The following issues were found
fs/reiserfs/item_ops.c
4 issues
Line: 378
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int namelen;
struct reiserfs_de_head *deh;
char *name;
static char namebuf[80];
printk("\n # %-15s%-30s%-15s%-15s%-15s\n", "Name",
"Key of pointed object", "Hash", "Gen number", "Status");
deh = (struct reiserfs_de_head *)item;
Reported by FlawFinder.
Line: 398
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
namebuf[sizeof(namebuf) - 2] = '"';
namebuf[sizeof(namebuf) - 1] = 0;
} else {
memcpy(namebuf + 1, name, namelen);
namebuf[namelen + 1] = '"';
namebuf[namelen + 2] = 0;
}
printk("%d: %-15s%-15d%-15d%-15lld%-15lld(%s)\n",
Reported by FlawFinder.
Line: 391
Column: 14
CWE codes:
126
deh_location(deh);
name = item + deh_location(deh);
if (name[namelen - 1] == 0)
namelen = strlen(name);
namebuf[0] = '"';
if (namelen > sizeof(namebuf) - 3) {
strncpy(namebuf + 1, name, sizeof(namebuf) - 3);
namebuf[sizeof(namebuf) - 2] = '"';
namebuf[sizeof(namebuf) - 1] = 0;
Reported by FlawFinder.
Line: 394
Column: 4
CWE codes:
120
namelen = strlen(name);
namebuf[0] = '"';
if (namelen > sizeof(namebuf) - 3) {
strncpy(namebuf + 1, name, sizeof(namebuf) - 3);
namebuf[sizeof(namebuf) - 2] = '"';
namebuf[sizeof(namebuf) - 1] = 0;
} else {
memcpy(namebuf + 1, name, namelen);
namebuf[namelen + 1] = '"';
Reported by FlawFinder.
fs/isofs/inode.c
4 issues
Line: 1253
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!tmpde)
goto out_nomem;
}
memcpy(tmpde, de, slop);
offset &= bufsize - 1;
block++;
brelse(bh);
bh = NULL;
if (offset) {
Reported by FlawFinder.
Line: 1262
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bh = sb_bread(inode->i_sb, block);
if (!bh)
goto out_noread;
memcpy((void *)tmpde+slop, bh->b_data, offset);
}
de = tmpde;
}
inode->i_size += isonum_733(de->size);
Reported by FlawFinder.
Line: 1335
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -ENOMEM;
goto fail;
}
memcpy(tmpde, bh->b_data + offset, frag1);
brelse(bh);
bh = sb_bread(inode->i_sb, ++block);
if (!bh)
goto out_badread;
memcpy((char *)tmpde+frag1, bh->b_data, de_len - frag1);
Reported by FlawFinder.
Line: 1340
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bh = sb_bread(inode->i_sb, ++block);
if (!bh)
goto out_badread;
memcpy((char *)tmpde+frag1, bh->b_data, de_len - frag1);
de = tmpde;
}
inode->i_ino = isofs_get_ino(ei->i_iget5_block,
ei->i_iget5_offset,
Reported by FlawFinder.
fs/reiserfs/inode.c
4 issues
Line: 424
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
chars = ih_item_len(ih) - path.pos_in_item;
}
memcpy(p, ih_item_body(bh, ih) + path.pos_in_item, chars);
if (done)
break;
p += chars;
Reported by FlawFinder.
Line: 1804
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode *dir)
{
struct super_block *sb = th->t_super;
char empty_dir[EMPTY_DIR_SIZE];
char *body = empty_dir;
struct cpu_key key;
int retval;
BUG_ON(!th->t_trans_id);
Reported by FlawFinder.
Line: 1964
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
make_le_item_head(&ih, NULL, KEY_FORMAT_3_6, SD_OFFSET,
TYPE_STAT_DATA, SD_SIZE, MAX_US_INT);
memcpy(INODE_PKEY(inode), &ih.ih_key, KEY_SIZE);
args.dirid = le32_to_cpu(ih.ih_key.k_dir_id);
depth = reiserfs_write_unlock_nested(inode->i_sb);
err = insert_inode_locked4(inode, args.objectid,
reiserfs_find_actor, &args);
Reported by FlawFinder.
