The following issues were found
lib/xz/xz_dec_bcj.c
3 issues
Line: 404
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t copy_size;
copy_size = min_t(size_t, s->temp.filtered, b->out_size - b->out_pos);
memcpy(b->out + b->out_pos, s->temp.buf, copy_size);
b->out_pos += copy_size;
s->temp.filtered -= copy_size;
s->temp.size -= copy_size;
memmove(s->temp.buf, s->temp.buf + copy_size, s->temp.size);
Reported by FlawFinder.
Line: 451
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (s->temp.size < b->out_size - b->out_pos || s->temp.size == 0) {
out_start = b->out_pos;
memcpy(b->out + b->out_pos, s->temp.buf, s->temp.size);
b->out_pos += s->temp.size;
s->ret = xz_dec_lzma2_run(lzma2, b);
if (s->ret != XZ_STREAM_END
&& (s->ret != XZ_OK || s->single_call))
Reported by FlawFinder.
Line: 471
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s->temp.size = b->out_pos - out_start;
b->out_pos -= s->temp.size;
memcpy(s->temp.buf, b->out + b->out_pos, s->temp.size);
/*
* If there wasn't enough input to the next filter to fill
* the output buffer with unfiltered data, there's no point
* to try decoding more data to temp.
Reported by FlawFinder.
lib/zlib_deflate/deflate.c
3 issues
Line: 817
s->ins_h = s->window[s->strstart];
UPDATE_HASH(s, s->ins_h, s->window[s->strstart+1]);
#if MIN_MATCH != 3
Call UPDATE_HASH() MIN_MATCH-3 more times
#endif
}
/* If the whole input has less than MIN_MATCH bytes, ins_h is garbage,
* but this is not important since only literal bytes will be emitted.
*/
Reported by Cppcheck.
Line: 513
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (!((deflate_state *)(strm->state))->noheader) {
strm->adler = zlib_adler32(strm->adler, strm->next_in, len);
}
memcpy(buf, strm->next_in, len);
strm->next_in += len;
strm->total_in += len;
return (int)len;
}
Reported by FlawFinder.
Line: 764
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
} else if (s->strstart >= wsize+MAX_DIST(s)) {
memcpy((char *)s->window, (char *)s->window+wsize,
(unsigned)wsize);
s->match_start -= wsize;
s->strstart -= wsize; /* we now have strstart >= MAX_DIST */
s->block_start -= (long) wsize;
Reported by FlawFinder.
mm/nommu.c
3 issues
Line: 209
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((unsigned long) buf + count < count)
count = -(unsigned long) buf;
memcpy(buf, addr, count);
return count;
}
/*
* vmalloc - allocate virtually contiguous memory
Reported by FlawFinder.
Line: 1382
Column: 34
CWE codes:
362
region->vm_pgoff = new->vm_pgoff += npages;
}
if (new->vm_ops && new->vm_ops->open)
new->vm_ops->open(new);
delete_vma_from_mm(vma);
down_write(&nommu_region_sem);
delete_nommu_region(vma->vm_region);
Reported by FlawFinder.
Line: 1383
Column: 16
CWE codes:
362
}
if (new->vm_ops && new->vm_ops->open)
new->vm_ops->open(new);
delete_vma_from_mm(vma);
down_write(&nommu_region_sem);
delete_nommu_region(vma->vm_region);
if (new_below) {
Reported by FlawFinder.
net/6lowpan/debugfs.c
3 issues
Line: 127
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char __user *user_buf, size_t count,
loff_t *ppos)
{
char buf[128] = {};
struct seq_file *file = fp->private_data;
struct lowpan_iphc_ctx *ctx = file->private;
struct lowpan_iphc_ctx_table *t =
container_of(ctx, struct lowpan_iphc_ctx_table, table[ctx->id]);
int status = count, n, i;
Reported by FlawFinder.
Line: 171
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct lowpan_dev *ldev = lowpan_dev(dev);
struct dentry *root;
char buf[32];
WARN_ON_ONCE(id > LOWPAN_IPHC_CTX_TABLE_SIZE);
sprintf(buf, "%d", id);
Reported by FlawFinder.
