return sprintf(buf, "%d\n", atomic_read(&cc->fc.num_waiting));
}
static DEVICE_ATTR(waiting, 0400, cuse_class_waiting_show, NULL);
static ssize_t cuse_class_abort_store(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 234
Column: 7
CWE codes:
126
}
key = val = p;
p += strlen(p);
if (valp) {
strsep(&val, "=");
if (!val)
val = key + strlen(key);
Reported by FlawFinder.
Line: 239
Column: 16
CWE codes:
126
if (valp) {
strsep(&val, "=");
if (!val)
val = key + strlen(key);
key = strstrip(key);
val = strstrip(val);
} else
key = strstrip(key);
Reported by FlawFinder.
Line: 245
Column: 7
CWE codes:
126
} else
key = strstrip(key);
if (!strlen(key)) {
pr_err("zero length info key specified\n");
return -EINVAL;
}
*pp = p;
Reported by FlawFinder.
Line: 289
Column: 25
CWE codes:
126
pr_warn("unknown device info \"%s\"\n", key);
}
if (!devinfo->name || !strlen(devinfo->name)) {
pr_err("DEVNAME unspecified\n");
return -EINVAL;
}
return 0;
Reported by FlawFinder.
drivers/video/fbdev/savage/savagefb.h
5 issues
Line: 155
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct savage_reg {
unsigned char MiscOutReg; /* Misc */
unsigned char CRTC[25]; /* Crtc Controller */
unsigned char Sequencer[5]; /* Video Sequencer */
unsigned char Graphics[9]; /* Video Graphics */
unsigned char Attribute[21]; /* Video Attribute */
unsigned int mode, refresh;
Reported by FlawFinder.
Line: 156
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct savage_reg {
unsigned char MiscOutReg; /* Misc */
unsigned char CRTC[25]; /* Crtc Controller */
unsigned char Sequencer[5]; /* Video Sequencer */
unsigned char Graphics[9]; /* Video Graphics */
unsigned char Attribute[21]; /* Video Attribute */
unsigned int mode, refresh;
unsigned char SR08, SR0E, SR0F;
Reported by FlawFinder.
Line: 157
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char MiscOutReg; /* Misc */
unsigned char CRTC[25]; /* Crtc Controller */
unsigned char Sequencer[5]; /* Video Sequencer */
unsigned char Graphics[9]; /* Video Graphics */
unsigned char Attribute[21]; /* Video Attribute */
unsigned int mode, refresh;
unsigned char SR08, SR0E, SR0F;
unsigned char SR10, SR11, SR12, SR13, SR15, SR18, SR29, SR30;
Reported by FlawFinder.
Line: 158
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char CRTC[25]; /* Crtc Controller */
unsigned char Sequencer[5]; /* Video Sequencer */
unsigned char Graphics[9]; /* Video Graphics */
unsigned char Attribute[21]; /* Video Attribute */
unsigned int mode, refresh;
unsigned char SR08, SR0E, SR0F;
unsigned char SR10, SR11, SR12, SR13, SR15, SR18, SR29, SR30;
unsigned char SR54[8];
Reported by FlawFinder.
Line: 163
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int mode, refresh;
unsigned char SR08, SR0E, SR0F;
unsigned char SR10, SR11, SR12, SR13, SR15, SR18, SR29, SR30;
unsigned char SR54[8];
unsigned char Clock;
unsigned char CR31, CR32, CR33, CR34, CR36, CR3A, CR3B, CR3C;
unsigned char CR40, CR41, CR42, CR43, CR45;
unsigned char CR50, CR51, CR53, CR55, CR58, CR5B, CR5D, CR5E;
unsigned char CR60, CR63, CR65, CR66, CR67, CR68, CR69, CR6D, CR6F;
Reported by FlawFinder.
fs/nfsd/nfs3proc.c
5 issues
Line: 113
Column: 11
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
dprintk("nfsd: ACCESS(3) %s 0x%x\n",
SVCFH_fmt(&argp->fh),
argp->access);
/*
 * NOTE(review): the CWE-362/367 findings reported for these lines match the
 * identifier `access`. In the lines shown it is a struct member
 * (argp->access, resp->access), not a call to access(2), so the
 * check-then-open race the rule describes, and its setuid() suggestion, do
 * not map onto this code as shown.
 */
fh_copy(&resp->fh, &argp->fh);
resp->access = argp->access;
resp->status = nfsd_access(rqstp, &resp->fh, &resp->access, NULL);
return rpc_success;
Reported by FlawFinder.
Line: 116
Column: 23
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
argp->access);
fh_copy(&resp->fh, &argp->fh);
resp->access = argp->access;
resp->status = nfsd_access(rqstp, &resp->fh, &resp->access, NULL);
return rpc_success;
}
/*
Reported by FlawFinder.
Line: 117
Column: 54
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
fh_copy(&resp->fh, &argp->fh);
resp->access = argp->access;
resp->status = nfsd_access(rqstp, &resp->fh, &resp->access, NULL);
return rpc_success;
}
/*
* Read a symlink.
Reported by FlawFinder.
