The following issues were found
include/linux/ipmi_smi.h
4 issues
Line: 61
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *user_data;
int data_size;
unsigned char data[IPMI_MAX_MSG_LENGTH];
int rsp_size;
unsigned char rsp[IPMI_MAX_MSG_LENGTH];
/*
Reported by FlawFinder.
Line: 64
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char data[IPMI_MAX_MSG_LENGTH];
int rsp_size;
unsigned char rsp[IPMI_MAX_MSG_LENGTH];
/*
* Will be called when the system is done with the message
* (presumably to free it).
*/
Reported by FlawFinder.
Line: 167
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char additional_device_support;
unsigned int manufacturer_id;
unsigned int product_id;
unsigned char aux_firmware_revision[4];
unsigned int aux_firmware_revision_set : 1;
};
#define ipmi_version_major(v) ((v)->ipmi_version & 0xf)
#define ipmi_version_minor(v) ((v)->ipmi_version >> 4)
Reported by FlawFinder.
Line: 211
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
id->product_id = 0;
}
if (data_len >= 15) {
memcpy(id->aux_firmware_revision, data+11, 4);
id->aux_firmware_revision_set = 1;
} else
id->aux_firmware_revision_set = 0;
return 0;
Reported by FlawFinder.
fs/nfsd/nfs4layouts.c
4 issues
Line: 68
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
map->fsid_type = fh->fh_fsid_type;
memcpy(&map->fsid, fh->fh_fsid, fsid_len);
spin_lock(&nfsd_devid_lock);
if (fhp->fh_export->ex_devid_map)
goto out_unlock;
Reported by FlawFinder.
Line: 424
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new = kmem_cache_alloc(nfs4_layout_cache, GFP_KERNEL);
if (!new)
return nfserr_jukebox;
memcpy(&new->lo_seg, seg, sizeof(lp->lo_seg));
new->lo_state = ls;
spin_lock(&fp->fi_lock);
nfserr = nfsd4_recall_conflict(ls);
if (nfserr)
Reported by FlawFinder.
Line: 610
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
nfsd4_cb_layout_fail(struct nfs4_layout_stateid *ls)
{
struct nfs4_client *clp = ls->ls_stid.sc_client;
char addr_str[INET6_ADDRSTRLEN];
static char const nfsd_recall_failed[] = "/sbin/nfsd-recall-failed";
static char *envp[] = {
"HOME=/",
"TERM=linux",
"PATH=/sbin:/usr/sbin:/bin:/usr/bin",
Reported by FlawFinder.
Line: 618
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"PATH=/sbin:/usr/sbin:/bin:/usr/bin",
NULL
};
char *argv[8];
int error;
rpc_ntop((struct sockaddr *)&clp->cl_addr, addr_str, sizeof(addr_str));
printk(KERN_WARNING
Reported by FlawFinder.
include/linux/rtsx_pci.h
4 issues
Line: 1308
Column: 20
CWE codes:
120
20
void rtsx_pci_send_cmd_no_wait(struct rtsx_pcr *pcr);
int rtsx_pci_send_cmd(struct rtsx_pcr *pcr, int timeout);
int rtsx_pci_transfer_data(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int num_sg, bool read, int timeout);
int rtsx_pci_dma_map_sg(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int num_sg, bool read);
void rtsx_pci_dma_unmap_sg(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int num_sg, bool read);
int rtsx_pci_dma_transfer(struct rtsx_pcr *pcr, struct scatterlist *sglist,
Reported by FlawFinder.
Line: 1310
Column: 20
CWE codes:
120
20
int rtsx_pci_transfer_data(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int num_sg, bool read, int timeout);
int rtsx_pci_dma_map_sg(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int num_sg, bool read);
void rtsx_pci_dma_unmap_sg(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int num_sg, bool read);
int rtsx_pci_dma_transfer(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int count, bool read, int timeout);
int rtsx_pci_read_ppbuf(struct rtsx_pcr *pcr, u8 *buf, int buf_len);
Reported by FlawFinder.
