The following issues were found

src/mongo/db/dbmessage.cpp
4 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 73 Column: 29 CWE codes: 120 20 

                  const char* p = _nsStart + _nsLen + 1;
    checkRead<int>(p, 2);

    return ConstDataView(p).read<LittleEndian<int32_t>>(sizeof(int32_t));
}

int DbMessage::pullInt() {
    return readAndAdvance<int32_t>();
}

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 128 Column: 14 CWE codes: 120 20 

              }

template <typename T>
T DbMessage::read() const {
    checkRead<T>(_nextjsobj, 1);

    return ConstDataView(_nextjsobj).read<LittleEndian<T>>();
}

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 131 Column: 38 CWE codes: 120 20 

              T DbMessage::read() const {
    checkRead<T>(_nextjsobj, 1);

    return ConstDataView(_nextjsobj).read<LittleEndian<T>>();
}

template <typename T>
T DbMessage::readAndAdvance() {
    T t = read<T>();

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 136 Column: 11 CWE codes: 120 20 

              
template <typename T>
T DbMessage::readAndAdvance() {
    T t = read<T>();
    _nextjsobj += sizeof(T);
    return t;
}

Reported by FlawFinder.

src/third_party/gperftools/dist/src/base/atomicops-internals-x86.cc
4 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 83 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
  // Get vendor string (issue CPUID with eax = 0)
  cpuid(eax, ebx, ecx, edx, 0);
  char vendor[13];
  memcpy(vendor, &ebx, 4);
  memcpy(vendor + 4, &edx, 4);
  memcpy(vendor + 8, &ecx, 4);
  vendor[12] = 0;

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 84 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                // Get vendor string (issue CPUID with eax = 0)
  cpuid(eax, ebx, ecx, edx, 0);
  char vendor[13];
  memcpy(vendor, &ebx, 4);
  memcpy(vendor + 4, &edx, 4);
  memcpy(vendor + 8, &ecx, 4);
  vendor[12] = 0;

  // get feature flags in ecx/edx, and family/model in eax

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 85 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                cpuid(eax, ebx, ecx, edx, 0);
  char vendor[13];
  memcpy(vendor, &ebx, 4);
  memcpy(vendor + 4, &edx, 4);
  memcpy(vendor + 8, &ecx, 4);
  vendor[12] = 0;

  // get feature flags in ecx/edx, and family/model in eax
  cpuid(eax, ebx, ecx, edx, 1);

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 86 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                char vendor[13];
  memcpy(vendor, &ebx, 4);
  memcpy(vendor + 4, &edx, 4);
  memcpy(vendor + 8, &ecx, 4);
  vendor[12] = 0;

  // get feature flags in ecx/edx, and family/model in eax
  cpuid(eax, ebx, ecx, edx, 1);

Reported by FlawFinder.

src/third_party/fmt/dist/src/os.cc
4 issues
fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 154 Column: 35 CWE codes: 362 

              }

buffered_file::buffered_file(cstring_view filename, cstring_view mode) {
  FMT_RETRY_VAL(file_, FMT_SYSTEM(fopen(filename.c_str(), mode.c_str())),
                nullptr);
  if (!file_)
    FMT_THROW(system_error(errno, "cannot open file {}", filename.c_str()));
}

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 183 Column: 33 CWE codes: 362 

                fd_ = -1;
  FMT_POSIX_CALL(sopen_s(&fd_, path.c_str(), oflag, _SH_DENYNO, mode));
#  else
  FMT_RETRY(fd_, FMT_POSIX_CALL(open(path.c_str(), oflag, mode)));
#  endif
  if (fd_ == -1)
    FMT_THROW(system_error(errno, "cannot open file {}", path.c_str()));
}

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 231 Column: 19 CWE codes: 120 20 

              #  endif
}

std::size_t file::read(void* buffer, std::size_t count) {
  RWResult result = 0;
  FMT_RETRY(result, FMT_POSIX_CALL(read(fd_, buffer, convert_rwcount(count))));
  if (result < 0) FMT_THROW(system_error(errno, "cannot read from file"));
  return detail::to_unsigned(result);
}

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 233 Column: 36 CWE codes: 120 20 

              
std::size_t file::read(void* buffer, std::size_t count) {
  RWResult result = 0;
  FMT_RETRY(result, FMT_POSIX_CALL(read(fd_, buffer, convert_rwcount(count))));
  if (result < 0) FMT_THROW(system_error(errno, "cannot read from file"));
  return detail::to_unsigned(result);
}

std::size_t file::write(const void* buffer, std::size_t count) {

Reported by FlawFinder.

