The following issues were found
fs/crypto/policy.c
4 issues
Line: 280
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * NOTE(review): the length is sizeof() of the destination field, so this
 * copy cannot write past ctx->master_key_descriptor. What is left to
 * confirm is the read side: policy->master_key_descriptor must be at
 * least as large (its declaration is outside this excerpt).
 */
memcpy(ctx->master_key_descriptor,
policy->master_key_descriptor,
sizeof(ctx->master_key_descriptor));
/*
 * NOTE(review): fixed-length copy; confirm that ctx->nonce and the buffer
 * behind `nonce` are both FSCRYPT_FILE_NONCE_SIZE bytes.
 */
memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE);
/* The size of the context that was filled in is handed back to the caller. */
return sizeof(*ctx);
}
case FSCRYPT_POLICY_V2: {
const struct fscrypt_policy_v2 *policy = &policy_u->v2;
struct fscrypt_context_v2 *ctx = &ctx_u->v2;
Reported by FlawFinder.
Line: 296
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * NOTE(review): bounded by sizeof() of the destination field, so the write
 * side is safe by construction. Confirm that
 * policy->master_key_identifier is declared with the same size so the
 * read does not run past the source.
 */
memcpy(ctx->master_key_identifier,
policy->master_key_identifier,
sizeof(ctx->master_key_identifier));
/*
 * NOTE(review): fixed-length copy; confirm that ctx->nonce and the buffer
 * behind `nonce` are both FSCRYPT_FILE_NONCE_SIZE bytes.
 */
memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE);
return sizeof(*ctx);
}
}
BUG();
}
Reported by FlawFinder.
Line: 763
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case FSCRYPT_POLICY_V1:
policy->v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
policy->v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
/*
 * NOTE(review): the length is a compile-time constant rather than
 * sizeof(destination). Confirm both policy->v1.master_key_descriptor and
 * key_spec.u.descriptor are declared with FSCRYPT_KEY_DESCRIPTOR_SIZE
 * bytes (declarations are outside this excerpt).
 */
memcpy(policy->v1.master_key_descriptor, key_spec.u.descriptor,
FSCRYPT_KEY_DESCRIPTOR_SIZE);
break;
case FSCRYPT_POLICY_V2:
policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
Reported by FlawFinder.
Line: 769
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case FSCRYPT_POLICY_V2:
policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
/*
 * NOTE(review): the length is a compile-time constant rather than
 * sizeof(destination). Confirm both policy->v2.master_key_identifier and
 * key_spec.u.identifier are declared with FSCRYPT_KEY_IDENTIFIER_SIZE
 * bytes (declarations are outside this excerpt).
 */
memcpy(policy->v2.master_key_identifier, key_spec.u.identifier,
FSCRYPT_KEY_IDENTIFIER_SIZE);
break;
default:
WARN_ON(1);
err = -EINVAL;
Reported by FlawFinder.
fs/d_path.c
4 issues
Line: 277
Column: 7
CWE codes:
134
Suggestion:
Use a constant for the format specification
int sz;
va_start(args, fmt);
/*
 * NOTE(review): fmt is a parameter, which is what triggers the CWE-134
 * finding. Whether it matters depends on the callers, none of which are
 * in this excerpt: confirm each one passes a literal format string and
 * that the prototype carries a printf-format attribute (__printf in
 * kernel code) so the compiler checks the arguments.
 *
 * The write itself is limited to sizeof(temp). vsnprintf() reports the
 * length the full output would need, and the "+ 1" adds the terminating
 * NUL to that figure.
 */
sz = vsnprintf(temp, sizeof(temp), fmt, args) + 1;
va_end(args);
/*
 * Reject output that was truncated in temp or that will not fit in the
 * caller's buffer. sz is int and sizeof(temp) is size_t, so the first
 * comparison is performed unsigned and a negative sz is rejected too.
 */
if (sz > sizeof(temp) || sz > buflen)
return ERR_PTR(-ENAMETOOLONG);
Reported by FlawFinder.