Line: 493
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset = argp->cookie;
resp->status = nfsd_readdir(rqstp, &resp->fh, &offset,
&resp->common, nfs3svc_encode_entry3);
/*
 * Fixed 8-byte copy of the verifier from the request into the reply.
 * NOTE(review): in bounds only if resp->verf and argp->verf are each at
 * least 8 bytes; their declarations are not in this excerpt - confirm. If
 * verf is an array, sizeof(resp->verf) would tie the length to the type.
 */
memcpy(resp->verf, argp->verf, 8);
nfs3svc_encode_cookie3(resp, offset);
/* Recycle only pages that were part of the reply */
rqstp->rq_next_page = resp->xdr.page_ptr + 1;
Reported by FlawFinder.
Line: 536
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
resp->status = nfsd_readdir(rqstp, &resp->fh, &offset,
&resp->common, nfs3svc_encode_entryplus3);
memcpy(resp->verf, argp->verf, 8);
nfs3svc_encode_cookie3(resp, offset);
/* Recycle only pages that were part of the reply */
rqstp->rq_next_page = resp->xdr.page_ptr + 1;
Reported by FlawFinder.
drivers/video/fbdev/sis/init.c
5 issues
Line: 2232
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short *idx2)
{
unsigned short temp1, temp2;
/* 8-entry read-only lookup table; the index used below is masked to 0..7. */
static const unsigned char ThTiming[8] = {
1, 2, 2, 3, 0, 1, 1, 2
};
temp1 = temp2 = (SiS_GetReg(SiS_Pr->SiS_P3c4,0x18) & 0x62) >> 1;
/* "& 0x07" keeps the index within the 8 entries of ThTiming, so this read stays in bounds. */
(*idx2) = (unsigned short)(ThTiming[((temp2 >> 3) | temp1) & 0x07]);
Reported by FlawFinder.
Line: 2246
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned short
SiS_GetFIFOThresholdA300(unsigned short idx1, unsigned short idx2)
{
static const unsigned char ThLowA[8 * 3] = {
61, 3,52, 5,68, 7,100,11,
43, 3,42, 5,54, 7, 78,11,
34, 3,37, 5,47, 7, 67,11
};
Reported by FlawFinder.
Line: 2258
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short
SiS_GetFIFOThresholdB300(unsigned short idx1, unsigned short idx2)
{
static const unsigned char ThLowB[8 * 3] = {
81, 4,72, 6,88, 8,120,12,
55, 4,54, 6,66, 8, 90,12,
42, 4,45, 6,55, 8, 75,12
};
Reported by FlawFinder.
Line: 2410
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short i, data, VCLK, MCLK16, colorth = 0;
unsigned int templ, datal;
const unsigned char *queuedata = NULL;
static const unsigned char FQBQData[21] = {
0x01,0x21,0x41,0x61,0x81,
0x31,0x51,0x71,0x91,0xb1,
0x00,0x20,0x40,0x60,0x80,
0x30,0x50,0x70,0x90,0xb0,
0xff
Reported by FlawFinder.
Line: 2417
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x30,0x50,0x70,0x90,0xb0,
0xff
};
static const unsigned char FQBQData730[16] = {
0x34,0x74,0xb4,
0x23,0x63,0xa3,
0x12,0x52,0x92,
0x01,0x41,0x81,
0x00,0x40,0x80,
Reported by FlawFinder.
fs/orangefs/protocol.h
5 issues
Line: 19
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* the last four bytes as an inum.
*/
/*
 * NOTE(review): the handle is a fixed 16-byte array. The declaration, which
 * is what the CWE-119/120 finding points at, performs no copy; the places to
 * check are the copies to and from u, which should never exceed
 * sizeof(kh->u).
 */
struct orangefs_khandle {
unsigned char u[16];
} __aligned(8);
/*
* kernel version of an object ref.
*/
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *p, int size)
{
/* Copies 16 bytes from kh->u to p, then zero-fills p from offset 16 onward. */
memcpy(p, kh->u, 16);
/*
 * NOTE(review): nothing in the lines shown checks size >= 16. With a smaller
 * size, "size - 16" is negative and becomes a very large length once
 * converted to memset's size_t parameter. Callers must guarantee
 * size >= 16 - confirm, or guard it here.
 */
memset(p + 16, 0, size - 16);
}
static inline void ORANGEFS_khandle_from(struct orangefs_khandle *kh,
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *p, int size)
{
/*
 * NOTE(review): size is not used in this body; 16 bytes are read from p
 * regardless, so p must reference at least 16 readable bytes - confirm at
 * the callers.
 */
memset(kh, 0, 16);
memcpy(kh->u, p, 16);
}
/* pvfs2-types.h ************************************************************/
Reported by FlawFinder.
Line: 218
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This structure is used by the VFS-client interaction alone */
/*
 * Two fixed-size buffers, each paired with a signed 32-bit size field.
 * NOTE(review): key_sz and val_sz are signed. Code that uses them as copy
 * lengths for key/val should reject negative values and values above
 * ORANGEFS_MAX_XATTR_NAMELEN / ORANGEFS_MAX_XATTR_VALUELEN before copying.
