The following issues were found
net/can/j1939/transport.c
4 issues
Line: 649
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return PTR_ERR(skb);
skdat = skb_put(skb, 8);
memcpy(skdat, dat, 5);
skdat[5] = (pgn >> 0);
skdat[6] = (pgn >> 8);
skdat[7] = (pgn >> 16);
return j1939_send_one(priv, skb);
Reported by FlawFinder.
Line: 821
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(&dat[1], &tpdat[offset], len);
ret = j1939_tp_tx_dat(session, dat, len + 1);
if (ret < 0) {
/* ENOBUS == CAN interface TX queue is full */
if (ret != -ENOBUFS)
netdev_alert(priv->ndev,
Reported by FlawFinder.
Line: 1522
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
can_skb_prv(skb)->ifindex = priv->ndev->ifindex;
can_skb_prv(skb)->skbcnt = 0;
skcb = j1939_skb_to_cb(skb);
memcpy(skcb, rel_skcb, sizeof(*skcb));
session = j1939_session_new(priv, skb, size);
if (!session) {
kfree_skb(skb);
return NULL;
Reported by FlawFinder.
Line: 1838
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tpdat = se_skb->data;
if (!session->transmission) {
memcpy(&tpdat[offset], &dat[1], nbytes);
} else {
int err;
err = memcmp(&tpdat[offset], &dat[1], nbytes);
if (err)
Reported by FlawFinder.
include/trace/events/bridge.h
4 issues
Line: 29
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TP_fast_assign(
__assign_str(dev, dev->name);
memcpy(__entry->addr, addr, ETH_ALEN);
__entry->vid = vid;
__entry->nlh_flags = nlh_flags;
__entry->ndm_flags = ndm->ndm_flags;
),
Reported by FlawFinder.
Line: 59
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TP_fast_assign(
__assign_str(br_dev, br->dev->name);
__assign_str(dev, p ? p->dev->name : "null");
memcpy(__entry->addr, addr, ETH_ALEN);
__entry->vid = vid;
),
TP_printk("br_dev %s port %s addr %02x:%02x:%02x:%02x:%02x:%02x vid %u",
__get_str(br_dev), __get_str(dev), __entry->addr[0],
Reported by FlawFinder.
Line: 85
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TP_fast_assign(
__assign_str(br_dev, br->dev->name);
__assign_str(dev, f->dst ? f->dst->dev->name : "null");
memcpy(__entry->addr, f->key.addr.addr, ETH_ALEN);
__entry->vid = f->key.vlan_id;
),
TP_printk("br_dev %s dev %s addr %02x:%02x:%02x:%02x:%02x:%02x vid %u",
__get_str(br_dev), __get_str(dev), __entry->addr[0],
Reported by FlawFinder.
Line: 113
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TP_fast_assign(
__assign_str(br_dev, br->dev->name);
__assign_str(dev, source->dev->name);
memcpy(__entry->addr, addr, ETH_ALEN);
__entry->vid = vid;
__entry->flags = flags;
),
TP_printk("br_dev %s source %s addr %02x:%02x:%02x:%02x:%02x:%02x vid %u flags 0x%lx",
Reported by FlawFinder.
include/trace/trace_events.h
4 issues
Line: 675
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
#undef __assign_str
#define __assign_str(dst, src) \
strcpy(__get_str(dst), (src) ? (const char *)(src) : "(null)");
#undef __bitmask
#define __bitmask(item, nr_bits) __dynamic_array(unsigned long, item, -1)
#undef __get_bitmask
Reported by FlawFinder.
Line: 116
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct trace_event_raw_##name { \
struct trace_entry ent; \
tstruct \
char __data[0]; \
}; \
\
static struct trace_event_class event_class_##name;
#undef DEFINE_EVENT
Reported by FlawFinder.
Line: 685
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#undef __assign_bitmask
#define __assign_bitmask(dst, src, nr_bits) \
memcpy(__get_bitmask(dst), (src), __bitmask_size_in_bytes(nr_bits))
#undef TP_fast_assign
#define TP_fast_assign(args...) args
#undef __perf_count
Reported by FlawFinder.
Line: 508
Column: 7
CWE codes:
126
#undef __string
#define __string(item, src) __dynamic_array(char, item, \
strlen((src) ? (const char *)(src) : "(null)") + 1)
/*
* __bitmask_size_in_bytes_raw is the number of bytes needed to hold
* num_possible_cpus().
*/
Reported by FlawFinder.
kernel/sched/core.c
4 issues
Line: 2598
CWE codes:
562
.pending = &my_pending,
};
p->migration_pending = &my_pending;
} else {
pending = p->migration_pending;
refcount_inc(&pending->refs);
/*
* Affinity has changed, but we've already installed a
Reported by Cppcheck.
Line: 8284
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ftrace_graph_init_idle_task(idle, cpu);
vtime_init_idle(idle, cpu);
#ifdef CONFIG_SMP
sprintf(idle->comm, "%s/%d", INIT_TASK_COMM, cpu);
#endif
}
#ifdef CONFIG_SMP
Reported by FlawFinder.