Line: 30
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * The remaining-space counter is reduced first and the copy is performed
 * only if it did not go negative, so the bounds check the finding asks
 * for is the `p->len >= 0` test below.
 * NOTE(review): this relies on namelen being non-negative and on p->len
 * matching the number of bytes available in front of p->buf; both are
 * established outside this excerpt.
 */
p->len -= namelen;
if (likely(p->len >= 0)) {
/* Move the write pointer back, then copy into the space just reserved. */
p->buf -= namelen;
memcpy(p->buf, str, namelen);
}
}
/**
* prepend_name - prepend a pathname in front of current buffer pointer
Reported by FlawFinder.
Line: 273
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *fmt, ...)
{
va_list args;
/*
 * Fixed 64-byte stack buffer; this declaration is what the CWE-119/120
 * finding points at. The only write to it in this excerpt is the
 * vsnprintf() below, which is given sizeof(temp) as its limit, so long
 * output is truncated instead of overrunning the array.
 */
char temp[64];
int sz;
va_start(args, fmt);
/* "+ 1" makes sz include the terminating NUL. */
sz = vsnprintf(temp, sizeof(temp), fmt, args) + 1;
va_end(args);
Reported by FlawFinder.
Line: 284
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ERR_PTR(-ENAMETOOLONG);
/*
 * Place the string at the tail of the caller's buffer.
 * NOTE(review): the copy is safe only if sz <= buflen and
 * sz <= sizeof(temp) were both enforced before this point; the condition
 * guarding the return above is outside this excerpt, so confirm it covers
 * both limits.
 */
buffer += buflen - sz;
return memcpy(buffer, temp, sz);
}
char *simple_dname(struct dentry *dentry, char *buffer, int buflen)
{
DECLARE_BUFFER(b, buffer, buflen);
Reported by FlawFinder.
fs/dlm/ast.c
4 issues
Line: 126
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* oldest undelivered cb is callbacks[0] */
/*
 * NOTE(review): both calls use sizeof(struct dlm_callback), so the sizes
 * are correct as long as cb points at a full struct dlm_callback and
 * lkb_callbacks[] holds elements of that type; both declarations are
 * outside this excerpt.
 */
memcpy(cb, &lkb->lkb_callbacks[0], sizeof(struct dlm_callback));
/* Clear the slot that was just handed out. */
memset(&lkb->lkb_callbacks[0], 0, sizeof(struct dlm_callback));
/* shift others down */
for (i = 1; i < DLM_CALLBACKS_SIZE; i++) {
Reported by FlawFinder.
Line: 134
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Shift the remaining callbacks down by one slot. i starts at 1, so the
 * destination index i-1 is never negative, and the loop condition keeps
 * the source index below DLM_CALLBACKS_SIZE.
 * NOTE(review): assumes lkb_callbacks[] has DLM_CALLBACKS_SIZE elements of
 * struct dlm_callback (declaration outside this excerpt).
 */
for (i = 1; i < DLM_CALLBACKS_SIZE; i++) {
/* A zero seq marks the first unused slot; nothing further to move. */
if (!lkb->lkb_callbacks[i].seq)
break;
/* Source and destination are adjacent elements and the length is one element. */
memcpy(&lkb->lkb_callbacks[i-1], &lkb->lkb_callbacks[i],
sizeof(struct dlm_callback));
memset(&lkb->lkb_callbacks[i], 0, sizeof(struct dlm_callback));
/* One more entry was moved down. */
(*resid)++;
}
Reported by FlawFinder.
Line: 160
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Remember the most recent completion callback and when it was seen. */
if (cb->flags & DLM_CB_CAST) {
/*
 * NOTE(review): fixed-size struct copy; correct provided
 * lkb->lkb_last_cast is itself a struct dlm_callback (declared
 * outside this excerpt).
