The following issues were found
net/ipv6/seg6_hmac.c
4 issues
Line: 194
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
off = ring;
/* source address */
memcpy(off, saddr, 16);
off += 16;
/* first_segment value */
*off++ = hdr->first_segment;
Reported by FlawFinder.
Line: 204
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*off++ = hdr->flags;
/* HMAC Key ID */
memcpy(off, &hmackeyid, 4);
off += 4;
/* all segments in the list */
for (i = 0; i < hdr->first_segment + 1; i++) {
memcpy(off, hdr->segments + i, 16);
Reported by FlawFinder.
Line: 209
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* all segments in the list */
for (i = 0; i < hdr->first_segment + 1; i++) {
memcpy(off, hdr->segments + i, 16);
off += 16;
}
dgsize = __do_hmac(hinfo, ring, plen, tmp_out,
SEG6_HMAC_MAX_DIGESTSIZE);
Reported by FlawFinder.
Line: 225
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wrsize = dgsize;
memset(output, 0, SEG6_HMAC_FIELD_LEN);
memcpy(output, tmp_out, wrsize);
return 0;
}
EXPORT_SYMBOL(seg6_hmac_compute);
Reported by FlawFinder.
include/uapi/sound/asound_fm.h
4 issues
Line: 129
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sbi_patch {
unsigned char prog;
unsigned char bank;
char key[4];
char name[25];
char extension[7];
unsigned char data[32];
};
Reported by FlawFinder.
Line: 130
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char prog;
unsigned char bank;
char key[4];
char name[25];
char extension[7];
unsigned char data[32];
};
#endif /* __SOUND_ASOUND_FM_H */
Reported by FlawFinder.
Line: 131
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char bank;
char key[4];
char name[25];
char extension[7];
unsigned char data[32];
};
#endif /* __SOUND_ASOUND_FM_H */
Reported by FlawFinder.
Line: 132
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char key[4];
char name[25];
char extension[7];
unsigned char data[32];
};
#endif /* __SOUND_ASOUND_FM_H */
Reported by FlawFinder.
include/uapi/linux/netfilter/xt_hashlimit.h
4 issues
Line: 45
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
struct hashlimit_cfg cfg;
/* Used internally by the kernel */
struct xt_hashlimit_htable *hinfo;
union {
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xt_hashlimit_mtinfo1 {
char name[IFNAMSIZ];
struct hashlimit_cfg1 cfg;
/* Used internally by the kernel */
struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
};
Reported by FlawFinder.
Line: 108
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xt_hashlimit_mtinfo2 {
char name[NAME_MAX];
struct hashlimit_cfg2 cfg;
/* Used internally by the kernel */
struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
};
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xt_hashlimit_mtinfo3 {
char name[NAME_MAX];
struct hashlimit_cfg3 cfg;
/* Used internally by the kernel */
struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
};
Reported by FlawFinder.
net/openvswitch/actions.c
4 issues
Line: 423
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
update_ipv6_checksum(skb, l4_proto, addr, new_addr);
skb_clear_hash(skb);
memcpy(addr, new_addr, sizeof(__be32[4]));
}
static void set_ipv6_fl(struct ipv6hdr *nh, u32 fl, u32 mask)
{
/* Bits 21-24 are always unmasked, so this retains their values. */
Reported by FlawFinder.
Line: 615
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
OVS_MASKED(nh->md1.context[i], key.context[i],
mask.context[i]);
}
memcpy(flow_key->nsh.context, nh->md1.context,
sizeof(nh->md1.context));
break;
case NSH_M_TYPE2:
memset(flow_key->nsh.context, 0,
sizeof(flow_key->nsh.context));
Reported by FlawFinder.
Line: 761
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Reconstruct the MAC header. */
skb_push(skb, data->l2_len);
memcpy(skb->data, &data->l2_data, data->l2_len);
skb_postpush_rcsum(skb, skb->data, data->l2_len);
skb_reset_mac_header(skb);
if (eth_p_mpls(skb->protocol)) {
skb->inner_network_header = skb->network_header;
Reported by FlawFinder.
Line: 808
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data->vlan_proto = skb->vlan_proto;
data->mac_proto = mac_proto;
data->l2_len = hlen;
memcpy(&data->l2_data, skb->data, hlen);
memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
skb_pull(skb, hlen);
}
Reported by FlawFinder.
kernel/trace/trace_probe.h
4 issues
Line: 66
CWE codes:
476
static nokprobe_inline void *get_loc_data(u32 *dl, void *ent)
{
return (u8 *)ent + get_loc_offs(*dl);
}
static nokprobe_inline u32 update_data_loc(u32 loc, int consumed)
{
u32 maxlen = get_loc_len(loc);
Reported by Cppcheck.
