The following issues were found
fs/ceph/export.c
3 issues
Line: 440
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
goto out;
/*
 * FlawFinder CWE-120: strcpy() takes no length, so nothing on this line
 * limits how many bytes are written into `name`.
 * NOTE(review): whether this can overflow depends on two things that are
 * not in this excerpt -- the size of the caller-supplied `name` buffer and
 * any length cap applied to mount_options->snapdir_name when the option is
 * parsed. Confirm both before closing the finding. A bounded copy
 * (strscpy() in kernel code) would need the destination size, which is not
 * available in the lines shown.
 */
if (ceph_snap(inode) == CEPH_SNAPDIR) {
if (ceph_snap(dir) == CEPH_NOSNAP) {
strcpy(name, fsc->mount_options->snapdir_name);
err = 0;
}
goto out;
}
if (ceph_snap(dir) != CEPH_SNAPDIR)
Reported by FlawFinder.
Line: 490
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(!rde->inode.in);
if (ceph_snap(inode) ==
le64_to_cpu(rde->inode.in->snapid)) {
/*
 * FlawFinder CWE-120: both the copy length and the terminator index
 * come from rde->name_len, so `name` must hold name_len + 1 bytes.
 * NOTE(review): no comparison of rde->name_len against the size of
 * `name` is visible in this excerpt; confirm where that length is
 * validated (presumably when the entry is parsed) before treating
 * this as a false positive.
 */
memcpy(name, rde->name, rde->name_len);
name[rde->name_len] = '\0';
err = 0;
goto out;
}
}
Reported by FlawFinder.
Line: 554
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!err) {
/* Parsed reply for this request; dname/dname_len are read from it below. */
struct ceph_mds_reply_info_parsed *rinfo = &req->r_reply_info;
/*
 * FlawFinder CWE-120: the length is whatever the parsed reply carries
 * in dname_len, and the terminator is written at that same index, so
 * `name` needs dname_len + 1 bytes.
 * NOTE(review): no upper bound on rinfo->dname_len is checked in the
 * lines shown; confirm it is limited before it reaches this copy.
 */
memcpy(name, rinfo->dname, rinfo->dname_len);
name[rinfo->dname_len] = 0;
dout("get_name %p ino %llx.%llx name %s\n",
child, ceph_vinop(inode), name);
} else {
dout("get_name %p ino %llx.%llx err %d\n",
Reported by FlawFinder.
drivers/watchdog/wdrtas.c
3 issues
Line: 56
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define WDRTAS_DEFAULT_INTERVAL 300
#define WDRTAS_LOGBUFFER_LEN 128
/*
 * FlawFinder CWE-119/120: the tool flags every statically sized char array;
 * the declaration itself is not a defect. What has to hold is that every
 * write into wdrtas_logbuffer is limited to WDRTAS_LOGBUFFER_LEN bytes.
 * NOTE(review): the code that fills this buffer is not part of this
 * excerpt -- check those writers, not this line.
 */
static char wdrtas_logbuffer[WDRTAS_LOGBUFFER_LEN];
/*** watchdog access functions */
/**
Reported by FlawFinder.
Line: 106
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int wdrtas_get_interval(int fallback_value)
{
long result;
char value[WDRTAS_SP_SPI_LEN];
spin_lock(&rtas_data_buf_lock);
memset(rtas_data_buf, 0, WDRTAS_SP_SPI_LEN);
result = rtas_call(wdrtas_token_get_sp, 3, 1, NULL,
WDRTAS_SP_SPI, __pa(rtas_data_buf),
Reported by FlawFinder.
Line: 114
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
WDRTAS_SP_SPI, __pa(rtas_data_buf),
WDRTAS_SP_SPI_LEN);
/*
 * FlawFinder CWE-120: `value` is declared as char value[WDRTAS_SP_SPI_LEN]
 * at the top of this function (see the line-106 excerpt of this report)
 * and the copy length is the same constant, so the destination bound
 * matches the length. The copy happens before rtas_data_buf_lock is
 * released, so the bytes are taken while the lock is still held.
 * NOTE(review): the remaining assumption is that rtas_data_buf is at least
 * WDRTAS_SP_SPI_LEN bytes; its definition is not shown here.