Line: 1312
Column: 20
CWE codes:
120
20
int rtsx_pci_dma_map_sg(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int num_sg, bool read);
void rtsx_pci_dma_unmap_sg(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int num_sg, bool read);
int rtsx_pci_dma_transfer(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int count, bool read, int timeout);
int rtsx_pci_read_ppbuf(struct rtsx_pcr *pcr, u8 *buf, int buf_len);
int rtsx_pci_write_ppbuf(struct rtsx_pcr *pcr, u8 *buf, int buf_len);
int rtsx_pci_card_pull_ctl_enable(struct rtsx_pcr *pcr, int card);
Reported by FlawFinder.
Line: 1314
Column: 19
CWE codes:
120
20
void rtsx_pci_dma_unmap_sg(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int num_sg, bool read);
int rtsx_pci_dma_transfer(struct rtsx_pcr *pcr, struct scatterlist *sglist,
int count, bool read, int timeout);
int rtsx_pci_read_ppbuf(struct rtsx_pcr *pcr, u8 *buf, int buf_len);
int rtsx_pci_write_ppbuf(struct rtsx_pcr *pcr, u8 *buf, int buf_len);
int rtsx_pci_card_pull_ctl_enable(struct rtsx_pcr *pcr, int card);
int rtsx_pci_card_pull_ctl_disable(struct rtsx_pcr *pcr, int card);
int rtsx_pci_switch_clock(struct rtsx_pcr *pcr, unsigned int card_clock,
Reported by FlawFinder.
fs/ocfs2/ocfs2.h
4 issues
Line: 165
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head l_holders;
unsigned long l_flags;
char l_name[OCFS2_LOCK_ID_MAX_LEN];
unsigned int l_ro_holders;
unsigned int l_ex_holders;
signed char l_level;
signed char l_requested;
signed char l_blocking;
Reported by FlawFinder.
Line: 386
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ocfs2_blockcheck_stats osb_ecc_stats;
struct ocfs2_alloc_stats alloc_stats;
char dev_str[20]; /* "major,minor" of the device */
u8 osb_stackflags;
char osb_cluster_stack[OCFS2_STACK_LABEL_LEN + 1];
char osb_cluster_name[OCFS2_CLUSTER_NAME_LEN + 1];
Reported by FlawFinder.
Line: 390
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 osb_stackflags;
char osb_cluster_stack[OCFS2_STACK_LABEL_LEN + 1];
char osb_cluster_name[OCFS2_CLUSTER_NAME_LEN + 1];
struct ocfs2_cluster_connection *cconn;
struct ocfs2_lock_res osb_super_lockres;
struct ocfs2_lock_res osb_rename_lockres;
struct ocfs2_lock_res osb_nfs_sync_lockres;
Reported by FlawFinder.
Line: 391
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 osb_stackflags;
char osb_cluster_stack[OCFS2_STACK_LABEL_LEN + 1];
char osb_cluster_name[OCFS2_CLUSTER_NAME_LEN + 1];
struct ocfs2_cluster_connection *cconn;
struct ocfs2_lock_res osb_super_lockres;
struct ocfs2_lock_res osb_rename_lockres;
struct ocfs2_lock_res osb_nfs_sync_lockres;
struct rw_semaphore nfs_sync_rwlock;
Reported by FlawFinder.
fs/nilfs2/btree.c
4 issues
Line: 198
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rdptrs = nilfs_btree_node_dptrs(right, rncmax);
rnchildren = nilfs_btree_node_get_nchildren(right);
memcpy(ldkeys + lnchildren, rdkeys, n * sizeof(*rdkeys));
memcpy(ldptrs + lnchildren, rdptrs, n * sizeof(*rdptrs));
memmove(rdkeys, rdkeys + n, (rnchildren - n) * sizeof(*rdkeys));
memmove(rdptrs, rdptrs + n, (rnchildren - n) * sizeof(*rdptrs));
lnchildren += n;
Reported by FlawFinder.
Line: 199
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rnchildren = nilfs_btree_node_get_nchildren(right);
memcpy(ldkeys + lnchildren, rdkeys, n * sizeof(*rdkeys));
memcpy(ldptrs + lnchildren, rdptrs, n * sizeof(*rdptrs));
memmove(rdkeys, rdkeys + n, (rnchildren - n) * sizeof(*rdkeys));
memmove(rdptrs, rdptrs + n, (rnchildren - n) * sizeof(*rdptrs));
lnchildren += n;
rnchildren -= n;
Reported by FlawFinder.