src/mongo/util/bufreader.h
4 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 65 Column: 10 CWE codes: 120 20 

              
    /** read in the object specified, and advance buffer pointer */
    template <typename T>
    void read(T& t) {
        ConstDataRangeCursor cdrc(_pos, _end);
        cdrc.readAndAdvance(&t);
        _pos = cdrc.data();
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 73 Column: 7 CWE codes: 120 20 

              
    /** read in and return an object of the specified type, and advance buffer pointer */
    template <typename T>
    T read() {
        T out{};
        read(out);
        return out;
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 75 Column: 9 CWE codes: 120 20 

                  template <typename T>
    T read() {
        T out{};
        read(out);
        return out;
    }

    /** read in the object specified, but do not advance buffer pointer */
    template <typename T>

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 118 Column: 22 CWE codes: 120 20 

              
    /// reads a NUL terminated string
    StringData readCStr() {
        auto range = read<Terminated<'\0', ConstDataRange>>().value;

        return StringData(range.data(), range.length());
    }

    void readStr(std::string& s) {

Reported by FlawFinder.

src/third_party/boost/libs/serialization/src/basic_xml_grammar.ipp
4 issues
Shifting 32-bit value by 61 bits is undefined behaviour
Error

Line: 260 CWE codes: 758 

                  ;

    Eq =
        !S >> '=' >> !S
    ;

    AttributeList = 
        *(S >> Attribute)
    ;

Reported by Cppcheck.

Shifting 32-bit value by 61 bits is undefined behaviour
Error

Line: 260 CWE codes: 758 

                  ;

    Eq =
        !S >> '=' >> !S
    ;

    AttributeList = 
        *(S >> Attribute)
    ;

Reported by Cppcheck.

Shifting 32-bit value by 60 bits is undefined behaviour
Error

Line: 269 CWE codes: 758 

                  
    STag =
        !S
        >> '<'
        >> Name  [xml::assign_object(rv.object_name)]
        >> AttributeList
        >> !S
        >> '>'
    ;

Reported by Cppcheck.

Shifting 32-bit value by 60 bits is undefined behaviour
Error

Line: 269 CWE codes: 758 

                  
    STag =
        !S
        >> '<'
        >> Name  [xml::assign_object(rv.object_name)]
        >> AttributeList
        >> !S
        >> '>'
    ;

Reported by Cppcheck.

src/third_party/boost/libs/log/src/windows/ipc_sync_wrappers.hpp
4 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 64 Column: 10 CWE codes: 362 

              public:
    void create(const wchar_t* name, bool manual_reset, permissions const& perms = permissions());
    void create_or_open(const wchar_t* name, bool manual_reset, permissions const& perms = permissions());
    void open(const wchar_t* name);

    boost::winapi::HANDLE_ get_handle() const BOOST_NOEXCEPT { return m_event.get(); }

    void set()
    {

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 146 Column: 10 CWE codes: 362 

              
public:
    void create_or_open(const wchar_t* name, permissions const& perms = permissions());
    void open(const wchar_t* name);

    boost::winapi::HANDLE_ get_handle() const BOOST_NOEXCEPT { return m_sem.get(); }

    void post(uint32_t count)
    {

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 290 Column: 10 CWE codes: 362 

                      m_shared_state = shared;
    }

    void open(const wchar_t* name, shared_state* shared)
    {
        m_event.open(name);
        m_shared_state = shared;
    }

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 292 Column: 17 CWE codes: 362 

              
    void open(const wchar_t* name, shared_state* shared)
    {
        m_event.open(name);
        m_shared_state = shared;
    }

    bool try_lock()
    {

Reported by FlawFinder.

src/third_party/boost/libs/log/src/windows/event_log_registry.hpp
4 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 67 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
    static std::string make_default_source_name()
    {
        char buf[MAX_PATH];
        DWORD size = GetModuleFileNameA(NULL, buf, sizeof(buf) / sizeof(*buf));

        std::string source_name(buf, buf + size);
        if (source_name.empty())
        {

Reported by FlawFinder.

wchar_t - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 183 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
    static std::wstring make_default_source_name()
    {
        wchar_t buf[MAX_PATH];
        DWORD size = GetModuleFileNameW(NULL, buf, sizeof(buf) / sizeof(*buf));

        std::wstring source_name(buf, buf + size);
        if (source_name.empty())
        {

