The following issues were found
fs/btrfs/compression.c
2 issues
Line: 1637
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Don't sample any garbage from the last page */
if (start > end - SAMPLING_READ_SIZE)
break;
memcpy(&ws->sample[curr_sample_pos], &in_data[i],
SAMPLING_READ_SIZE);
i += SAMPLING_INTERVAL;
start += SAMPLING_INTERVAL;
curr_sample_pos += SAMPLING_READ_SIZE;
}
Reported by FlawFinder.
Line: 55
Column: 21
CWE codes:
126
int i;
for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
size_t comp_len = strlen(btrfs_compress_types[i]);
if (len < comp_len)
continue;
if (!strncmp(btrfs_compress_types[i], str, comp_len))
Reported by FlawFinder.
fs/btrfs/rcu-string.h
2 issues
Line: 16
Column: 15
CWE codes:
126
static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask)
{
size_t len = strlen(src) + 1;
struct rcu_string *ret = kzalloc(sizeof(struct rcu_string) +
(len * sizeof(char)), mask);
if (!ret)
return ret;
strncpy(ret->str, src, len);
Reported by FlawFinder.
Line: 21
Column: 2
CWE codes:
120
(len * sizeof(char)), mask);
if (!ret)
return ret;
strncpy(ret->str, src, len);
return ret;
}
static inline void rcu_string_free(struct rcu_string *str)
{
Reported by FlawFinder.
fs/btrfs/super.c
2 issues
Line: 219
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __cold btrfs_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...)
{
char lvl[PRINTK_MAX_SINGLE_HEADER_LEN + 1] = "\0";
struct va_format vaf;
va_list args;
int kern_level;
const char *type = logtypes[4];
struct ratelimit_state *ratelimit = &printk_limits[4];
Reported by FlawFinder.
Line: 232
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t size = printk_skip_level(fmt) - fmt;
if (kern_level >= '0' && kern_level <= '7') {
memcpy(lvl, fmt, size);
lvl[size] = '\0';
type = logtypes[kern_level - '0'];
ratelimit = &printk_limits[kern_level - '0'];
}
fmt += size;
Reported by FlawFinder.
fs/cachefiles/daemon.c
2 issues
Line: 58
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct cachefiles_daemon_cmd {
char name[8];
int (*handler)(struct cachefiles_cache *cache, char *args);
};
static const struct cachefiles_daemon_cmd cachefiles_daemon_cmds[] = {
{ "bind", cachefiles_daemon_bind },
Reported by FlawFinder.
Line: 163
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cachefiles_cache *cache = file->private_data;
unsigned long long b_released;
unsigned f_released;
char buffer[256];
int n;
//_enter(",,%zu,", buflen);
if (!test_bit(CACHEFILES_READY, &cache->flags))
Reported by FlawFinder.
fs/cachefiles/xattr.c
2 issues
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cachefiles_check_object_type(struct cachefiles_object *object)
{
struct dentry *dentry = object->dentry;
char type[3], xtype[3];
int ret;
ASSERT(dentry);
ASSERT(d_backing_inode(dentry));
Reported by FlawFinder.
Line: 35
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ASSERT(d_backing_inode(dentry));
if (!object->fscache.cookie)
strcpy(type, "C3");
else
snprintf(type, 3, "%02x", object->fscache.cookie->def->type);
_enter("%p{%s}", object, type);
Reported by FlawFinder.
fs/ceph/acl.c
2 issues
Line: 209
Column: 16
CWE codes:
126
ceph_pagelist_encode_32(pagelist, acl && default_acl ? 2 : 1);
if (acl) {
size_t len = strlen(XATTR_NAME_POSIX_ACL_ACCESS);
err = ceph_pagelist_reserve(pagelist, len + val_size1 + 8);
if (err)
goto out_err;
ceph_pagelist_encode_string(pagelist, XATTR_NAME_POSIX_ACL_ACCESS,
len);
Reported by FlawFinder.
Line: 223
Column: 16
CWE codes:
126
ceph_pagelist_append(pagelist, tmp_buf, val_size1);
}
if (default_acl) {
size_t len = strlen(XATTR_NAME_POSIX_ACL_DEFAULT);
err = ceph_pagelist_reserve(pagelist, len + val_size2 + 8);
if (err)
goto out_err;
ceph_pagelist_encode_string(pagelist,
XATTR_NAME_POSIX_ACL_DEFAULT, len);
Reported by FlawFinder.
fs/ceph/caps.c
2 issues
Line: 55
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Generate readable cap strings for debugging output.
*/
#define MAX_CAP_STR 20
static char cap_str[MAX_CAP_STR][40];
static DEFINE_SPINLOCK(cap_str_lock);
static int last_cap_str;
static char *gcap_string(char *s, int c)
{
Reported by FlawFinder.
Line: 4474
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dout("encode_dentry_release %p mds%d seq %d\n",
dentry, mds, (int)di->lease_seq);
rel->dname_len = cpu_to_le32(dentry->d_name.len);
memcpy(*p, dentry->d_name.name, dentry->d_name.len);
*p += dentry->d_name.len;
rel->dname_seq = cpu_to_le32(di->lease_seq);
__ceph_mdsc_drop_dentry_lease(dentry);
}
spin_unlock(&dentry->d_lock);
Reported by FlawFinder.
fs/ceph/snap.c
2 issues
Line: 384
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (parent->cached_context->seq > snapc->seq)
snapc->seq = parent->cached_context->seq;
}
memcpy(snapc->snaps + num, realm->snaps,
sizeof(u64)*realm->num_snaps);
num += realm->num_snaps;
memcpy(snapc->snaps + num, realm->prior_parent_snaps,
sizeof(u64)*realm->num_prior_parent_snaps);
num += realm->num_prior_parent_snaps;
Reported by FlawFinder.
Line: 387
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(snapc->snaps + num, realm->snaps,
sizeof(u64)*realm->num_snaps);
num += realm->num_snaps;
memcpy(snapc->snaps + num, realm->prior_parent_snaps,
sizeof(u64)*realm->num_prior_parent_snaps);
num += realm->num_prior_parent_snaps;
sort(snapc->snaps, num, sizeof(u64), cmpu64_rev, NULL);
snapc->num_snaps = num;
Reported by FlawFinder.
fs/cifs/asn1.c
2 issues
Line: 29
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
oid = look_up_OID(value, vlen);
if (oid != OID_spnego) {
char buf[50];
sprint_oid(value, vlen, buf, sizeof(buf));
cifs_dbg(FYI, "Error decoding negTokenInit header: unexpected OID %s\n",
buf);
return -EBADMSG;
Reported by FlawFinder.
Line: 56
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
else if (oid == OID_ntlmssp)
server->sec_ntlmssp = true;
else {
char buf[50];
sprint_oid(value, vlen, buf, sizeof(buf));
cifs_dbg(FYI, "Decoding negTokenInit: unsupported OID %s\n",
buf);
}
Reported by FlawFinder.
fs/cifs/cifs_debug.c
2 issues
Line: 787
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t cifsFYI_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
char c[2] = { '\0' };
bool bv;
int rc;
rc = get_user(c[0], buffer);
if (rc)
Reported by FlawFinder.
Line: 949
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int rc;
unsigned int flags;
char flags_string[12];
bool bv;
if ((count < 1) || (count > 11))
return -EINVAL;
Reported by FlawFinder.