Line: 228
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memmove(rdkeys + n, rdkeys, rnchildren * sizeof(*rdkeys));
memmove(rdptrs + n, rdptrs, rnchildren * sizeof(*rdptrs));
memcpy(rdkeys, ldkeys + lnchildren - n, n * sizeof(*rdkeys));
memcpy(rdptrs, ldptrs + lnchildren - n, n * sizeof(*rdptrs));
lnchildren -= n;
rnchildren += n;
nilfs_btree_node_set_nchildren(left, lnchildren);
Reported by FlawFinder.
Line: 229
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memmove(rdkeys + n, rdkeys, rnchildren * sizeof(*rdkeys));
memmove(rdptrs + n, rdptrs, rnchildren * sizeof(*rdptrs));
memcpy(rdkeys, ldkeys + lnchildren - n, n * sizeof(*rdkeys));
memcpy(rdptrs, ldptrs + lnchildren - n, n * sizeof(*rdptrs));
lnchildren -= n;
rnchildren += n;
nilfs_btree_node_set_nchildren(left, lnchildren);
nilfs_btree_node_set_nchildren(right, rnchildren);
Reported by FlawFinder.
fs/ocfs2/dlmglue.c
4 issues
Line: 603
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__be64 inode_blkno_be;
memcpy(&inode_blkno_be, &lockres->l_name[OCFS2_DENTRY_LOCK_INO_START],
sizeof(__be64));
return be64_to_cpu(inode_blkno_be);
}
Reported by FlawFinder.
Line: 648
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(len != (OCFS2_DENTRY_LOCK_INO_START - 1));
memcpy(&lockres->l_name[OCFS2_DENTRY_LOCK_INO_START], &inode_blkno_be,
sizeof(__be64));
ocfs2_lock_res_init_common(OCFS2_SB(inode->i_sb), lockres,
OCFS2_LOCK_TYPE_DENTRY, &ocfs2_dentry_lops,
dl);
Reported by FlawFinder.
Line: 3348
Column: 12
CWE codes:
126
/* for now, uuid == domain */
status = ocfs2_cluster_connect(osb->osb_cluster_stack,
osb->osb_cluster_name,
strlen(osb->osb_cluster_name),
osb->uuid_str,
strlen(osb->uuid_str),
&lproto, ocfs2_do_node_down, osb,
&conn);
if (status) {
Reported by FlawFinder.
Line: 3350
Column: 12
CWE codes:
126
osb->osb_cluster_name,
strlen(osb->osb_cluster_name),
osb->uuid_str,
strlen(osb->uuid_str),
&lproto, ocfs2_do_node_down, osb,
&conn);
if (status) {
mlog_errno(status);
goto bail;
Reported by FlawFinder.
fs/ntfs/attrib.c
4 issues
Line: 755
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (al + block_size >= al_end)
goto do_final;
memcpy(al, bh->b_data, block_size);
brelse(bh);
al += block_size;
} while (++block < max_block);
rl++;
}
Reported by FlawFinder.
Line: 778
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* two people running Windows XP, thus we cannot do any
* truncation sanity checking here. (AIA)
*/
memcpy(al, bh->b_data, al_end - al);
brelse(bh);
if (initialized_size < size)
goto initialize;
goto done;
}
Reported by FlawFinder.
Line: 1646
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(attr_size != data_size);
if (page && !PageUptodate(page)) {
kaddr = kmap_atomic(page);
memcpy(kaddr, (u8*)a +
le16_to_cpu(a->data.resident.value_offset),
attr_size);
memset(kaddr + attr_size, 0, PAGE_SIZE - attr_size);
kunmap_atomic(kaddr);
flush_dcache_page(page);
Reported by FlawFinder.
