The following issues were found
fs/ntfs/runlist.c
4 issues
Line: 37
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
runlist_element *srcbase, int src, int size)
{
if (likely(size > 0))
memcpy(dstbase + dst, srcbase + src, size * sizeof(*dstbase));
}
/**
* ntfs_rl_realloc - Reallocate memory for runlists
* @rl: original runlist
Reported by FlawFinder.
Line: 77
Column: 3
CWE codes:
120
Suggestion:
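Make sure destination can always hold the source data
Triage note: in the excerpt below, old_size is clamped to new_size before the memcpy, so the copy length cannot exceed new_size. What remains to confirm is that new_rl was allocated with at least new_size bytes, which the excerpt does not show. The line 122 finding quotes identical code.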
if (likely(rl != NULL)) {
if (unlikely(old_size > new_size))
old_size = new_size;
memcpy(new_rl, rl, old_size);
ntfs_free(rl);
}
return new_rl;
}
Reported by FlawFinder.
Line: 122
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (likely(rl != NULL)) {
if (unlikely(old_size > new_size))
old_size = new_size;
memcpy(new_rl, rl, old_size);
ntfs_free(rl);
}
return new_rl;
}
Reported by FlawFinder.
Line: 798
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ntfs_free(rl);
return ERR_PTR(-ENOMEM);
}
memcpy(rl2, rl, rlsize);
ntfs_free(rl);
rl = rl2;
rlsize += PAGE_SIZE;
}
/* Enter the current vcn into the current runlist element. */
Reported by FlawFinder.
drivers/xen/xen-acpi-processor.c
4 issues
Line: 153
Column: 3
CWE codes:
120
Suggestion:
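Make sure destination can always hold the source data
Triage note: each copy is sizeof(struct acpi_processor_px) bytes, and the quoted source comment asserts that the source and destination element types are the same size. Neither the destination type nor the allocation of dst_states is shown here. A compile-time size check (for example BUILD_BUG_ON) at the point of that assumption would let the build enforce it instead of a comment.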
dst_perf->state_count = _pr->performance->state_count;
for (i = 0; i < _pr->performance->state_count; i++) {
/* Fortunatly for us, they are both the same size */
memcpy(&(dst_states[i]), &(_pr->performance->states[i]),
sizeof(struct acpi_processor_px));
}
return dst_states;
}
static int xen_copy_psd_data(struct acpi_processor *_pr,
Reported by FlawFinder.
Line: 185
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst->shared_type = CPUFREQ_SHARED_TYPE_ANY;
}
memcpy(&(dst->domain_info), pdomain, sizeof(struct acpi_psd_package));
return 0;
}
static int xen_copy_pct_data(struct acpi_pct_register *pct,
struct xen_pct_register *dst_pct)
{
Reported by FlawFinder.
Line: 437
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_backup->flags.power = test_bit(i, acpi_id_cst_present);
/* num_entries is non-zero if we evaluated _PSD */
if (acpi_psd[i].num_entries) {
memcpy(&pr_backup->performance->domain_info,
&acpi_psd[i],
sizeof(struct acpi_psd_package));
}
(void)upload_pm_data(pr_backup);
}
Reported by FlawFinder.
Line: 479
Column: 5
CWE codes:
120
Suggestion:
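Make sure destination can always hold the source data
Triage note: pr_backup is allocated with sizeof(struct acpi_processor) on the line before the copy and the memcpy uses the same size, so the destination bound is visible in the excerpt. The copy is shallow: pointer members such as performance (dereferenced through pr_backup in the line 437 finding) still point at the objects owned by _pr.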
if (!pr_backup) {
pr_backup = kzalloc(sizeof(struct acpi_processor), GFP_KERNEL);
if (pr_backup)
memcpy(pr_backup, _pr, sizeof(struct acpi_processor));
}
(void)upload_pm_data(_pr);
}
rc = check_acpi_ids(pr_backup);
Reported by FlawFinder.
drivers/xen/xen-pciback/pci_stub.c
4 issues
Line: 382
Column: 2
CWE codes:
134
Suggestion:
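Make format string constant
Triage note: the format argument shown is DRV_NAME "[%s]", a compile-time concatenation rather than caller-supplied data (assuming DRV_NAME expands to a string literal, which the excerpt does not show). The point worth verifying is the unbounded sprintf into irq_name. Its buffer is sized from the same two strings in the kzalloc quoted under the line 370 finding, so the allocation and the format have to stay in step.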
* Setup name for fake IRQ handler. It will only be enabled
* once the device is turned on by the guest.
*/
sprintf(dev_data->irq_name, DRV_NAME "[%s]", pci_name(dev));
dev_dbg(&dev->dev, "initializing config\n");
init_waitqueue_head(&xen_pcibk_aer_wait_queue);
err = xen_pcibk_config_init_dev(dev);
Reported by FlawFinder.
Line: 667
Column: 2
CWE codes:
119
120
Suggestion:
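Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Triage note: the flagged line is the declaration char nodename[PCI_NODENAME_MAX]. The only write shown is an snprintf bounded by the same constant, which truncates rather than overflows. The snprintf return value is not used in the excerpt, so a truncated node name would not be detected there.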
{
struct xenbus_transaction xbt;
int err;
char nodename[PCI_NODENAME_MAX];
BUG_ON(!psdev);
snprintf(nodename, PCI_NODENAME_MAX, "/local/domain/0/backend/pci/%d/0",
psdev->pdev->xdev->otherend_id);
Reported by FlawFinder.
Line: 370
Column: 42
CWE codes:
126
* would need to be called somewhere to free the memory allocated
* here and then to call kfree(pci_get_drvdata(psdev->dev)).
*/
dev_data = kzalloc(sizeof(*dev_data) + strlen(DRV_NAME "[]")
+ strlen(pci_name(dev)) + 1, GFP_KERNEL);
if (!dev_data) {
err = -ENOMEM;
goto out;
}
Reported by FlawFinder.
Line: 371
Column: 7
CWE codes:
126
* here and then to call kfree(pci_get_drvdata(psdev->dev)).
*/
dev_data = kzalloc(sizeof(*dev_data) + strlen(DRV_NAME "[]")
+ strlen(pci_name(dev)) + 1, GFP_KERNEL);
if (!dev_data) {
err = -ENOMEM;
goto out;
}
pci_set_drvdata(dev, dev_data);
Reported by FlawFinder.
include/linux/hid.h
4 issues
Line: 606
Column: 2
CWE codes:
119
120
Suggestion:
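Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Triage note: the flagged lines are fixed-size char array fields inside a struct declaration, and a declaration copies nothing by itself. Triage here means checking every writer of name, phys and uniq for a length bound tied to the field size. The line 607 and line 608 findings flag the neighbouring fields for the same reason.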
void *hiddev; /* The hiddev structure */
void *hidraw;
char name[128]; /* Device name */
char phys[64]; /* Device physical location */
char uniq[64]; /* Device unique identifier (serial #) */
void *driver_data;
Reported by FlawFinder.
Line: 607
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *hidraw;
char name[128]; /* Device name */
char phys[64]; /* Device physical location */
char uniq[64]; /* Device unique identifier (serial #) */
void *driver_data;
/* temporary hid_ff handling (until moved to the drivers) */
Reported by FlawFinder.
Line: 608
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name[128]; /* Device name */
char phys[64]; /* Device physical location */
char uniq[64]; /* Device unique identifier (serial #) */
void *driver_data;
/* temporary hid_ff handling (until moved to the drivers) */
int (*ff_init)(struct hid_device *);
Reported by FlawFinder.
Line: 810
Column: 8
CWE codes:
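362
Triage note: column 8 of the flagged line is the identifier open in a function-pointer member declaration (int (*open)(struct hid_device *hdev)), not a call to open(2). This looks like a name match and should be confirmed against the source before it is treated as a race condition. The line 80 finding in include/linux/hdlcdrv.h flags an open function-pointer member in the same way.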
int (*start)(struct hid_device *hdev);
void (*stop)(struct hid_device *hdev);
int (*open)(struct hid_device *hdev);
void (*close)(struct hid_device *hdev);
int (*power)(struct hid_device *hdev, int level);
int (*parse)(struct hid_device *hdev);
Reported by FlawFinder.
drivers/zorro/zorro-sysfs.c
4 issues
Line: 32
Column: 9
CWE codes:
134
Suggestion:
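Make format string constant
Triage note: format_string is a macro parameter, and the instantiations quoted below pass string literals ("0x%08x\n", "0x%02x\n"), so the format is fixed at compile time for the uses shown. The line 68 finding is similar: its format is the macro ZORRO_DEVICE_MODALIAS_FMT concatenated with a literal.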
struct zorro_dev *z; \
\
z = to_zorro_dev(dev); \
return sprintf(buf, format_string, z->field); \
} \
static DEVICE_ATTR_RO(name);
zorro_config_attr(id, id, "0x%08x\n");
zorro_config_attr(type, rom.er_Type, "0x%02x\n");
Reported by FlawFinder.
Line: 68
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
{
struct zorro_dev *z = to_zorro_dev(dev);
return sprintf(buf, ZORRO_DEVICE_MODALIAS_FMT "\n", z->id);
}
static DEVICE_ATTR_RO(modalias);
static struct attribute *zorro_device_attrs[] = {
&dev_attr_id.attr,
Reported by FlawFinder.
Line: 47
Column: 9
CWE codes:
120
Suggestion:
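Use sprintf_s, snprintf, or vsnprintf
Triage note: sprintf_s is a C11 Annex K function and is not provided in kernel code. The excerpt appears to be a sysfs show callback (it is followed by DEVICE_ATTR_RO), and for those the kernel's bounded helper is sysfs_emit(), which limits output to the PAGE_SIZE buffer sysfs supplies. The same applies to the line 56 finding.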
struct zorro_dev *z;
z = to_zorro_dev(dev);
return sprintf(buf, "0x%08x\n", be32_to_cpu(z->rom.er_SerialNumber));
}
static DEVICE_ATTR_RO(serial);
static ssize_t resource_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 56
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct zorro_dev *z = to_zorro_dev(dev);
return sprintf(buf, "0x%08lx 0x%08lx 0x%08lx\n",
(unsigned long)zorro_resource_start(z),
(unsigned long)zorro_resource_end(z),
zorro_resource_flags(z));
}
static DEVICE_ATTR_RO(resource);
Reported by FlawFinder.
include/linux/hdlcdrv.h
4 issues
Line: 37
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int rd;
unsigned int wr;
unsigned int shreg;
unsigned char buffer[HDLCDRV_BITBUFFER];
};
static inline void hdlcdrv_add_bitbuffer(struct hdlcdrv_bitbuffer *buf,
unsigned int bit)
{
Reported by FlawFinder.
Line: 80
Column: 8
CWE codes:
362
/*
* the routines called by the hdlcdrv routines
*/
int (*open)(struct net_device *);
int (*close)(struct net_device *);
int (*ioctl)(struct net_device *, struct ifreq *,
struct hdlcdrv_ioctl *, int);
};
Reported by FlawFinder.
Line: 118
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int len;
unsigned char *bp;
unsigned char buffer[HDLCDRV_MAXFLEN+2];
} hdlcrx;
struct hdlcdrv_hdlctx {
struct hdlcdrv_hdlcbuffer hbuf;
unsigned long in_hdlc_tx;
Reported by FlawFinder.
Line: 141
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int len;
unsigned char *bp;
unsigned char buffer[HDLCDRV_MAXFLEN+2];
} hdlctx;
#ifdef HDLCDRV_DEBUG
struct hdlcdrv_bitbuffer bitbuf_channel;
struct hdlcdrv_bitbuffer bitbuf_hdlc;
Reported by FlawFinder.
fs/affs/file.c
4 issues
Line: 548
Column: 3
CWE codes:
120
Suggestion:
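Make sure destination can always hold the source data
Triage note: the excerpt checks pos + tmp > to and tmp > bsize with BUG_ON immediately before the copy, so a violated bound halts the kernel path rather than overflowing. Whether `to` stays within the mapped page is not shown. The line 747 finding copies bsize bytes with no check visible in its excerpt, so that one needs the surrounding source to triage.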
tmp = min(bsize - boff, to - pos);
BUG_ON(pos + tmp > to || tmp > bsize);
data = kmap_atomic(page);
memcpy(data + pos, AFFS_DATA(bh) + boff, tmp);
kunmap_atomic(data);
affs_brelse(bh);
bidx++;
pos += tmp;
boff = 0;
Reported by FlawFinder.
Line: 728
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
tmp = min(bsize - boff, to - from);
BUG_ON(boff + tmp > bsize || tmp > bsize);
memcpy(AFFS_DATA(bh) + boff, data + from, tmp);
be32_add_cpu(&AFFS_DATA_HEAD(bh)->size, tmp);
affs_fix_checksum(sb, bh);
mark_buffer_dirty_inode(bh, inode);
written += tmp;
from += tmp;
Reported by FlawFinder.
Line: 747
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bh = affs_getemptyblk_ino(inode, bidx);
if (IS_ERR(bh))
goto err_bh;
memcpy(AFFS_DATA(bh), data + from, bsize);
if (buffer_new(bh)) {
AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
AFFS_DATA_HEAD(bh)->size = cpu_to_be32(bsize);
Reported by FlawFinder.
Line: 781
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err_bh;
tmp = min(bsize, to - from);
BUG_ON(tmp > bsize);
memcpy(AFFS_DATA(bh), data + from, tmp);
if (buffer_new(bh)) {
AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp);
Reported by FlawFinder.
fs/affs/super.c
4 issues
Line: 459
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("Cannot read boot block\n");
return -EINVAL;
}
memcpy(sig, boot_bh->b_data, 4);
brelse(boot_bh);
chksum = be32_to_cpu(*(__be32 *)sig);
/* Dircache filesystems are compatible with non-dircache ones
* when reading. As long as they aren't supported, writing is
Reported by FlawFinder.
Line: 564
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int root_block;
unsigned long mount_flags;
int res = 0;
char volume[32];
char *prefix = NULL;
pr_debug("%s(flags=0x%x,opts=\"%s\")\n", __func__, *flags, data);
sync_filesystem(sb);
Reported by FlawFinder.
Line: 572
Column: 2
CWE codes:
120
Suggestion:
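Make sure destination can always hold the source data
Triage note: the destination is the char volume[32] declared in the line 564 finding and the copy length is the literal 32, so the destination is exactly filled. The size of sbi->s_volume is not shown and needs confirming. Using sizeof(volume) instead of the repeated literal would keep the buffer and the copy length in step. The line 592 finding is the reverse copy with the same literal.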
sync_filesystem(sb);
*flags |= SB_NODIRATIME;
memcpy(volume, sbi->s_volume, 32);
if (!parse_options(data, &uid, &gid, &mode, &reserved, &root_block,
&blocksize, &prefix, volume,
&mount_flags)) {
kfree(prefix);
return -EINVAL;
Reported by FlawFinder.
Line: 592
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kfree(sbi->s_prefix);
sbi->s_prefix = prefix;
}
memcpy(sbi->s_volume, volume, 32);
spin_unlock(&sbi->symlink_lock);
if ((bool)(*flags & SB_RDONLY) == sb_rdonly(sb))
return 0;
Reported by FlawFinder.
fs/afs/dir.c
4 issues
Line: 987
Column: 3
CWE codes:
120
Suggestion:
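Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
Triage note: strcpy_s is not provided in kernel code; the kernel's bounded string copy is strscpy(). The line 981 finding shows the combined length being rejected with -ENAMETOOLONG when it reaches AFSNAMEMAX, just before this strcpy. The remaining thing to confirm is that buf is allocated with at least AFSNAMEMAX bytes, which the excerpts do not show.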
goto out_s;
}
strcpy(p, name);
ret = lookup_one_len(buf, dentry->d_parent, len);
if (IS_ERR(ret) || d_is_positive(ret))
goto out_s;
dput(ret);
}
Reported by FlawFinder.
Line: 969
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!buf)
goto out_p;
if (dentry->d_name.len > 4) {
memcpy(p, dentry->d_name.name, dentry->d_name.len - 4);
p += dentry->d_name.len - 4;
}
/* There is an ordered list of substitutes that we have to try. */
read_lock(&net->sysnames_lock);
Reported by FlawFinder.
Line: 981
Column: 34
CWE codes:
126
for (i = 0; i < subs->nr; i++) {
name = subs->subs[i];
len = dentry->d_name.len - 4 + strlen(name);
if (len >= AFSNAMEMAX) {
ret = ERR_PTR(-ENAMETOOLONG);
goto out_s;
}
Reported by FlawFinder.
Line: 1842
Column: 6
CWE codes:
126
goto error;
ret = -EINVAL;
if (strlen(content) >= AFSPATHMAX)
goto error;
op = afs_alloc_operation(NULL, dvnode->volume);
if (IS_ERR(op)) {
ret = PTR_ERR(op);
Reported by FlawFinder.
fs/afs/flock.c
4 issues
Line: 415
Column: 15
CWE codes:
362/367!
Suggestion:
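Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Triage note: this advice addresses the check-then-use race of the access(2) call. In the excerpt below, access is a local variable of type afs_access_t, not a function call, so the finding looks like a name match and should be confirmed against the source before any change is made. The line 428, 439 and 442 findings for this file point at uses of the same variable.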
static int afs_do_setlk_check(struct afs_vnode *vnode, struct key *key,
enum afs_flock_mode mode, afs_lock_type_t type)
{
afs_access_t access;
int ret;
/* Make sure we've got a callback on this file and that our view of the
* data version is up to date.
*/
Reported by FlawFinder.
Line: 428
Column: 38
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* Check the permission set to see if we're actually going to be
* allowed to get a lock on this file.
*/
ret = afs_check_permit(vnode, key, &access);
if (ret < 0)
return ret;
/* At a rough estimation, you need LOCK, WRITE or INSERT perm to
* read-lock a file and WRITE or INSERT perm to write-lock a file.
Reported by FlawFinder.
Line: 439
Column: 9
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* share a read lock that we already have, we won't go the server.
*/
if (type == AFS_LOCK_READ) {
if (!(access & (AFS_ACE_INSERT | AFS_ACE_WRITE | AFS_ACE_LOCK)))
return -EACCES;
} else {
if (!(access & (AFS_ACE_INSERT | AFS_ACE_WRITE)))
return -EACCES;
}
Reported by FlawFinder.
Line: 442
Column: 9
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (!(access & (AFS_ACE_INSERT | AFS_ACE_WRITE | AFS_ACE_LOCK)))
return -EACCES;
} else {
if (!(access & (AFS_ACE_INSERT | AFS_ACE_WRITE)))
return -EACCES;
}
return 0;
}
Reported by FlawFinder.