The following issues were found
net/l2tp/l2tp_netlink.c
2 issues
Line: 592
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_tunnel;
}
cfg.cookie_len = len;
memcpy(&cfg.cookie[0], nla_data(info->attrs[L2TP_ATTR_COOKIE]), len);
}
if (info->attrs[L2TP_ATTR_PEER_COOKIE]) {
u16 len = nla_len(info->attrs[L2TP_ATTR_PEER_COOKIE]);
if (len > 8) {
Reported by FlawFinder.
Line: 602
Column: 4
CWE codes:
120
Suggestion:
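Make sure destination can always hold the source data
Reviewer note: the excerpts on this page show the length being tested with `if (len > 8)` and a jump to out_tunnel before this memcpy runs. The declared size of cfg.peer_cookie is not visible here, so confirm against the struct definition that 8 is the actual array size before treating this finding as mitigated.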
goto out_tunnel;
}
cfg.peer_cookie_len = len;
memcpy(&cfg.peer_cookie[0], nla_data(info->attrs[L2TP_ATTR_PEER_COOKIE]), len);
}
if (info->attrs[L2TP_ATTR_IFNAME])
cfg.ifname = nla_data(info->attrs[L2TP_ATTR_IFNAME]);
}
Reported by FlawFinder.
lib/reed_solomon/decode_rs.c
2 issues
Line: 177
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memmove(&b[1], b, nroots * sizeof(b[0]));
b[0] = nn;
}
memcpy(lambda, t, (nroots + 1) * sizeof(t[0]));
}
}
/* Convert lambda to index form and compute deg(lambda(x)) */
deg_lambda = 0;
Reported by FlawFinder.
Line: 198
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Find roots of error+erasure locator polynomial by Chien search */
memcpy(&reg[1], &lambda[1], nroots * sizeof(reg[0]));
count = 0; /* Number of roots of lambda(x) */
for (i = 1, k = iprim - 1; i <= nn; i++, k = rs_modnn(rs, k + iprim)) {
q = 1; /* lambda[0] is always 0 */
for (j = deg_lambda; j > 0; j--) {
if (reg[j] != nn) {
Reported by FlawFinder.
include/uapi/linux/nfsd/cld.h
2 issues
Line: 50
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* representation of long-form NFSv4 client ID */
struct cld_name {
__u16 cn_len; /* length of cm_id */
unsigned char cn_id[NFS4_OPAQUE_LIMIT]; /* client-provided */
} __attribute__((packed));
/* sha256 hash of the kerberos principal */
struct cld_princhash {
__u8 cp_len; /* length of cp_data */
Reported by FlawFinder.
Line: 56
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* sha256 hash of the kerberos principal */
struct cld_princhash {
__u8 cp_len; /* length of cp_data */
unsigned char cp_data[SHA256_DIGEST_SIZE]; /* hash of principal */
} __attribute__((packed));
struct cld_clntinfo {
struct cld_name cc_name;
struct cld_princhash cc_princhash;
Reported by FlawFinder.
mm/memblock.c
2 issues
Line: 464
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* reserved region since it may be our reserved array itself that is
* full.
*/
memcpy(new_array, type->regions, old_size);
memset(new_array + type->max, 0, old_size);
old_array = type->regions;
type->regions = new_array;
type->max <<= 1;
Reported by FlawFinder.
Line: 1853
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
pr_info(" %s.cnt = 0x%lx\n", type->name, type->cnt);
for_each_memblock_type(idx, type, rgn) {
char nid_buf[32] = "";
base = rgn->base;
size = rgn->size;
end = base + size - 1;
flags = rgn->flags;
Reported by FlawFinder.
kernel/sysctl-test.c
2 issues
Line: 263
Column: 2
CWE codes:
120
Suggestion:
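Make sure destination can always hold the source data
Reviewer note: in the excerpt the destination is allocated with the same `len` that is passed to memcpy, so the copy size matches the allocation. What the lines shown do not contain is a NULL check on the kunit_kzalloc() result before the copy, so an allocation failure would be the more relevant thing to verify here. The same pattern appears in the finding for line 293 of this file.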
char *buffer = kunit_kzalloc(test, len, GFP_USER);
char __user *user_buffer = (char __user *)buffer;
memcpy(buffer, input, len);
KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_WRITE,
user_buffer, &len, &pos));
KUNIT_EXPECT_EQ(test, sizeof(input) - 1, len);
KUNIT_EXPECT_EQ(test, sizeof(input) - 1, pos);
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *buffer = kunit_kzalloc(test, len, GFP_USER);
char __user *user_buffer = (char __user *)buffer;
memcpy(buffer, input, len);
KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_WRITE,
user_buffer, &len, &pos));
KUNIT_EXPECT_EQ(test, sizeof(input) - 1, len);
KUNIT_EXPECT_EQ(test, sizeof(input) - 1, pos);
Reported by FlawFinder.
net/mac80211/aead_api.c
2 issues
Line: 33
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
__aad = (u8 *)aead_req + reqsize;
memcpy(__aad, aad, aad_len);
sg_init_table(sg, 3);
sg_set_buf(&sg[0], __aad, aad_len);
sg_set_buf(&sg[1], data, data_len);
sg_set_buf(&sg[2], mic, mic_len);
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
__aad = (u8 *)aead_req + reqsize;
memcpy(__aad, aad, aad_len);
sg_init_table(sg, 3);
sg_set_buf(&sg[0], __aad, aad_len);
sg_set_buf(&sg[1], data, data_len);
sg_set_buf(&sg[2], mic, mic_len);
Reported by FlawFinder.
lib/scatterlist.c
2 issues
Line: 944
Column: 4
CWE codes:
120
Suggestion:
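Make sure destination can always hold the source data
Reviewer note: the excerpt clamps `len` with `min(miter.length, buflen - offset)` immediately before both copies, so the copy is bounded by the remaining buffer space provided the caller's `buflen` is the true size of `buf` and `offset` never exceeds it; those two conditions are what to verify when triaging this finding.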
len = min(miter.length, buflen - offset);
if (to_buffer)
memcpy(buf + offset, miter.addr, len);
else
memcpy(miter.addr, buf + offset, len);
offset += len;
}
Reported by FlawFinder.
Line: 946
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (to_buffer)
memcpy(buf + offset, miter.addr, len);
else
memcpy(miter.addr, buf + offset, len);
offset += len;
}
sg_miter_stop(&miter);
Reported by FlawFinder.
net/mac80211/aes_gmac.c
2 issues
Line: 36
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
zero = (u8 *)aead_req + reqsize;
__aad = zero + GMAC_MIC_LEN;
memcpy(__aad, aad, GMAC_AAD_LEN);
fc = (const __le16 *)aad;
if (ieee80211_is_beacon(*fc)) {
/* mask Timestamp field to zero */
sg_init_table(sg, 5);
Reported by FlawFinder.
Line: 55
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sg_set_buf(&sg[3], mic, GMAC_MIC_LEN);
}
memcpy(iv, nonce, GMAC_NONCE_LEN);
memset(iv + GMAC_NONCE_LEN, 0, sizeof(iv) - GMAC_NONCE_LEN);
iv[AES_BLOCK_SIZE - 1] = 0x01;
aead_request_set_tfm(aead_req, tfm);
aead_request_set_crypt(aead_req, sg, sg, 0, iv);
Reported by FlawFinder.
include/net/devlink.h
2 issues
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 reload_failed:1,
reload_enabled:1,
registered:1;
char priv[0] __aligned(NETDEV_ALIGN);
};
struct devlink_port_phys_attrs {
u32 port_number; /* Same value as "split group".
* A physical port which is visible to the user
Reported by FlawFinder.
Line: 446
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 vu8;
u16 vu16;
u32 vu32;
char vstr[__DEVLINK_PARAM_MAX_STRING_VALUE];
bool vbool;
};
struct devlink_param_gset_ctx {
union devlink_param_value val;
Reported by FlawFinder.
mm/memory-failure.c
2 issues
Line: 287
Column: 37
CWE codes:
362/367!
Suggestion:
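Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Reviewer note: at the reported column the token `access` is an `int` parameter of shake_page(), not a call to the access() file-permission function, so this CWE-362/367 (race condition / TOCTOU) finding appears to be a name-match false positive and the file-permission advice does not apply to this code.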
* Unknown page type encountered. Try to check whether it can turn PageLRU by
* lru_add_drain_all, or a free page by reclaiming slabs when possible.
*/
void shake_page(struct page *p, int access)
{
if (PageHuge(p))
return;
if (!PageSlab(p)) {
Reported by FlawFinder.
Line: 302
Column: 6
CWE codes:
362/367!
Suggestion:
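Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Reviewer note: the flagged expression is `if (access)`, a test of an integer variable named `access`, not a call to the access() file-permission function. This looks like a name-match false positive, so no check-then-use file race is shown in this excerpt.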
* Only call shrink_node_slabs here (which would also shrink
* other caches) if access is not potentially fatal.
*/
if (access)
drop_slab_node(page_to_nid(p));
}
EXPORT_SYMBOL_GPL(shake_page);
static unsigned long dev_pagemap_mapping_shift(struct page *page,
Reported by FlawFinder.