 */
memcpy(&lkb->lkb_last_cast, cb, sizeof(struct dlm_callback));
lkb->lkb_last_cast_time = ktime_get();
}
if (cb->flags & DLM_CB_BAST) {
memcpy(&lkb->lkb_last_bast, cb, sizeof(struct dlm_callback));
Reported by FlawFinder.
Line: 165
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Remember the most recent blocking callback and when it was seen. */
if (cb->flags & DLM_CB_BAST) {
/*
 * NOTE(review): fixed-size struct copy; correct provided
 * lkb->lkb_last_bast is itself a struct dlm_callback (declared
 * outside this excerpt).
 */
memcpy(&lkb->lkb_last_bast, cb, sizeof(struct dlm_callback));
lkb->lkb_last_bast_time = ktime_get();
}
rv = 0;
out:
return rv;
Reported by FlawFinder.
fs/dlm/lowcomms.c
4 issues
Line: 337
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* The node-address entry is looked up and read under dlm_node_addrs_spin. */
spin_lock(&dlm_node_addrs_spin);
na = find_node_addr(nodeid);
if (na && na->addr_count) {
/*
 * NOTE(review): the copy length is fixed at
 * sizeof(struct sockaddr_storage), so the points to confirm are that
 * `sas` is a struct sockaddr_storage, that every na->addr[] entry
 * points at a full one, and that curr_addr_index is always kept below
 * addr_count. The declarations and the code that maintains the index
 * are outside this excerpt.
 */
memcpy(&sas, na->addr[na->curr_addr_index],
sizeof(struct sockaddr_storage));
if (try_new_addr) {
na->curr_addr_index++;
if (na->curr_addr_index == na->addr_count)
Reported by FlawFinder.
Line: 357
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*mark = na->mark;
/*
 * Optional output: callers that pass sas_out receive the whole address.
 * NOTE(review): the length is fixed, so every caller must supply a buffer
 * of at least sizeof(struct sockaddr_storage); callers are outside this
 * excerpt.
 */
if (sas_out)
memcpy(sas_out, &sas, sizeof(struct sockaddr_storage));
if (!sa_out)
return 0;
if (dlm_local_addr[0]->ss_family == AF_INET) {
Reported by FlawFinder.
Line: 431
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
/*
 * NOTE(review): unlike the other copies reported for this file, the
 * length here is the variable `len`, not a sizeof(). Both the allocation
 * of new_addr and any validation of len are outside this excerpt; confirm
 * that len can never exceed the size new_addr was allocated with before
 * treating this finding as a false positive.
 */
memcpy(new_addr, addr, len);
spin_lock(&dlm_node_addrs_spin);
na = find_node_addr(nodeid);
if (!na) {
new_node->nodeid = nodeid;
Reported by FlawFinder.
Line: 1639
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* The resend entry takes a reference on the original message and records it. */
kref_get(&msg->ref);
msg_resend->orig_msg = msg;
/*
 * NOTE(review): the length comes from msg->len and the destination `ppc`
 * is obtained outside this excerpt. Confirm that ppc was allocated using
 * the same msg->len, and that msg->len cannot change between that
 * allocation and this copy.
 */
memcpy(ppc, msg->ppc, msg->len);
_dlm_lowcomms_commit_msg(msg_resend);
dlm_lowcomms_put_msg(msg_resend);
return 0;
}
Reported by FlawFinder.
fs/xfs/scrub/agheader_repair.c
4 issues
Line: 187
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct xfs_mount *mp = sc->mp;
struct xfs_agf *agf = agf_bp->b_addr;
/*
 * Snapshot the current header before it is wiped.
 * NOTE(review): the length is sizeof(*old_agf), i.e. the destination's
 * own size, so the write side is bounded; confirm the buffer behind
 * agf_bp->b_addr is at least that large.
