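The following issues were found by FlawFinder, which matches risky C constructs (memcpy, sprintf, strncpy, fixed-size char arrays) by name and does not track buffer sizes or data flow. Treat each entry as a candidate for manual review rather than a confirmed defect: for example, the include/trace/events/rpcrdma.h entries at lines 639 and 1895 land on the macro argument `read` in DEFINE_RDCH_EVENT(read) and DEFINE_POST_CHUNK_EVENT(read), not on a call to read().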
net/mac80211/wep.c
4 issues
Line: 149
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = skb->len - (iv + IEEE80211_WEP_IV_LEN - skb->data);
/* Prepend 24-bit IV to RC4 key */
memcpy(rc4key, iv, 3);
/* Copy rest of the WEP key (the secret part) */
memcpy(rc4key + 3, key, keylen);
/* Add room for ICV */
Reported by FlawFinder.
Line: 152
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(rc4key, iv, 3);
/* Copy rest of the WEP key (the secret part) */
memcpy(rc4key + 3, key, keylen);
/* Add room for ICV */
skb_put(skb, IEEE80211_WEP_ICV_LEN);
return ieee80211_wep_encrypt_data(&local->wep_tx_ctx, rc4key, keylen + 3,
Reported by FlawFinder.
Line: 220
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
klen = 3 + key->conf.keylen;
/* Prepend 24-bit IV to RC4 key */
memcpy(rc4key, skb->data + hdrlen, 3);
/* Copy rest of the WEP key (the secret part) */
memcpy(rc4key + 3, key->conf.key, key->conf.keylen);
if (ieee80211_wep_decrypt_data(&local->wep_rx_ctx, rc4key, klen,
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(rc4key, skb->data + hdrlen, 3);
/* Copy rest of the WEP key (the secret part) */
memcpy(rc4key + 3, key->conf.key, key->conf.keylen);
if (ieee80211_wep_decrypt_data(&local->wep_rx_ctx, rc4key, klen,
skb->data + hdrlen +
IEEE80211_WEP_IV_LEN, len))
ret = -1;
Reported by FlawFinder.
kernel/seccomp.c
4 issues
Line: 2257
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int read_actions_logged(struct ctl_table *ro_table, void *buffer,
size_t *lenp, loff_t *ppos)
{
char names[sizeof(seccomp_actions_avail)];
struct ctl_table table;
memset(names, 0, sizeof(names));
if (!seccomp_names_from_actions_logged(names, sizeof(names),
Reported by FlawFinder.
Line: 2275
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int write_actions_logged(struct ctl_table *ro_table, void *buffer,
size_t *lenp, loff_t *ppos, u32 *actions_logged)
{
char names[sizeof(seccomp_actions_avail)];
struct ctl_table table;
int ret;
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
Reported by FlawFinder.
Line: 2304
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void audit_actions_logged(u32 actions_logged, u32 old_actions_logged,
int ret)
{
char names[sizeof(seccomp_actions_avail)];
char old_names[sizeof(seccomp_actions_avail)];
const char *new = names;
const char *old = old_names;
if (!audit_enabled)
Reported by FlawFinder.
Line: 2305
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret)
{
char names[sizeof(seccomp_actions_avail)];
char old_names[sizeof(seccomp_actions_avail)];
const char *new = names;
const char *old = old_names;
if (!audit_enabled)
return;
Reported by FlawFinder.
kernel/bpf/lpm_trie.c
4 issues
Line: 295
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
node->flags = 0;
if (value)
memcpy(node->data + trie->data_size, value,
trie->map.value_size);
return node;
}
Reported by FlawFinder.
Line: 340
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_node->prefixlen = key->prefixlen;
RCU_INIT_POINTER(new_node->child[0], NULL);
RCU_INIT_POINTER(new_node->child[1], NULL);
memcpy(new_node->data, key->data, trie->data_size);
/* Now find a slot to attach the new node. To do that, walk the tree
* from the root and match as many bits as possible for each node until
* we either find an empty slot or a slot that needs to be replaced by
* an intermediate node.
Reported by FlawFinder.
Line: 404
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
im_node->prefixlen = matchlen;
im_node->flags |= LPM_TREE_NODE_FLAG_IM;
memcpy(im_node->data, node->data, trie->data_size);
/* Now determine which child to install in which slot */
if (extract_bit(key->data, matchlen)) {
rcu_assign_pointer(im_node->child[0], node);
rcu_assign_pointer(im_node->child[1], new_node);
Reported by FlawFinder.
Line: 705
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
do_copy:
next_key->prefixlen = next_node->prefixlen;
memcpy((void *)next_key + offsetof(struct bpf_lpm_trie_key, data),
next_node->data, trie->data_size);
free_stack:
kfree(node_stack);
return err;
}
Reported by FlawFinder.
include/trace/events/rpcrdma.h
4 issues
Line: 507
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->inline_recv = ep->re_inline_recv;
__entry->max_send = ep->re_max_inline_send;
__entry->max_recv = ep->re_max_inline_recv;
memcpy(__entry->srcaddr, &id->route.addr.src_addr,
sizeof(struct sockaddr_in6));
memcpy(__entry->dstaddr, &id->route.addr.dst_addr,
sizeof(struct sockaddr_in6));
),
Reported by FlawFinder.
Line: 509
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->max_recv = ep->re_max_inline_recv;
memcpy(__entry->srcaddr, &id->route.addr.src_addr,
sizeof(struct sockaddr_in6));
memcpy(__entry->dstaddr, &id->route.addr.dst_addr,
sizeof(struct sockaddr_in6));
),
TP_printk("%pISpc -> %pISpc neg send/recv=%u/%u, calc send/recv=%u/%u",
__entry->srcaddr, __entry->dstaddr,
Reported by FlawFinder.
Line: 639
Column: 19
CWE codes:
120
20
)
);
DEFINE_RDCH_EVENT(read);
DEFINE_WRCH_EVENT(write);
DEFINE_WRCH_EVENT(reply);
TRACE_DEFINE_ENUM(rpcrdma_noch);
TRACE_DEFINE_ENUM(rpcrdma_noch_pullup);
Reported by FlawFinder.
Line: 1895
Column: 25
CWE codes:
120
20
), \
TP_ARGS(cid, sqecount))
DEFINE_POST_CHUNK_EVENT(read);
DEFINE_POST_CHUNK_EVENT(write);
DEFINE_POST_CHUNK_EVENT(reply);
DEFINE_COMPLETION_EVENT(svcrdma_wc_read);
DEFINE_COMPLETION_EVENT(svcrdma_wc_write);
Reported by FlawFinder.
net/bluetooth/rfcomm/tty.c
4 issues
Line: 50
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tty_port port;
struct list_head list;
char name[12];
int id;
unsigned long flags;
int err;
unsigned long status; /* don't export to userspace */
Reported by FlawFinder.
Line: 205
Column: 9
CWE codes:
120
Suggestion:
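Use sprintf_s, snprintf, or vsnprintf (generic advice: sprintf_s is not available in the kernel; for a device-attribute show callback like this one and the line 212 finding, the kernel helper sysfs_emit() bounds the write to the PAGE_SIZE sysfs buffer, where the tree provides it)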
struct device_attribute *attr, char *buf)
{
struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
return sprintf(buf, "%pMR\n", &dev->dst);
}
static ssize_t channel_show(struct device *tty_dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 212
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
return sprintf(buf, "%d\n", dev->channel);
}
static DEVICE_ATTR_RO(address);
static DEVICE_ATTR_RO(channel);
Reported by FlawFinder.
Line: 262
Column: 2
CWE codes:
120
Suggestion:
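Use sprintf_s, snprintf, or vsnprintf (here snprintf(dev->name, sizeof(dev->name), "rfcomm%d", dev->id) would make the bound explicit; if name is the 12-byte array from the line 50 finding, "rfcomm" plus the terminating NUL leaves 5 bytes for the number, so the unbounded sprintf is safe only while dev->id stays within 0..99999; confirm the range check on dev->id before this call)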
goto out;
}
sprintf(dev->name, "rfcomm%d", dev->id);
list_add(&dev->list, head);
bacpy(&dev->src, &req->src);
bacpy(&dev->dst, &req->dst);
Reported by FlawFinder.
net/netfilter/nft_tunnel.c
4 issues
Line: 207
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
if (tb[NFTA_TUNNEL_KEY_IP6_SRC]) {
memcpy(&info->key.u.ipv6.src,
nla_data(tb[NFTA_TUNNEL_KEY_IP6_SRC]),
sizeof(struct in6_addr));
}
if (tb[NFTA_TUNNEL_KEY_IP6_DST]) {
memcpy(&info->key.u.ipv6.dst,
Reported by FlawFinder.
Line: 212
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct in6_addr));
}
if (tb[NFTA_TUNNEL_KEY_IP6_DST]) {
memcpy(&info->key.u.ipv6.dst,
nla_data(tb[NFTA_TUNNEL_KEY_IP6_DST]),
sizeof(struct in6_addr));
}
if (tb[NFTA_TUNNEL_KEY_IP6_FLOWLABEL])
info->key.label = nla_get_be32(tb[NFTA_TUNNEL_KEY_IP6_FLOWLABEL]);
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (opts->len > IP_TUNNEL_OPTS_MAX)
return -EINVAL;
memcpy(opt->opt_data, nla_data(attr), data_len);
opt->length = data_len / 4;
opt->opt_class = nla_get_be16(tb[NFTA_TUNNEL_KEY_GENEVE_CLASS]);
opt->type = nla_get_u8(tb[NFTA_TUNNEL_KEY_GENEVE_TYPE]);
opts->flags = TUNNEL_GENEVE_OPT;
Reported by FlawFinder.
Line: 480
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!md)
return -ENOMEM;
memcpy(&md->u.tun_info, &info, sizeof(info));
#ifdef CONFIG_DST_CACHE
err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL);
if (err < 0) {
metadata_dst_free(md);
return err;
Reported by FlawFinder.
net/netfilter/nft_meta.c
4 issues
Line: 189
Column: 3
CWE codes:
120
case NFT_META_IIFKIND:
if (!in || !in->rtnl_link_ops)
return false;
strncpy((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ);
break;
case NFT_META_OIFKIND:
if (!out || !out->rtnl_link_ops)
return false;
strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
Reported by FlawFinder.
Line: 194
Column: 3
CWE codes:
120
case NFT_META_OIFKIND:
if (!out || !out->rtnl_link_ops)
return false;
strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
break;
default:
return false;
}
Reported by FlawFinder.
Line: 210
Column: 2
CWE codes:
120
/*
 * Store an interface name at @dest: dev->name when @dev is non-NULL,
 * otherwise the empty string.
 *
 * Triage note for the CWE-120 hit: strncpy() writes exactly IFNAMSIZ bytes,
 * zero-filling after a shorter name, so the write itself is bounded by
 * IFNAMSIZ. What review has to confirm is (a) that @dest has at least
 * IFNAMSIZ bytes behind it and (b) whether readers of @dest rely on a
 * terminating NUL, which strncpy() omits when the source is IFNAMSIZ bytes
 * or longer. The kernel's deprecated-API guidance prefers strscpy_pad() for
 * this copy-and-zero-pad pattern.
 * NOTE(review): dev->name is presumably a NUL-terminated char[IFNAMSIZ];
 * confirm against struct net_device.
 */
static void nft_meta_store_ifname(u32 *dest, const struct net_device *dev)
{
strncpy((char *)dest, dev ? dev->name : "", IFNAMSIZ);
}
static bool nft_meta_store_iftype(u32 *dest, const struct net_device *dev)
{
if (!dev)
Reported by FlawFinder.
Line: 815
Column: 44
CWE codes:
126
u32 tmp_secid = 0;
int err;
err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
if (err)
return err;
if (!tmp_secid)
return -ENOENT;
Reported by FlawFinder.
net/bridge/netfilter/ebt_log.c
4 issues
Line: 46
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/*
 * Four fixed-size byte arrays: two of ETH_ALEN bytes and two of 4 bytes.
 * NOTE(review): the field names suggest the source/destination MAC and IPv4
 * addresses of an ARP payload; confirm against the code that fills it.
 *
 * Triage note for the CWE-119/120 hits at lines 46-49: they appear to be one
 * per array member, and a declaration by itself cannot overflow. The review
 * target is every site that fills or indexes these members, checking that
 * the length used is bounded by sizeof the member or
 * sizeof(struct arppayload).
 */
struct arppayload {
unsigned char mac_src[ETH_ALEN];
unsigned char ip_src[4];
unsigned char mac_dst[ETH_ALEN];
unsigned char ip_dst[4];
};
Reported by FlawFinder.
Line: 47
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Same declaration as quoted for the line 46 finding. A fixed-size array
 * member is flagged by name only; review the sites that write into these
 * members and check the copied length against sizeof the member.
 */
struct arppayload {
unsigned char mac_src[ETH_ALEN];
unsigned char ip_src[4];
unsigned char mac_dst[ETH_ALEN];
unsigned char ip_dst[4];
};
static void
Reported by FlawFinder.
Line: 48
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Same declaration as quoted for the line 46 finding. A fixed-size array
 * member is flagged by name only; review the sites that write into these
 * members and check the copied length against sizeof the member.
 */
struct arppayload {
unsigned char mac_src[ETH_ALEN];
unsigned char ip_src[4];
unsigned char mac_dst[ETH_ALEN];
unsigned char ip_dst[4];
};
static void
print_ports(const struct sk_buff *skb, uint8_t protocol, int offset)
Reported by FlawFinder.
Line: 49
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char mac_src[ETH_ALEN];
unsigned char ip_src[4];
unsigned char mac_dst[ETH_ALEN];
unsigned char ip_dst[4];
};
static void
print_ports(const struct sk_buff *skb, uint8_t protocol, int offset)
{
Reported by FlawFinder.
include/trace/events/ib_mad.h
4 issues
Line: 319
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->mkey = smp->mkey;
__entry->dr_slid = smp->route.dr.dr_slid;
__entry->dr_dlid = smp->route.dr.dr_dlid;
memcpy(__entry->initial_path, smp->route.dr.initial_path,
OPA_SMP_MAX_PATH_HOPS);
memcpy(__entry->return_path, smp->route.dr.return_path,
OPA_SMP_MAX_PATH_HOPS);
),
Reported by FlawFinder.
Line: 321
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->dr_dlid = smp->route.dr.dr_dlid;
memcpy(__entry->initial_path, smp->route.dr.initial_path,
OPA_SMP_MAX_PATH_HOPS);
memcpy(__entry->return_path, smp->route.dr.return_path,
OPA_SMP_MAX_PATH_HOPS);
),
TP_printk("OPA SMP: hop_ptr %d hop_cnt %d " \
"mkey 0x%016llx dr_slid 0x%08x dr_dlid 0x%08x " \
Reported by FlawFinder.
Line: 364
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->mkey = smp->mkey;
__entry->dr_slid = smp->dr_slid;
__entry->dr_dlid = smp->dr_dlid;
memcpy(__entry->initial_path, smp->initial_path,
IB_SMP_MAX_PATH_HOPS);
memcpy(__entry->return_path, smp->return_path,
IB_SMP_MAX_PATH_HOPS);
),
Reported by FlawFinder.
Line: 366
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->dr_dlid = smp->dr_dlid;
memcpy(__entry->initial_path, smp->initial_path,
IB_SMP_MAX_PATH_HOPS);
memcpy(__entry->return_path, smp->return_path,
IB_SMP_MAX_PATH_HOPS);
),
TP_printk("OPA SMP: hop_ptr %d hop_cnt %d " \
"mkey 0x%016llx dr_slid 0x%04x dr_dlid 0x%04x " \
Reported by FlawFinder.
net/can/isotp.c
4 issues
Line: 431
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nskb)
return 1;
memcpy(skb_put(nskb, len), &cf->data[pcilen], len);
nskb->tstamp = skb->tstamp;
nskb->dev = skb->dev;
isotp_rcv_skb(nskb, sk);
return 0;
Reported by FlawFinder.
Line: 570
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nskb)
return 1;
memcpy(skb_put(nskb, so->rx.len), so->rx.buf,
so->rx.len);
nskb->tstamp = skb->tstamp;
nskb->dev = skb->dev;
isotp_rcv_skb(nskb, sk);
Reported by FlawFinder.
Line: 999
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (msg->msg_name) {
__sockaddr_check_size(ISOTP_MIN_NAMELEN);
msg->msg_namelen = ISOTP_MIN_NAMELEN;
memcpy(msg->msg_name, skb->cb, msg->msg_namelen);
}
skb_free_datagram(sk, skb);
return size;
Reported by FlawFinder.
Line: 1250
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(ll.tx_dl > CAN_MAX_DLEN || ll.tx_flags != 0))
return -EINVAL;
memcpy(&so->ll, &ll, sizeof(ll));
/* set ll_dl for tx path to similar place as for rx */
so->tx.ll_dl = ll.tx_dl;
} else {
return -EINVAL;
Reported by FlawFinder.