Line: 1795
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the data from the page back to the attribute value. */
if (page) {
kaddr = kmap_atomic(page);
memcpy((u8*)a + mp_ofs, kaddr, attr_size);
kunmap_atomic(kaddr);
}
/* Setup the allocated size in the ntfs inode in case it changed. */
write_lock_irqsave(&ni->size_lock, flags);
ni->allocated_size = arec_size - mp_ofs;
Reported by FlawFinder.
fs/ntfs/debug.c
4 issues
Line: 123
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ntfs_debug_dump_runlist(const runlist_element *rl)
{
int i;
const char *lcn_str[5] = { "LCN_HOLE ", "LCN_RL_NOT_MAPPED",
"LCN_ENOENT ", "LCN_unknown " };
if (!debug_msgs)
return;
pr_debug("Dumping runlist (values in hex):\n");
Reported by FlawFinder.
Line: 41
Column: 10
CWE codes:
126
return;
#endif
if (function)
flen = strlen(function);
va_start(args, fmt);
vaf.fmt = fmt;
vaf.va = &args;
if (sb)
pr_warn("(device %s): %s(): %pV\n",
Reported by FlawFinder.
Line: 84
Column: 10
CWE codes:
126
return;
#endif
if (function)
flen = strlen(function);
va_start(args, fmt);
vaf.fmt = fmt;
vaf.va = &args;
if (sb)
pr_err("(device %s): %s(): %pV\n",
Reported by FlawFinder.
Line: 111
Column: 10
CWE codes:
126
if (!debug_msgs)
return;
if (function)
flen = strlen(function);
va_start(args, fmt);
vaf.fmt = fmt;
vaf.va = &args;
pr_debug("(%s, %d): %s(): %pV", file, line, flen ? function : "", &vaf);
va_end(args);
Reported by FlawFinder.
fs/ntfs/dir.c
4 issues
Line: 1297
CWE codes:
682
kaddr = (u8*)page_address(ia_page);
}
/* Get the current index buffer. */
ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_MASK &
~(s64)(ndir->itype.index.block_size - 1)));
/* Bounds checks. */
if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_SIZE)) {
ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
"inode 0x%lx or driver bug.", vdir->i_ino);
Reported by Cppcheck.
Line: 224
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
name->type = type;
if (type != FILE_NAME_DOS) {
name->len = len;
memcpy(name->name, ie->key.file_name.file_name,
len * sizeof(ntfschar));
} else
name->len = 0;
*res = name;
}
Reported by FlawFinder.
Line: 486
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
name->type = type;
if (type != FILE_NAME_DOS) {
name->len = len;
memcpy(name->name, ie->key.file_name.file_name,
len * sizeof(ntfschar));
} else
name->len = 0;
*res = name;
}
Reported by FlawFinder.
Line: 1168
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err_out;
}
/* Copy the index root value (it has been verified in read_inode). */
memcpy(ir, (u8*)ctx->attr +
le16_to_cpu(ctx->attr->data.resident.value_offset), rc);
ntfs_attr_put_search_ctx(ctx);
unmap_mft_record(ndir);
ctx = NULL;
m = NULL;
Reported by FlawFinder.
fs/ntfs/inode.c
4 issues
Line: 130
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ni->name = kmalloc(i + sizeof(ntfschar), GFP_ATOMIC);
if (!ni->name)
return -ENOMEM;
memcpy(ni->name, na->name, i);
ni->name[na->name_len] = 0;
}
return 0;
}
Reported by FlawFinder.
Line: 749
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto unm_err_out;
}
/* Now copy the attribute list. */
memcpy(ni->attr_list, (u8*)a + le16_to_cpu(
a->data.resident.value_offset),
le32_to_cpu(
a->data.resident.value_length));
}
}
Reported by FlawFinder.
Line: 1814
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ntfs_error(sb, "Device read failed.");
goto err_out;
}
memcpy((char*)m + (i << sb->s_blocksize_bits), bh->b_data,
sb->s_blocksize);
brelse(bh);
}
if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
Reported by FlawFinder.
Line: 1930
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto put_err_out;
}
/* Now copy the attribute list. */
memcpy(ni->attr_list, (u8*)a + le16_to_cpu(
a->data.resident.value_offset),
le32_to_cpu(
a->data.resident.value_length));
}
/* The attribute list is now setup in memory. */
Reported by FlawFinder.