The following issues were found
lib/decompress_unlzo.c
2 issues
Line: 163
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fill) {
/* Move the unused data to the beginning of the buffer. */
memcpy(in_buf_save, in_buf, in_len);
in_buf = in_buf_save;
}
if (posp)
*posp = skip;
Reported by FlawFinder.
Line: 232
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* lzo1x_decompress_safe will fail, so call memcpy()
* instead */
if (unlikely(dst_len == src_len))
memcpy(out_buf, in_buf, src_len);
else {
r = lzo1x_decompress_safe((u8 *) in_buf, src_len,
out_buf, &tmp);
if (r != LZO_E_OK || dst_len != tmp) {
Reported by FlawFinder.
net/atm/signaling.c
2 issues
Line: 82
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
clear_bit(ATM_VF_WAITING, &vcc->flags);
if (!*vcc->local.sas_addr.prv && !*vcc->local.sas_addr.pub) {
vcc->local.sas_family = AF_ATMSVC;
memcpy(vcc->local.sas_addr.prv,
msg->local.sas_addr.prv, ATM_ESA_LEN);
memcpy(vcc->local.sas_addr.pub,
msg->local.sas_addr.pub, ATM_E164_LEN + 1);
}
session_vcc = vcc->session ? vcc->session : vcc;
Reported by FlawFinder.
Line: 84
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vcc->local.sas_family = AF_ATMSVC;
memcpy(vcc->local.sas_addr.prv,
msg->local.sas_addr.prv, ATM_ESA_LEN);
memcpy(vcc->local.sas_addr.pub,
msg->local.sas_addr.pub, ATM_E164_LEN + 1);
}
session_vcc = vcc->session ? vcc->session : vcc;
if (session_vcc->vpi || session_vcc->vci)
break;
Reported by FlawFinder.
include/sound/ac97_codec.h
2 issues
Line: 395
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
unsigned short slots; /* driver input: requested AC97 slot numbers */
unsigned short rslots[4]; /* allocated slots per codecs */
unsigned char rate_table[4];
struct snd_ac97 *codec[4]; /* allocated codecs */
} r[2]; /* 0 = standard rates, 1 = double rates */
unsigned long private_value; /* used by the hardware driver */
};
Reported by FlawFinder.
Line: 193
Column: 19
CWE codes:
120
20
void (*reset) (struct snd_ac97 *ac97);
void (*warm_reset)(struct snd_ac97 *ac97);
void (*write) (struct snd_ac97 *ac97, unsigned short reg, unsigned short val);
unsigned short (*read) (struct snd_ac97 *ac97, unsigned short reg);
void (*wait) (struct snd_ac97 *ac97);
void (*init) (struct snd_ac97 *ac97);
};
struct snd_ac97_bus {
Reported by FlawFinder.
lib/xarray.c
2 issues
Line: 2288
CWE codes:
476
void xa_dump(const struct xarray *xa)
{
void *entry = xa->xa_head;
unsigned int shift = 0;
pr_info("xarray: %px head %px flags %x marks %d %d %d\n", xa, entry,
xa->xa_flags, xa_marked(xa, XA_MARK_0),
xa_marked(xa, XA_MARK_1), xa_marked(xa, XA_MARK_2));
Reported by Cppcheck.
Line: 2288
CWE codes:
476
void xa_dump(const struct xarray *xa)
{
void *entry = xa->xa_head;
unsigned int shift = 0;
pr_info("xarray: %px head %px flags %x marks %d %d %d\n", xa, entry,
xa->xa_flags, xa_marked(xa, XA_MARK_0),
xa_marked(xa, XA_MARK_1), xa_marked(xa, XA_MARK_2));
Reported by Cppcheck.
include/xen/interface/io/xs_wire.h
2 issues
Line: 86
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef uint32_t XENSTORE_RING_IDX;
#define MASK_XENSTORE_IDX(idx) ((idx) & (XENSTORE_RING_SIZE-1))
struct xenstore_domain_interface {
char req[XENSTORE_RING_SIZE]; /* Requests to xenstore daemon. */
char rsp[XENSTORE_RING_SIZE]; /* Replies and async watch events. */
XENSTORE_RING_IDX req_cons, req_prod;
XENSTORE_RING_IDX rsp_cons, rsp_prod;
};
Reported by FlawFinder.
