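The following issues were found by static analysis (FlawFinder and Cppcheck). Each entry is an unverified tool finding on the quoted line, not a confirmed vulnerability, and needs manual triage against the surrounding code.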
net/atm/resources.c
3 issues
Line: 269
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
fallthrough;
case ATM_SETESIF:
{
unsigned char esi[ESI_LEN];
if (!capable(CAP_NET_ADMIN)) {
error = -EPERM;
goto done;
}
Reported by FlawFinder.
Line: 279
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
error = -EFAULT;
goto done;
}
memcpy(dev->esi, esi, ESI_LEN);
error = ESI_LEN;
goto done;
}
case ATM_GETSTATZ:
if (!capable(CAP_NET_ADMIN)) {
Reported by FlawFinder.
Line: 243
Column: 10
CWE codes:
126
switch (cmd) {
case ATM_GETTYPE:
size = strlen(dev->type) + 1;
if (copy_to_user(buf, dev->type, size)) {
error = -EFAULT;
goto done;
}
break;
Reported by FlawFinder.
net/ax25/ax25_ip.c
3 issues
Line: 60
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*buff++ = 0x00; /* KISS DATA */
if (daddr != NULL)
memcpy(buff, daddr, dev->addr_len); /* Address specified */
buff[6] &= ~AX25_CBIT;
buff[6] &= ~AX25_EBIT;
buff[6] |= AX25_SSSID_SPARE;
buff += AX25_ADDR_LEN;
Reported by FlawFinder.
Line: 68
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buff += AX25_ADDR_LEN;
if (saddr != NULL)
memcpy(buff, saddr, dev->addr_len);
else
memcpy(buff, dev->dev_addr, dev->addr_len);
buff[6] &= ~AX25_CBIT;
buff[6] |= AX25_EBIT;
Reported by FlawFinder.
Line: 70
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (saddr != NULL)
memcpy(buff, saddr, dev->addr_len);
else
memcpy(buff, dev->dev_addr, dev->addr_len);
buff[6] &= ~AX25_CBIT;
buff[6] |= AX25_EBIT;
buff[6] |= AX25_SSSID_SPARE;
buff += AX25_ADDR_LEN;
Reported by FlawFinder.
net/bluetooth/6lowpan.c
3 issues
Line: 61
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct l2cap_chan *chan;
/* peer addresses in various formats */
unsigned char lladdr[ETH_ALEN];
struct in6_addr peer_addr;
};
struct lowpan_btle_dev {
struct list_head list;
Reported by FlawFinder.
Line: 162
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* by bt_xmit() when sending the packet. In bt_xmit(), the
* destination routing info is not set.
*/
memcpy(&lowpan_cb(skb)->gw, nexthop, sizeof(struct in6_addr));
}
BT_DBG("gw %pI6c", nexthop);
rcu_read_lock();
Reported by FlawFinder.
Line: 1085
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count,
loff_t *position)
{
char buf[32];
size_t buf_size = min(count, sizeof(buf) - 1);
int ret;
bdaddr_t addr;
u8 addr_type;
struct l2cap_conn *conn = NULL;
Reported by FlawFinder.
net/bluetooth/a2mp.c
3 issues
Line: 37
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->ident = ident;
cmd->len = cpu_to_le16(len);
memcpy(cmd->data, data, len);
return cmd;
}
static void a2mp_send(struct amp_mgr *mgr, u8 code, u8 ident, u16 len, void *data)
Reported by FlawFinder.
Line: 960
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rsp->status = A2MP_STATUS_INVALID_CTRL_ID;
} else {
rsp->status = A2MP_STATUS_SUCCESS;
memcpy(rsp->amp_assoc, loc_assoc->data, loc_assoc->len);
}
a2mp_send(mgr, A2MP_GETAMPASSOC_RSP, mgr->ident, len, rsp);
amp_mgr_put(mgr);
kfree(rsp);
Reported by FlawFinder.
Line: 996
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->local_id = hdev->id;
req->remote_id = bredr_chan->remote_amp_id;
memcpy(req->amp_assoc, loc_assoc->data, loc_assoc->len);
a2mp_send(mgr, A2MP_CREATEPHYSLINK_REQ, __next_ident(mgr), len, req);
clean:
amp_mgr_put(mgr);
Reported by FlawFinder.
net/bluetooth/hidp/hidp.h
3 issues
Line: 102
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u16 version;
__u32 flags;
__u32 idle_to;
char name[128];
};
struct hidp_conndel_req {
bdaddr_t bdaddr;
__u32 flags;
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u16 vendor;
__u16 product;
__u16 version;
char name[128];
};
struct hidp_connlist_req {
__u32 cnum;
struct hidp_conninfo __user *ci;
Reported by FlawFinder.
Line: 171
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint rd_size;
/* session data */
unsigned char keys[8];
unsigned char leds;
/* Used in hidp_get_raw_report() */
int waiting_report_type; /* HIDP_DATA_RTYPE_* */
int waiting_report_number; /* -1 for not numbered */
Reported by FlawFinder.
net/bluetooth/l2cap_sock.c
3 issues
Line: 96
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&la, 0, sizeof(la));
len = min_t(unsigned int, sizeof(la), alen);
memcpy(&la, addr, len);
if (la.l2_cid && la.l2_psm)
return -EINVAL;
if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
Reported by FlawFinder.
Line: 199
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&la, 0, sizeof(la));
len = min_t(unsigned int, sizeof(la), alen);
memcpy(&la, addr, len);
if (la.l2_cid && la.l2_psm)
return -EINVAL;
if (!bdaddr_type_is_valid(la.l2_bdaddr_type))
Reported by FlawFinder.
Line: 526
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&cinfo, 0, sizeof(cinfo));
cinfo.hci_handle = chan->conn->hcon->handle;
memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
len = min_t(unsigned int, len, sizeof(cinfo));
if (copy_to_user(optval, (char *) &cinfo, len))
err = -EFAULT;
Reported by FlawFinder.
net/bpf/test_run.c
3 issues
Line: 238
ALLOW_ERROR_INJECTION(bpf_modify_return_test, ERRNO);
BTF_SET_START(test_sk_kfunc_ids)
BTF_ID(func, bpf_kfunc_call_test1)
BTF_ID(func, bpf_kfunc_call_test2)
BTF_ID(func, bpf_kfunc_call_test3)
BTF_SET_END(test_sk_kfunc_ids)
Reported by Cppcheck.
Line: 520
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb->mark = __skb->mark;
skb->priority = __skb->priority;
skb->tstamp = __skb->tstamp;
memcpy(&cb->data, __skb->cb, QDISC_CB_PRIV_LEN);
if (__skb->wire_len == 0) {
cb->pkt_len = skb->len;
} else {
if (__skb->wire_len < skb->len ||
Reported by FlawFinder.
Line: 550
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__skb->priority = skb->priority;
__skb->ifindex = skb->dev->ifindex;
__skb->tstamp = skb->tstamp;
memcpy(__skb->cb, &cb->data, QDISC_CB_PRIV_LEN);
__skb->wire_len = cb->pkt_len;
__skb->gso_segs = skb_shinfo(skb)->gso_segs;
}
int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
Reported by FlawFinder.
net/bridge/br_netlink.c
3 issues
Line: 714
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!br_vlan_valid_range(vinfo_curr, *vinfo_last, extack))
return -EINVAL;
memcpy(&tmp_vinfo, *vinfo_last,
sizeof(struct bridge_vlan_info));
for (v = (*vinfo_last)->vid; v <= vinfo_curr->vid; v++) {
bool curr_change = false;
tmp_vinfo.vid = v;
Reported by FlawFinder.
Line: 1268
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nla_len(data[IFLA_BR_GROUP_ADDR]) != ETH_ALEN)
return -EINVAL;
memcpy(new_addr, nla_data(data[IFLA_BR_GROUP_ADDR]), ETH_ALEN);
if (!is_link_local_ether_addr(new_addr))
return -EINVAL;
if (new_addr[5] == 1 || /* 802.3x Pause address */
new_addr[5] == 2 || /* 802.3ad Slow protocols */
new_addr[5] == 3) /* 802.1X PAE address */
Reported by FlawFinder.
Line: 1741
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto nla_put_failure;
spin_lock_bh(&br->lock);
memcpy(nla_data(nla), &p->stp_xstats, sizeof(p->stp_xstats));
spin_unlock_bh(&br->lock);
}
nla_nest_end(skb, nest);
*prividx = 0;
Reported by FlawFinder.
net/caif/cfctrl.c
3 issues
Line: 49
Column: 2
CWE codes:
120
Suggestion:
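Use sprintf_s, snprintf, or vsnprintf. (sprintf_s is not available in Linux kernel code; there, use a size-bounded call such as snprintf or scnprintf with the destination's size.)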
atomic_set(&this->req_seq_no, 1);
atomic_set(&this->rsp_seq_no, 1);
this->serv.layer.receive = cfctrl_recv;
sprintf(this->serv.layer.name, "ctrl");
this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
#ifndef CAIF_NO_LOOP
spin_lock_init(&this->loop_linkid_lock);
this->loop_linkid = 1;
#endif
Reported by FlawFinder.
Line: 209
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 tmp8;
struct cfctrl_request_info *req;
int ret;
char utility_name[16];
struct cfpkt *pkt;
struct cflayer *dn = cfctrl->serv.layer.dn;
if (!dn) {
pr_debug("not able to send linkup request\n");
Reported by FlawFinder.
Line: 253
Column: 11
CWE codes:
126
cfpkt_add_body(pkt, &tmp32, 4);
/* Add volume name, including zero termination... */
cfpkt_add_body(pkt, param->u.rfm.volume,
strlen(param->u.rfm.volume) + 1);
break;
case CFCTRL_SRV_UTIL:
tmp16 = cpu_to_le16(param->u.utility.fifosize_kb);
cfpkt_add_body(pkt, &tmp16, 2);
tmp16 = cpu_to_le16(param->u.utility.fifosize_bufs);
Reported by FlawFinder.
net/ceph/ceph_common.c
3 issues
Line: 53
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Module-parameter "get" callback: formats CEPH_FEATURES_SUPPORTED_DEFAULT
 * as a 0x-prefixed hex string into @buffer and returns sprintf()'s result
 * (characters written, not counting the terminating NUL).
 *
 * @buffer: destination for the formatted text.
 * @kp:     unused by this callback.
 *
 * Triage note for the CWE-120 sprintf() finding: the format string is a
 * literal and its only conversion is %llx, so no caller-controlled data
 * reaches the output. Assuming a 64-bit unsigned long long, the result is
 * "0x" plus at most 16 hex digits, i.e. 19 bytes including the NUL.
 * The size of @buffer is not visible from here.
 * NOTE(review): confirm the caller supplies at least that much (parameter
 * get callbacks are normally handed a page-sized buffer) before closing
 * the finding.
 */
static int param_get_supported_features(char *buffer,
					const struct kernel_param *kp)
{
	int written;

	written = sprintf(buffer, "0x%llx", CEPH_FEATURES_SUPPORTED_DEFAULT);
	return written;
}
/*
 * Parameter ops for the supported_features parameter. Only .get is
 * assigned in this initializer, so every other member is zero-initialized.
 * Presumably that leaves the parameter without a write handler; confirm
 * against the permissions argument of the module_param_cb() call, which is
 * not visible in this excerpt.
 */
static const struct kernel_param_ops param_ops_supported_features = {
.get = param_get_supported_features,
};
module_param_cb(supported_features, &param_ops_supported_features, NULL,
Reported by FlawFinder.
Line: 114
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
}
} else {
memcpy(&client->fsid, fsid, sizeof(*fsid));
}
return 0;
}
EXPORT_SYMBOL(ceph_check_fsid);
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int parse_fsid(const char *str, struct ceph_fsid *fsid)
{
int i = 0;
char tmp[3];
int err = -EINVAL;
int d;
dout("parse_fsid '%s'\n", str);
tmp[2] = 0;
Reported by FlawFinder.