 */
memcpy(old_agf, agf, sizeof(*old_agf));
/* Zero the whole buffer (b_length converted to bytes by BBTOB) before rebuilding the header. */
memset(agf, 0, BBTOB(agf_bp->b_length));
agf->agf_magicnum = cpu_to_be32(XFS_AGF_MAGIC);
agf->agf_versionnum = cpu_to_be32(XFS_AGF_VERSION);
agf->agf_seqno = cpu_to_be32(sc->sa.agno);
agf->agf_length = cpu_to_be32(xfs_ag_block_count(mp, sc->sa.agno));
Reported by FlawFinder.
Line: 425
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
out_revert:
/* Mark the incore AGF state stale and revert the AGF. */
sc->sa.pag->pagf_init = 0;
/*
 * NOTE(review): the length is sizeof() of the local snapshot old_agf, so
 * the read side is bounded; the write is safe provided `agf` still points
 * at a buffer of at least that size (set up outside this excerpt).
 */
memcpy(agf, &old_agf, sizeof(old_agf));
return error;
}
/* AGFL */
Reported by FlawFinder.
Line: 760
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct xfs_agi *agi = agi_bp->b_addr;
struct xfs_mount *mp = sc->mp;
/*
 * Snapshot the current header before it is wiped.
 * NOTE(review): the length is sizeof(*old_agi), i.e. the destination's
 * own size, so the write side is bounded; confirm the buffer behind
 * agi_bp->b_addr is at least that large.
 */
memcpy(old_agi, agi, sizeof(*old_agi));
/* Zero the whole buffer (b_length converted to bytes by BBTOB) before rebuilding the header. */
memset(agi, 0, BBTOB(agi_bp->b_length));
agi->agi_magicnum = cpu_to_be32(XFS_AGI_MAGIC);
agi->agi_versionnum = cpu_to_be32(XFS_AGI_VERSION);
agi->agi_seqno = cpu_to_be32(sc->sa.agno);
agi->agi_length = cpu_to_be32(xfs_ag_block_count(mp, sc->sa.agno));
Reported by FlawFinder.
Line: 930
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
out_revert:
/* Mark the incore AGI state stale and revert the AGI. */
sc->sa.pag->pagi_init = 0;
/*
 * NOTE(review): the length is sizeof() of the local snapshot old_agi, so
 * the read side is bounded; the write is safe provided `agi` still points
 * at a buffer of at least that size (set up outside this excerpt).
 */
memcpy(agi, &old_agi, sizeof(old_agi));
return error;
}
Reported by FlawFinder.
include/linux/netfilter_bridge/ebtables.h
4 issues
Line: 22
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ebt_match {
struct list_head list;
/*
 * NOTE(review): this is reported only because a fixed-size char array is
 * declared. The field is const-qualified, so it is not written through
 * this type after initialization; the thing to check is that readers
 * never assume more than EBT_FUNCTION_MAXNAMELEN bytes or an unbounded
 * string.
 */
const char name[EBT_FUNCTION_MAXNAMELEN];
bool (*match)(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop);
bool (*checkentry)(const char *table, const void *entry,
Reported by FlawFinder.
Line: 39
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ebt_watcher {
struct list_head list;
/*
 * NOTE(review): reported for the fixed-size array declaration alone. The
 * field is const-qualified; review the code that compares or prints it
 * for length-limited handling rather than this declaration.
 */
const char name[EBT_FUNCTION_MAXNAMELEN];
unsigned int (*target)(struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
unsigned int hook_num, const struct xt_target *target,
const void *targinfo);
bool (*checkentry)(const char *table, const void *entry,
Reported by FlawFinder.
Line: 56
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ebt_target {
struct list_head list;
/*
 * NOTE(review): reported for the fixed-size array declaration alone. The
 * field is const-qualified; review the code that compares or prints it
 * for length-limited handling rather than this declaration.
 */
const char name[EBT_FUNCTION_MAXNAMELEN];
/* returns one of the standard EBT_* verdicts */
unsigned int (*target)(struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
unsigned int hook_num, const struct xt_target *target,
const void *targinfo);
Reported by FlawFinder.
