The following issues were found
fs/cifs/cifs_unicode.h
2 issues
Line: 83
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif /* UNICASERANGE_DEFINED */
#ifndef UNIUPR_NOUPPER
extern signed char CifsUniUpperTable[512];
extern const struct UniCaseRange CifsUniUpperRange[];
#endif /* UNIUPR_NOUPPER */
#ifndef UNIUPR_NOLOWER
extern signed char CifsUniLowerTable[512];
Reported by FlawFinder.
Line: 88
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif /* UNIUPR_NOUPPER */
#ifndef UNIUPR_NOLOWER
extern signed char CifsUniLowerTable[512];
extern const struct UniCaseRange CifsUniLowerRange[];
#endif /* UNIUPR_NOLOWER */
#ifdef __KERNEL__
int cifs_from_utf16(char *to, const __le16 *from, int tolen, int fromlen,
Reported by FlawFinder.
fs/cifs/dns_resolve.c
2 issues
Line: 84
Column: 2
CWE codes:
120
Suggestion:
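Make sure destination can always hold the source data. In the excerpt below, the destination is allocated as len + 1 bytes immediately before len bytes are copied and name[len] is set, so the destination side is sized from the same value. What the excerpt does not show is how len is derived, so the remaining check is that len never exceeds the length of hostname.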
name = kmalloc(len + 1, GFP_KERNEL);
if (!name)
return -ENOMEM;
memcpy(name, hostname, len);
name[len] = 0;
cifs_dbg(FYI, "%s: unc is IP, skipping dns upcall: %s\n",
__func__, name);
*ip_addr = name;
return 0;
Reported by FlawFinder.
Line: 45
Column: 8
CWE codes:
126
if (!ip_addr || !unc)
return -EINVAL;
len = strlen(unc);
if (len < 3) {
cifs_dbg(FYI, "%s: unc is too short: %s\n", __func__, unc);
return -EINVAL;
}
Reported by FlawFinder.
fs/cifs/fs_context.h
2 issues
Line: 175
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *UNC;
char *nodename;
char *iocharset; /* local code page for mapping to and from Unicode */
char source_rfc1001_name[RFC1001_NAME_LEN_WITH_NULL]; /* clnt nb name */
char target_rfc1001_name[RFC1001_NAME_LEN_WITH_NULL]; /* srvr nb name */
kuid_t cred_uid;
kuid_t linux_uid;
kgid_t linux_gid;
kuid_t backupuid;
Reported by FlawFinder.
Line: 176
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *nodename;
char *iocharset; /* local code page for mapping to and from Unicode */
char source_rfc1001_name[RFC1001_NAME_LEN_WITH_NULL]; /* clnt nb name */
char target_rfc1001_name[RFC1001_NAME_LEN_WITH_NULL]; /* srvr nb name */
kuid_t cred_uid;
kuid_t linux_uid;
kgid_t linux_gid;
kuid_t backupuid;
kgid_t backupgid;
Reported by FlawFinder.
fs/cifs/netmisc.c
2 issues
Line: 156
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int rc, alen, slen;
const char *pct;
char scope_id[13];
struct sockaddr_in *s4 = (struct sockaddr_in *) dst;
struct sockaddr_in6 *s6 = (struct sockaddr_in6 *) dst;
/* IPv4 address */
if (cifs_inet_pton(AF_INET, src, len, &s4->sin_addr.s_addr)) {
Reported by FlawFinder.
Line: 180
Column: 3
CWE codes:
120
Suggestion:
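Make sure destination can always hold the source data. In the excerpt below, slen is rejected unless it is between 1 and 12 before the copy. The preceding finding for this file shows the buffer declared as char scope_id[13]. Assuming both excerpts come from the same function, the copy and the terminating '\0' stay inside the array. Whether slen bytes are readable at pct + 1 depends on len and alen, which are computed outside the excerpt.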
slen = len - (alen + 1);
if (slen <= 0 || slen > 12)
return 0;
memcpy(scope_id, pct + 1, slen);
scope_id[slen] = '\0';
rc = kstrtouint(scope_id, 0, &s6->sin6_scope_id);
rc = (rc == 0) ? 1 : 0;
}
Reported by FlawFinder.
fs/cifs/ntlmssp.h
2 issues
Line: 87
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SECURITY_BUFFER WorkstationName; /* RFC 1001 and ASCII */
/* SECURITY_BUFFER for version info not present since we
do not set the version is present flag */
char DomainString[0];
/* followed by WorkstationString */
} __attribute__((packed)) NEGOTIATE_MESSAGE, *PNEGOTIATE_MESSAGE;
typedef struct _CHALLENGE_MESSAGE {
__u8 Signature[sizeof(NTLMSSP_SIGNATURE)];
Reported by FlawFinder.
Line: 115
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 NegotiateFlags;
/* SECURITY_BUFFER for version info not present since we
do not set the version is present flag */
char UserString[0];
} __attribute__((packed)) AUTHENTICATE_MESSAGE, *PAUTHENTICATE_MESSAGE;
/*
* Size of the session key (crypto key encrypted with the password
*/
Reported by FlawFinder.
fs/cifs/unc.c
2 issues
Line: 43
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dst == NULL)
return ERR_PTR(-ENOMEM);
memcpy(dst, src, len);
dst[len] = '\0';
return dst;
}
Reported by FlawFinder.
Line: 26
Column: 6
CWE codes:
126
/* skip double chars at beginning of string */
/* BB: check validity of these bytes? */
if (strlen(unc) < 3)
return ERR_PTR(-EINVAL);
for (src = unc; *src && *src == '\\'; src++)
;
if (!*src)
return ERR_PTR(-EINVAL);
Reported by FlawFinder.
fs/coda/coda_linux.c
2 issues
Line: 30
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Print a fid: format the four opaque[] words of a CodaFid as
 * "(xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx)" in zero-padded hex.
 *
 * Returns a pointer to a function-static buffer. Each call overwrites the
 * previous result, so the string must be consumed before the next call and
 * callers running concurrently would share the same buffer.
 */
char * coda_f2s(struct CodaFid *f)
{
/* Static so the pointer stays valid after return; 60 bytes of storage. */
static char s[60];
/*
 * Unbounded sprintf, which is what the scanner flags. %08x is a minimum
 * width, so the bound rests on the argument type: with 32-bit opaque[]
 * words (assumed -- confirm against struct CodaFid) the output is
 * 37 characters plus the NUL, inside s[60].
 * NOTE(review): snprintf(s, sizeof(s), ...) would make the bound explicit.
 */
sprintf(s, "(%08x.%08x.%08x.%08x)", f->opaque[0], f->opaque[1], f->opaque[2], f->opaque[3]);
return s;
}
Reported by FlawFinder.
Line: 32
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
static char s[60];
sprintf(s, "(%08x.%08x.%08x.%08x)", f->opaque[0], f->opaque[1], f->opaque[2], f->opaque[3]);
return s;
}
/* recognize special .CONTROL name */
Reported by FlawFinder.
fs/coda/file.c
2 issues
Line: 103
Column: 52
CWE codes:
362
atomic_inc(&cvm_ops->refcnt);
if (cvm_ops->host_vm_ops && cvm_ops->host_vm_ops->open)
cvm_ops->host_vm_ops->open(vma);
}
static void
coda_vm_close(struct vm_area_struct *vma)
Reported by FlawFinder.
Line: 104
Column: 25
CWE codes:
362
atomic_inc(&cvm_ops->refcnt);
if (cvm_ops->host_vm_ops && cvm_ops->host_vm_ops->open)
cvm_ops->host_vm_ops->open(vma);
}
static void
coda_vm_close(struct vm_area_struct *vma)
{
Reported by FlawFinder.
fs/crypto/hkdf.c
2 issues
Line: 128
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
desc->tfm = hkdf->hmac_tfm;
memcpy(prefix, "fscrypt\0", 8);
prefix[8] = context;
for (i = 0; i < okmlen; i += HKDF_HASHLEN) {
err = crypto_shash_init(desc);
Reported by FlawFinder.
Line: 156
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = crypto_shash_finup(desc, &counter, 1, tmp);
if (err)
goto out;
memcpy(&okm[i], tmp, okmlen - i);
memzero_explicit(tmp, sizeof(tmp));
} else {
err = crypto_shash_finup(desc, &counter, 1, &okm[i]);
if (err)
goto out;
Reported by FlawFinder.
fs/devpts/inode.c
2 issues
Line: 569
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode *inode;
struct dentry *root;
struct pts_mount_opts *opts;
char s[12];
root = sb->s_root;
opts = &fsi->mount_opts;
inode = new_inode(sb);
Reported by FlawFinder.
Line: 584
Column: 2
CWE codes:
120
Suggestion:
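Use sprintf_s, snprintf, or vsnprintf. The preceding finding for this file shows the destination declared as char s[12]. A "%d" conversion of a 32-bit int produces at most 11 characters plus the terminator, so the buffer is exactly large enough, with no slack. sprintf_s is not available in kernel code; snprintf(s, sizeof(s), "%d", index) is the applicable form and keeps the bound tied to the declaration.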
inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
init_special_inode(inode, S_IFCHR|opts->mode, MKDEV(UNIX98_PTY_SLAVE_MAJOR, index));
sprintf(s, "%d", index);
dentry = d_alloc_name(root, s);
if (dentry) {
dentry->d_fsdata = priv;
d_add(dentry, inode);
Reported by FlawFinder.