 */
memcpy(value, rtas_data_buf, WDRTAS_SP_SPI_LEN);
spin_unlock(&rtas_data_buf_lock);
if (value[0] != 0 || value[1] != 2 || value[3] != 0 || result < 0) {
pr_warn("could not get sp_spi watchdog timeout (%li). Continuing\n",
result);
Reported by FlawFinder.
include/acpi/actbl2.h
3 issues
Line: 110
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 identifier;
u32 mapping_count;
u32 mapping_offset;
/*
 * FlawFinder CWE-119/120: one-element trailing array. sizeof() of the
 * struct counts only one byte for this member.
 * NOTE(review): this looks like a placeholder for variable-length data
 * that follows the fixed header; if so, readers must bound every access
 * by a length taken from the table itself, which is not shown here.
 */
char node_data[1];
};
/* Values for subtable Type above */
enum acpi_iort_node_type {
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 node_flags;
u64 memory_properties; /* Memory access properties */
u8 memory_address_limit; /* Memory address size limit */
/*
 * FlawFinder CWE-119/120: one-element trailing array holding a path
 * string, so the real data is presumably longer than the declared size.
 * NOTE(review): consumers should not trust NUL termination alone; the
 * string must also end inside the enclosing node's length -- confirm at
 * the use sites, which are not part of this excerpt.
 */
char device_name[1]; /* Path of namespace object */
};
/* Masks for Flags field above */
#define ACPI_IORT_NC_STALL_SUPPORTED (1)
Reported by FlawFinder.
Line: 655
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 reserved[3]; /* Reserved, must be zero */
u32 lapic_flags;
u32 uid; /* Numeric UID - ACPI 3.0 */
/*
 * FlawFinder CWE-119/120: one-element trailing array used for a string,
 * so sizeof() of the struct does not describe the real extent.
 * NOTE(review): anything that walks uid_string has to stop at the end of
 * the containing subtable as well as at a NUL byte -- confirm where it
 * is read; no reader is shown in this excerpt.
 */
char uid_string[1]; /* String UID - ACPI 3.0 */
};
/* 8: Platform Interrupt Source */
struct acpi_madt_interrupt_source {
Reported by FlawFinder.
include/asm-generic/uaccess.h
3 issues
Line: 85
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy n bytes from `from` to `to` with a plain memcpy() and return 0.
 *
 * The __user annotation is cast away with __force, so the source pointer
 * is dereferenced like any kernel pointer: there is no access check and no
 * fault handling on this path, and the return value is always 0.
 * NOTE(review): by the usual uaccess convention the return value is the
 * number of bytes left uncopied, so 0 reports full success -- confirm.
 * The "#endif CONFIG_UACCESS_MEMCPY" in the line-92 excerpt of this report
 * suggests this variant is only built under that option.
 *
 * FlawFinder CWE-120 is the generic memcpy warning: this helper cannot
 * know the size of `to`; bounding n is left to the caller.
 */
static inline __must_check unsigned long
raw_copy_from_user(void *to, const void __user * from, unsigned long n)
{
memcpy(to, (const void __force *)from, n);
return 0;
}
static inline __must_check unsigned long
raw_copy_to_user(void __user *to, const void *from, unsigned long n)
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy n bytes from `from` to `to` with a plain memcpy() and return 0.
 *
 * The destination's __user annotation is cast away with __force, so the
 * write goes through an ordinary pointer: no access check, no fault
 * handling, and the return value is always 0.
 * NOTE(review): by the usual uaccess convention the return value is the
 * number of bytes left uncopied -- confirm. The #endif below indicates
 * the block this function sits in is conditional on CONFIG_UACCESS_MEMCPY.
 *
 * FlawFinder CWE-120 is the generic memcpy warning: whether n fits the
 * destination has to be established by the caller.
 */
static inline __must_check unsigned long
raw_copy_to_user(void __user *to, const void *from, unsigned long n)
{
memcpy((void __force *)to, from, n);
return 0;
}
#define INLINE_COPY_FROM_USER
#define INLINE_COPY_TO_USER
#endif /* CONFIG_UACCESS_MEMCPY */
Reported by FlawFinder.
Line: 254
Column: 2
CWE codes:
120
__strncpy_from_user(char *dst, const char __user *src, long count)
{
char *tmp;
/*
 * FlawFinder CWE-120: strncpy() writes exactly `count` bytes and leaves
 * dst without a NUL terminator when the source is `count` bytes or
 * longer. The __force cast means src is read as an ordinary pointer.
 */
strncpy(dst, (const char __force *)src, count);
/*
 * Measure the copied string, stopping after `count` bytes.