Line: 175
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
WARN_ON_ONCE(id > LOWPAN_IPHC_CTX_TABLE_SIZE);
sprintf(buf, "%d", id);
root = debugfs_create_dir(buf, ctx);
debugfs_create_file("active", 0644, root, &ldev->ctx.table[id],
&lowpan_ctx_flag_active_fops);
Reported by FlawFinder.
net/802/fc.c
3 issues
Line: 62
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if(saddr)
memcpy(fch->saddr,saddr,dev->addr_len);
else
memcpy(fch->saddr,dev->dev_addr,dev->addr_len);
if(daddr)
{
Reported by FlawFinder.
Line: 64
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(saddr)
memcpy(fch->saddr,saddr,dev->addr_len);
else
memcpy(fch->saddr,dev->dev_addr,dev->addr_len);
if(daddr)
{
memcpy(fch->daddr,daddr,dev->addr_len);
return hdr_len;
Reported by FlawFinder.
Line: 68
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(daddr)
{
memcpy(fch->daddr,daddr,dev->addr_len);
return hdr_len;
}
return -hdr_len;
}
Reported by FlawFinder.
net/802/fddi.c
3 issues
Line: 73
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Set the source and destination hardware addresses */
if (saddr != NULL)
memcpy(fddi->saddr, saddr, dev->addr_len);
else
memcpy(fddi->saddr, dev->dev_addr, dev->addr_len);
if (daddr != NULL)
{
Reported by FlawFinder.
Line: 75
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (saddr != NULL)
memcpy(fddi->saddr, saddr, dev->addr_len);
else
memcpy(fddi->saddr, dev->dev_addr, dev->addr_len);
if (daddr != NULL)
{
memcpy(fddi->daddr, daddr, dev->addr_len);
return hl;
Reported by FlawFinder.
Line: 79
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (daddr != NULL)
{
memcpy(fddi->daddr, daddr, dev->addr_len);
return hl;
}
return -hl;
}
Reported by FlawFinder.
net/802/mrp.c
3 issues
Line: 282
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
attr->state = MRP_APPLICANT_VO;
attr->type = type;
attr->len = len;
memcpy(attr->value, value, len);
rb_link_node(&attr->node, parent, p);
rb_insert_color(&attr->node, &app->mad);
return attr;
}
Reported by FlawFinder.
Line: 397
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
vah = __skb_put(app->pdu, sizeof(*vah) + attrlen);
put_unaligned(0, &vah->lenflags);
memcpy(vah->firstattrvalue, firstattrvalue, attrlen);
mrp_cb(app->pdu)->vah = vah;
memcpy(mrp_cb(app->pdu)->attrvalue, firstattrvalue, attrlen);
return 0;
}
Reported by FlawFinder.
Line: 399
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
put_unaligned(0, &vah->lenflags);
memcpy(vah->firstattrvalue, firstattrvalue, attrlen);
mrp_cb(app->pdu)->vah = vah;
memcpy(mrp_cb(app->pdu)->attrvalue, firstattrvalue, attrlen);
return 0;
}
static int mrp_pdu_append_vecattr_event(struct mrp_applicant *app,
const struct mrp_attr *attr,
Reported by FlawFinder.
net/9p/protocol.c
3 issues
Line: 49
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * pdu_read - copy up to @size bytes out of the PDU, starting at pdu->offset.
 *
 * The copy length is clamped to the bytes left between pdu->offset and
 * pdu->size, so the memcpy() never reads more than that from pdu->sdata.
 * The clamp does not bound the destination: @data must have room for
 * @size bytes, and only the caller can guarantee that.
 *
 * Returns the number of requested bytes that were NOT copied, i.e. 0 when
 * the whole request was satisfied and non-zero on a short read.
 */
size_t pdu_read(struct p9_fcall *pdu, void *data, size_t size)
{
/*
 * NOTE(review): the subtraction presumes pdu->offset <= pdu->size. The
 * field types are not visible in this excerpt; confirm against
 * struct p9_fcall that it cannot wrap to a huge length.