Line: 2456
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto research;
}
memcpy(ih_item_body(bh, ih) + pos_in_item, p + bytes_copied,
copy_size);
journal_mark_dirty(&th, bh);
bytes_copied += copy_size;
set_block_dev_mapped(bh_result, 0, inode);
Reported by FlawFinder.
drivers/w1/slaves/w1_ds250x.c
4 issues
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int (*read)(struct w1_slave *sl, int pageno);
u8 eprom[W1_DS2505_SIZE];
DECLARE_BITMAP(page_present, W1_DS2505_SIZE / W1_PAGE_SIZE);
char nvmem_name[64];
};
static int w1_ds2502_read_page(struct w1_slave *sl, int pageno)
{
struct w1_eprom_data *data = sl->family_data;
Reported by FlawFinder.
Line: 161
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
} while (i < OFF2PG(off + count));
memcpy(buf, &data->eprom[off], count);
return 0;
}
static int w1_eprom_add_slave(struct w1_slave *sl)
{
Reported by FlawFinder.
Line: 40
Column: 8
CWE codes:
120
20
struct w1_eprom_data {
size_t size;
int (*read)(struct w1_slave *sl, int pageno);
u8 eprom[W1_DS2505_SIZE];
DECLARE_BITMAP(page_present, W1_DS2505_SIZE / W1_PAGE_SIZE);
char nvmem_name[64];
};
Reported by FlawFinder.
fs/jbd2/journal.c
4 issues
Line: 425
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
jh_in->b_frozen_data = tmp;
mapped_data = kmap_atomic(new_page);
memcpy(tmp, mapped_data + new_offset, bh_in->b_size);
kunmap_atomic(mapped_data);
new_page = virt_to_page(tmp);
new_offset = offset_in_page(tmp);
done_copy_out = 1;
Reported by FlawFinder.
Line: 1227
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
spin_lock(&journal->j_history_lock);
memcpy(s->stats, &journal->j_stats, size);
s->journal = journal;
spin_unlock(&journal->j_history_lock);
rc = seq_open(file, &jbd2_seq_info_ops);
if (rc == 0) {
Reported by FlawFinder.
Line: 1506
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
journal->j_inode = inode;
bdevname(journal->j_dev, journal->j_devname);
p = strreplace(journal->j_devname, '/', '!');
sprintf(p, "-%lu", journal->j_inode->i_ino);
jbd2_stats_proc_init(journal);
return journal;
}
Reported by FlawFinder.
Line: 2735
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define JBD2_MAX_SLABS 8
static struct kmem_cache *jbd2_slab[JBD2_MAX_SLABS];
static const char *jbd2_slab_names[JBD2_MAX_SLABS] = {
"jbd2_1k", "jbd2_2k", "jbd2_4k", "jbd2_8k",
"jbd2_16k", "jbd2_32k", "jbd2_64k", "jbd2_128k"
};
Reported by FlawFinder.
include/linux/serio.h
4 issues
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct serio {
void *port_data;
char name[32];
char phys[32];
char firmware_id[128];
bool manual_bind;
Reported by FlawFinder.
Line: 24
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *port_data;
char name[32];
char phys[32];
char firmware_id[128];
bool manual_bind;
struct serio_device_id id;
Reported by FlawFinder.
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name[32];
char phys[32];
char firmware_id[128];
bool manual_bind;
struct serio_device_id id;
Reported by FlawFinder.
Line: 35
Column: 8
CWE codes:
362
spinlock_t lock;
int (*write)(struct serio *, unsigned char);
int (*open)(struct serio *);
void (*close)(struct serio *);
int (*start)(struct serio *);
void (*stop)(struct serio *);
struct serio *parent;
Reported by FlawFinder.
fs/readdir.c
4 issues
Line: 134
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long d_ino;
unsigned long d_offset;
unsigned short d_namlen;
char d_name[1];
};
struct readdir_callback {
struct dir_context ctx;
struct old_linux_dirent __user * dirent;
Reported by FlawFinder.
Line: 211
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long d_ino;
unsigned long d_off;
unsigned short d_reclen;
char d_name[1];
};
struct getdents_callback {
struct dir_context ctx;
struct linux_dirent __user * current_dir;
Reported by FlawFinder.
Line: 391
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
compat_ulong_t d_ino;
compat_ulong_t d_offset;
unsigned short d_namlen;
char d_name[1];
};
struct compat_readdir_callback {
struct dir_context ctx;
struct compat_old_linux_dirent __user *dirent;
Reported by FlawFinder.