 * NOTE(review): the condition tests *tmp before count > 0, so when no
 * NUL was found within `count` bytes the final evaluation reads
 * dst[count], one byte past what strncpy() wrote. The returned length
 * is unaffected, but checking count first would avoid that read.
 */
for (tmp = dst; *tmp && count > 0; tmp++, count--)
;
return (tmp - dst);
}
#endif
Reported by FlawFinder.
fs/jffs2/dir.c
3 issues
Line: 103
Column: 7
CWE codes:
126
/*
 * Walk the hash-ordered dirent list and keep the highest-version entry
 * whose hash, length and bytes all match the target name.
 *
 * FlawFinder CWE-126: strlen(fd_list->name) reads until it finds a NUL
 * byte; unlike the strncmp() that follows, it is not limited by
 * target->d_name.len.
 * NOTE(review): this is safe only if every fd_list->name is stored with a
 * terminator; the code that builds these entries is not in this excerpt.
 */
for (fd_list = dir_f->dents; fd_list && fd_list->nhash <= nhash; fd_list = fd_list->next) {
if (fd_list->nhash == nhash &&
(!fd || fd_list->version > fd->version) &&
strlen(fd_list->name) == target->d_name.len &&
!strncmp(fd_list->name, target->d_name.name, target->d_name.len)) {
fd = fd_list;
}
}
if (fd)
Reported by FlawFinder.
Line: 152
Column: 32
CWE codes:
126
}
jffs2_dbg(2, "Dirent %ld: \"%s\", ino #%u, type %d\n",
(unsigned long)ctx->pos, fd->name, fd->ino, fd->type);
if (!dir_emit(ctx, fd->name, strlen(fd->name), fd->ino, fd->type))
break;
ctx->pos++;
}
mutex_unlock(&f->sem);
return 0;
Reported by FlawFinder.
Line: 294
Column: 23
CWE codes:
126
struct jffs2_full_dirent *fd;
int namelen;
uint32_t alloclen;
/*
 * FlawFinder CWE-126: strlen(target) scans the whole string before any
 * limit is applied, and its size_t result is narrowed into an int.
 * NOTE(review): where `target` comes from is not shown; this relies on
 * it being NUL-terminated and short enough that the narrowing is
 * harmless -- confirm against the caller.
 */
int ret, targetlen = strlen(target);
/* FIXME: If you care. We'd need to use frags for the target
if it grows much more than this */
/* Length cap: anything above 254 bytes is rejected from here on. */
if (targetlen > 254)
return -ENAMETOOLONG;
Reported by FlawFinder.
fs/ntfs/file.c
3 issues
Line: 1608
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Start of the resident attribute value: record base plus the on-disk offset. */
kattr = (u8*)a + le16_to_cpu(a->data.resident.value_offset);
kaddr = kmap_atomic(page);
/* Copy the received data from the page to the mft record. */
/*
 * FlawFinder CWE-120: the destination is inside the mft record, so the
 * bound that matters is pos + bytes against the room available for the
 * resident value, and value_offset itself must point inside the record.
 * NOTE(review): neither check is in this excerpt; confirm they are made
 * before this point.
 */
memcpy(kattr + pos, kaddr + pos, bytes);
/* Update the attribute length if necessary. */
if (end > attr_len) {
attr_len = end;
a->data.resident.value_length = cpu_to_le32(attr_len);
}
Reported by FlawFinder.
Line: 1620
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (!PageUptodate(page)) {
/*
 * Fill the parts of the page that the write did not cover from the
 * attribute value: [0, pos) and [end, attr_len).
 * FlawFinder CWE-120: both copies stay inside the page only if
 * attr_len does not exceed PAGE_SIZE.
 */
if (pos > 0)
memcpy(kaddr, kattr, pos);
if (end < attr_len)
memcpy(kaddr + end, kattr + end, attr_len - end);
/* Zero the region outside the end of the attribute value. */
/*
 * NOTE(review): PAGE_SIZE - attr_len assumes attr_len <= PAGE_SIZE; a
 * larger value would make the length wrap if it is unsigned. That
 * limit is not checked in the lines shown -- confirm it upstream.
 */
memset(kaddr + attr_len, 0, PAGE_SIZE - attr_len);
flush_dcache_page(page);
Reported by FlawFinder.