Line: 284
Column: 32
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
static inline const char *trace_probe_group_name(struct trace_probe *tp)
{
return tp->event->call.class->system;
}
static inline struct trace_event_call *
trace_probe_event_call(struct trace_probe *tp)
{
Reported by FlawFinder.
Line: 66
CWE codes:
476
static nokprobe_inline void *get_loc_data(u32 *dl, void *ent)
{
return (u8 *)ent + get_loc_offs(*dl);
}
static nokprobe_inline u32 update_data_loc(u32 loc, int consumed)
{
u32 maxlen = get_loc_len(loc);
Reported by Cppcheck.
Line: 66
CWE codes:
476
static nokprobe_inline void *get_loc_data(u32 *dl, void *ent)
{
return (u8 *)ent + get_loc_offs(*dl);
}
static nokprobe_inline u32 update_data_loc(u32 loc, int consumed)
{
u32 maxlen = get_loc_len(loc);
Reported by Cppcheck.
drivers/net/ethernet/cavium/thunder/thunder_bgx.c
4 issues
Line: 1235
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct device *dev = &bgx->pdev->dev;
struct lmac *lmac;
char str[27];
if (!bgx->is_dlm && lmacid)
return;
lmac = &bgx->lmac[lmacid];
Reported by FlawFinder.
Line: 1242
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
lmac = &bgx->lmac[lmacid];
if (!bgx->is_dlm)
sprintf(str, "BGX%d QLM mode", bgx->bgx_id);
else
sprintf(str, "BGX%d LMAC%d mode", bgx->bgx_id, lmacid);
switch (lmac->lmac_type) {
case BGX_MODE_SGMII:
Reported by FlawFinder.
Line: 1244
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!bgx->is_dlm)
sprintf(str, "BGX%d QLM mode", bgx->bgx_id);
else
sprintf(str, "BGX%d LMAC%d mode", bgx->bgx_id, lmacid);
switch (lmac->lmac_type) {
case BGX_MODE_SGMII:
dev_info(dev, "%s: SGMII\n", (char *)str);
break;
Reported by FlawFinder.
Line: 1430
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct acpi_buffer string = { ACPI_ALLOCATE_BUFFER, NULL };
struct bgx *bgx = context;
char bgx_sel[5];
snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
if (ACPI_FAILURE(acpi_get_name(handle, ACPI_SINGLE_NAME, &string))) {
pr_warn("Invalid link device\n");
return AE_OK;
Reported by FlawFinder.
drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c
4 issues
Line: 116
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list_add_tail(&ce->list, &ctbl->hash_list[hash]);
if (v6) {
ce->addr6.sin6_family = AF_INET6;
memcpy(ce->addr6.sin6_addr.s6_addr,
lip, sizeof(struct in6_addr));
ret = clip6_get_mbox(dev, (const struct in6_addr *)lip);
if (ret) {
write_unlock_bh(&ctbl->lock);
dev_err(adap->pdev_dev,
Reported by FlawFinder.
Line: 130
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else {
ce->addr.sin_family = AF_INET;
memcpy((char *)(&ce->addr.sin_addr), lip,
sizeof(struct in_addr));
}
} else {
write_unlock_bh(&ctbl->lock);
dev_info(adap->pdev_dev, "CLIP table overflow, "
Reported by FlawFinder.
Line: 255
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct adapter *adapter = seq->private;
struct clip_tbl *ctbl = adapter->clipt;
struct clip_entry *ce;
char ip[60];
int i;
read_lock_bh(&ctbl->lock);
seq_puts(seq, "IP Address Users\n");
Reported by FlawFinder.
Line: 264
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0 ; i < ctbl->clipt_size; ++i) {
list_for_each_entry(ce, &ctbl->hash_list[i], list) {
ip[0] = '\0';
sprintf(ip, "%pISc", &ce->addr);
seq_printf(seq, "%-25s %u\n", ip,
refcount_read(&ce->refcnt));
}
}
seq_printf(seq, "Free clip entries : %d\n", atomic_read(&ctbl->nfree));
Reported by FlawFinder.
drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
4 issues
Line: 513
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
u64 cmd[MBOX_LEN / 8]; /* a Firmware Mailbox Command/Reply */
u64 timestamp; /* OS-dependent timestamp */
u32 seqno; /* sequence number */
s16 access; /* time (ms) to access mailbox */
s16 execute; /* time (ms) to execute */
};
struct mbox_cmd_log {
unsigned int size; /* number of entries in the log */
Reported by FlawFinder.
