The following issues were found
tools/perf/util/fncache.c
3 issues
Line: 48
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!n)
return;
strcpy(n->name, name);
n->res = res;
hlist_add_head(&n->nd, &fncache_hash[h]);
}
/* No LRU, only use when bounded in some other way. */
Reported by FlawFinder.
Line: 60
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (lookup_fncache(name, &res))
return res;
res = access(name, R_OK) == 0;
update_fncache(name, res);
return res;
}
Reported by FlawFinder.
Line: 43
Column: 54
CWE codes:
126
static void update_fncache(const char *name, bool res)
{
struct fncache *n = malloc(sizeof(struct fncache) + strlen(name) + 1);
int h = shash((const unsigned char *)name) % FNHSIZE;
if (!n)
return;
strcpy(n->name, name);
Reported by FlawFinder.
tools/testing/selftests/bpf/progs/test_xdp.c
3 issues
Line: 174
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vip.protocol = ip6h->nexthdr;
vip.family = AF_INET6;
memcpy(vip.daddr.v6, ip6h->daddr.s6_addr32, sizeof(vip.daddr));
vip.dport = dport;
payload_len = ip6h->payload_len;
tnl = bpf_map_lookup_elem(&vip2tnl, &vip);
/* It only does v6-in-v6 */
Reported by FlawFinder.
Line: 205
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ip6h->payload_len = bpf_htons(bpf_ntohs(payload_len) + sizeof(*ip6h));
ip6h->nexthdr = IPPROTO_IPV6;
ip6h->hop_limit = 8;
memcpy(ip6h->saddr.s6_addr32, tnl->saddr.v6, sizeof(tnl->saddr.v6));
memcpy(ip6h->daddr.s6_addr32, tnl->daddr.v6, sizeof(tnl->daddr.v6));
count_tx(vip.protocol);
return XDP_TX;
Reported by FlawFinder.
Line: 206
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ip6h->nexthdr = IPPROTO_IPV6;
ip6h->hop_limit = 8;
memcpy(ip6h->saddr.s6_addr32, tnl->saddr.v6, sizeof(tnl->saddr.v6));
memcpy(ip6h->daddr.s6_addr32, tnl->daddr.v6, sizeof(tnl->daddr.v6));
count_tx(vip.protocol);
return XDP_TX;
}
Reported by FlawFinder.
tools/io_uring/io_uring-bench.c
3 issues
Line: 474
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct file *f = &s->files[i];
if (i + 1 == s->nr_files)
p += sprintf(p, "%d", f->pending_ios);
else
p += sprintf(p, "%d, ", f->pending_ios);
}
}
Reported by FlawFinder.
Line: 476
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (i + 1 == s->nr_files)
p += sprintf(p, "%d", f->pending_ios);
else
p += sprintf(p, "%d, ", f->pending_ios);
}
}
int main(int argc, char *argv[])
{
Reported by FlawFinder.
Line: 505
Column: 8
CWE codes:
362
printf("Max number of files (%d) reached\n", MAX_FDS);
break;
}
fd = open(argv[i], flags);
if (fd < 0) {
perror("open");
return 1;
}
Reported by FlawFinder.
tools/perf/util/string.c
3 issues
Line: 203
Column: 11
CWE codes:
126
*/
int strtailcmp(const char *s1, const char *s2)
{
int i1 = strlen(s1);
int i2 = strlen(s2);
while (--i1 >= 0 && --i2 >= 0) {
if (s1[i1] != s2[i2])
return s1[i1] - s2[i2];
}
Reported by FlawFinder.
Line: 204
Column: 11
CWE codes:
126
int strtailcmp(const char *s1, const char *s2)
{
int i1 = strlen(s1);
int i2 = strlen(s2);
while (--i1 >= 0 && --i2 >= 0) {
if (s1[i1] != s2[i2])
return s1[i1] - s2[i2];
}
return 0;
Reported by FlawFinder.
Line: 291
Column: 18
CWE codes:
126
d += p - s;
s = p + 1;
} else
memmove(d, s, strlen(s) + 1);
} while (p);
return ret;
}
Reported by FlawFinder.
tools/testing/selftests/bpf/progs/test_lwt_seg6local.c
3 issues
Line: 50
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sr6_tlv_t {
unsigned char type;
unsigned char len;
unsigned char value[0];
} BPF_PACKET_HEADER;
static __always_inline struct ip6_srh_t *get_srh(struct __sk_buff *skb)
{
void *cursor, *data_end;
Reported by FlawFinder.
Line: 101
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
if (new_pad > 0) {
char pad_tlv_buf[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0};
struct sr6_tlv_t *pad_tlv = (struct sr6_tlv_t *) pad_tlv_buf;
pad_tlv->type = SR6_TLV_PADDING;
pad_tlv->len = new_pad - 2;
Reported by FlawFinder.
Line: 291
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long long hi = 0xfd00000000000000;
struct ip6_addr_t *seg;
struct ip6_srh_t *srh;
char srh_buf[72]; // room for 4 segments
int err;
srh = (struct ip6_srh_t *)srh_buf;
srh->nexthdr = 0;
srh->hdrlen = 8;
Reported by FlawFinder.
tools/testing/selftests/memfd/fuse_mnt.c
3 issues
Line: 93
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (offset + size > len)
size = len - offset;
memcpy(buf, memfd_content + offset, size);
} else {
size = 0;
}
return size;
Reported by FlawFinder.
