To meet requirements of Common Criteria certification vulnerablility
assessment. Static code analysis has been run and found the following
Error: DC.STREAM_BUFFER (CWE-120): [#def46]
mdadm-4.2: dont_call: "fscanf" assumes an arbitrarily
long string, so callers must use correct precision specifiers or
never use "fscanf".
The change is to define a value for string %s.
Signed-off-by: Nigel Croxon <ncroxon@xxxxxxxxxx>
---
Monitor.c | 2 +-
policy.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Monitor.c b/Monitor.c
index f5412299..8bd3b5a1 100644
--- a/Monitor.c
+++ b/Monitor.c
@@ -359,7 +359,7 @@ static int check_one_sharer(int scan)
"/proc/%d/comm", pid);
comm_fp = fopen(comm_path, "r");
if (comm_fp) {
- if (fscanf(comm_fp, "%s", comm) &&
+ if (fscanf(comm_fp, "%19s", comm) &&
strncmp(basename(comm), Name, strlen(Name)) == 0) {
if (scan) {
pr_err("Only one autorebuild process allowed in scan mode, aborting\n");
diff --git a/policy.c b/policy.c
index 3c53bd35..e9760a65 100644
--- a/policy.c
+++ b/policy.c
@@ -784,7 +784,7 @@ int policy_check_path(struct mdinfo *disk, struct map_ent *array)
if (!f)
continue;
- rv = fscanf(f, " %s %x:%x:%x:%x\n",
+ rv = fscanf(f, " %255s %x:%x:%x:%x\n",
array->metadata,
array->uuid,
array->uuid+1,
--
2.29.2