Line: 93
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ebt_table {
struct list_head list;
/*
 * NOTE(review): unlike the name fields in the other structures reported
 * for this header, this one is not const, so it can be a copy
 * destination. Any code that fills it must limit the copy to
 * EBT_TABLE_MAXNAMELEN bytes and leave the string NUL-terminated; those
 * writers are outside this excerpt.
 */
char name[EBT_TABLE_MAXNAMELEN];
struct ebt_replace_kernel *table;
unsigned int valid_hooks;
rwlock_t lock;
/* e.g. could be the table explicitly only allows certain
* matches, targets, ... 0 == let it in */
Reported by FlawFinder.
fs/ecryptfs/miscdev.c
4 issues
Line: 161
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg_ctx->msg->index = msg_ctx->index;
/* The payload length is recorded in the message header. */
msg_ctx->msg->data_len = data_size;
msg_ctx->type = msg_type;
/*
 * NOTE(review): the length is the variable data_size and the allocation
 * of msg_ctx->msg is outside this excerpt. The msg_size computed on the
 * next line suggests the message is sized as header plus data_size;
 * confirm the allocation uses that same expression and checks it for
 * overflow.
 */
memcpy(msg_ctx->msg->data, data, data_size);
msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);
mutex_unlock(&msg_ctx->mux);
mutex_lock(&daemon->mux);
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ecryptfs_daemon *daemon = file->private_data;
struct ecryptfs_msg_ctx *msg_ctx;
size_t packet_length_size;
/*
 * NOTE(review): reported for the fixed-size stack array declaration. The
 * code that fills it is outside this excerpt; confirm it never writes
 * more than ECRYPTFS_MAX_PKT_LEN_SIZE bytes.
 */
char packet_length[ECRYPTFS_MAX_PKT_LEN_SIZE];
size_t i;
size_t total_length;
int rc;
mutex_lock(&daemon->mux);
Reported by FlawFinder.
Line: 360
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 seq;
size_t packet_size, packet_size_length;
char *data;
/*
 * NOTE(review): reported for the fixed-size stack array declaration. The
 * code that fills it is outside this excerpt; confirm any copy into it is
 * limited to ECRYPTFS_MAX_PKT_LEN_SIZE bytes and to the `count` supplied
 * by the writer.
 */
unsigned char packet_size_peek[ECRYPTFS_MAX_PKT_LEN_SIZE];
ssize_t rc;
if (count == 0) {
return 0;
} else if (count == MIN_NON_MSG_PKT_SIZE) {
Reported by FlawFinder.
Line: 417
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = -EINVAL;
goto out_free;
}
/*
 * NOTE(review): the length is a constant, so the risk is on the read side.
 * Confirm the length checks that precede this excerpt guarantee `data`
 * holds at least PKT_CTR_OFFSET + PKT_CTR_SIZE bytes, and that
 * counter_nbo is PKT_CTR_SIZE bytes wide.
 */
memcpy(&counter_nbo, &data[PKT_CTR_OFFSET], PKT_CTR_SIZE);
/* The counter is stored big-endian in the packet. */
seq = be32_to_cpu(counter_nbo);
/*
 * NOTE(review): the payload pointer and packet_size passed here are
 * derived from the packet contents; the check that ties them to the
 * actual length of `data` is outside this excerpt.
 */
rc = ecryptfs_miscdev_response(file->private_data,
&data[PKT_LEN_OFFSET + packet_size_length],
packet_size, seq);
if (rc) {
Reported by FlawFinder.
fs/xfs/libxfs/xfs_dir2_node.c
4 issues
Line: 999
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy the leaf entries from source to destination.
 *
 * NOTE(review): the byte count is count * sizeof(entry). The ranges
 * [start_s, start_s + count) in sents and [start_d, start_d + count) in
 * dents must both lie inside their leaf blocks; that validation is
 * outside this excerpt.
 */
memcpy(&dents[start_d], &sents[start_s],
count * sizeof(xfs_dir2_leaf_entry_t));
xfs_dir3_leaf_log_ents(args, dhdr, bp_d, start_d, start_d + count - 1);
/*
* If there are source entries after the ones we copied,
Reported by FlawFinder.
