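The following issues were found by static analysis (FlawFinder and Cppcheck). Each entry gives the line (and column, where reported) in the named file, the CWE codes, the tool's suggestion where it has one, and the surrounding source lines. FlawFinder matches on function and identifier names rather than on data flow, so each entry is a location to review, not a confirmed defect. Some suggestions name the C11 Annex K functions strcpy_s and sprintf_s; these are not available to the in-kernel files listed here, where the bounded helpers are the kernel's own, for example strscpy() and scnprintf().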
drivers/crypto/padlock-sha.c
16 issues
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* We can't store directly to *out as it may be unaligned. */
/* BTW Don't reduce the buffer size below 128 Bytes!
* PadLock microcode needs it that big. */
char buf[128 + PADLOCK_ALIGNMENT - STACK_ALIGN] __attribute__
((aligned(STACK_ALIGN)));
char *result = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
struct sha1_state state;
unsigned int space;
Reported by FlawFinder.
Line: 105
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count -= space;
in += space;
} else {
memcpy(state.buffer + leftover, in, count);
in = state.buffer;
count += leftover;
state.count &= ~(SHA1_BLOCK_SIZE - 1);
}
}
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(result, &state.state, SHA1_DIGEST_SIZE);
asm volatile (".byte 0xf3,0x0f,0xa6,0xc8" /* rep xsha1 */
: \
: "c"((unsigned long)state.count + count), \
"a"((unsigned long)state.count), \
Reported by FlawFinder.
Line: 139
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* We can't store directly to *out as it may be unaligned. */
/* BTW Don't reduce the buffer size below 128 Bytes!
* PadLock microcode needs it that big. */
char buf[128 + PADLOCK_ALIGNMENT - STACK_ALIGN] __attribute__
((aligned(STACK_ALIGN)));
char *result = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
struct sha256_state state;
unsigned int space;
Reported by FlawFinder.
Line: 166
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count -= space;
in += space;
} else {
memcpy(state.buf + leftover, in, count);
in = state.buf;
count += leftover;
state.count &= ~(SHA1_BLOCK_SIZE - 1);
}
}
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(result, &state.state, SHA256_DIGEST_SIZE);
asm volatile (".byte 0xf3,0x0f,0xa6,0xd0" /* rep xsha256 */
: \
: "c"((unsigned long)state.count + count), \
"a"((unsigned long)state.count), \
Reported by FlawFinder.
Line: 295
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sctx->count += len;
done = 0;
src = data;
memcpy(dst, (u8 *)(sctx->state), SHA1_DIGEST_SIZE);
if ((partial + len) >= SHA1_BLOCK_SIZE) {
/* Append the bytes in state's buffer to a block to handle */
if (partial) {
Reported by FlawFinder.
Line: 302
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Append the bytes in state's buffer to a block to handle */
if (partial) {
done = -partial;
memcpy(sctx->buffer + partial, data,
done + SHA1_BLOCK_SIZE);
src = sctx->buffer;
asm volatile (".byte 0xf3,0x0f,0xa6,0xc8"
: "+S"(src), "+D"(dst) \
: "a"((long)-1), "c"((unsigned long)1));
Reported by FlawFinder.
Line: 323
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
partial = 0;
}
memcpy((u8 *)(sctx->state), dst, SHA1_DIGEST_SIZE);
memcpy(sctx->buffer + partial, src, len - done);
return 0;
}
Reported by FlawFinder.
Line: 324
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
partial = 0;
}
memcpy((u8 *)(sctx->state), dst, SHA1_DIGEST_SIZE);
memcpy(sctx->buffer + partial, src, len - done);
return 0;
}
static int padlock_sha1_final_nano(struct shash_desc *desc, u8 *out)
Reported by FlawFinder.
arch/s390/kernel/crash_dump.c
16 issues
Line: 111
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy lower halves of vector registers 0-15 */
for (i = 0; i < 16; i++)
memcpy(&sa->vxrs_low[i], &vxrs[i].u[2], 8);
/* Copy vector registers 16-31 */
memcpy(sa->vxrs_high, vxrs + 16, 16 * sizeof(__vector128));
}
/*
Reported by FlawFinder.
Line: 113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < 16; i++)
memcpy(&sa->vxrs_low[i], &vxrs[i].u[2], 8);
/* Copy vector registers 16-31 */
memcpy(sa->vxrs_high, vxrs + 16, 16 * sizeof(__vector128));
}
/*
* Return physical address for virtual address
*/
Reported by FlawFinder.
Line: 322
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
note->n_type = type;
len = sizeof(Elf64_Nhdr);
memcpy(buf + len, name, note->n_namesz);
len = roundup(len + note->n_namesz, 4);
memcpy(buf + len, desc, note->n_descsz);
len = roundup(len + note->n_descsz, 4);
Reported by FlawFinder.
Line: 325
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf + len, name, note->n_namesz);
len = roundup(len + note->n_namesz, 4);
memcpy(buf + len, desc, note->n_descsz);
len = roundup(len + note->n_descsz, 4);
return PTR_ADD(buf, len);
}
Reported by FlawFinder.
Line: 365
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Prepare prstatus note */
memset(&nt_prstatus, 0, sizeof(nt_prstatus));
memcpy(&nt_prstatus.pr_reg.gprs, sa->gprs, sizeof(sa->gprs));
memcpy(&nt_prstatus.pr_reg.psw, sa->psw, sizeof(sa->psw));
memcpy(&nt_prstatus.pr_reg.acrs, sa->acrs, sizeof(sa->acrs));
nt_prstatus.common.pr_pid = cpu;
/* Prepare fpregset (floating point) note */
memset(&nt_fpregset, 0, sizeof(nt_fpregset));
Reported by FlawFinder.
Line: 366
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Prepare prstatus note */
memset(&nt_prstatus, 0, sizeof(nt_prstatus));
memcpy(&nt_prstatus.pr_reg.gprs, sa->gprs, sizeof(sa->gprs));
memcpy(&nt_prstatus.pr_reg.psw, sa->psw, sizeof(sa->psw));
memcpy(&nt_prstatus.pr_reg.acrs, sa->acrs, sizeof(sa->acrs));
nt_prstatus.common.pr_pid = cpu;
/* Prepare fpregset (floating point) note */
memset(&nt_fpregset, 0, sizeof(nt_fpregset));
memcpy(&nt_fpregset.fpc, &sa->fpc, sizeof(sa->fpc));
Reported by FlawFinder.
Line: 367
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&nt_prstatus, 0, sizeof(nt_prstatus));
memcpy(&nt_prstatus.pr_reg.gprs, sa->gprs, sizeof(sa->gprs));
memcpy(&nt_prstatus.pr_reg.psw, sa->psw, sizeof(sa->psw));
memcpy(&nt_prstatus.pr_reg.acrs, sa->acrs, sizeof(sa->acrs));
nt_prstatus.common.pr_pid = cpu;
/* Prepare fpregset (floating point) note */
memset(&nt_fpregset, 0, sizeof(nt_fpregset));
memcpy(&nt_fpregset.fpc, &sa->fpc, sizeof(sa->fpc));
memcpy(&nt_fpregset.fprs, &sa->fprs, sizeof(sa->fprs));
Reported by FlawFinder.
Line: 371
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nt_prstatus.common.pr_pid = cpu;
/* Prepare fpregset (floating point) note */
memset(&nt_fpregset, 0, sizeof(nt_fpregset));
memcpy(&nt_fpregset.fpc, &sa->fpc, sizeof(sa->fpc));
memcpy(&nt_fpregset.fprs, &sa->fprs, sizeof(sa->fprs));
/* Create ELF notes for the CPU */
ptr = nt_init(ptr, NT_PRSTATUS, &nt_prstatus, sizeof(nt_prstatus));
ptr = nt_init(ptr, NT_PRFPREG, &nt_fpregset, sizeof(nt_fpregset));
ptr = nt_init(ptr, NT_S390_TIMER, &sa->timer, sizeof(sa->timer));
Reported by FlawFinder.
Line: 372
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Prepare fpregset (floating point) note */
memset(&nt_fpregset, 0, sizeof(nt_fpregset));
memcpy(&nt_fpregset.fpc, &sa->fpc, sizeof(sa->fpc));
memcpy(&nt_fpregset.fprs, &sa->fprs, sizeof(sa->fprs));
/* Create ELF notes for the CPU */
ptr = nt_init(ptr, NT_PRSTATUS, &nt_prstatus, sizeof(nt_prstatus));
ptr = nt_init(ptr, NT_PRFPREG, &nt_fpregset, sizeof(nt_fpregset));
ptr = nt_init(ptr, NT_S390_TIMER, &sa->timer, sizeof(sa->timer));
ptr = nt_init(ptr, NT_S390_TODCMP, &sa->todcmp, sizeof(sa->todcmp));
Reported by FlawFinder.
Line: 422
Column: 2
CWE codes:
120
Suggestion:
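Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source here is the string literal "vmlinux" (8 bytes including its terminator), so the copy is safe as long as prpsinfo.pr_fname is at least that large; the declaration of pr_fname is not shown.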
memset(&prpsinfo, 0, sizeof(prpsinfo));
prpsinfo.pr_sname = 'R';
strcpy(prpsinfo.pr_fname, "vmlinux");
return nt_init(ptr, NT_PRPSINFO, &prpsinfo, sizeof(prpsinfo));
}
/*
* Get vmcoreinfo using lowcore->vmcore_info (new kernel)
Reported by FlawFinder.
fs/udf/inode.c
16 issues
Line: 662
CWE codes:
908
extent.extLocation.partitionReferenceNum = 0;
extent.extLength = EXT_NOT_RECORDED_NOT_ALLOCATED;
} else {
epos.offset -= adsize;
etype = udf_next_aext(inode, &epos, &extent.extLocation,
&extent.extLength, 0);
extent.extLength |= etype << 30;
}
Reported by Cppcheck.
Line: 1764
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
eid = (struct regid *)dsea->impUse;
memset(eid, 0, sizeof(*eid));
strcpy(eid->ident, UDF_ID_DEVELOPER);
eid->identSuffix[0] = UDF_OS_CLASS_UNIX;
eid->identSuffix[1] = UDF_OS_ID_LINUX;
dsea->majorDeviceIdent = cpu_to_le32(imajor(inode));
dsea->minorDeviceIdent = cpu_to_le32(iminor(inode));
}
Reported by FlawFinder.
Line: 1788
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
udf_time_to_disk_stamp(&fe->modificationTime, inode->i_mtime);
udf_time_to_disk_stamp(&fe->attrTime, inode->i_ctime);
memset(&(fe->impIdent), 0, sizeof(struct regid));
strcpy(fe->impIdent.ident, UDF_ID_DEVELOPER);
fe->impIdent.identSuffix[0] = UDF_OS_CLASS_UNIX;
fe->impIdent.identSuffix[1] = UDF_OS_ID_LINUX;
fe->uniqueID = cpu_to_le64(iinfo->i_unique);
fe->lengthExtendedAttr = cpu_to_le32(iinfo->i_lenEAttr);
fe->lengthAllocDescs = cpu_to_le32(iinfo->i_lenAlloc);
Reported by FlawFinder.
Line: 1825
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
udf_time_to_disk_stamp(&efe->attrTime, inode->i_ctime);
memset(&(efe->impIdent), 0, sizeof(efe->impIdent));
strcpy(efe->impIdent.ident, UDF_ID_DEVELOPER);
efe->impIdent.identSuffix[0] = UDF_OS_CLASS_UNIX;
efe->impIdent.identSuffix[1] = UDF_OS_ID_LINUX;
efe->uniqueID = cpu_to_le64(iinfo->i_unique);
efe->lengthExtendedAttr = cpu_to_le32(iinfo->i_lenEAttr);
efe->lengthAllocDescs = cpu_to_le32(iinfo->i_lenAlloc);
Reported by FlawFinder.
Line: 103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(iinfo->cached_extent.lstart != -1)) {
/* Cache hit */
*lbcount = iinfo->cached_extent.lstart;
memcpy(pos, &iinfo->cached_extent.epos,
sizeof(struct extent_position));
if (pos->bh)
get_bh(pos->bh);
ret = 1;
}
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__udf_clear_extent_cache(inode);
if (pos->bh)
get_bh(pos->bh);
memcpy(&iinfo->cached_extent.epos, pos, sizeof(*pos));
iinfo->cached_extent.lstart = estart;
switch (iinfo->i_alloc_type) {
case ICBTAG_FLAG_AD_SHORT:
iinfo->cached_extent.epos.offset -= sizeof(struct short_ad);
break;
Reported by FlawFinder.
Line: 292
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kaddr = kmap_atomic(page);
memset(kaddr + iinfo->i_lenAlloc, 0x00,
PAGE_SIZE - iinfo->i_lenAlloc);
memcpy(kaddr, iinfo->i_data + iinfo->i_lenEAttr,
iinfo->i_lenAlloc);
flush_dcache_page(page);
SetPageUptodate(page);
kunmap_atomic(kaddr);
}
Reported by FlawFinder.
Line: 315
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lock_page(page);
down_write(&iinfo->i_data_sem);
kaddr = kmap_atomic(page);
memcpy(iinfo->i_data + iinfo->i_lenEAttr, kaddr, inode->i_size);
kunmap_atomic(kaddr);
unlock_page(page);
iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB;
inode->i_data.a_ops = &udf_adinicb_aops;
up_write(&iinfo->i_data_sem);
Reported by FlawFinder.
Line: 1374
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ie->indirectICB.extLength) {
brelse(ibh);
memcpy(&iinfo->i_location, &loc,
sizeof(struct kernel_lb_addr));
if (++indirections > UDF_MAX_ICB_NESTING) {
udf_err(inode->i_sb,
"too many ICBs in ICB hierarchy"
" (max %d supported)\n",
Reported by FlawFinder.
Line: 1419
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct extendedFileEntry));
if (ret)
goto out;
memcpy(iinfo->i_data,
bh->b_data + sizeof(struct extendedFileEntry),
bs - sizeof(struct extendedFileEntry));
} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
iinfo->i_efe = 0;
iinfo->i_use = 0;
Reported by FlawFinder.
sound/core/oss/mixer_oss.c
16 issues
Line: 977
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_GLOBAL);
if (err)
return err;
sprintf(str, "%s Switch", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_GSWITCH);
if (err)
return err;
sprintf(str, "%s Route", ptr->name);
Reported by FlawFinder.
Line: 982
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_GSWITCH);
if (err)
return err;
sprintf(str, "%s Route", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_GROUTE);
if (err)
return err;
sprintf(str, "%s Volume", ptr->name);
Reported by FlawFinder.
Line: 987
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_GROUTE);
if (err)
return err;
sprintf(str, "%s Volume", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_GVOLUME);
if (err)
return err;
sprintf(str, "%s Playback Switch", ptr->name);
Reported by FlawFinder.
Line: 992
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_GVOLUME);
if (err)
return err;
sprintf(str, "%s Playback Switch", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_PSWITCH);
if (err)
return err;
sprintf(str, "%s Playback Route", ptr->name);
Reported by FlawFinder.
Line: 997
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_PSWITCH);
if (err)
return err;
sprintf(str, "%s Playback Route", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_PROUTE);
if (err)
return err;
sprintf(str, "%s Playback Volume", ptr->name);
Reported by FlawFinder.
Line: 1002
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_PROUTE);
if (err)
return err;
sprintf(str, "%s Playback Volume", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_PVOLUME);
if (err)
return err;
sprintf(str, "%s Capture Switch", ptr->name);
Reported by FlawFinder.
Line: 1007
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_PVOLUME);
if (err)
return err;
sprintf(str, "%s Capture Switch", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_CSWITCH);
if (err)
return err;
sprintf(str, "%s Capture Route", ptr->name);
Reported by FlawFinder.
Line: 1012
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_CSWITCH);
if (err)
return err;
sprintf(str, "%s Capture Route", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_CROUTE);
if (err)
return err;
sprintf(str, "%s Capture Volume", ptr->name);
Reported by FlawFinder.
Line: 1017
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_CROUTE);
if (err)
return err;
sprintf(str, "%s Capture Volume", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_CVOLUME);
if (err)
return err;
Reported by FlawFinder.
Line: 1067
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
kfree(uinfo);
return 0;
}
strcpy(str, ptr->name);
if (!strcmp(str, "Master"))
strcpy(str, "Mix");
if (!strcmp(str, "Master Mono"))
strcpy(str, "Mix Mono");
slot.capture_item = 0;
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
16 issues
Line: 299
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ste_info->offset = offset;
if (copy_data) {
memcpy(ste_info->data_cont, data, size);
ste_info->data = ste_info->data_cont;
} else {
ste_info->data = data;
}
Reported by FlawFinder.
Line: 375
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(dmn->send_ring->signal_th - 1)) *
send_ring->max_post_send_size;
/* Copy to ring mr */
memcpy(send_ring->buf + buff_offset,
(void *)(uintptr_t)send_info->write.addr,
send_info->write.length);
send_info->write.addr = (uintptr_t)send_ring->mr->dma_addr + buff_offset;
send_info->write.lkey = send_ring->mr->mkey.key;
}
Reported by FlawFinder.
Line: 481
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 ste_off = j * DR_STE_SIZE;
if (mlx5dr_ste_is_not_used(ste)) {
memcpy(data + ste_off,
formatted_ste, DR_STE_SIZE);
} else {
/* Copy data */
memcpy(data + ste_off,
htbl->ste_arr[ste_index + j].hw_ste,
Reported by FlawFinder.
Line: 485
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
formatted_ste, DR_STE_SIZE);
} else {
/* Copy data */
memcpy(data + ste_off,
htbl->ste_arr[ste_index + j].hw_ste,
DR_STE_SIZE_REDUCED);
/* Copy bit_mask */
memcpy(data + ste_off + DR_STE_SIZE_REDUCED,
mask, DR_STE_SIZE_MASK);
Reported by FlawFinder.
Line: 489
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
htbl->ste_arr[ste_index + j].hw_ste,
DR_STE_SIZE_REDUCED);
/* Copy bit_mask */
memcpy(data + ste_off + DR_STE_SIZE_REDUCED,
mask, DR_STE_SIZE_MASK);
/* Only when we have mask we need to re-arrange the STE */
mlx5dr_ste_prepare_for_postsend(dmn->ste_ctx,
data + (j * DR_STE_SIZE),
DR_STE_SIZE);
Reported by FlawFinder.
Line: 538
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the reduced STE to hash table ste_arr */
for (i = 0; i < num_stes; i++) {
copy_dst = htbl->hw_ste_arr + i * DR_STE_SIZE_REDUCED;
memcpy(copy_dst, ste_init_data, DR_STE_SIZE_REDUCED);
}
}
mlx5dr_ste_prepare_for_postsend(dmn->ste_ctx, ste_init_data, DR_STE_SIZE);
Reported by FlawFinder.
Line: 547
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the same STE on the data buffer */
for (i = 0; i < num_stes; i++) {
copy_dst = data + i * DR_STE_SIZE;
memcpy(copy_dst, ste_init_data, DR_STE_SIZE);
}
/* Send the data iteration times */
for (i = 0; i < iterations; i++) {
u8 ste_index = i * (byte_size / DR_STE_SIZE);
Reported by FlawFinder.
Line: 644
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MLX5_SET(qpc, qpc, mtu, attr->mtu);
MLX5_SET(qpc, qpc, log_msg_max, DR_CHUNK_SIZE_MAX - 1);
MLX5_SET(qpc, qpc, remote_qpn, attr->qp_num);
memcpy(MLX5_ADDR_OF(qpc, qpc, primary_address_path.rmac_47_32),
attr->dgid_attr.mac, sizeof(attr->dgid_attr.mac));
memcpy(MLX5_ADDR_OF(qpc, qpc, primary_address_path.rgid_rip),
attr->dgid_attr.gid, sizeof(attr->dgid_attr.gid));
MLX5_SET(qpc, qpc, primary_address_path.src_addr_index,
attr->sgid_index);
Reported by FlawFinder.
Line: 646
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MLX5_SET(qpc, qpc, remote_qpn, attr->qp_num);
memcpy(MLX5_ADDR_OF(qpc, qpc, primary_address_path.rmac_47_32),
attr->dgid_attr.mac, sizeof(attr->dgid_attr.mac));
memcpy(MLX5_ADDR_OF(qpc, qpc, primary_address_path.rgid_rip),
attr->dgid_attr.gid, sizeof(attr->dgid_attr.gid));
MLX5_SET(qpc, qpc, primary_address_path.src_addr_index,
attr->sgid_index);
if (attr->dgid_attr.roce_ver == MLX5_ROCE_VERSION_2)
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/main.c
16 issues
Line: 392
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (cap_mode) {
case HCA_CAP_OPMOD_GET_MAX:
memcpy(dev->caps.hca_max[cap_type], hca_caps,
MLX5_UN_SZ_BYTES(hca_cap_union));
break;
case HCA_CAP_OPMOD_GET_CUR:
memcpy(dev->caps.hca_cur[cap_type], hca_caps,
MLX5_UN_SZ_BYTES(hca_cap_union));
Reported by FlawFinder.
Line: 396
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MLX5_UN_SZ_BYTES(hca_cap_union));
break;
case HCA_CAP_OPMOD_GET_CUR:
memcpy(dev->caps.hca_cur[cap_type], hca_caps,
MLX5_UN_SZ_BYTES(hca_cap_union));
break;
default:
mlx5_core_warn(dev,
"Tried to query dev cap type(%x) with wrong opmode(%x)\n",
Reported by FlawFinder.
Line: 472
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
set_hca_cap = MLX5_ADDR_OF(set_hca_cap_in, set_ctx, capability);
memcpy(set_hca_cap, dev->caps.hca_cur[MLX5_CAP_ODP],
MLX5_ST_SZ_BYTES(odp_cap));
#define ODP_CAP_SET_MAX(dev, field) \
do { \
u32 _res = MLX5_CAP_ODP_MAX(dev, field); \
Reported by FlawFinder.
Line: 517
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
set_hca_cap = MLX5_ADDR_OF(set_hca_cap_in, set_ctx,
capability);
memcpy(set_hca_cap, dev->caps.hca_cur[MLX5_CAP_GENERAL],
MLX5_ST_SZ_BYTES(cmd_hca_cap));
mlx5_core_dbg(dev, "Current Pkey table size %d Setting new size %d\n",
mlx5_to_sw_pkey_sz(MLX5_CAP_GEN(dev, pkey_table_size)),
128);
Reported by FlawFinder.
Line: 599
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
set_hca_cap = MLX5_ADDR_OF(set_hca_cap_in, set_ctx, capability);
memcpy(set_hca_cap, dev->caps.hca_cur[MLX5_CAP_ROCE],
MLX5_ST_SZ_BYTES(roce_cap));
MLX5_SET(roce_cap, set_hca_cap, sw_r_roce_src_udp_port, 1);
err = set_caps(dev, set_ctx, MLX5_SET_HCA_CAP_OP_MOD_ROCE);
return err;
Reported by FlawFinder.
Line: 227
Column: 2
CWE codes:
120
string = MLX5_ADDR_OF(set_driver_version_in, in, driver_version);
strncpy(string, "Linux", remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, ",", remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
Reported by FlawFinder.
Line: 229
Column: 49
CWE codes:
126
strncpy(string, "Linux", remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, ",", remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, KBUILD_MODNAME, remaining_size);
Reported by FlawFinder.
Line: 230
Column: 2
CWE codes:
120
Suggestion:
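Consider strcat_s, strlcat, snprintf, or automatically resizing strings. strncat's length argument limits only the characters appended, and a terminating NUL is written after them. A bound computed as driver_ver_sz - strlen(string) therefore leaves room for the terminator only if driver_ver_sz is at least one less than the size of the destination field; how driver_ver_sz is derived is not shown. The same applies to the strncat reported at line 233.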
strncpy(string, "Linux", remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, ",", remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, KBUILD_MODNAME, remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
Reported by FlawFinder.
Line: 232
Column: 49
CWE codes:
126
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, ",", remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, KBUILD_MODNAME, remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, ",", remaining_size);
Reported by FlawFinder.
Line: 233
Column: 2
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
strncat(string, ",", remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, KBUILD_MODNAME, remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
strncat(string, ",", remaining_size);
remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
Reported by FlawFinder.
net/ipv4/arp.c
16 issues
Line: 202
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
default:
if (dir) {
memcpy(haddr, dev->broadcast, dev->addr_len);
return 0;
}
}
return -EINVAL;
}
Reported by FlawFinder.
Line: 231
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 inaddr_any = INADDR_ANY;
if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
memcpy(neigh->primary_key, &inaddr_any, arp_tbl.key_len);
addr = *(__be32 *)neigh->primary_key;
rcu_read_lock();
in_dev = __in_dev_get_rcu(dev);
if (!in_dev) {
Reported by FlawFinder.
Line: 273
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
arp_mc_map(addr, neigh->ha, dev, 1);
} else if (dev->flags & (IFF_NOARP | IFF_LOOPBACK)) {
neigh->nud_state = NUD_NOARP;
memcpy(neigh->ha, dev->dev_addr, dev->addr_len);
} else if (neigh->type == RTN_BROADCAST ||
(dev->flags & IFF_POINTOPOINT)) {
neigh->nud_state = NUD_NOARP;
memcpy(neigh->ha, dev->broadcast, dev->addr_len);
}
Reported by FlawFinder.
Line: 277
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (neigh->type == RTN_BROADCAST ||
(dev->flags & IFF_POINTOPOINT)) {
neigh->nud_state = NUD_NOARP;
memcpy(neigh->ha, dev->broadcast, dev->addr_len);
}
if (dev->header_ops->cache)
neigh->ops = &arp_hh_ops;
else
Reported by FlawFinder.
Line: 603
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
arp_ptr = (unsigned char *)(arp + 1);
memcpy(arp_ptr, src_hw, dev->addr_len);
arp_ptr += dev->addr_len;
memcpy(arp_ptr, &src_ip, 4);
arp_ptr += 4;
switch (dev->type) {
Reported by FlawFinder.
Line: 605
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(arp_ptr, src_hw, dev->addr_len);
arp_ptr += dev->addr_len;
memcpy(arp_ptr, &src_ip, 4);
arp_ptr += 4;
switch (dev->type) {
#if IS_ENABLED(CONFIG_FIREWIRE_NET)
case ARPHRD_IEEE1394:
Reported by FlawFinder.
Line: 615
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#endif
default:
if (target_hw)
memcpy(arp_ptr, target_hw, dev->addr_len);
else
memset(arp_ptr, 0, dev->addr_len);
arp_ptr += dev->addr_len;
}
memcpy(arp_ptr, &dest_ip, 4);
Reported by FlawFinder.
Line: 620
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(arp_ptr, 0, dev->addr_len);
arp_ptr += dev->addr_len;
}
memcpy(arp_ptr, &dest_ip, 4);
return skb;
out:
kfree_skb(skb);
Reported by FlawFinder.
Line: 749
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
arp_ptr = (unsigned char *)(arp + 1);
sha = arp_ptr;
arp_ptr += dev->addr_len;
memcpy(&sip, arp_ptr, 4);
arp_ptr += 4;
switch (dev_type) {
#if IS_ENABLED(CONFIG_FIREWIRE_NET)
case ARPHRD_IEEE1394:
break;
Reported by FlawFinder.
Line: 760
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tha = arp_ptr;
arp_ptr += dev->addr_len;
}
memcpy(&tip, arp_ptr, 4);
/*
* Check for bad requests for 127.x.x.x and requests for multicast
* addresses. If this is one such, delete it.
*/
if (ipv4_is_multicast(tip) ||
Reported by FlawFinder.
fs/notify/fanotify/fanotify_user.c
16 issues
Line: 317
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct fanotify_event_info_fid info = { };
struct file_handle handle = { };
unsigned char bounce[FANOTIFY_INLINE_FH_LEN], *fh_buf;
size_t fh_len = fh ? fh->len : 0;
size_t info_len = fanotify_fid_info_len(fh_len, name_len);
size_t len = info_len;
pr_debug("%s: fh_len=%zu name_len=%zu, info_len=%zu, count=%zu\n",
Reported by FlawFinder.
Line: 376
Column: 3
CWE codes:
120
Suggestion:
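Make sure destination can always hold the source data. In the lines shown, the copy into bounce is guarded by fh_len <= FANOTIFY_INLINE_FH_LEN, and the entry for line 317 shows bounce declared with FANOTIFY_INLINE_FH_LEN bytes, so the copied length cannot exceed the destination.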
*/
fh_buf = fanotify_fh_buf(fh);
if (fh_len <= FANOTIFY_INLINE_FH_LEN) {
memcpy(bounce, fh_buf, fh_len);
fh_buf = bounce;
}
if (copy_to_user(buf, fh_buf, fh_len))
return -EFAULT;
Reported by FlawFinder.
Line: 819
Column: 16
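CWE codes:
732
Note: in the quoted lines umask is a __u32 parameter holding mark-mask bits ("umask bits cannot be removed by user"), not a call to umask(). The remaining CWE-732 entries for this file flag the same identifier.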
static __u32 fanotify_mark_remove_from_mask(struct fsnotify_mark *fsn_mark,
__u32 mask, unsigned int flags,
__u32 umask, int *destroy)
{
__u32 oldmask = 0;
/* umask bits cannot be removed by user */
mask &= ~umask;
Reported by FlawFinder.
Line: 824
Column: 11
CWE codes:
732
__u32 oldmask = 0;
/* umask bits cannot be removed by user */
mask &= ~umask;
spin_lock(&fsn_mark->lock);
if (!(flags & FAN_MARK_IGNORED_MASK)) {
oldmask = fsn_mark->mask;
fsn_mark->mask &= ~mask;
} else {
Reported by FlawFinder.
Line: 838
Column: 60
CWE codes:
732
* changes to the mask.
* Destroy mark when only umask bits remain.
*/
*destroy = !((fsn_mark->mask | fsn_mark->ignored_mask) & ~umask);
spin_unlock(&fsn_mark->lock);
return mask & oldmask;
}
Reported by FlawFinder.
Line: 846
Column: 31
CWE codes:
732
static int fanotify_remove_mark(struct fsnotify_group *group,
fsnotify_connp_t *connp, __u32 mask,
unsigned int flags, __u32 umask)
{
struct fsnotify_mark *fsn_mark = NULL;
__u32 removed;
int destroy_mark;
Reported by FlawFinder.
Line: 860
Column: 8
CWE codes:
732
}
removed = fanotify_mark_remove_from_mask(fsn_mark, mask, flags,
umask, &destroy_mark);
if (removed & fsnotify_conn_mask(fsn_mark->connector))
fsnotify_recalc_mask(fsn_mark->connector);
if (destroy_mark)
fsnotify_detach_mark(fsn_mark);
mutex_unlock(&group->mark_mutex);
Reported by FlawFinder.
Line: 876
Column: 33
CWE codes:
732
static int fanotify_remove_vfsmount_mark(struct fsnotify_group *group,
struct vfsmount *mnt, __u32 mask,
unsigned int flags, __u32 umask)
{
return fanotify_remove_mark(group, &real_mount(mnt)->mnt_fsnotify_marks,
mask, flags, umask);
}
Reported by FlawFinder.
Line: 879
Column: 22
CWE codes:
732
unsigned int flags, __u32 umask)
{
return fanotify_remove_mark(group, &real_mount(mnt)->mnt_fsnotify_marks,
mask, flags, umask);
}
static int fanotify_remove_sb_mark(struct fsnotify_group *group,
struct super_block *sb, __u32 mask,
unsigned int flags, __u32 umask)
Reported by FlawFinder.
Line: 884
Column: 34
CWE codes:
732
static int fanotify_remove_sb_mark(struct fsnotify_group *group,
struct super_block *sb, __u32 mask,
unsigned int flags, __u32 umask)
{
return fanotify_remove_mark(group, &sb->s_fsnotify_marks, mask,
flags, umask);
}
Reported by FlawFinder.
tools/lib/traceevent/parse-filter.c
16 issues
Line: 1746
CWE codes:
562
}
}
return val;
}
static int test_str(struct tep_event *event, struct tep_filter_arg *arg,
struct tep_record *record, enum tep_errno *err)
{
Reported by Cppcheck.
Line: 46
Column: 3
CWE codes:
120
Suggestion:
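Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In the lines shown, len comes from strlen(input), and nothing compares it with the size of error_buf before the strcpy or before the later writes up to error_buf[len + i + 1]. Check whether the input length is bounded before this point.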
len = input ? strlen(input) : 0;
if (len) {
strcpy(error_buf, input);
error_buf[len] = '\n';
for (i = 1; i < len && i < index; i++)
error_buf[len+i] = ' ';
error_buf[len + i] = '^';
error_buf[len + i + 1] = '\n';
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
134
Suggestion:
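Use a constant for the format specification. Here fmt is the function's own variadic format parameter (va_start(ap, fmt)), so what matters is that every caller passes a constant format string; the call sites are not shown.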
}
va_start(ap, fmt);
vsnprintf(error_buf + len, TEP_FILTER_ERROR_BUFSZ - len, fmt, ap);
va_end(ap);
}
static enum tep_event_type filter_read_token(char **tok)
{
Reported by FlawFinder.
Line: 245
Column: 32
CWE codes:
78
Suggestion:
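try using a library call that implements the same functionality if available. No call to system() appears in the quoted lines; the only match is the struct member in event->system, which is passed to regexec() as the string to match. The CWE-78 entries for lines 249 and 1460 flag the same member name.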
regex_t *sreg, regex_t *ereg)
{
if (sreg) {
return !regexec(sreg, event->system, 0, NULL, 0) &&
!regexec(ereg, event->name, 0, NULL, 0);
}
return !regexec(ereg, event->system, 0, NULL, 0) ||
!regexec(ereg, event->name, 0, NULL, 0);
Reported by FlawFinder.
Line: 249
Column: 31
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
!regexec(ereg, event->name, 0, NULL, 0);
}
return !regexec(ereg, event->system, 0, NULL, 0) ||
!regexec(ereg, event->name, 0, NULL, 0);
}
static enum tep_errno
find_event(struct tep_handle *tep, struct event_list **events,
Reported by FlawFinder.
Line: 1460
Column: 28
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
char *str;
/* Can't assume that the tep's are the same */
sys = filter_type->event->system;
name = filter_type->event->name;
event = tep_find_event_by_name(filter->tep, sys, name);
if (!event)
return -1;
Reported by FlawFinder.
Line: 80
Column: 3
CWE codes:
120
Suggestion:
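Use sprintf_s, snprintf, or vsnprintf. Triage note: the format is fixed-width here ("%c%c" yields two characters plus the terminator), so the thing to confirm is that `*tok` was allocated with at least three bytes; the allocation is above the excerpt.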
free_token(token);
return TEP_EVENT_ERROR;
}
sprintf(*tok, "%c%c", *token, '~');
free_token(token);
/* Now remove the '~' from the buffer */
read_token(&token);
free_token(token);
} else
Reported by FlawFinder.
Line: 1294
Column: 3
CWE codes:
120
Suggestion:
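Make sure destination can always hold the source data. Triage note: the line after the copy stores a terminator at `this_event[len]`, so the destination needs `len + 1` bytes; the allocation whose failure is handled just above is not shown, so confirm it uses that size.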
free_events(events);
return TEP_ERRNO__MEM_ALLOC_FAILED;
}
memcpy(this_event, filter_str, len);
this_event[len] = 0;
if (next_event)
next_event++;
Reported by FlawFinder.
Line: 1706
Column: 2
CWE codes:
119
120
Suggestion:
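Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: for `hex[64]` the lifetime matters as much as the size. Cppcheck's CWE-562 finding at line 1746 (`return val;`) should be read together with this one: if `val` can be pointed at the local `hex` before that return, the caller receives a pointer to a dead stack array. The assignment is not in either excerpt, so verify it in the source.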
unsigned long long addr;
const char *val = NULL;
unsigned int size;
char hex[64];
/* If the field is not a string convert it */
if (arg->str.field->flags & TEP_FIELD_IS_STRING) {
val = record->data + arg->str.field->offset;
size = arg->str.field->size;
Reported by FlawFinder.
Line: 1725
Column: 4
CWE codes:
120
Suggestion:
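Make sure destination can always hold the source data. Triage note: the copy length is `arg->str.field->size`, and the comment that follows relies on a terminator already sitting after the copied bytes, so `arg->str.buffer` needs at least `size + 1` bytes; where it is allocated is not shown. `val` is computed as `record->data + arg->str.field->offset` (see the line 1706 excerpt), so the offset and size also have to stay inside the record.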
*/
if (*(val + size - 1)) {
/* copy it */
memcpy(arg->str.buffer, val, arg->str.field->size);
/* the buffer is already NULL terminated */
val = arg->str.buffer;
}
} else {
Reported by FlawFinder.
arch/sparc/kernel/prom_32.c
16 issues
Line: 68
Column: 2
CWE codes:
120
Suggestion:
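Use sprintf_s, snprintf, or vsnprintf. Triage note: the size of `tmp_buf` is not visible in any excerpt from this file. The `%x` fields have a bounded width, but `%s` with `name` does not, so the length of `name` against the buffer size is what decides whether this can overflow. The same check covers the other sprintf findings on `tmp_buf` below.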
return;
regs = rprop->value;
sprintf(tmp_buf, "%s@%x,%x",
name,
regs->which_io, regs->phys_addr);
}
/* "name@slot,offset" */
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return;
regs = prop->value;
sprintf(tmp_buf, "%s@%x,%x",
name,
regs->which_io,
regs->phys_addr);
}
Reported by FlawFinder.
Line: 106
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
regs = prop->value;
devfn = (regs->phys_hi >> 8) & 0xff;
if (devfn & 0x07) {
sprintf(tmp_buf, "%s@%x,%x",
name,
devfn >> 3,
devfn & 0x07);
} else {
sprintf(tmp_buf, "%s@%x",
Reported by FlawFinder.
Line: 111
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
devfn >> 3,
devfn & 0x07);
} else {
sprintf(tmp_buf, "%s@%x",
name,
devfn >> 3);
}
}
Reported by FlawFinder.
Line: 130
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
regs = prop->value;
sprintf(tmp_buf, "%s@%x,%x",
name,
regs->which_io, regs->phys_addr);
}
/* "name@irq,addrlo" */
Reported by FlawFinder.
Line: 163
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else
intr = prop->value;
sprintf(tmp_buf, "%s@%x,%x", name, *intr, reg0);
}
static void __init __build_path_component(struct device_node *dp, char *tmp_buf)
{
struct device_node *parent = dp->parent;
Reported by FlawFinder.
Line: 196
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
tmp_buf[0] = '\0';
__build_path_component(dp, tmp_buf);
if (tmp_buf[0] == '\0')
strcpy(tmp_buf, name);
n = prom_early_alloc(strlen(tmp_buf) + 1);
strcpy(n, tmp_buf);
return n;
Reported by FlawFinder.
Line: 199
Column: 2
CWE codes:
120
Suggestion:
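Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Triage note: for the flagged `strcpy(n, tmp_buf)` the destination is allocated as `strlen(tmp_buf) + 1` on the line above, so the copy is exactly sized; the remaining risk is in how `tmp_buf` itself was filled (findings at lines 68–196).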
strcpy(tmp_buf, name);
n = prom_early_alloc(strlen(tmp_buf) + 1);
strcpy(n, tmp_buf);
return n;
}
extern void restore_current(void);
Reported by FlawFinder.
Line: 252
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
sprintf(of_console_path, "%pOF", dp);
if (!strcmp(type, "serial")) {
strcat(of_console_path,
(skip ? ":b" : ":a"));
}
break;
default:
Reported by FlawFinder.
Line: 302
Column: 4
CWE codes:
120
Suggestion:
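Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Triage note: `path` appears to be the root node's stdout-path property (the excerpt halts when it is missing), so its length is set by firmware rather than by this code, and the size of `of_console_path` is not shown. In kernel code the bounded copy is `strscpy()` called with the destination's real size.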
prom_printf("No stdout-path in root node.\n");
prom_halt();
}
strcpy(of_console_path, path);
}
break;
}
of_console_options = strrchr(of_console_path, ':');
Reported by FlawFinder.