The following issues were found
net/netrom/af_netrom.c
3 issues
Line: 1278
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct net_device *dev;
struct nr_sock *nr;
const char *devname;
char buf[11];
if (v == SEQ_START_TOKEN)
seq_puts(seq,
"user_addr dest_node src_node dev my your st vs vr va t1 t2 t4 idle n2 wnd Snd-Q Rcv-Q inode\n");
Reported by FlawFinder.
Line: 1403
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
for (i = 0; i < nr_ndevs; i++) {
char name[IFNAMSIZ];
struct net_device *dev;
sprintf(name, "nr%d", i);
dev = alloc_netdev(0, name, NET_NAME_UNKNOWN, nr_setup);
if (!dev) {
Reported by FlawFinder.
Line: 1406
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char name[IFNAMSIZ];
struct net_device *dev;
sprintf(name, "nr%d", i);
dev = alloc_netdev(0, name, NET_NAME_UNKNOWN, nr_setup);
if (!dev) {
rc = -ENOMEM;
goto fail;
}
Reported by FlawFinder.
net/netrom/nr_dev.c
3 issues
Line: 71
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
unsigned char *buff = skb_push(skb, NR_NETWORK_LEN + NR_TRANSPORT_LEN);
memcpy(buff, (saddr != NULL) ? saddr : dev->dev_addr, dev->addr_len);
buff[6] &= ~AX25_CBIT;
buff[6] &= ~AX25_EBIT;
buff[6] |= AX25_SSSID_SPARE;
buff += AX25_ADDR_LEN;
Reported by FlawFinder.
Line: 78
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buff += AX25_ADDR_LEN;
if (daddr != NULL)
memcpy(buff, daddr, dev->addr_len);
buff[6] &= ~AX25_CBIT;
buff[6] |= AX25_EBIT;
buff[6] |= AX25_SSSID_SPARE;
buff += AX25_ADDR_LEN;
Reported by FlawFinder.
Line: 114
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ax25_listen_release((ax25_address *)dev->dev_addr, NULL);
}
memcpy(dev->dev_addr, sa->sa_data, dev->addr_len);
return 0;
}
static int nr_open(struct net_device *dev)
Reported by FlawFinder.
net/netrom/nr_out.c
3 issues
Line: 35
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void nr_output(struct sock *sk, struct sk_buff *skb)
{
struct sk_buff *skbn;
unsigned char transport[NR_TRANSPORT_LEN];
int err, frontlen, len;
if (skb->len - NR_TRANSPORT_LEN > NR_MAX_PACKET_SIZE) {
/* Save a copy of the Transport Header */
skb_copy_from_linear_data(skb, transport, NR_TRANSPORT_LEN);
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
dptr = skb_push(skb, NR_NETWORK_LEN);
memcpy(dptr, &nr->source_addr, AX25_ADDR_LEN);
dptr[6] &= ~AX25_CBIT;
dptr[6] &= ~AX25_EBIT;
dptr[6] |= AX25_SSSID_SPARE;
dptr += AX25_ADDR_LEN;
Reported by FlawFinder.
Line: 201
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dptr[6] |= AX25_SSSID_SPARE;
dptr += AX25_ADDR_LEN;
memcpy(dptr, &nr->dest_addr, AX25_ADDR_LEN);
dptr[6] &= ~AX25_CBIT;
dptr[6] |= AX25_EBIT;
dptr[6] |= AX25_SSSID_SPARE;
dptr += AX25_ADDR_LEN;
Reported by FlawFinder.
net/nfc/digital_dep.c
3 issues
Line: 500
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
atr_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT;
atr_req->cmd = DIGITAL_CMD_ATR_REQ;
if (target->nfcid2_len)
memcpy(atr_req->nfcid3, target->nfcid2, NFC_NFCID2_MAXSIZE);
else
get_random_bytes(atr_req->nfcid3, NFC_NFCID3_MAXSIZE);
atr_req->did = 0;
atr_req->bs = 0;
Reported by FlawFinder.
Line: 1513
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
atr_res->dir = DIGITAL_NFC_DEP_FRAME_DIR_IN;
atr_res->cmd = DIGITAL_CMD_ATR_RES;
memcpy(atr_res->nfcid3, atr_req->nfcid3, sizeof(atr_req->nfcid3));
atr_res->to = DIGITAL_NFC_DEP_TG_MAX_WT;
ddev->local_payload_max = DIGITAL_PAYLOAD_SIZE_MAX;
payload_bits = digital_payload_size_to_bits(ddev->local_payload_max);
atr_res->pp = DIGITAL_PAYLOAD_BITS_TO_PP(payload_bits);
Reported by FlawFinder.
Line: 1524
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_put(skb, gb_len);
atr_res->pp |= DIGITAL_GB_BIT;
memcpy(atr_res->gb, gb, gb_len);
}
digital_skb_push_dep_sod(ddev, skb);
ddev->skb_add_crc(skb);
Reported by FlawFinder.
net/nfc/llcp_sock.c
3 issues
Line: 76
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&llcp_addr, 0, sizeof(llcp_addr));
len = min_t(unsigned int, sizeof(llcp_addr), alen);
memcpy(&llcp_addr, addr, len);
/* This is going to be a listening socket, dsap must be 0 */
if (llcp_addr.dsap != 0)
return -EINVAL;
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&llcp_addr, 0, sizeof(llcp_addr));
len = min_t(unsigned int, sizeof(llcp_addr), alen);
memcpy(&llcp_addr, addr, len);
lock_sock(sk);
if (sk->sk_state != LLCP_CLOSED) {
ret = -EBADFD;
Reported by FlawFinder.
