To meet requirements of Common Criteria certification vulnerablility assessment. Static code analysis has been run and found the following Error: DC.STREAM_BUFFER (CWE-120): [#def46] mdadm-4.2: dont_call: "fscanf" assumes an arbitrarily long string, so callers must use correct precision specifiers or never use "fscanf". The change is to define a value for string %s.

Signed-off-by: Nigel Croxon <ncroxon@xxxxxxxxxx>
---
 Monitor.c | 2 +-
 policy.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Monitor.c b/Monitor.c
index f5412299..8bd3b5a1 100644
--- a/Monitor.c
+++ b/Monitor.c
@@ -359,7 +359,7 @@ static int check_one_sharer(int scan)
 "/proc/%d/comm", pid);
 comm_fp = fopen(comm_path, "r");
 if (comm_fp) {
- if (fscanf(comm_fp, "%s", comm) &&
+ if (fscanf(comm_fp, "%19s", comm) &&
 strncmp(basename(comm), Name, strlen(Name)) == 0) {
 if (scan) {
 pr_err("Only one autorebuild process allowed in scan mode, aborting\n");
diff --git a/policy.c b/policy.c
index 3c53bd35..e9760a65 100644
--- a/policy.c
+++ b/policy.c
@@ -784,7 +784,7 @@ int policy_check_path(struct mdinfo *disk, struct map_ent *array)
 if (!f)
 continue;
 
- rv = fscanf(f, " %s %x:%x:%x:%x\n",
+ rv = fscanf(f, " %255s %x:%x:%x:%x\n",
 array->metadata,
 array->uuid,
 array->uuid+1,
-- 
2.29.2
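Review bot: The added `%19s` in the Monitor.c hunk bounds the write, but the condition still treats any non-zero return of fscanf() as success, and fscanf() returns EOF (-1) on a read error or empty file, so the `&&` falls through to strncmp() on a `comm` buffer that was never written. Since the return value is now being relied on for safety, compare it explicitly: `if (fscanf(comm_fp, "%19s", comm) == 1 &&`. The width 19 is hard-coded with no visible link to the declaration of `comm` (which is outside the hunk, as is the rest of check_one_sharer); I would add a comment such as `/* width must stay sizeof(comm) - 1 */` next to the format, or derive it from the array size, so a later resize of `comm` cannot silently reopen the CWE-120 finding the commit is closing.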
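Review bot: In the policy.c hunk `%255s` presumes `array->metadata` holds at least 256 bytes, but the field's declaration in struct map_ent is not visible here, so nothing in this file ties the two together; if that field is ever shrunk the overflow returns without any warning. Where the build permits C11, a one-line guard next to the call makes the assumption checkable, e.g. `_Static_assert(sizeof(array->metadata) >= 256, "fscanf width must match metadata size");`, otherwise a comment stating the coupling is the minimum. Note also that a metadata token longer than 255 characters is now truncated rather than consumed, so the following `%x` conversions fail and `rv` ends up below 5; the check of `rv`, and the rest of policy_check_path, lie outside the hunk, so I cannot confirm that case is rejected rather than partially applied.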