Line: 1622
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pos > 0)
memcpy(kaddr, kattr, pos);
if (end < attr_len)
memcpy(kaddr + end, kattr + end, attr_len - end);
/* Zero the region outside the end of the attribute value. */
memset(kaddr + attr_len, 0, PAGE_SIZE - attr_len);
flush_dcache_page(page);
SetPageUptodate(page);
}
Reported by FlawFinder.
fs/qnx6/inode.c
3 issues
Line: 181
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static const char *qnx6_checkroot(struct super_block *s)
{
/*
 * FlawFinder CWE-119/120: fixed 2x3 table. Each initialiser supplies
 * exactly three bytes (".", NUL, NUL and ".", ".", NUL), so the rows
 * are filled completely and the literal's implicit terminator is not
 * stored. Any comparison against a row must therefore be limited to
 * 3 bytes; the use of match_root is not part of this excerpt.
 */
static char match_root[2][3] = {".\0\0", "..\0"};
int i, error = 0;
struct qnx6_dir_entry *dir_entry;
struct inode *root = d_inode(s->s_root);
struct address_space *mapping = root->i_mapping;
/* NOTE(review): the result needs an error check before use; not shown here. */
struct page *page = read_mapping_page(mapping, 0, NULL);
Reported by FlawFinder.
Line: 512
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct qnx6_inode_info *ei = QNX6_I(inode);
struct qnx6_sb_info *sbi = QNX6_SB(s);
inode->i_size = fs64_to_cpu(sbi, p->size);
/*
 * FlawFinder CWE-120: the length is sizeof the SOURCE array (p->ptr),
 * not of the destination. This is in bounds only if ei->di_block_ptr
 * is at least as large.
 * NOTE(review): neither structure definition is shown here; confirm the
 * two array sizes, or size the copy by the destination.
 */
memcpy(ei->di_block_ptr, p->ptr, sizeof(p->ptr));
ei->di_filelevels = p->levels;
inode->i_mode = S_IFREG | S_IRUSR; /* probably wrong */
inode->i_mapping->a_ops = &qnx6_aops;
}
return inode;
Reported by FlawFinder.
Line: 573
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* calc blocks based on 512 byte blocksize */
inode->i_blocks = (inode->i_size + 511) >> 9;
/*
 * FlawFinder CWE-120: the copy is sized by the source member
 * (raw_inode->di_block_ptr). It stays in bounds only if the member of
 * the same name in `ei` is at least as large.
 * NOTE(review): the two declarations are not in this excerpt -- confirm
 * they match.
 */
memcpy(&ei->di_block_ptr, &raw_inode->di_block_ptr,
sizeof(raw_inode->di_block_ptr));
ei->di_filelevels = raw_inode->di_filelevels;
if (S_ISREG(inode->i_mode)) {
inode->i_fop = &generic_ro_fops;
Reported by FlawFinder.
fs/ceph/cache.c
3 issues
Line: 82
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_unlock;
}
/* Fixed-size copy: the length is the size of the source fsid object. */
memcpy(&ent->fsid, fsid, sizeof(*fsid));
if (uniq_len > 0) {
/*
 * FlawFinder CWE-120: uniq_len is strlen() of the fscache_uniq mount
 * option (see the line-57 excerpt of this report), so the copy excludes
 * the terminator and readers must rely on ent->uniq_len.
 * NOTE(review): `ent` must have been allocated with at least uniq_len
 * bytes for uniquifier; the allocation is not shown in this excerpt.
 */
memcpy(&ent->uniquifier, fscache_uniq, uniq_len);
ent->uniq_len = uniq_len;
}
Reported by FlawFinder.
Line: 84
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&ent->fsid, fsid, sizeof(*fsid));
if (uniq_len > 0) {
memcpy(&ent->uniquifier, fscache_uniq, uniq_len);
ent->uniq_len = uniq_len;
}
fsc->fscache = fscache_acquire_cookie(ceph_cache_netfs.primary_index,
&ceph_fscache_fsid_object_def,
Reported by FlawFinder.
Line: 57
Column: 35
CWE codes:
126
{
const struct ceph_fsid *fsid = &fsc->client->fsid;
const char *fscache_uniq = fsc->mount_options->fscache_uniq;
/*
 * FlawFinder CWE-126: strlen() is only reached when the option pointer is
 * non-NULL (the ternary yields 0 otherwise), but it still depends on the
 * option string being NUL-terminated.
 * NOTE(review): the code that stores fscache_uniq is not shown; confirm it
 * always produces a terminated string.