 * Presumably they describe the used part of each array - confirm at the users.
 */
struct ORANGEFS_keyval_pair {
char key[ORANGEFS_MAX_XATTR_NAMELEN];
__s32 key_sz; /* __s32 for portable, fixed-size structures */
__s32 val_sz;
char val[ORANGEFS_MAX_XATTR_VALUELEN];
};
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char key[ORANGEFS_MAX_XATTR_NAMELEN];
__s32 key_sz; /* __s32 for portable, fixed-size structures */
__s32 val_sz;
char val[ORANGEFS_MAX_XATTR_VALUELEN];
};
/* pvfs2-sysint.h ***********************************************************/
/* Describes attributes for a file, directory, or symlink. */
struct ORANGEFS_sys_attr_s {
Reported by FlawFinder.
fs/erofs/xattr.c
5 issues
Line: 364
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct getxattr_iter *it = container_of(_it, struct getxattr_iter, it);
/*
 * NOTE(review): no bound on processed + len is checked in this body. The
 * caller or an earlier handler presumably ensures the data fits in
 * it->buffer - confirm before relying on it.
 */
memcpy(it->buffer + processed, buf, len);
}
static const struct xattr_iter_handlers find_xattr_handlers = {
.entry = xattr_entrymatch,
.name = xattr_namematch,
Reported by FlawFinder.
Line: 562
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
+ entry->e_name_len + 1 > it->buffer_size)
return -ERANGE;
/*
 * The -ERANGE return above appears to reject entries that would not fit in
 * it->buffer_size (the start of that condition is cut off in this excerpt),
 * so the prefix copy below is reached only after the size comparison.
 */
memcpy(it->buffer + it->buffer_ofs, prefix, prefix_len);
it->buffer_ofs += prefix_len;
return 0;
}
static int xattr_namelist(struct xattr_iter *_it,
Reported by FlawFinder.
Line: 573
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct listxattr_iter *it =
container_of(_it, struct listxattr_iter, it);
/*
 * NOTE(review): no size check in these lines. This copy presumably relies
 * on a check made before the name is copied (not shown) - confirm that the
 * len bytes at buffer_ofs were accounted for there.
 */
memcpy(it->buffer + it->buffer_ofs, buf, len);
it->buffer_ofs += len;
return 0;
}
static int xattr_skipvalue(struct xattr_iter *_it,
Reported by FlawFinder.
Line: 456
Column: 16
CWE codes:
126
it.index = index;
it.name.len = strlen(name);
if (it.name.len > EROFS_NAME_LEN)
return -ERANGE;
it.name.name = name;
it.buffer = buffer;
Reported by FlawFinder.
Line: 551
Column: 15
CWE codes:
126
return 1;
prefix = xattr_prefix(h);
prefix_len = strlen(prefix);
if (!it->buffer) {
it->buffer_ofs += prefix_len + entry->e_name_len + 1;
return 1;
}
Reported by FlawFinder.
fs/xfs/xfs_quota.h
5 issues
Line: 122
CWE codes:
476
prid_t prid, uint flags, struct xfs_dquot **udqp,
struct xfs_dquot **gdqp, struct xfs_dquot **pdqp)
{
/*
 * All three out-parameters are written unconditionally, so a caller passing
 * NULL for any of them would fault here; that is the case the CWE-476
 * findings describe.
 * NOTE(review): whether any caller passes NULL is not visible in this
 * excerpt - check the call sites before treating this as a defect.
 */
*udqp = NULL;
*gdqp = NULL;
*pdqp = NULL;
return 0;
}
#define xfs_trans_dup_dqinfo(tp, tp2)
Reported by Cppcheck.
Line: 123
CWE codes:
476
struct xfs_dquot **gdqp, struct xfs_dquot **pdqp)
{
*udqp = NULL;
*gdqp = NULL;
*pdqp = NULL;
return 0;
}
#define xfs_trans_dup_dqinfo(tp, tp2)
#define xfs_trans_free_dqinfo(tp)
Reported by Cppcheck.
Line: 124
CWE codes:
476
{
*udqp = NULL;
*gdqp = NULL;
*pdqp = NULL;
return 0;
}
#define xfs_trans_dup_dqinfo(tp, tp2)
#define xfs_trans_free_dqinfo(tp)
#define xfs_trans_mod_dquot_byino(tp, ip, fields, delta) do { } while (0)
Reported by Cppcheck.
Line: 122
CWE codes:
476
prid_t prid, uint flags, struct xfs_dquot **udqp,
struct xfs_dquot **gdqp, struct xfs_dquot **pdqp)
{
*udqp = NULL;
*gdqp = NULL;
*pdqp = NULL;
return 0;
}
#define xfs_trans_dup_dqinfo(tp, tp2)
Reported by Cppcheck.
Line: 124
CWE codes:
476
{
*udqp = NULL;
*gdqp = NULL;
*pdqp = NULL;
return 0;
}
#define xfs_trans_dup_dqinfo(tp, tp2)
#define xfs_trans_free_dqinfo(tp)
#define xfs_trans_mod_dquot_byino(tp, ip, fields, delta) do { } while (0)
Reported by Cppcheck.