Line: 900
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} ____cacheline_aligned_in_smp;
struct sge_uld_rxq_info {
char name[IFNAMSIZ]; /* name of ULD driver */
struct sge_ofld_rxq *uldrxq; /* Rxq's for ULD */
u16 *rspq_id; /* response queue id's of rxq */
u16 nrxq; /* # of ingress uld queues */
u16 nciq; /* # of completion queues */
u8 uld; /* uld type */
Reported by FlawFinder.
Line: 1054
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct msix_info {
unsigned short vec;
char desc[IFNAMSIZ + 10];
unsigned int idx;
cpumask_var_t aff_mask;
};
struct vf_info {
Reported by FlawFinder.
Line: 1060
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct vf_info {
unsigned char vf_mac_addr[ETH_ALEN];
unsigned int tx_rate;
bool pf_set_mac;
u16 vlan;
int link_state;
};
Reported by FlawFinder.
drivers/media/cec/usb/pulse8/pulse8-cec.c
4 issues
Line: 154
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *pulse8_msgname(u8 cmd)
{
static char unknown_msg[5];
if ((cmd & 0x3f) < ARRAY_SIZE(pulse8_msgnames))
return pulse8_msgnames[cmd & 0x3f];
snprintf(unknown_msg, sizeof(unknown_msg), "0x%02x", cmd);
return unknown_msg;
Reported by FlawFinder.
Line: 418
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
pulse8->rx_msg_num++;
memcpy(pulse8->rx_msg[idx].msg, pulse8->new_rx_msg,
pulse8->new_rx_msg_len);
pulse8->rx_msg[idx].len = pulse8->new_rx_msg_len;
spin_unlock_irqrestore(&pulse8->msg_lock, irq_flags);
schedule_work(&pulse8->irq_work);
pulse8->new_rx_msg_len = 0;
Reported by FlawFinder.
Line: 459
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
default:
if (pulse8->idx == 0)
break;
memcpy(pulse8->data, pulse8->buf, pulse8->idx);
pulse8->len = pulse8->idx;
complete(&pulse8->cmd_done);
break;
}
pulse8->idx = 0;
Reported by FlawFinder.
Line: 596
Column: 20
CWE codes:
126
}
if (adap->log_addrs.osd_name[0]) {
size_t osd_len = strlen(adap->log_addrs.osd_name);
char *osd_str = cmd + 1;
cmd[0] = MSGCODE_SET_OSD_NAME;
strscpy(cmd + 1, adap->log_addrs.osd_name, sizeof(cmd) - 1);
if (osd_len < 4) {
Reported by FlawFinder.
drivers/media/tuners/mxl5007t.c
4 issues
Line: 355
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct mxl5007t_config *cfg = state->config;
memcpy(&state->tab_init, &init_tab, sizeof(init_tab));
memcpy(&state->tab_init_cable, &init_tab_cable, sizeof(init_tab_cable));
mxl5007t_set_mode_bits(state, mode, cfg->if_diff_out_level);
mxl5007t_set_if_freq_bits(state, cfg->if_freq_hz, cfg->invert_if);
mxl5007t_set_xtal_freq_bits(state, cfg->xtal_freq_hz);
Reported by FlawFinder.
Line: 356
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct mxl5007t_config *cfg = state->config;
memcpy(&state->tab_init, &init_tab, sizeof(init_tab));
memcpy(&state->tab_init_cable, &init_tab_cable, sizeof(init_tab_cable));
mxl5007t_set_mode_bits(state, mode, cfg->if_diff_out_level);
mxl5007t_set_if_freq_bits(state, cfg->if_freq_hz, cfg->invert_if);
mxl5007t_set_xtal_freq_bits(state, cfg->xtal_freq_hz);
Reported by FlawFinder.
Line: 414
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 frac_divider = 1000000;
unsigned int i;
memcpy(&state->tab_rftune, ®_pair_rftune, sizeof(reg_pair_rftune));
mxl5007t_set_bw_bits(state, bw);
/* Convert RF frequency into 16 bits =>
* 10 bit integer (MHz) + 6 bit fraction */
Reported by FlawFinder.
Line: 909
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&mxl5007t_list_mutex);
memcpy(&fe->ops.tuner_ops, &mxl5007t_tuner_ops,
sizeof(struct dvb_tuner_ops));
return fe;
fail:
mutex_unlock(&mxl5007t_list_mutex);
Reported by FlawFinder.