 */
size_t uniq_len = fscache_uniq ? strlen(fscache_uniq) : 0;
struct ceph_fscache_entry *ent;
int err = 0;
mutex_lock(&ceph_fscache_lock);
list_for_each_entry(ent, &ceph_fscache_list, list) {
Reported by FlawFinder.
fs/ocfs2/dlm/dlmunlock.c
3 issues
Line: 151
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flags & LKM_VALBLK) {
/* make the final update to the lvb */
/*
 * FlawFinder CWE-120: fixed-length copy of DLM_LVB_LEN bytes. It is in
 * bounds only if res->lvb and lksb->lvb are both at least that large.
 * NOTE(review): their declarations are not in this excerpt -- confirm.
 */
if (master_node)
memcpy(res->lvb, lksb->lvb, DLM_LVB_LEN);
else
flags |= LKM_PUT_LVB; /* let the send function
* handle it. */
}
Reported by FlawFinder.
Line: 338
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unlock.flags = cpu_to_be32(flags);
unlock.cookie = lock->ml.cookie;
unlock.namelen = res->lockname.len;
/*
 * FlawFinder CWE-120: the length is the lock resource's name length, the
 * destination is the name field of the local `unlock` message.
 * NOTE(review): this is in bounds only if res->lockname.len can never
 * exceed the size of unlock.name, and only if namelen is wide enough to
 * hold the length without truncation; neither the field size nor a
 * limit on lockname.len is visible in this excerpt.
 */
memcpy(unlock.name, res->lockname.name, unlock.namelen);
/* First iovec carries the fixed-size message header. */
vec[0].iov_len = sizeof(struct dlm_unlock_lock);
vec[0].iov_base = &unlock;
if (flags & LKM_PUT_LVB) {
Reported by FlawFinder.
Line: 492
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* unlockast only called on originating node */
if (flags & LKM_PUT_LVB) {
lksb->flags |= DLM_LKSB_PUT_LVB;
/*
 * FlawFinder CWE-120: fixed-length copy of DLM_LVB_LEN bytes out of
 * `unlock` into the lksb.
 * NOTE(review): if `unlock` is a received message, it must be known to
 * contain a full lvb before DLM_LVB_LEN bytes are read from it; no such
 * length check appears in the lines shown -- confirm.
 */
memcpy(&lksb->lvb[0], &unlock->lvb[0], DLM_LVB_LEN);
}
/* if this is in-progress, propagate the DLM_FORWARD
* all the way back out */
status = dlmunlock_master(dlm, res, lock, lksb, flags, &ignore);
Reported by FlawFinder.
drivers/video/fbdev/valkyriefb.h
3 issues
Line: 50
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
/*
 * Two byte-wide fields separated by VALKYRIE_REG_PADSIZE bytes of padding.
 * Field order and the pad size fix the layout, so they must not change.
 * FlawFinder CWE-119/120: pad1 is flagged only because it is a fixed-size
 * char array.
 * NOTE(review): it appears to be spacing rather than a data buffer; the
 * finding matters only if some code writes through pad1 -- none is shown.
 */
struct cmap_regs {
unsigned char addr;
char pad1[VALKYRIE_REG_PADSIZE];
unsigned char lut;
};
/*
* Structure of the registers for the "valkyrie" display adaptor.
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * One byte of register value followed by VALKYRIE_REG_PADSIZE bytes of
 * padding.
 * FlawFinder CWE-119/120: `pad` is flagged as a fixed-size char array.
 * NOTE(review): per the "padded register" label it is spacing, not a
 * buffer; confirm nothing copies data into it.
 */
struct vpreg { /* padded register */
unsigned char r;
char pad[VALKYRIE_REG_PADSIZE];
};
struct valkyrie_regs {
struct vpreg mode;
Reported by FlawFinder.
Line: 83
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
/*
 * Per-mode values: a mode byte, three clock parameter bytes, two pitch
 * values and the horizontal/vertical resolution.
 * FlawFinder CWE-119/120: the fixed-size arrays are the flagged items.
 */
struct valkyrie_regvals {
unsigned char mode;
/* Exactly three bytes; any loop over it must stop at index 2. */
unsigned char clock_params[3];
/*
 * NOTE(review): indexed by color_mode, so that index must be limited to
 * 0 or 1 before use -- the indexing code is not part of this excerpt.
 */
int pitch[2]; /* bytes/line, indexed by color_mode */
int hres;
int vres;
};
Reported by FlawFinder.