Line: 10260
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int __maybe_unused cpu_period_quota_parse(char *buf,
u64 *periodp, u64 *quotap)
{
char tok[21]; /* U64_MAX */
if (sscanf(buf, "%20s %llu", tok, periodp) < 1)
return -EINVAL;
*periodp *= NSEC_PER_USEC;
Reported by FlawFinder.
Line: 10262
Column: 6
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
{
char tok[21]; /* U64_MAX */
if (sscanf(buf, "%20s %llu", tok, periodp) < 1)
return -EINVAL;
*periodp *= NSEC_PER_USEC;
if (sscanf(tok, "%llu", quotap))
Reported by FlawFinder.
net/batman-adv/tvlv.c
4 issues
Line: 242
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tvlv_new->tvlv_hdr.type = type;
tvlv_new->tvlv_hdr.len = htons(tvlv_value_len);
memcpy(tvlv_new + 1, tvlv_value, ntohs(tvlv_new->tvlv_hdr.len));
INIT_HLIST_NODE(&tvlv_new->list);
kref_init(&tvlv_new->refcount);
spin_lock_bh(&bat_priv->tvlv.container_list_lock);
tvlv_old = batadv_tvlv_container_get(bat_priv, type, version);
Reported by FlawFinder.
Line: 283
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!new_buff)
return false;
memcpy(new_buff, *packet_buff, min_packet_len);
kfree(*packet_buff);
*packet_buff = new_buff;
*packet_buff_len = min_packet_len + additional_packet_len;
return true;
Reported by FlawFinder.
Line: 335
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tvlv_hdr->version = tvlv->tvlv_hdr.version;
tvlv_hdr->len = tvlv->tvlv_hdr.len;
tvlv_value = tvlv_hdr + 1;
memcpy(tvlv_value, tvlv + 1, ntohs(tvlv->tvlv_hdr.len));
tvlv_value = (u8 *)tvlv_value + ntohs(tvlv->tvlv_hdr.len);
}
end:
spin_unlock_bh(&bat_priv->tvlv.container_list_lock);
Reported by FlawFinder.
Line: 626
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tvlv_hdr->type = type;
tvlv_hdr->len = htons(tvlv_value_len);
tvlv_buff += sizeof(*tvlv_hdr);
memcpy(tvlv_buff, tvlv_value, tvlv_value_len);
batadv_send_skb_to_orig(skb, orig_node, NULL);
out:
batadv_orig_node_put(orig_node);
}
Reported by FlawFinder.
ipc/mqueue.c
4 issues
Line: 627
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *off)
{
struct mqueue_inode_info *info = MQUEUE_I(file_inode(filp));
char buffer[FILENT_SIZE];
ssize_t ret;
spin_lock(&info->lock);
snprintf(buffer, sizeof(buffer),
"QSIZE:%-10lu NOTIFY:%-5d SIGNO:%-5d NOTIFY_PID:%-6d\n",
Reported by FlawFinder.
Line: 643
Column: 5
CWE codes:
126
buffer[sizeof(buffer)-1] = '\0';
ret = simple_read_from_buffer(u_data, count, off, buffer,
strlen(buffer));
if (ret <= 0)
return ret;
file_inode(filp)->i_atime = file_inode(filp)->i_ctime = current_time(file_inode(filp));
return ret;
Reported by FlawFinder.
Line: 902
Column: 49
CWE codes:
126
ro = mnt_want_write(mnt); /* we'll drop it in any case */
inode_lock(d_inode(root));
path.dentry = lookup_one_len(name->name, root, strlen(name->name));
if (IS_ERR(path.dentry)) {
error = PTR_ERR(path.dentry);
goto out_putfd;
}
path.mnt = mntget(mnt);
Reported by FlawFinder.
Line: 959
Column: 5
CWE codes:
126
goto out_name;
inode_lock_nested(d_inode(mnt->mnt_root), I_MUTEX_PARENT);
dentry = lookup_one_len(name->name, mnt->mnt_root,
strlen(name->name));
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
goto out_unlock;
}
Reported by FlawFinder.
net/ceph/auth_x.c
4 issues
Line: 396
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg_a->ticket_blob.secret_id = cpu_to_le64(th->secret_id);
msg_a->ticket_blob.blob_len = cpu_to_le32(ticket_blob_len);
if (ticket_blob_len) {
memcpy(msg_a->ticket_blob.blob, th->ticket_blob->vec.iov_base,
th->ticket_blob->vec.iov_len);
}
dout(" th %p secret_id %lld %lld\n", th, th->secret_id,
le64_to_cpu(msg_a->ticket_blob.secret_id));
Reported by FlawFinder.
Line: 586
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("connection secret too big %d\n", len);
goto bad_memzero;
}
memcpy(con_secret, *p, len);
*con_secret_len = len;
}
memzero_explicit(*p, len);
*p += len;
return 0;
Reported by FlawFinder.
Line: 628
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return PTR_ERR(th);
if (session_key) {
memcpy(session_key, th->session_key.key, th->session_key.len);
*session_key_len = th->session_key.len;
}
/* connection secret */
ceph_decode_32_safe(p, end, len, e_inval);
Reported by FlawFinder.