Line: 1534
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* path point to the block we want to drop (this one).
*/
/* Shift toward the forward sibling when one exists. */
forward = (leafhdr.forw != 0);
/*
 * NOTE(review): the length is sizeof() of the source (state->path), not of
 * the destination. This is correct only if altpath has the same type as
 * path; the structure declaration is outside this excerpt.
 */
memcpy(&state->altpath, &state->path, sizeof(state->path));
error = xfs_da3_path_shift(state, &state->altpath, forward, 0,
&rval);
if (error)
return error;
*action = rval ? 2 : 0;
Reported by FlawFinder.
Line: 1595
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Make altpath point to the block we want to keep (the lower
* numbered block) and path point to the block we want to drop.
*/
/*
 * NOTE(review): the length is sizeof() of the source (state->path), not of
 * the destination. This is correct only if altpath has the same type as
 * path; the structure declaration is outside this excerpt.
 */
memcpy(&state->altpath, &state->path, sizeof(state->path));
if (blkno < blk->blkno)
error = xfs_da3_path_shift(state, &state->altpath, forward, 0,
&rval);
else
error = xfs_da3_path_shift(state, &state->path, forward, 0,
Reported by FlawFinder.
Line: 1973
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* The new entry is built in place over the unused region `dup`. */
dep = (xfs_dir2_data_entry_t *)dup;
dep->inumber = cpu_to_be64(args->inumber);
dep->namelen = args->namelen;
/*
 * NOTE(review): the copy length is the name length just stored in the
 * entry. Confirm, in the code outside this excerpt, that the free region
 * behind `dup` was chosen to hold an entry with a name of args->namelen
 * bytes, and that args->name really holds that many bytes.
 */
memcpy(dep->name, args->name, dep->namelen);
xfs_dir2_data_put_ftype(dp->i_mount, dep, args->filetype);
tagp = xfs_dir2_data_entry_tag_p(dp->i_mount, dep);
*tagp = cpu_to_be16((char *)dep - (char *)hdr);
xfs_dir2_data_log_entry(args, dbp, dep);
Reported by FlawFinder.
fs/xfs/libxfs/xfs_bmap_btree.c
4 issues
Line: 55
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* dmxr still holds the value assigned before this excerpt when the source pointer address is computed. */
fpp = XFS_BMDR_PTR_ADDR(dblock, 1, dmxr);
tpp = XFS_BMAP_BROOT_PTR_ADDR(mp, rblock, 1, rblocklen);
/*
 * From here on dmxr is the record count read from the on-disk block.
 * NOTE(review): this count, taken from disk, sets the length of both
 * copies below, and nothing in this excerpt compares it with the space
 * available in rblock (rblocklen). Confirm bb_numrecs is validated
 * against both the source and destination capacities before this code
 * runs.
 */
dmxr = be16_to_cpu(dblock->bb_numrecs);
memcpy(tkp, fkp, sizeof(*fkp) * dmxr);
memcpy(tpp, fpp, sizeof(*fpp) * dmxr);
}
void
xfs_bmbt_disk_get_all(
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tpp = XFS_BMAP_BROOT_PTR_ADDR(mp, rblock, 1, rblocklen);
/*
 * NOTE(review): dmxr is the record count read from the on-disk block and
 * it sets the length of both copies. The pointer copy into tpp is safe
 * only if that count fits the destination root block; the validation of
 * bb_numrecs is outside this excerpt.
 */
dmxr = be16_to_cpu(dblock->bb_numrecs);
memcpy(tkp, fkp, sizeof(*fkp) * dmxr);
memcpy(tpp, fpp, sizeof(*fpp) * dmxr);
}
void
xfs_bmbt_disk_get_all(
struct xfs_bmbt_rec *rec,
Reported by FlawFinder.