Line: 525
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
llcp_addr->dsap = llcp_sock->dsap;
llcp_addr->ssap = llcp_sock->ssap;
llcp_addr->service_name_len = llcp_sock->service_name_len;
memcpy(llcp_addr->service_name, llcp_sock->service_name,
llcp_addr->service_name_len);
release_sock(sk);
return sizeof(struct sockaddr_nfc_llcp);
}
Reported by FlawFinder.
net/nfc/nci/uart.c
3 issues
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nu)
return -ENOMEM;
memcpy(nu, nci_uart_drivers[driver], sizeof(struct nci_uart));
nu->tty = tty;
tty->disc_data = nu;
skb_queue_head_init(&nu->tx_q);
INIT_WORK(&nu->write_work, nci_uart_write_work);
spin_lock_init(&nu->rx_lock);
Reported by FlawFinder.
Line: 139
Column: 16
CWE codes:
362
INIT_WORK(&nu->write_work, nci_uart_write_work);
spin_lock_init(&nu->rx_lock);
ret = nu->ops.open(nu);
if (ret) {
tty->disc_data = NULL;
kfree(nu);
} else if (!try_module_get(nu->owner)) {
nu->ops.close(nu);
Reported by FlawFinder.
Line: 392
Column: 22
CWE codes:
362
int nci_uart_register(struct nci_uart *nu)
{
if (!nu || !nu->ops.open ||
!nu->ops.recv || !nu->ops.close)
return -EINVAL;
/* Set the send callback */
nu->ops.send = nci_uart_send;
Reported by FlawFinder.
net/openvswitch/flow.c
3 issues
Line: 515
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case NSH_M_TYPE1:
if (length != NSH_M_TYPE1_LEN)
return -EINVAL;
memcpy(key->nsh.context, nh->md1.context,
sizeof(nh->md1));
break;
case NSH_M_TYPE2:
memset(key->nsh.context, 0,
sizeof(nh->md1));
Reported by FlawFinder.
Line: 657
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(error))
return 0;
memcpy(&lse, skb_inner_network_header(skb), MPLS_HLEN);
if (label_count <= MPLS_LABEL_DEPTH)
memcpy(&key->mpls.lse[label_count - 1], &lse,
MPLS_HLEN);
Reported by FlawFinder.
Line: 660
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&lse, skb_inner_network_header(skb), MPLS_HLEN);
if (label_count <= MPLS_LABEL_DEPTH)
memcpy(&key->mpls.lse[label_count - 1], &lse,
MPLS_HLEN);
skb_set_inner_network_header(skb, skb->mac_len +
label_count * MPLS_HLEN);
if (lse & htonl(MPLS_LS_S_MASK))
Reported by FlawFinder.
net/rds/bind.c
3 issues
Line: 59
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline void __rds_create_bind_key(u8 *key, const struct in6_addr *addr,
__be16 port, __u32 scope_id)
{
memcpy(key, addr, sizeof(*addr));
key += sizeof(*addr);
memcpy(key, &port, sizeof(port));
key += sizeof(port);
memcpy(key, &scope_id, sizeof(scope_id));
}
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
memcpy(key, addr, sizeof(*addr));
key += sizeof(*addr);
memcpy(key, &port, sizeof(port));
key += sizeof(port);
memcpy(key, &scope_id, sizeof(scope_id));
}
/*
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
key += sizeof(*addr);
memcpy(key, &port, sizeof(port));
key += sizeof(port);
memcpy(key, &scope_id, sizeof(scope_id));
}
/*
* Return the rds_sock bound at the given local address.
*
Reported by FlawFinder.
arch/x86/mm/tlb.c
3 issues
Line: 1228
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t tlbflush_read_file(struct file *file, char __user *user_buf,
size_t count, loff_t *ppos)
{
char buf[32];
unsigned int len;
len = sprintf(buf, "%ld\n", tlb_single_page_flush_ceiling);
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
Reported by FlawFinder.
Line: 1231
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[32];
unsigned int len;
len = sprintf(buf, "%ld\n", tlb_single_page_flush_ceiling);
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
static ssize_t tlbflush_write_file(struct file *file,
const char __user *user_buf, size_t count, loff_t *ppos)
Reported by FlawFinder.
Line: 1238
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t tlbflush_write_file(struct file *file,
const char __user *user_buf, size_t count, loff_t *ppos)
{
char buf[32];
ssize_t len;
int ceiling;
len = min(count, sizeof(buf) - 1);
if (copy_from_user(buf, user_buf, len))
Reported by FlawFinder.
arch/x86/kernel/cpu/intel.c
3 issues
Line: 701
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
if (p)
strcpy(c->x86_model_id, p);
}
if (c->x86 == 15)
set_cpu_cap(c, X86_FEATURE_P4);
if (c->x86 == 6)
Reported by FlawFinder.
Line: 1049
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void __init sld_state_setup(void)
{
enum split_lock_detect_state state = sld_warn;
char arg[20];
int i, ret;
if (!boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) &&
!boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
return;
Reported by FlawFinder.
Line: 1011
Column: 12
CWE codes:
126
static inline bool match_option(const char *arg, int arglen, const char *opt)
{
int len = strlen(opt), ratelimit;
if (strncmp(arg, opt, len))
return false;
/*
Reported by FlawFinder.