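The following issues were reported by FlawFinder. FlawFinder matches risky call and declaration patterns lexically and does not track buffer sizes or data flow, so each finding below is a candidate to confirm against the surrounding code, not a verified defect.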
fs/fuse/xattr.c
3 issues
Line: 36
Column: 25
CWE codes:
126 (Buffer Over-read)
args.in_args[0].size = fm->fc->setxattr_ext ?
sizeof(inarg) : FUSE_COMPAT_SETXATTR_IN_SIZE;
args.in_args[0].value = &inarg;
args.in_args[1].size = strlen(name) + 1;
args.in_args[1].value = name;
args.in_args[2].size = size;
args.in_args[2].value = value;
err = fuse_simple_request(fm, &args);
if (err == -ENOSYS) {
Reported by FlawFinder.
Line: 71
Column: 25
CWE codes:
126
args.in_numargs = 2;
args.in_args[0].size = sizeof(inarg);
args.in_args[0].value = &inarg;
args.in_args[1].size = strlen(name) + 1;
args.in_args[1].value = name;
/* This is really two different operations rolled into one */
args.out_numargs = 1;
if (size) {
args.out_argvar = true;
Reported by FlawFinder.
Line: 169
Column: 25
CWE codes:
126
args.opcode = FUSE_REMOVEXATTR;
args.nodeid = get_node_id(inode);
args.in_numargs = 1;
args.in_args[0].size = strlen(name) + 1;
args.in_args[0].value = name;
err = fuse_simple_request(fm, &args);
if (err == -ENOSYS) {
fm->fc->no_removexattr = 1;
err = -EOPNOTSUPP;
Reported by FlawFinder.
include/linux/sockptr.h
3 issues
Line: 49
Column: 2
CWE codes:
120 (Buffer Copy without Checking Size of Input)
Suggestion:
Make sure destination can always hold the source data
{
if (!sockptr_is_kernel(src))
return copy_from_user(dst, src.user + offset, size);
memcpy(dst, src.kernel + offset, size);
return 0;
}
static inline int copy_from_sockptr(void *dst, sockptr_t src, size_t size)
{
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (!sockptr_is_kernel(dst))
return copy_to_user(dst.user + offset, src, size);
memcpy(dst.kernel + offset, src, size);
return 0;
}
static inline void *memdup_sockptr(sockptr_t src, size_t len)
{
Reported by FlawFinder.
Line: 99
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sockptr_is_kernel(src)) {
size_t len = min(strnlen(src.kernel, count - 1) + 1, count);
memcpy(dst, src.kernel, len);
return len;
}
return strncpy_from_user(dst, src.user, count);
}
Reported by FlawFinder.
fs/gfs2/bmap.c
3 issues
Line: 67
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dsize > gfs2_max_stuffed_size(ip))
dsize = gfs2_max_stuffed_size(ip);
memcpy(kaddr, dibh->b_data + sizeof(struct gfs2_dinode), dsize);
memset(kaddr + dsize, 0, PAGE_SIZE - dsize);
kunmap(page);
SetPageUptodate(page);
}
Reported by FlawFinder.
Line: 1819
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
find_metapath(sdp, lend, &mp, ip->i_height);
end_list = __end_list;
memcpy(end_list, mp.mp_list, sizeof(mp.mp_list));
for (mp_h = ip->i_height - 1; mp_h > 0; mp_h--) {
if (end_list[mp_h])
break;
}
Reported by FlawFinder.
Line: 1929
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
stripping the previous level of metadata. */
if (mp_h == 0) {
strip_h--;
memcpy(mp.mp_list, start_list, sizeof(start_list));
mp_h = strip_h;
state = DEALLOC_FILL_MP;
break;
}
mp.mp_list[mp_h] = 0;
Reported by FlawFinder.
fs/xfs/libxfs/xfs_dir2_block.c
3 issues
Line: 572
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
dep->inumber = cpu_to_be64(args->inumber);
dep->namelen = args->namelen;
memcpy(dep->name, args->name, args->namelen);
xfs_dir2_data_put_ftype(dp->i_mount, dep, args->filetype);
tagp = xfs_dir2_data_entry_tag_p(dp->i_mount, dep);
*tagp = cpu_to_be16((char *)dep - (char *)hdr);
/*
* Clean up the bestfree array and log the header, tail, and entry.
Reported by FlawFinder.
Line: 1114
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Then pitch the incore inode data so we can make extents.
*/
sfp = kmem_alloc(ifp->if_bytes, 0);
memcpy(sfp, oldsfp, ifp->if_bytes);
xfs_idata_realloc(dp, -ifp->if_bytes, XFS_DATA_FORK);
xfs_bmap_local_to_extents_empty(tp, dp, XFS_DATA_FORK);
dp->i_disk_size = 0;
Reported by FlawFinder.
Line: 1242
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dep->namelen = sfep->namelen;
xfs_dir2_data_put_ftype(mp, dep,
xfs_dir2_sf_get_ftype(mp, sfep));
memcpy(dep->name, sfep->name, dep->namelen);
tagp = xfs_dir2_data_entry_tag_p(mp, dep);
*tagp = cpu_to_be16(newoffset);
xfs_dir2_data_log_entry(args, bp, dep);
name.name = sfep->name;
name.len = sfep->namelen;
Reported by FlawFinder.
include/linux/netfilter/ipset/ip_set.h
3 issues
Line: 210
Column: 2
CWE codes:
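119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
120 (Buffer Copy without Checking Size of Input)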
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head list;
/* Typename */
char name[IPSET_MAXNAMELEN];
/* Protocol version */
u8 protocol;
/* Set type dimension */
u8 dimension;
/*
Reported by FlawFinder.
Line: 246
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* A generic IP set */
struct ip_set {
/* The name of the set */
char name[IPSET_MAXNAMELEN];
/* Lock protecting the set data */
spinlock_t lock;
/* References to the set */
u32 ref;
/* References to the set for netlink events like dump,
Reported by FlawFinder.
Line: 440
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy one address out of the IPv6 header of @skb into @addr: the source
 * address when @src is true, the destination address otherwise.
 *
 * Exactly sizeof(*addr) bytes are written, so the copy length is fixed by
 * the destination type and never taken from packet contents. The header
 * returned by ipv6_hdr() is read without any check in this helper; callers
 * presumably guarantee that a complete IPv6 header is present in @skb
 * (confirm at the call sites).
 */
static inline void
ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr)
{
	const void *from;

	if (src)
		from = &ipv6_hdr(skb)->saddr;
	else
		from = &ipv6_hdr(skb)->daddr;

	memcpy(addr, from, sizeof(*addr));
}
/* How often should the gc be run by default: 3 * 60 = 180.
 * NOTE(review): the unit is not stated here; presumably seconds - confirm.
 */
#define IPSET_GC_TIME (3 * 60)
Reported by FlawFinder.
fs/squashfs/xattr.c
3 issues
Line: 66
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -ERANGE;
goto failed;
}
memcpy(buffer, prefix, prefix_size);
buffer += prefix_size;
}
err = squashfs_read_metadata(sb, buffer, &start,
&offset, name_size);
if (err < 0)
Reported by FlawFinder.
Line: 59
Column: 25
CWE codes:
126
handler = squashfs_xattr_handler(le16_to_cpu(entry.type));
if (handler && (!handler->list || handler->list(d))) {
const char *prefix = handler->prefix ?: handler->name;
size_t prefix_size = strlen(prefix);
if (buffer) {
if (prefix_size + name_size + 1 > rest) {
err = -ERANGE;
goto failed;
Reported by FlawFinder.
Line: 114
Column: 17
CWE codes:
126
+ msblk->xattr_table;
int offset = SQUASHFS_XATTR_OFFSET(squashfs_i(inode)->xattr);
int count = squashfs_i(inode)->xattr_count;
int name_len = strlen(name);
int err, vsize;
char *target = kmalloc(name_len, GFP_KERNEL);
if (target == NULL)
return -ENOMEM;
Reported by FlawFinder.
include/linux/i2c.h
3 issues
Line: 335
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short addr; /* chip address - NOTE: 7bit */
/* addresses are stored in the */
/* _LOWER_ 7 bits */
char name[I2C_NAME_SIZE];
struct i2c_adapter *adapter; /* the adapter we sit on */
struct device dev; /* the device structure */
int init_irq; /* irq set at initialization */
int irq; /* irq issued by device */
struct list_head detected;
Reported by FlawFinder.
Line: 418
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* i2c_new_client_device() does this dynamically with the adapter already known.
*/
struct i2c_board_info {
char type[I2C_NAME_SIZE];
unsigned short flags;
unsigned short addr;
const char *dev_name;
void *platform_data;
struct device_node *of_node;
Reported by FlawFinder.
Line: 730
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define I2C_ALF_SUSPEND_REPORTED 1
int nr;
char name[48];
struct completion dev_released;
struct mutex userspace_clients_lock;
struct list_head userspace_clients;
Reported by FlawFinder.
fs/xfs/libxfs/xfs_dir2_leaf.c
3 issues
Line: 440
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Could compact these but I think we always do the conversion
* after squeezing out stale entries.
*/
memcpy(leafhdr.ents, blp,
be32_to_cpu(btp->count) * sizeof(struct xfs_dir2_leaf_entry));
xfs_dir3_leaf_log_ents(args, &leafhdr, lbp, 0, leafhdr.count - 1);
needscan = 0;
needlog = 1;
/*
Reported by FlawFinder.
Line: 864
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dep = (xfs_dir2_data_entry_t *)dup;
dep->inumber = cpu_to_be64(args->inumber);
dep->namelen = args->namelen;
memcpy(dep->name, args->name, dep->namelen);
xfs_dir2_data_put_ftype(dp->i_mount, dep, args->filetype);
tagp = xfs_dir2_data_entry_tag_p(dp->i_mount, dep);
*tagp = cpu_to_be16((char *)dep - (char *)hdr);
/*
* Need to scan fix up the bestfree table.
Reported by FlawFinder.
Line: 1785
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
* Set up the leaf bests table.
*/
memcpy(xfs_dir2_leaf_bests_p(ltp), freehdr.bests,
freehdr.nvalid * sizeof(xfs_dir2_data_off_t));
xfs_dir2_leaf_hdr_to_disk(mp, leaf, &leafhdr);
xfs_dir3_leaf_log_header(args, lbp);
xfs_dir3_leaf_log_bests(args, lbp, 0, be32_to_cpu(ltp->bestcount) - 1);
Reported by FlawFinder.
fs/gfs2/inode.c
3 issues
Line: 506
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gfs2_init_dir(dibh, dip);
break;
case S_IFLNK:
memcpy(dibh->b_data + sizeof(struct gfs2_dinode), symname, ip->i_inode.i_size);
break;
}
set_buffer_uptodate(dibh);
brelse(dibh);
Reported by FlawFinder.
Line: 1826
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!buf)
buf = ERR_PTR(-ENOMEM);
else
memcpy(buf, dibh->b_data + sizeof(struct gfs2_dinode), size);
brelse(dibh);
out:
gfs2_glock_dq_uninit(&i_gh);
if (!IS_ERR(buf))
set_delayed_call(done, kfree_link, buf);
Reported by FlawFinder.
Line: 1216
Column: 9
CWE codes:
126
{
unsigned int size;
size = strlen(symname);
if (size >= gfs2_max_stuffed_size(GFS2_I(dir)))
return -ENAMETOOLONG;
return gfs2_create_inode(dir, dentry, NULL, S_IFLNK | S_IRWXUGO, 0, symname, size, 0);
}
Reported by FlawFinder.
fs/efs/efs.h
3 issues
Line: 38
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* layout of an extent, in memory and on disk. 8 bytes exactly.
*/
typedef union extent_u {
unsigned char raw[8];
struct extent_s {
unsigned int ex_magic:8; /* magic # (zero) */
unsigned int ex_bn:24; /* basic block */
unsigned int ex_length:8; /* numblocks in this extent */
unsigned int ex_offset:24; /* logical offset into file */
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * One directory entry. EFS_DENTSIZE below is computed as
 * sizeof(struct efs_dentry) - 3 + 1, so the declared name[3] is not treated
 * as a fixed 3-byte field when entries are sized.
 * NOTE(review): name[] presumably holds namelen bytes and can extend past
 * the 3 declared here; code reading it must then bound every access by
 * namelen and by the enclosing directory block - confirm against the entry
 * parsing code, which is the part a bounds review should look at.
 */
struct efs_dentry {
__be32 inode; /* stored as a big-endian 32-bit value (__be32) */
unsigned char namelen; /* single byte, so never larger than 255 */
char name[3];
};
/* Entry size with the 3 declared name bytes replaced by a single byte. */
#define EFS_DENTSIZE (sizeof(struct efs_dentry) - 3 + 1)
/* Largest value a one-byte length can hold: (1 << 8) - 1 = 255. */
#define EFS_MAXNAMELEN ((1 << (sizeof(char) * 8)) - 1)
Reported by FlawFinder.
Line: 106
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char firstused;
unsigned char slots;
unsigned char space[EFS_DIRBSIZE - EFS_DIRBLK_HEADERSIZE];
};
/*
 * Upper bound on entries in one directory block: the bytes left after the
 * block header, divided by EFS_DENTSIZE plus one more byte per entry.
 * NOTE(review): the extra sizeof(char) presumably accounts for a one-byte
 * slot per entry - confirm.
 */
#define EFS_MAXENTS \
((EFS_DIRBSIZE - EFS_DIRBLK_HEADERSIZE) / \
(EFS_DENTSIZE + sizeof(char)))
Reported by FlawFinder.