The following issues were found
net/ceph/messenger.c
3 issues
Line: 158
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define ADDR_STR_COUNT_MASK (ADDR_STR_COUNT - 1)
#define MAX_ADDR_STR_LEN 64 /* 54 is enough */
static char addr_str[ADDR_STR_COUNT][MAX_ADDR_STR_LEN];
static atomic_t addr_str_seq = ATOMIC_INIT(0);
struct page *ceph_zero_page; /* used in certain error cases */
const char *ceph_pr_addr(const struct ceph_entity_addr *addr)
Reported by FlawFinder.
Line: 601
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
con->peer_name.type = (__u8) entity_type;
con->peer_name.num = cpu_to_le64(entity_num);
memcpy(&con->peer_addr, addr, sizeof(*addr));
con->delay = 0; /* reset backoff memory */
mutex_unlock(&con->mutex);
queue_con(con);
}
EXPORT_SYMBOL(ceph_con_open);
Reported by FlawFinder.
Line: 2040
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
con->error_msg = "error allocating memory for incoming message";
return -ENOMEM;
}
memcpy(&con->in_msg->hdr, hdr, sizeof(*hdr));
if (middle_len && !con->in_msg->middle) {
ret = ceph_alloc_middle(con, con->in_msg);
if (ret < 0) {
ceph_msg_put(con->in_msg);
Reported by FlawFinder.
net/core/sock_map.c
3 issues
Line: 968
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
atomic_dec(&htab->count);
return ERR_PTR(-ENOMEM);
}
memcpy(new->key, key, key_size);
new->sk = sk;
new->hash = hash;
return new;
}
Reported by FlawFinder.
Line: 1059
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
elem_next = hlist_entry_safe(rcu_dereference(hlist_next_rcu(&elem->node)),
struct bpf_shtab_elem, node);
if (elem_next) {
memcpy(key_next, elem_next->key, key_size);
return 0;
}
i = hash & (htab->buckets_num - 1);
i++;
Reported by FlawFinder.
Line: 1071
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
elem_next = hlist_entry_safe(rcu_dereference(hlist_first_rcu(head)),
struct bpf_shtab_elem, node);
if (elem_next) {
memcpy(key_next, elem_next->key, key_size);
return 0;
}
}
return -ENOENT;
Reported by FlawFinder.
net/dcb/dcbnl.c
3 issues
Line: 707
Column: 26
CWE codes:
327
Suggestion:
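Use a more secure technique for acquiring random values. Triage note: the token at the reported column in the excerpt below is `netdev->dcbnl_ops->setstate`, a driver callback pointer, not the C library's setstate() random-number routine, so this CWE-327 hit looks like a name-match false positive.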
if (!tb[DCB_ATTR_STATE])
return -EINVAL;
if (!netdev->dcbnl_ops->setstate)
return -EOPNOTSUPP;
value = nla_get_u8(tb[DCB_ATTR_STATE]);
return nla_put_u8(skb, DCB_ATTR_STATE,
Reported by FlawFinder.
Line: 713
Column: 25
CWE codes:
327
Suggestion:
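Use a more secure technique for acquiring random values. Triage note: the flagged call in the excerpt below is `netdev->dcbnl_ops->setstate(netdev, value)`, a driver callback invoked through an ops table rather than the C library's setstate() random-number routine, so this CWE-327 hit looks like a name-match false positive.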
value = nla_get_u8(tb[DCB_ATTR_STATE]);
return nla_put_u8(skb, DCB_ATTR_STATE,
netdev->dcbnl_ops->setstate(netdev, value));
}
static int dcbnl_setpfccfg(struct net_device *netdev, struct nlmsghdr *nlh,
u32 seq, struct nlattr **tb, struct sk_buff *skb)
{
Reported by FlawFinder.
Line: 1823
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!entry)
return -ENOMEM;
memcpy(&entry->app, app, sizeof(*app));
entry->ifindex = ifindex;
list_add(&entry->list, &dcb_app_list);
return 0;
}
Reported by FlawFinder.
net/dns_resolver/dns_query.c
3 issues
Line: 112
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cp = desc;
if (type) {
memcpy(cp, type, typelen);
cp += typelen;
*cp++ = ':';
}
memcpy(cp, name, namelen);
cp += namelen;
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cp += typelen;
*cp++ = ':';
}
memcpy(cp, name, namelen);
cp += namelen;
*cp = '\0';
if (!options)
options = "";
Reported by FlawFinder.
Line: 96
Column: 13
CWE codes:
126
typelen = 0;
desclen = 0;
if (type) {
typelen = strlen(type);
if (typelen < 1)
return -EINVAL;
desclen += typelen + 1;
}
Reported by FlawFinder.
net/dsa/master.c
3 issues
Line: 281
Column: 9
CWE codes:
120
Suggestion:
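Use sprintf_s, snprintf, or vsnprintf. Triage note: the kernel does not provide sprintf_s; the excerpt below appears to be a sysfs show handler (confirm against the full source), and the kernel's bounded helper for that case is sysfs_emit().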
struct net_device *dev = to_net_dev(d);
struct dsa_port *cpu_dp = dev->dsa_ptr;
return sprintf(buf, "%s\n",
dsa_tag_protocol_to_str(cpu_dp->tag_ops));
}
static ssize_t tagging_store(struct device *d, struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 185
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < count; i++) {
memmove(ndata + (i * len + sizeof(pfx)),
ndata + i * len, len - sizeof(pfx));
memcpy(ndata + i * len, pfx, sizeof(pfx));
}
}
}
static int dsa_master_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
Reported by FlawFinder.
Line: 235
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_dp->orig_ethtool_ops = dev->ethtool_ops;
if (cpu_dp->orig_ethtool_ops)
memcpy(ops, cpu_dp->orig_ethtool_ops, sizeof(*ops));
ops->get_regs_len = dsa_master_get_regs_len;
ops->get_regs = dsa_master_get_regs;
ops->get_sset_count = dsa_master_get_sset_count;
ops->get_ethtool_stats = dsa_master_get_ethtool_stats;
Reported by FlawFinder.
net/ethtool/bitset.c
3 issues
Line: 256
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!attr)
goto nla_put_failure;
dst = nla_data(attr);
memcpy(dst, val, nbytes);
if (nbits % 32)
dst[nwords - 1] &= ethnl_lower_bits(nbits);
if (mask) {
attr = nla_reserve(skb, ETHTOOL_A_BITSET_MASK, nbytes);
Reported by FlawFinder.
Line: 265
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!attr)
goto nla_put_failure;
dst = nla_data(attr);
memcpy(dst, mask, nbytes);
if (nbits % 32)
dst[nwords - 1] &= ethnl_lower_bits(nbits);
}
} else {
struct nlattr *bits;
Reported by FlawFinder.
Line: 370
Column: 7
CWE codes:
126
for (i = 0; i < n_names; i++) {
/* names[i] may not be null terminated */
if (!strncmp(names[i], name, ETH_GSTRING_LEN) &&
strlen(name) <= ETH_GSTRING_LEN)
return i;
}
return -ENOENT;
}
Reported by FlawFinder.
net/ipv4/icmp.c
3 issues
Line: 562
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
XFRM_LOOKUP_ICMP);
if (!IS_ERR(rt2)) {
dst_release(&rt->dst);
memcpy(fl4, &fl4_dec, sizeof(*fl4));
rt = rt2;
} else if (PTR_ERR(rt2) == -EPERM) {
if (rt)
dst_release(&rt->dst);
return rt2;
Reported by FlawFinder.
Line: 1032
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct icmp_ext_echo_iio *iio, _iio;
struct net *net = dev_net(skb->dev);
struct net_device *dev;
char buff[IFNAMSIZ];
u16 ident_len;
u8 status;
if (!net->ipv4.sysctl_icmp_echo_enable_probe)
return false;
Reported by FlawFinder.
Line: 1068
Column: 3
CWE codes:
120
Suggestion:
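Make sure destination can always hold the source data. Triage note: the excerpt below rejects `ident_len >= IFNAMSIZ` before copying `ident_len` bytes into `buff`, which the previous finding shows declared as `char buff[IFNAMSIZ]`, so the destination side is bounded here; what is left to confirm from the full source is that `iio->ident.name` holds at least `ident_len` readable bytes.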
if (ident_len >= IFNAMSIZ)
goto send_mal_query;
memset(buff, 0, sizeof(buff));
memcpy(buff, &iio->ident.name, ident_len);
dev = dev_get_by_name(net, buff);
break;
case ICMP_EXT_ECHO_CTYPE_INDEX:
iio = skb_header_pointer(skb, sizeof(_ext_hdr), sizeof(iio->extobj_hdr) +
sizeof(iio->ident.ifindex), &_iio);
Reported by FlawFinder.
net/ipv4/ip_output.c
3 issues
Line: 449
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
BUILD_BUG_ON(offsetof(typeof(*fl4), daddr) !=
offsetof(typeof(*fl4), saddr) + sizeof(fl4->saddr));
memcpy(&iph->saddr, &fl4->saddr,
sizeof(fl4->saddr) + sizeof(fl4->daddr));
}
/* Note: skb->sk can be different from sk, in case of tunnels */
int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
Reported by FlawFinder.
Line: 640
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_reset_transport_header(frag);
__skb_push(frag, hlen);
skb_reset_network_header(frag);
memcpy(skb_network_header(frag), iph, hlen);
iter->iph = ip_hdr(frag);
iph = iter->iph;
iph->tot_len = htons(frag->len);
ip_copy_metadata(frag, skb);
iter->offset += skb->len - hlen;
Reported by FlawFinder.
Line: 1266
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(!cork->opt))
return -ENOBUFS;
}
memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen);
cork->flags |= IPCORK_OPT;
cork->addr = ipc->addr;
}
cork->fragsize = ip_sk_use_pmtu(sk) ?
Reported by FlawFinder.
net/ipv4/raw.c
3 issues
Line: 83
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct msghdr *msg;
union {
struct icmphdr icmph;
char c[1];
} hdr;
int hlen;
};
struct raw_hashinfo raw_v4_hashinfo = {
Reported by FlawFinder.
Line: 477
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int copy = min(rfv->hlen - offset, len);
if (skb->ip_summed == CHECKSUM_PARTIAL)
memcpy(to, rfv->hdr.c + offset, copy);
else
skb->csum = csum_block_add(
skb->csum,
csum_partial_copy_nocheck(rfv->hdr.c + offset,
to, copy),
Reported by FlawFinder.
Line: 582
Column: 4
CWE codes:
120
Suggestion:
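Make sure destination can always hold the source data. Triage note: the copy length in the excerpt below is `sizeof(*inet_opt) + inet_opt->opt.optlen`, so it depends on a runtime field; neither the size of `opt_copy` nor any cap on `optlen` is visible in this excerpt, so both need to be confirmed in the full source before closing this finding.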
rcu_read_lock();
inet_opt = rcu_dereference(inet->inet_opt);
if (inet_opt) {
memcpy(&opt_copy, inet_opt,
sizeof(*inet_opt) + inet_opt->opt.optlen);
ipc.opt = &opt_copy.opt;
}
rcu_read_unlock();
}
Reported by FlawFinder.
net/ipv4/tcp.c
3 issues
Line: 2641
Column: 23
CWE codes:
119
120
Suggestion:
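Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the flagged declaration in the excerpt below is a `static const` lookup table, so the property to verify is that the value used to index it stays within 0–15; the indexing site is not shown in this excerpt.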
* closed.
*/
static const unsigned char new_state[16] = {
/* current state: new state: action: */
[0 /* (Invalid) */] = TCP_CLOSE,
[TCP_ESTABLISHED] = TCP_FIN_WAIT1 | TCP_ACTION_FIN,
[TCP_SYN_SENT] = TCP_CLOSE,
[TCP_SYN_RECV] = TCP_FIN_WAIT1 | TCP_ACTION_FIN,
Reported by FlawFinder.
Line: 3360
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* These are data/string values, all the others are ints */
switch (optname) {
case TCP_CONGESTION: {
char name[TCP_CA_NAME_MAX];
if (optlen < 1)
return -EINVAL;
val = strncpy_from_sockptr(name, optval,
Reported by FlawFinder.
Line: 3379
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return err;
}
case TCP_ULP: {
char name[TCP_ULP_NAME_MAX];
if (optlen < 1)
return -EINVAL;
val = strncpy_from_sockptr(name, optval,
Reported by FlawFinder.