Line: 37
Column: 17
CWE codes:
126
} else if (!strcmp(path, memfd_path)) {
st->st_mode = S_IFREG | 0444;
st->st_nlink = 1;
st->st_size = strlen(memfd_content);
} else {
return -ENOENT;
}
return 0;
Reported by FlawFinder.
Line: 88
Column: 8
CWE codes:
126
sleep(1);
len = strlen(memfd_content);
if (offset < len) {
if (offset + size > len)
size = len - offset;
memcpy(buf, memfd_content + offset, size);
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/align.c
3 issues
Line: 590
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return len + 1;
}
static char bpf_vlog[32768];
static int do_test_single(struct bpf_align_test *test)
{
struct bpf_insn *prog = test->insns;
int prog_type = test->prog_type;
Reported by FlawFinder.
Line: 596
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct bpf_insn *prog = test->insns;
int prog_type = test->prog_type;
char bpf_vlog_copy[32768];
const char *line_ptr;
int cur_line = -1;
int prog_len, i;
int fd_prog;
int ret;
Reported by FlawFinder.
Line: 619
Column: 3
CWE codes:
120
} else {
ret = 0;
/* We make a local copy so that we can strtok() it */
strncpy(bpf_vlog_copy, bpf_vlog, sizeof(bpf_vlog_copy));
line_ptr = strtok(bpf_vlog_copy, "\n");
for (i = 0; i < MAX_MATCHES; i++) {
struct bpf_reg_match m = test->matches[i];
if (!m.match)
Reported by FlawFinder.
sound/usb/usx2y/usX2Yhwdep.c
3 issues
Line: 111
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
if (id < 0)
return -ENODEV;
strcpy(info->id, type_ids[id]);
info->num_dsps = 2; // 0: Prepad Data, 1: FPGA Code
if (us428->chip_status & USX2Y_STAT_CHIP_INIT)
info->chip_ready = 1;
info->version = USX2Y_DRIVER_VERSION;
return 0;
Reported by FlawFinder.
Line: 90
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int snd_usx2y_hwdep_dsp_status(struct snd_hwdep *hw,
struct snd_hwdep_dsp_status *info)
{
static const char * const type_ids[USX2Y_TYPE_NUMS] = {
[USX2Y_TYPE_122] = "us122",
[USX2Y_TYPE_224] = "us224",
[USX2Y_TYPE_428] = "us428",
};
struct usx2ydev *us428 = hw->private_data;
Reported by FlawFinder.
Line: 240
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
hw->ops.mmap = snd_us428ctls_mmap;
hw->ops.poll = snd_us428ctls_poll;
hw->exclusive = 1;
sprintf(hw->name, "/dev/bus/usb/%03d/%03d", device->bus->busnum, device->devnum);
us428->us428ctls_sharedmem = alloc_pages_exact(US428_SHAREDMEM_PAGES, GFP_KERNEL);
if (!us428->us428ctls_sharedmem)
return -ENOMEM;
memset(us428->us428ctls_sharedmem, -1, US428_SHAREDMEM_PAGES);
Reported by FlawFinder.
tools/lib/bpf/netlink.c
3 issues
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool multipart = true;
struct nlmsgerr *err;
struct nlmsghdr *nh;
char buf[4096];
int len, ret;
while (multipart) {
start:
multipart = false;
Reported by FlawFinder.
Line: 336
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ret) {
size_t sz = min(info_size, sizeof(xdp_id.info));
memcpy(info, &xdp_id.info, sz);
memset((void *) info + sz, 0, info_size - sz);
}
return libbpf_err(ret);
}
Reported by FlawFinder.
Line: 538
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct bpf_prog_info info = {};
__u32 info_len = sizeof(info);
char name[256];
int len, ret;
ret = bpf_obj_get_info_by_fd(fd, &info, &info_len);
if (ret < 0)
return ret;
Reported by FlawFinder.
tools/testing/selftests/breakpoints/breakpoint_test.c
3 issues
Line: 322
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
set_breakpoint_addr(&dummy_var[i], i);
toggle_breakpoint(i, mode, len, local, global, 1);
ptrace(PTRACE_CONT, child_pid, NULL, 0);
sprintf(buf,
"Test %s watchpoint %d with len: %d local: %d global: %d\n",
mode_str, i, len, local, global);
check_success(buf);
toggle_breakpoint(i, mode, len, local, global, 0);
}
Reported by FlawFinder.
Line: 300
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
set_breakpoint_addr(dummy_funcs[i], i);
toggle_breakpoint(i, BP_X, 1, local, global, 1);
ptrace(PTRACE_CONT, child_pid, NULL, 0);
sprintf(buf, "Test breakpoint %d with local: %d global: %d\n",
i, local, global);
check_success(buf);
toggle_breakpoint(i, BP_X, 1, local, global, 0);
}
}
Reported by FlawFinder.
Line: 333
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Set the breakpoints and check the child successfully trigger them */
static void launch_tests(void)
{
char buf[1024];
unsigned int tests = 0;
int len, local, global, i;
tests += 3 * COUNT_ISN_BPS;
tests += sizeof(long) / 2 * 3 * COUNT_WPS;
Reported by FlawFinder.