Line: 158
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Here the copy goes the other way: source in rblock, destination in dblock. */
fpp = XFS_BMAP_BROOT_PTR_ADDR(mp, rblock, 1, rblocklen);
tpp = XFS_BMDR_PTR_ADDR(dblock, 1, dmxr);
/*
 * NOTE(review): dmxr is reloaded from dblock->bb_numrecs and then used as
 * the element count for both copies. Nothing in this excerpt compares it
 * with the space available in dblock; confirm the record count is bounded
 * by the destination's capacity in the code outside this excerpt.
 */
dmxr = be16_to_cpu(dblock->bb_numrecs);
memcpy(tkp, fkp, sizeof(*fkp) * dmxr);
memcpy(tpp, fpp, sizeof(*fpp) * dmxr);
}
STATIC struct xfs_btree_cur *
xfs_bmbt_dup_cursor(
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tpp = XFS_BMDR_PTR_ADDR(dblock, 1, dmxr);
/*
 * NOTE(review): dmxr is reloaded from dblock->bb_numrecs and sets the
 * length of both copies. The pointer copy into tpp is safe only if that
 * count fits the destination block; the check is outside this excerpt.
 */
dmxr = be16_to_cpu(dblock->bb_numrecs);
memcpy(tkp, fkp, sizeof(*fkp) * dmxr);
memcpy(tpp, fpp, sizeof(*fpp) * dmxr);
}
STATIC struct xfs_btree_cur *
xfs_bmbt_dup_cursor(
struct xfs_btree_cur *cur)
Reported by FlawFinder.
fs/exportfs/expfs.c
4 issues
Line: 260
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf->sequence++;
/*
 * The copy is taken only for the matching inode and only when the name is
 * at most NAME_MAX bytes; the terminator is then written at index len, so
 * the buffer behind buf->name needs NAME_MAX + 1 bytes.
 * NOTE(review): the upper bound alone does not exclude a negative len if
 * len is a signed type; its declaration and the buffer's size are outside
 * this excerpt.
 */
if (buf->ino == ino && len <= NAME_MAX) {
memcpy(buf->name, name, len);
buf->name[len] = '\0';
buf->found = 1;
result = -1;
}
return result;
Reported by FlawFinder.
Line: 428
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct export_operations *nop = mnt->mnt_sb->s_export_op;
struct dentry *result, *alias;
/*
 * Sized NAME_MAX + 1, i.e. room for a maximum-length name plus its NUL.
 * NOTE(review): reported for the fixed-size array declaration; the code
 * that fills nbuf is outside this excerpt and must respect that limit.
 */
char nbuf[NAME_MAX+1];
int err;
/*
* Try to get any dentry for the given file handle from the filesystem.
*/
Reported by FlawFinder.
Line: 148
Column: 46
CWE codes:
126
if (err)
goto out_err;
dprintk("%s: found name: %s\n", __func__, nbuf);
/*
 * NOTE(review): CWE-126 is raised for strlen(nbuf). The call is safe only
 * if whatever filled nbuf always NUL-terminates it within the array; that
 * code is outside this excerpt.
 */
tmp = lookup_one_len_unlocked(nbuf, parent, strlen(nbuf));
if (IS_ERR(tmp)) {
/* NOTE(review): PTR_ERR() returns long while the format uses %d — confirm the specifier matches. */
dprintk("%s: lookup failed: %d\n", __func__, PTR_ERR(tmp));
err = PTR_ERR(tmp);
goto out_err;
}
Reported by FlawFinder.
Line: 528
Column: 46
CWE codes:
126
}
inode_lock(target_dir->d_inode);
/*
 * NOTE(review): CWE-126 is raised for strlen(nbuf). The call is safe only
 * if whatever filled nbuf always NUL-terminates it within the array; that
 * code is outside this excerpt.
 */
nresult = lookup_one_len(nbuf, target_dir, strlen(nbuf));
if (!IS_ERR(nresult)) {
if (unlikely(nresult->d_inode != result->d_inode)) {
dput(nresult);
nresult = ERR_PTR(-ESTALE);
}
Reported by FlawFinder.