The following issues were found
net/ncsi/ncsi-manage.c
3 issues
Line: 696
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca)
{
unsigned char data[NCSI_OEM_INTEL_CMD_KEEP_PHY_LEN];
int ret = 0;
nca->payload = NCSI_OEM_INTEL_CMD_KEEP_PHY_LEN;
memset(data, 0, NCSI_OEM_INTEL_CMD_KEEP_PHY_LEN);
Reported by FlawFinder.
Line: 726
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* NCSI OEM Command APIs */
static int ncsi_oem_gma_handler_bcm(struct ncsi_cmd_arg *nca)
{
unsigned char data[NCSI_OEM_BCM_CMD_GMA_LEN];
int ret = 0;
nca->payload = NCSI_OEM_BCM_CMD_GMA_LEN;
memset(data, 0, NCSI_OEM_BCM_CMD_GMA_LEN);
Reported by FlawFinder.
Line: 782
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u.data_u32[0] = ntohl((__force __be32)NCSI_OEM_MFR_MLX_ID);
u.data_u8[5] = NCSI_OEM_MLX_CMD_SMAF;
u.data_u8[6] = NCSI_OEM_MLX_CMD_SMAF_PARAM;
memcpy(&u.data_u8[MLX_SMAF_MAC_ADDR_OFFSET],
nca->ndp->ndev.dev->dev_addr, ETH_ALEN);
u.data_u8[MLX_SMAF_MED_SUPPORT_OFFSET] =
(MLX_MC_RBT_AVL | MLX_MC_RBT_SUPPORT);
nca->payload = NCSI_OEM_MLX_CMD_SMAF_LEN;
Reported by FlawFinder.
net/netfilter/ipset/ip_set_bitmap_ipmac.c
3 issues
Line: 58
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* ADT structure for generic function args */
struct bitmap_ipmac_adt_elem {
unsigned char ether[ETH_ALEN] __aligned(2);
u16 id;
u16 add_mac;
};
struct bitmap_ipmac_elem {
Reported by FlawFinder.
Line: 64
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct bitmap_ipmac_elem {
unsigned char ether[ETH_ALEN];
unsigned char filled;
} __aligned(__alignof__(u64));
static u32
ip_to_id(const struct bitmap_ipmac *m, u32 ip)
Reported by FlawFinder.
Line: 272
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tb[IPSET_ATTR_ETHER]) {
if (nla_len(tb[IPSET_ATTR_ETHER]) != ETH_ALEN)
return -IPSET_ERR_PROTOCOL;
memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN);
e.add_mac = 1;
}
ret = adtfn(set, &e, &ext, &ext, flags);
return ip_set_eexist(ret, flags) ? 0 : ret;
Reported by FlawFinder.
net/netfilter/ipvs/ip_vs_ftp.c
3 issues
Line: 103
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u16 af, char **start, char **end)
{
char *s, c;
unsigned char p[6];
char edelim;
__u16 hport;
int i = 0;
if (data_limit - data < plen) {
Reported by FlawFinder.
Line: 257
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union nf_inet_addr from;
__be16 port;
struct ip_vs_conn *n_cp;
char buf[24]; /* xxx.xxx.xxx.xxx,ppp,ppp\000 */
unsigned int buf_len;
int ret = 0;
enum ip_conntrack_info ctinfo;
struct nf_conn *ct;
Reported by FlawFinder.
Line: 362
Column: 12
CWE codes:
126
} else {
*buf = 0;
}
buf_len = strlen(buf);
ct = nf_ct_get(skb, &ctinfo);
if (ct) {
bool mangled;
Reported by FlawFinder.
net/netfilter/nf_conntrack_helper.c
3 issues
Line: 499
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
helper->help = help;
helper->from_nlattr = from_nlattr;
helper->me = module;
snprintf(helper->nat_mod_name, sizeof(helper->nat_mod_name),
NF_NAT_HELPER_PREFIX "%s", name);
if (spec_port == default_port)
snprintf(helper->name, sizeof(helper->name), "%s", name);
else
Reported by FlawFinder.
Line: 154
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct nf_conntrack_helper *h;
struct nf_conntrack_nat_helper *nat;
char mod_name[NF_CT_HELPER_NAME_LEN];
int ret = 0;
rcu_read_lock();
h = __nf_conntrack_helper_find(name, l3num, protonum);
if (!h) {
Reported by FlawFinder.
Line: 406
Column: 9
CWE codes:
126
BUG_ON(me->expect_policy == NULL);
BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
return -EINVAL;
mutex_lock(&nf_ct_helper_mutex);
Reported by FlawFinder.
net/netfilter/nf_nat_amanda.c
3 issues
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int matchlen,
struct nf_conntrack_expect *exp)
{
char buffer[sizeof("65535")];
u_int16_t port;
/* Connection comes from client. */
exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
exp->dir = IP_CT_DIR_ORIGINAL;
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return NF_DROP;
}
sprintf(buffer, "%u", port);
if (!nf_nat_mangle_udp_packet(skb, exp->master, ctinfo,
protoff, matchoff, matchlen,
buffer, strlen(buffer))) {
nf_ct_helper_log(skb, exp->master, "cannot mangle packet");
nf_ct_unexpect_related(exp);
Reported by FlawFinder.