Line: 886
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret;
if (session_key) {
memcpy(session_key, au->session_key.key, au->session_key.len);
*session_key_len = au->session_key.len;
}
ret = decrypt_authorizer_reply(&au->session_key, &reply,
reply + reply_len, &nonce_plus_one,
Reported by FlawFinder.
net/atm/mpoa_proc.c
4 issues
Line: 138
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
in_cache_entry *in_entry;
eg_cache_entry *eg_entry;
time64_t now;
unsigned char ip_string[16];
if (v == SEQ_START_TOKEN) {
atm_mpoa_disp_qos(m);
return 0;
}
Reported by FlawFinder.
Line: 152
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (in_entry = mpc->in_cache; in_entry; in_entry = in_entry->next) {
unsigned long seconds_delta = now - in_entry->time;
sprintf(ip_string, "%pI4", &in_entry->ctrl_info.in_dst_ip);
seq_printf(m, "%-16s%s%-14lu%-12u",
ip_string,
ingress_state_string(in_entry->entry_state),
in_entry->ctrl_info.holding_time -
seconds_delta,
Reported by FlawFinder.
Line: 181
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
eg_entry->packets_rcvd);
/* latest IP address */
sprintf(ip_string, "%pI4", &eg_entry->latest_ip_addr);
seq_printf(m, "%-16s", ip_string);
if (eg_entry->shortcut)
seq_printf(m, " %-3d %-3d",
eg_entry->shortcut->vpi,
Reported by FlawFinder.
Line: 246
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* possible lines look like this
* add 130.230.54.142 tx=max_pcr,max_sdu rx=max_pcr,max_sdu
*/
unsigned char ip[4];
int tx_pcr, tx_sdu, rx_pcr, rx_sdu;
__be32 ipaddr;
struct atm_qos qos;
memset(&qos, 0, sizeof(struct atm_qos));
Reported by FlawFinder.
include/trace/events/rcu.h
4 issues
Line: 551
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TP_fast_assign(
__entry->ctx = ctx;
memcpy(__entry->seglen, rs->seglen, RCU_CBLIST_NSEGS * sizeof(long));
memcpy(__entry->gp_seq, rs->gp_seq, RCU_CBLIST_NSEGS * sizeof(unsigned long));
),
TP_printk("%s seglen: (DONE=%ld, WAIT=%ld, NEXT_READY=%ld, NEXT=%ld) "
Reported by FlawFinder.
Line: 552
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TP_fast_assign(
__entry->ctx = ctx;
memcpy(__entry->seglen, rs->seglen, RCU_CBLIST_NSEGS * sizeof(long));
memcpy(__entry->gp_seq, rs->gp_seq, RCU_CBLIST_NSEGS * sizeof(unsigned long));
),
TP_printk("%s seglen: (DONE=%ld, WAIT=%ld, NEXT_READY=%ld, NEXT=%ld) "
"gp_seq: (DONE=%lu, WAIT=%lu, NEXT_READY=%lu, NEXT=%lu)", __entry->ctx,
Reported by FlawFinder.
Line: 765
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define RCUTORTURENAME_LEN 8
TRACE_EVENT_RCU(rcu_torture_read,
TP_PROTO(const char *rcutorturename, struct rcu_head *rhp,
unsigned long secs, unsigned long c_old, unsigned long c),
TP_ARGS(rcutorturename, rhp, secs, c_old, c),
TP_STRUCT__entry(
Reported by FlawFinder.
Line: 779
Column: 3
CWE codes:
120
),
TP_fast_assign(
strncpy(__entry->rcutorturename, rcutorturename,
RCUTORTURENAME_LEN);
__entry->rcutorturename[RCUTORTURENAME_LEN - 1] = 0;
__entry->rhp = rhp;
__entry->secs = secs;
__entry->c_old = c_old;
Reported by FlawFinder.
net/atm/lec.h
4 issues
Line: 19
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lecdatahdr_8023 {
__be16 le_header;
unsigned char h_dest[ETH_ALEN];
unsigned char h_source[ETH_ALEN];
__be16 h_type;
};
struct lecdatahdr_8025 {
Reported by FlawFinder.
Line: 20
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lecdatahdr_8023 {
__be16 le_header;
unsigned char h_dest[ETH_ALEN];
unsigned char h_source[ETH_ALEN];
__be16 h_type;
};
struct lecdatahdr_8025 {
__be16 le_header;
Reported by FlawFinder.
Line: 28
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__be16 le_header;
unsigned char ac_pad;
unsigned char fc;
unsigned char h_dest[ETH_ALEN];
unsigned char h_source[ETH_ALEN];
};
#define LEC_MINIMUM_8023_SIZE 62
#define LEC_MINIMUM_8025_SIZE 16
Reported by FlawFinder.
Line: 29
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char ac_pad;
unsigned char fc;
unsigned char h_dest[ETH_ALEN];
unsigned char h_source[ETH_ALEN];
};
#define LEC_MINIMUM_8023_SIZE 62
#define LEC_MINIMUM_8025_SIZE 16
Reported by FlawFinder.