Line: 463
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
compat_ulong_t d_ino;
compat_ulong_t d_off;
unsigned short d_reclen;
char d_name[1];
};
struct compat_getdents_callback {
struct dir_context ctx;
struct compat_linux_dirent __user *current_dir;
Reported by FlawFinder.
include/linux/kmsg_dump.h
4 issues
Line: 60
Column: 59
CWE codes:
134
Suggestion:
Use a constant format string for syslog
#ifdef CONFIG_PRINTK
void kmsg_dump(enum kmsg_dump_reason reason);
bool kmsg_dump_get_line(struct kmsg_dump_iter *iter, bool syslog,
char *line, size_t size, size_t *len);
bool kmsg_dump_get_buffer(struct kmsg_dump_iter *iter, bool syslog,
char *buf, size_t size, size_t *len_out);
Reported by FlawFinder.
Line: 63
Column: 61
CWE codes:
134
Suggestion:
Use a constant format string for syslog
bool kmsg_dump_get_line(struct kmsg_dump_iter *iter, bool syslog,
char *line, size_t size, size_t *len);
bool kmsg_dump_get_buffer(struct kmsg_dump_iter *iter, bool syslog,
char *buf, size_t size, size_t *len_out);
void kmsg_dump_rewind(struct kmsg_dump_iter *iter);
int kmsg_dump_register(struct kmsg_dumper *dumper);
Reported by FlawFinder.
Line: 78
Column: 73
CWE codes:
134
Suggestion:
Use a constant format string for syslog
{
}
static inline bool kmsg_dump_get_line(struct kmsg_dump_iter *iter, bool syslog,
const char *line, size_t size, size_t *len)
{
return false;
}
Reported by FlawFinder.
Line: 84
Column: 75
CWE codes:
134
Suggestion:
Use a constant format string for syslog
return false;
}
static inline bool kmsg_dump_get_buffer(struct kmsg_dump_iter *iter, bool syslog,
char *buf, size_t size, size_t *len)
{
return false;
}
Reported by FlawFinder.
drivers/w1/slaves/w1_ds28e17.c
4 issues
Line: 723
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
data->adapter.algo = &w1_f19_i2c_algorithm;
data->adapter.algo_data = sl;
strcpy(data->adapter.name, "w1-");
strcat(data->adapter.name, sl->name);
data->adapter.dev.parent = &sl->dev;
data->adapter.quirks = &w1_f19_i2c_adapter_quirks;
return i2c_add_adapter(&data->adapter);
}
Reported by FlawFinder.
Line: 586
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return result;
/* Return current speed value. */
return sprintf(buf, "%d\n", result);
}
static ssize_t speed_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 636
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct w1_f19_data *data = sl->family_data;
/* Return current stretch value. */
return sprintf(buf, "%d\n", data->stretch);
}
static ssize_t stretch_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 722
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
data->adapter.owner = THIS_MODULE;
data->adapter.algo = &w1_f19_i2c_algorithm;
data->adapter.algo_data = sl;
strcpy(data->adapter.name, "w1-");
strcat(data->adapter.name, sl->name);
data->adapter.dev.parent = &sl->dev;
data->adapter.quirks = &w1_f19_i2c_adapter_quirks;
return i2c_add_adapter(&data->adapter);
Reported by FlawFinder.
fs/jffs2/wbuf.c
4 issues
Line: 382
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
/* Read succeeded. Copy the remaining data from the wbuf */
memcpy(buf + (c->wbuf_ofs - start), c->wbuf, end - c->wbuf_ofs);
}
}
/* OK... we're to rewrite (end-start) bytes of data from first_raw onwards.
Either 'buf' contains the data, or we find it in the wbuf */
Reported by FlawFinder.
Line: 451
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
/* OK, now we're left with the dregs in whichever buffer we're using */
if (buf) {
memcpy(c->wbuf, buf, end-start);
} else {
memmove(c->wbuf, c->wbuf + (start - c->wbuf_ofs), end - start);
}
c->wbuf_ofs = ofs;
c->wbuf_len = end - start;
Reported by FlawFinder.
Line: 789
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > (c->wbuf_pagesize - c->wbuf_len))
len = c->wbuf_pagesize - c->wbuf_len;
memcpy(c->wbuf + c->wbuf_len, buf, len);
c->wbuf_len += (uint32_t) len;
return len;
}
int jffs2_flash_writev(struct jffs2_sb_info *c, const struct kvec *invecs,
Reported by FlawFinder.
Line: 1010
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lwbf = c->wbuf_len;
}
if (lwbf > 0)
memcpy(buf+orbf,c->wbuf+owbf,lwbf);
exit:
up_read(&c->wbuf_sem);
return ret;
}
Reported by FlawFinder.