Line: 68
Column: 19
CWE codes:
126
sprintf(buffer, "%u", port);
if (!nf_nat_mangle_udp_packet(skb, exp->master, ctinfo,
protoff, matchoff, matchlen,
buffer, strlen(buffer))) {
nf_ct_helper_log(skb, exp->master, "cannot mangle packet");
nf_ct_unexpect_related(exp);
return NF_DROP;
}
return NF_ACCEPT;
Reported by FlawFinder.
net/netfilter/nf_tables_trace.c
3 issues
Line: 195
Column: 18
CWE codes:
126
return;
size = nlmsg_total_size(sizeof(struct nfgenmsg)) +
nla_total_size(strlen(info->chain->table->name)) +
nla_total_size(strlen(info->chain->name)) +
nla_total_size_64bit(sizeof(__be64)) + /* rule handle */
nla_total_size(sizeof(__be32)) + /* trace type */
nla_total_size(0) + /* VERDICT, nested */
nla_total_size(sizeof(u32)) + /* verdict code */
Reported by FlawFinder.
Line: 196
Column: 18
CWE codes:
126
size = nlmsg_total_size(sizeof(struct nfgenmsg)) +
nla_total_size(strlen(info->chain->table->name)) +
nla_total_size(strlen(info->chain->name)) +
nla_total_size_64bit(sizeof(__be64)) + /* rule handle */
nla_total_size(sizeof(__be32)) + /* trace type */
nla_total_size(0) + /* VERDICT, nested */
nla_total_size(sizeof(u32)) + /* verdict code */
nla_total_size(sizeof(u32)) + /* id */
Reported by FlawFinder.
Line: 214
Column: 26
CWE codes:
126
nla_total_size(sizeof(u32)); /* policy */
if (nft_trace_have_verdict_chain(info))
size += nla_total_size(strlen(info->verdict->chain->name)); /* jump target */
skb = nlmsg_new(size, GFP_ATOMIC);
if (!skb)
return;
Reported by FlawFinder.
net/netfilter/nfnetlink_hook.c
3 issues
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
struct nfnl_dump_hook_data {
char devname[IFNAMSIZ];
unsigned long headv;
u8 hook;
};
static int nfnl_hook_put_nft_chain_info(struct sk_buff *nlskb,
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret = -EMSGSIZE;
u32 hooknum;
#ifdef CONFIG_KALLSYMS
char sym[KSYM_SYMBOL_LEN];
char *module_name;
#endif
nlh = nfnl_msg_put(nlskb, portid, seq, event,
NLM_F_MULTI, family, NFNETLINK_V0, 0);
if (!nlh)
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nfnl_dump_hook_data *ctx = NULL;
struct net *net = sock_net(cb->skb->sk);
u8 family = nfmsg->nfgen_family;
char name[IFNAMSIZ] = "";
const void *head;
u32 hooknum;
hooknum = ntohl(nla_get_be32(nla[NFNLA_HOOK_HOOKNUM]));
if (hooknum > 255)
Reported by FlawFinder.
net/netfilter/nfnetlink_osf.c
3 issues
Line: 204
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct iphdr *ip = ip_hdr(skb);
const struct nf_osf_user_finger *f;
unsigned char opts[MAX_IPOPTLEN];
const struct nf_osf_finger *kf;
int fcount = 0, ttl_check;
int fmatch = FMATCH_WRONG;
struct nf_osf_hdr_ctx ctx;
const struct tcphdr *tcp;
Reported by FlawFinder.
Line: 267
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct iphdr *ip = ip_hdr(skb);
const struct nf_osf_user_finger *f;
unsigned char opts[MAX_IPOPTLEN];
const struct nf_osf_finger *kf;
struct nf_osf_hdr_ctx ctx;
const struct tcphdr *tcp;
struct tcphdr _tcph;
Reported by FlawFinder.
Line: 320
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!kf)
return -ENOMEM;
memcpy(&kf->finger, f, sizeof(struct nf_osf_user_finger));
list_for_each_entry(sf, &nf_osf_fingers[!!f->df], finger_entry) {
if (memcmp(&sf->finger, f, sizeof(struct nf_osf_user_finger)))
continue;
Reported by FlawFinder.
net/netfilter/nft_compat.c
3 issues
Line: 188
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
int pad;
memcpy(out, in, t->targetsize);
pad = XT_ALIGN(t->targetsize) - t->targetsize;
if (pad > 0)
memset(out + t->targetsize, 0, pad);
}
Reported by FlawFinder.
Line: 306
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
info_size = user_size ? : size;
memcpy(nla_data(nla), info, info_size);
memset(nla_data(nla) + info_size, 0, aligned_size - info_size);
return 0;
}
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
int pad;
memcpy(out, in, m->matchsize);
pad = XT_ALIGN(m->matchsize) - m->matchsize;
if (pad > 0)
memset(out + m->matchsize, 0, pad);
}
Reported by FlawFinder.
net/netfilter/nft_osf.c
3 issues
Line: 26
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nft_osf *priv = nft_expr_priv(expr);
u32 *dest = ®s->data[priv->dreg];
struct sk_buff *skb = pkt->skb;
char os_match[NFT_OSF_MAXGENRELEN + 1];
const struct tcphdr *tcp;
struct nf_osf_data data;
struct tcphdr _tcph;
if (pkt->tprot != IPPROTO_TCP) {
Reported by FlawFinder.
Line: 48
Column: 3
CWE codes:
120
}
if (!nf_osf_find(skb, nf_osf_fingers, priv->ttl, &data)) {
strncpy((char *)dest, "unknown", NFT_OSF_MAXGENRELEN);
} else {
if (priv->flags & NFT_OSF_F_VERSION)
snprintf(os_match, NFT_OSF_MAXGENRELEN, "%s:%s",
data.genre, data.version);
else
Reported by FlawFinder.
Line: 56
Column: 3
CWE codes:
120
else
strlcpy(os_match, data.genre, NFT_OSF_MAXGENRELEN);
strncpy((char *)dest, os_match, NFT_OSF_MAXGENRELEN);
}
}
static int nft_osf_init(const struct nft_ctx *ctx,
const struct nft_expr *expr,
Reported by FlawFinder.