Line: 87
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MASK_XENSTORE_IDX(idx) ((idx) & (XENSTORE_RING_SIZE-1))
struct xenstore_domain_interface {
char req[XENSTORE_RING_SIZE]; /* Requests to xenstore daemon. */
char rsp[XENSTORE_RING_SIZE]; /* Replies and async watch events. */
XENSTORE_RING_IDX req_cons, req_prod;
XENSTORE_RING_IDX rsp_cons, rsp_prod;
};
/* Violating this is very bad. See docs/misc/xenstore.txt. */
Reported by FlawFinder.
kernel/capability.c
2 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void warn_legacy_capability_use(void)
{
char name[sizeof(current->comm)];
pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use)\n",
get_task_comm(name, current));
}
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void warn_deprecated_v2(void)
{
char name[sizeof(current->comm)];
pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure\n",
get_task_comm(name, current));
}
Reported by FlawFinder.
include/uapi/drm/i915_drm.h
2 issues
Line: 2207
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct drm_i915_perf_oa_config {
/** String formatted like "%08x-%04x-%04x-%04x-%012x" */
char uuid[36];
__u32 n_mux_regs;
__u32 n_boolean_regs;
__u32 n_flex_regs;
Reported by FlawFinder.
Line: 2445
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*
* String formatted like "%08x-%04x-%04x-%04x-%012x"
*/
char uuid[36];
};
/*
* Unused for now. Must be cleared to zero.
*/
Reported by FlawFinder.
include/uapi/drm/etnaviv_drm.h
2 issues
Line: 256
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 iter; /* in/out, select pm domain at index iter */
__u8 id; /* out, id of domain */
__u16 nr_signals; /* out, how many signals does this domain provide */
char name[64]; /* out, name of domain */
};
struct drm_etnaviv_pm_signal {
__u32 pipe; /* in */
__u8 domain; /* in, pm domain index */
Reported by FlawFinder.
Line: 265
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 pad;
__u16 iter; /* in/out, select pm source at index iter */
__u16 id; /* out, id of signal */
char name[64]; /* out, name of domain */
};
#define DRM_ETNAVIV_GET_PARAM 0x00
/* placeholder:
#define DRM_ETNAVIV_SET_PARAM 0x01
Reported by FlawFinder.
net/ax25/ax25_dev.c
2 issues
Line: 34
CWE codes:
908
ax25_dev *ax25_addr_ax25dev(ax25_address *addr)
{
ax25_dev *ax25_dev, *res = NULL;
spin_lock_bh(&ax25_dev_lock);
for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next)
if (ax25cmp(addr, (ax25_address *)ax25_dev->dev->dev_addr) == 0) {
res = ax25_dev;
Reported by Cppcheck.
Line: 140
CWE codes:
908
int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd)
{
ax25_dev *ax25_dev, *fwd_dev;
if ((ax25_dev = ax25_addr_ax25dev(&fwd->port_from)) == NULL)
return -EINVAL;
switch (cmd) {
Reported by Cppcheck.
include/xen/interface/io/kbdif.h
2 issues
Line: 505
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xenkbd_key key;
struct xenkbd_position pos;
struct xenkbd_mtouch mtouch;
char pad[XENKBD_IN_EVENT_SIZE];
};
/*
*****************************************************************************
* Frontend to backend events
Reported by FlawFinder.
Line: 530
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union xenkbd_out_event {
uint8_t type;
char pad[XENKBD_OUT_EVENT_SIZE];
};
/*
*****************************************************************************
* Shared page
Reported by FlawFinder.