 */
size_t len = min(pdu->size - pdu->offset, size);
memcpy(data, &pdu->sdata[pdu->offset], len);
/* Advance the read cursor by what was actually consumed. */
pdu->offset += len;
return size - len;
}
static size_t pdu_write(struct p9_fcall *pdu, const void *data, size_t size)
Reported by FlawFinder.
Line: 57
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * pdu_write - append up to @size bytes from @data to the PDU at pdu->size.
 *
 * The copy length is clamped to the room left between pdu->size and
 * pdu->capacity, so the memcpy() never writes more than that into
 * pdu->sdata. @data must be readable for the copied length.
 *
 * Returns the number of requested bytes that did NOT fit, i.e. 0 when
 * everything was written and non-zero when the PDU is full.
 */
static size_t pdu_write(struct p9_fcall *pdu, const void *data, size_t size)
{
/*
 * NOTE(review): the subtraction presumes pdu->size <= pdu->capacity. The
 * field types are not visible in this excerpt; confirm against
 * struct p9_fcall that it cannot wrap to a huge length.
 */
size_t len = min(pdu->capacity - pdu->size, size);
memcpy(&pdu->sdata[pdu->size], data, len);
/* Grow the PDU by what was actually stored. */
pdu->size += len;
return size - len;
}
static size_t
Reported by FlawFinder.
Line: 387
Column: 26
CWE codes:
126
const char *sptr = va_arg(ap, const char *);
uint16_t len = 0;
if (sptr)
len = min_t(size_t, strlen(sptr),
USHRT_MAX);
errcode = p9pdu_writef(pdu, proto_version,
"w", len);
if (!errcode && pdu_write(pdu, sptr, len))
Reported by FlawFinder.
net/appletalk/ddp.c
3 issues
Line: 658
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Device configuration ioctl calls */
static int atif_ioctl(int cmd, void __user *arg)
{
static char aarp_mcast[6] = { 0x09, 0x00, 0x00, 0xFF, 0xFF, 0xFF };
struct ifreq atreq;
struct atalk_netrange *nr;
struct sockaddr_at *sa;
struct net_device *dev;
struct atalk_iface *atif;
Reported by FlawFinder.
Line: 876
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct net_device *dev = NULL;
if (rt->rt_dev) {
char name[IFNAMSIZ];
if (copy_from_user(name, rt->rt_dev, IFNAMSIZ-1))
return -EFAULT;
name[IFNAMSIZ-1] = '\0';
Reported by FlawFinder.
Line: 1279
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
sat.sat_family = AF_APPLETALK;
memcpy(uaddr, &sat, sizeof(sat));
err = sizeof(struct sockaddr_at);
out:
release_sock(sk);
return err;
Reported by FlawFinder.
net/atm/clip.c
3 issues
Line: 382
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *here;
here = skb_push(skb, RFC1483LLC_LEN);
memcpy(here, llc_oui, sizeof(llc_oui));
((__be16 *) here)[3] = skb->protocol;
}
atm_account_tx(vcc, skb);
entry->vccs->last_use = jiffies;
pr_debug("atm_skb(%p)->vcc(%p)->dev(%p)\n", skb, vcc, vcc->dev);
Reported by FlawFinder.
Line: 531
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!dev)
return -ENOMEM;
clip_priv = PRIV(dev);
sprintf(dev->name, "atm%d", number);
spin_lock_init(&clip_priv->xoff_lock);
clip_priv->number = number;
error = register_netdev(dev);
if (error) {
free_netdev(dev);
Reported by FlawFinder.
Line: 741
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct net_device *dev = n->dev;
unsigned long exp;
char buf[17];
int svc, llc, off;
svc = ((clip_vcc == SEQ_NO_VCC_TOKEN) ||
(sk_atm(clip_vcc->vcc)->sk_family == AF_ATMSVC));
Reported by FlawFinder.