The following issues were found
net/ceph/crypto.c
4 issues
Line: 73
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Clone a key: copy every field of *src into *dst, then call set_secret()
 * on dst with src->key and return whatever set_secret() returns.
 *
 * The copy length is the size of the struct type both pointers are
 * declared with, so the memcpy() is in bounds whenever dst points at a
 * whole struct ceph_crypto_key.
 *
 * NOTE(review): immediately after the memcpy(), any pointer members of
 * *dst hold the same values as those of *src. Presumably set_secret()
 * replaces them with storage owned by dst -- confirm, including on its
 * error path, so that a failed clone cannot leave dst aliasing src.
 */
int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
			  const struct ceph_crypto_key *src)
{
	int ret;

	memcpy(dst, src, sizeof(*dst));
	ret = set_secret(dst, src->key);
	return ret;
}
int ceph_crypto_key_encode(struct ceph_crypto_key *key, void **p, void *end)
{
Reported by FlawFinder.
Line: 225
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SYNC_SKCIPHER_REQUEST_ON_STACK(req, key->tfm);
struct sg_table sgt;
struct scatterlist prealloc_sg;
char iv[AES_BLOCK_SIZE] __aligned(8);
int pad_byte = AES_BLOCK_SIZE - (in_len & (AES_BLOCK_SIZE - 1));
int crypt_len = encrypt ? in_len + pad_byte : in_len;
int ret;
WARN_ON(crypt_len > buf_len);
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
120
Suggestion:
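Make sure destination can always hold the source data. Triage note: the destination here is `iv`, declared as `char iv[AES_BLOCK_SIZE]` in the snippet for line 225, and the copy length is the same constant, so the destination is large enough; the remaining check is that `aes_iv` refers to at least AES_BLOCK_SIZE readable bytes, which this snippet does not show.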
if (ret)
return ret;
memcpy(iv, aes_iv, AES_BLOCK_SIZE);
skcipher_request_set_sync_tfm(req, key->tfm);
skcipher_request_set_callback(req, 0, NULL, NULL);
skcipher_request_set_crypt(req, sgt.sgl, sgt.sgl, crypt_len, iv);
/*
Reported by FlawFinder.
Line: 110
Column: 14
CWE codes:
126
int ceph_crypto_key_unarmor(struct ceph_crypto_key *key, const char *inkey)
{
int inlen = strlen(inkey);
int blen = inlen * 3 / 4;
void *buf, *p;
int ret;
dout("crypto_key_unarmor %s\n", inkey);
Reported by FlawFinder.
kernel/rcu/tree_plugin.h
4 issues
Line: 2801
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Dump out nocb kthread state for the specified rcu_data structure. */
static void show_rcu_nocb_state(struct rcu_data *rdp)
{
char bufw[20];
char bufr[20];
struct rcu_segcblist *rsclp = &rdp->cblist;
bool waslocked;
bool wassleep;
Reported by FlawFinder.
Line: 2802
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void show_rcu_nocb_state(struct rcu_data *rdp)
{
char bufw[20];
char bufr[20];
struct rcu_segcblist *rsclp = &rdp->cblist;
bool waslocked;
bool wassleep;
if (rdp->nocb_gp_rdp == rdp)
Reported by FlawFinder.
Line: 2810
Column: 2
CWE codes:
120
Suggestion:
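Use sprintf_s, snprintf, or vsnprintf. Triage note: `sprintf_s` is not provided in kernel code, so the applicable form is `snprintf(bufw, sizeof(bufw), ...)` (or `scnprintf`). The destination is `char bufw[20]`, and `%ld` of a 64-bit `long` can produce up to 20 characters plus the terminating NUL, so the buffer is one byte short of the worst case; the same applies to `bufr` on line 2811.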
if (rdp->nocb_gp_rdp == rdp)
show_rcu_nocb_gp_state(rdp);
sprintf(bufw, "%ld", rsclp->gp_seq[RCU_WAIT_TAIL]);
sprintf(bufr, "%ld", rsclp->gp_seq[RCU_NEXT_READY_TAIL]);
pr_info(" CB %d^%d->%d %c%c%c%c%c%c F%ld L%ld C%d %c%c%s%c%s%c%c q%ld %c CPU %d%s\n",
rdp->cpu, rdp->nocb_gp_rdp->cpu,
rdp->nocb_next_cb_rdp ? rdp->nocb_next_cb_rdp->cpu : -1,
"kK"[!!rdp->nocb_cb_kthread],
Reported by FlawFinder.
Line: 2811
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
show_rcu_nocb_gp_state(rdp);
sprintf(bufw, "%ld", rsclp->gp_seq[RCU_WAIT_TAIL]);
sprintf(bufr, "%ld", rsclp->gp_seq[RCU_NEXT_READY_TAIL]);
pr_info(" CB %d^%d->%d %c%c%c%c%c%c F%ld L%ld C%d %c%c%s%c%s%c%c q%ld %c CPU %d%s\n",
rdp->cpu, rdp->nocb_gp_rdp->cpu,
rdp->nocb_next_cb_rdp ? rdp->nocb_next_cb_rdp->cpu : -1,
"kK"[!!rdp->nocb_cb_kthread],
"bB"[raw_spin_is_locked(&rdp->nocb_bypass_lock)],
Reported by FlawFinder.
net/9p/trans_xen.c
4 issues
Line: 234
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
}
memcpy(&req->rc, &h, sizeof(h));
req->rc.offset = 0;
masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE(ring));
/* Then, read the whole packet (including the header) */
xen_9pfs_read_packet(req->rc.sdata, ring->data.in, h.size,
Reported by FlawFinder.
Line: 451
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (ret)
goto error_xenbus;
for (i = 0; i < priv->num_rings; i++) {
char str[16];
BUILD_BUG_ON(XEN_9PFS_NUM_RINGS > 9);
sprintf(str, "ring-ref%d", i);
ret = xenbus_printf(xbt, dev->nodename, str, "%d",
priv->rings[i].ref);
Reported by FlawFinder.
Line: 454
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char str[16];
BUILD_BUG_ON(XEN_9PFS_NUM_RINGS > 9);
sprintf(str, "ring-ref%d", i);
ret = xenbus_printf(xbt, dev->nodename, str, "%d",
priv->rings[i].ref);
if (ret)
goto error_xenbus;
Reported by FlawFinder.
Line: 460
Column: 3
CWE codes:
120
Suggestion:
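Use sprintf_s, snprintf, or vsnprintf. Triage note: `event-channel-` is 14 characters, so with the `char str[16]` declared at the top of this loop the result fits only while `i` is a single digit. The `BUILD_BUG_ON(XEN_9PFS_NUM_RINGS > 9)` shown in the previous finding bounds the constant, but the loop runs to `priv->num_rings`, so confirm that this value cannot exceed XEN_9PFS_NUM_RINGS, or use `snprintf(str, sizeof(str), ...)`.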
if (ret)
goto error_xenbus;
sprintf(str, "event-channel-%d", i);
ret = xenbus_printf(xbt, dev->nodename, str, "%u",
priv->rings[i].evtchn);
if (ret)
goto error_xenbus;
}
Reported by FlawFinder.
net/ceph/messenger_v1.c
4 issues
Line: 738
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* did we learn our address?
*/
if (ceph_addr_is_blank(my_addr)) {
memcpy(&my_addr->in_addr,
&con->v1.peer_addr_for_me.in_addr,
sizeof(con->v1.peer_addr_for_me.in_addr));
ceph_addr_set_port(my_addr, 0);
ceph_encode_my_addr(con->msgr);
dout("process_banner learned my addr is %s\n",
Reported by FlawFinder.
Line: 356
Column: 24
CWE codes:
126
*/
static void prepare_write_banner(struct ceph_connection *con)
{
con_out_kvec_add(con, strlen(CEPH_BANNER), CEPH_BANNER);
con_out_kvec_add(con, sizeof (con->msgr->my_enc_addr),
&con->msgr->my_enc_addr);
con->v1.out_more = 0;
ceph_con_flag_set(con, CEPH_CON_F_WRITE_PENDING);
Reported by FlawFinder.
Line: 631
Column: 9
CWE codes:
126
dout("read_partial_banner %p at %d\n", con, con->v1.in_base_pos);
/* peer's banner */
size = strlen(CEPH_BANNER);
end = size;
ret = read_partial(con, end, size, con->v1.in_banner);
if (ret <= 0)
goto out;
Reported by FlawFinder.
Line: 698
Column: 45
CWE codes:
126
*/
static int verify_hello(struct ceph_connection *con)
{
if (memcmp(con->v1.in_banner, CEPH_BANNER, strlen(CEPH_BANNER))) {
pr_err("connect to %s got bad banner\n",
ceph_pr_addr(&con->peer_addr));
con->error_msg = "protocol error, bad banner";
return -1;
}
Reported by FlawFinder.
include/uapi/linux/auto_fs.h
4 issues
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct autofs_packet_hdr hdr;
autofs_wqt_t wait_queue_token;
int len;
char name[NAME_MAX+1];
};
/* v3 expire (via ioctl) */
struct autofs_packet_expire {
struct autofs_packet_hdr hdr;
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Expire packet: the common packet header followed by a length field and a
 * fixed-size name buffer.
 */
struct autofs_packet_expire {
struct autofs_packet_hdr hdr;
/*
 * NOTE(review): presumably the number of valid bytes in name[] -- confirm.
 * It is a signed int, so a consumer should range-check it against
 * sizeof(name) before using it as an index or copy length.
 */
int len;
/*
 * Fixed buffer of NAME_MAX+1 chars. The array declaration itself copies
 * nothing; the bounds that matter are at the sites that fill or read it.
 * NOTE(review): the +1 presumably reserves room for a terminating NUL --
 * confirm that writers always store one.
 */
char name[NAME_MAX+1];
};
#define AUTOFS_IOCTL 0x93
enum {
Reported by FlawFinder.
Line: 180
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct autofs_packet_hdr hdr;
autofs_wqt_t wait_queue_token;
int len;
char name[NAME_MAX+1];
};
union autofs_packet_union {
struct autofs_packet_hdr hdr;
struct autofs_packet_missing missing;
Reported by FlawFinder.
Line: 201
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 pid;
__u32 tgid;
__u32 len;
char name[NAME_MAX+1];
};
typedef struct autofs_v5_packet autofs_packet_missing_indirect_t;
typedef struct autofs_v5_packet autofs_packet_expire_indirect_t;
typedef struct autofs_v5_packet autofs_packet_missing_direct_t;
Reported by FlawFinder.
net/802/hippi.c
4 issues
Line: 67
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hip->le.dest_addr_type = 2; /* 12 bit SC address */
hip->le.src_addr_type = 2; /* 12 bit SC address */
memcpy(hip->le.src_switch_addr, dev->dev_addr + 3, 3);
memset(&hip->le.reserved, 0, 16);
hip->snap.dsap = HIPPI_EXTENDED_SAP;
hip->snap.ssap = HIPPI_EXTENDED_SAP;
hip->snap.ctrl = HIPPI_UI_CMD;
Reported by FlawFinder.
Line: 80
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (daddr)
{
memcpy(hip->le.dest_switch_addr, daddr + 3, 3);
memcpy(&hcb->ifield, daddr + 2, 4);
return HIPPI_HLEN;
}
hcb->ifield = 0;
return -((int)HIPPI_HLEN);
Reported by FlawFinder.
Line: 81
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (daddr)
{
memcpy(hip->le.dest_switch_addr, daddr + 3, 3);
memcpy(&hcb->ifield, daddr + 2, 4);
return HIPPI_HLEN;
}
hcb->ifield = 0;
return -((int)HIPPI_HLEN);
}
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
120
Suggestion:
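Make sure destination can always hold the source data. Triage note: unlike the fixed-length copies in the earlier findings for this file, this memcpy() takes its length from `dev->addr_len`; it stays in bounds only if that value is no larger than both the `dev->dev_addr` buffer and `addr->sa_data`. Neither size is visible in this snippet, so confirm them against the device setup code.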
struct sockaddr *addr = p;
if (netif_running(dev))
return -EBUSY;
memcpy(dev->dev_addr, addr->sa_data, dev->addr_len);
return 0;
}
EXPORT_SYMBOL(hippi_mac_addr);
int hippi_neigh_setup_dev(struct net_device *dev, struct neigh_parms *p)
Reported by FlawFinder.
net/netfilter/xt_recent.c
4 issues
Line: 403
Column: 2
CWE codes:
120
Suggestion:
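Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Triage note: in kernel code the preferred bounded copy is strscpy(). The destination `t->name` is the `char name[XT_RECENT_NAME_LEN]` member shown in the next finding; whether this strcpy() is safe depends on `info->name` having been checked to be NUL-terminated within that length before this point, which the snippet does not show.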
t->nstamps_max_mask = nstamp_mask;
memcpy(&t->mask, &info->mask, sizeof(t->mask));
strcpy(t->name, info->name);
INIT_LIST_HEAD(&t->lru_list);
for (i = 0; i < ip_list_hash_size; i++)
INIT_LIST_HEAD(&t->iphash[i]);
#ifdef CONFIG_PROC_FS
uid = make_kuid(&init_user_ns, ip_list_uid);
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct recent_table {
struct list_head list;
char name[XT_RECENT_NAME_LEN];
union nf_inet_addr mask;
unsigned int refcnt;
unsigned int entries;
u8 nstamps_max_mask;
struct list_head lru_list;
Reported by FlawFinder.
Line: 439
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct xt_recent_mtinfo_v1 info_v1;
/* Copy revision 0 structure to revision 1 */
memcpy(&info_v1, info_v0, sizeof(struct xt_recent_mtinfo));
/* Set default mask to ensure backward compatible behaviour */
memset(info_v1.mask.all, 0xFF, sizeof(info_v1.mask.all));
return recent_mt_check(par, &info_v1);
}
Reported by FlawFinder.
Line: 564
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct recent_table *t = PDE_DATA(file_inode(file));
struct recent_entry *e;
char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:5afe:c0de")];
const char *c = buf;
union nf_inet_addr addr = {};
u_int16_t family;
bool add, succ;
Reported by FlawFinder.
include/uapi/linux/sync_file.h
4 issues
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @pad: padding for 64-bit alignment, should always be zero
*/
struct sync_merge_data {
/*
 * Fixed 32-byte buffer.
 * NOTE(review): this struct is declared in a uapi header, so the bytes
 * presumably originate in user space -- confirm. If so, the kernel side
 * must not assume a NUL terminator is present within the 32 bytes and
 * should copy it with an explicit size bound.
 */
char name[32];
__s32 fd2;
__s32 fence;
__u32 flags;
/* Padding for 64-bit alignment; should always be zero. */
__u32 pad;
};
Reported by FlawFinder.
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @timestamp_ns: timestamp of status change in nanoseconds
*/
struct sync_fence_info {
/*
 * Two fixed 32-byte name buffers. The declarations copy nothing; the
 * bounds that matter are at the sites that fill them.
 * NOTE(review): whoever writes these fields should use a size-bounded
 * copy and guarantee a terminating NUL inside the 32 bytes -- confirm
 * against the code that populates this struct.
 */
char obj_name[32];
char driver_name[32];
__s32 status;
__u32 flags;
/* Timestamp of status change, in nanoseconds. */
__u64 timestamp_ns;
};
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct sync_fence_info {
/*
 * Two fixed 32-byte name buffers. The declarations copy nothing; the
 * bounds that matter are at the sites that fill them.
 * NOTE(review): whoever writes these fields should use a size-bounded
 * copy and guarantee a terminating NUL inside the 32 bytes -- confirm
 * against the code that populates this struct.
 */
char obj_name[32];
char driver_name[32];
__s32 status;
__u32 flags;
/* Timestamp of status change, in nanoseconds. */
__u64 timestamp_ns;
};
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* fences in the sync_file
*/
struct sync_file_info {
char name[32];
__s32 status;
__u32 flags;
__u32 num_fences;
__u32 pad;
Reported by FlawFinder.
net/netrom/nr_route.c
4 issues
Line: 192
Column: 3
CWE codes:
120
Suggestion:
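Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Triage note: the snippet shows neither the size of `nr_node->mnemonic` nor the origin of `mnemonic`; the finding is resolved by confirming that the source is always NUL-terminated and no longer than the destination, or by switching to a size-bounded copy such as strscpy(). The same applies to the strcpy() reported at line 217.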
}
nr_node->callsign = *nr;
strcpy(nr_node->mnemonic, mnemonic);
nr_node->which = 0;
nr_node->count = 1;
refcount_set(&nr_node->refcount, 1);
spin_lock_init(&nr_node->node_lock);
Reported by FlawFinder.
Line: 217
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
nr_node_lock(nr_node);
if (quality != 0)
strcpy(nr_node->mnemonic, mnemonic);
for (found = 0, i = 0; i < nr_node->count; i++) {
if (nr_node->routes[i].neighbour == nr_neigh) {
nr_node->routes[i].quality = quality;
nr_node->routes[i].obs_count = obs_count;
Reported by FlawFinder.
Line: 865
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int nr_node_show(struct seq_file *seq, void *v)
{
char buf[11];
int i;
if (v == SEQ_START_TOKEN)
seq_puts(seq,
"callsign mnemonic w n qual obs neigh qual obs neigh qual obs neigh\n");
Reported by FlawFinder.
Line: 922
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int nr_neigh_show(struct seq_file *seq, void *v)
{
char buf[11];
int i;
if (v == SEQ_START_TOKEN)
seq_puts(seq, "addr callsign dev qual lock count failed digipeaters\n");
else {
Reported by FlawFinder.
kernel/bpf/preload/iterators/iterators.skel.h
4 issues
Line: 25
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_link *dump_bpf_prog;
} links;
/*
 * Four fixed-size char arrays, reached through the `rodata` pointer member
 * declared by this same statement. The declarations copy nothing.
 * NOTE(review): the "____fmt" names suggest these mirror format strings
 * from the BPF object's read-only data, with sizes chosen by whatever
 * generates this skeleton header -- confirm before treating the array
 * sizes as hand-maintained bounds.
 */
struct iterators_bpf__rodata {
char dump_bpf_map____fmt[35];
char dump_bpf_map____fmt_1[14];
char dump_bpf_prog____fmt[32];
char dump_bpf_prog____fmt_2[17];
} *rodata;
};
Reported by FlawFinder.
Line: 26
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} links;
/*
 * Four fixed-size char arrays, reached through the `rodata` pointer member
 * declared by this same statement. The declarations copy nothing.
 * NOTE(review): the "____fmt" names suggest these mirror format strings
 * from the BPF object's read-only data, with sizes chosen by whatever
 * generates this skeleton header -- confirm before treating the array
 * sizes as hand-maintained bounds.
 */
struct iterators_bpf__rodata {
char dump_bpf_map____fmt[35];
char dump_bpf_map____fmt_1[14];
char dump_bpf_prog____fmt[32];
char dump_bpf_prog____fmt_2[17];
} *rodata;
};
Reported by FlawFinder.
Line: 27
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Four fixed-size char arrays, reached through the `rodata` pointer member
 * declared by this same statement. The declarations copy nothing.
 * NOTE(review): the "____fmt" names suggest these mirror format strings
 * from the BPF object's read-only data, with sizes chosen by whatever
 * generates this skeleton header -- confirm before treating the array
 * sizes as hand-maintained bounds.
 */
struct iterators_bpf__rodata {
char dump_bpf_map____fmt[35];
char dump_bpf_map____fmt_1[14];
char dump_bpf_prog____fmt[32];
char dump_bpf_prog____fmt_2[17];
} *rodata;
};
static void
Reported by FlawFinder.
Line: 28
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char dump_bpf_map____fmt[35];
char dump_bpf_map____fmt_1[14];
char dump_bpf_prog____fmt[32];
char dump_bpf_prog____fmt_2[17];
} *rodata;
};
static void
iterators_bpf__destroy(struct iterators_bpf *obj)
Reported by FlawFinder.