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 155 Column: 27 CWE codes: 126 

              
        value.resize(size);
        res = RegQueryValueExA(hKey, lpValueName, NULL, &type, reinterpret_cast< LPBYTE >(&value[0]), &size);
        value.resize(std::strlen(value.c_str())); // remove extra terminating zero

        return res;
    }

    static const char* get_event_message_file_param_name() { return "EventMessageFile"; }

Reported by FlawFinder.

wcslen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 272 Column: 27 CWE codes: 126 

              
        value.resize(size);
        res = RegQueryValueExW(hKey, lpValueName, NULL, &type, reinterpret_cast< LPBYTE >(&value[0]), &size);
        value.resize(std::wcslen(value.c_str())); // remove extra terminating zero

        return res;
    }

    static const wchar_t* get_event_message_file_param_name() { return L"EventMessageFile"; }

Reported by FlawFinder.

src/third_party/boost/libs/log/src/setup/default_formatter_factory.cpp
4 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 102 Column: 13 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
        void operator() (std::tm const& value) const
        {
            char buf[32];
            std::size_t len = std::strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S", &value);
            m_strm.write(buf, len);
        }

        void operator() (boost::posix_time::ptime const& value) const

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 112 Column: 17 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                          if (!value.is_special())
            {
                std::tm t = boost::posix_time::to_tm(value);
                char buf[32];
                std::size_t len = std::strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S", &t);
                std::size_t size = sizeof(buf) - len;
                int res = boost::log::aux::snprintf(buf + len, size, ".%.6u", static_cast< unsigned int >(value.time_of_day().total_microseconds() % 1000000));
                if (res < 0)
                    buf[len] = '\0';

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 149 Column: 17 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                          if (!value.is_special())
            {
                std::tm t = boost::gregorian::to_tm(value);
                char buf[32];
                std::size_t len = std::strftime(buf, sizeof(buf), "%Y-%m-%d", &t);
                m_strm.write(buf, len);
            }
            else
            {

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 174 Column: 17 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                              unsigned int minutes = static_cast< unsigned int >(total_useconds / (60ull * 1000000ull) % 60ull);
                unsigned int seconds = static_cast< unsigned int >(total_useconds / 1000000ull % 60ull);
                unsigned int useconds = static_cast< unsigned int >(total_useconds % 1000000ull);
                char buf[64];
                int len = boost::log::aux::snprintf(buf, sizeof(buf), "%.2llu:%.2u:%.2u.%.6u", hours, minutes, seconds, useconds);
                if (len > 0)
                {
                    unsigned int size = static_cast< unsigned int >(len) >= sizeof(buf) ? static_cast< unsigned int >(sizeof(buf)) : static_cast< unsigned int >(len);
                    m_strm.write(buf, size);

Reported by FlawFinder.

src/mongo/transport/transport_layer_asio.cpp
4 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 1020 Column: 19 CWE codes: 362
Suggestion: Use fchmod( ) instead 

              
#ifndef _WIN32
        if (addr.family() == AF_UNIX) {
            if (::chmod(addr.toString().c_str(), serverGlobalParams.unixSocketPermissions) == -1) {
                LOGV2_ERROR(23026,
                            "Failed to chmod socket file {path} {error}",
                            "Failed to chmod socket file",
                            "path"_attr = addr.toString().c_str(),
                            "error"_attr = errnoWithDescription(errno));

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 536 Column: 10 CWE codes: 362 

                  std::error_code ec;

    const auto protocol = endpoint->protocol();
    sock.open(protocol);

#ifdef TCP_FASTOPEN_CONNECT
    const auto family = protocol.family();
    if ((family == AF_INET) || (family == AF_INET6)) {
        setSocketOption(

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 685 Column: 35 CWE codes: 362 

                              stdx::lock_guard<Latch> lk(connector->mutex);

                connector->resolvedEndpoint = results.front();
                connector->socket.open(connector->resolvedEndpoint->protocol());
                connector->socket.non_blocking(true);
            } catch (asio::system_error& ex) {
                return futurize(ex.code());
            }

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 975 Column: 22 CWE codes: 362 

              
        GenericAcceptor acceptor(*_acceptorReactor);
        try {
            acceptor.open(addr->protocol());
        } catch (std::exception&) {
            // Allow the server to start when "ipv6: true" and "bindIpAll: true", but the platform
            // does not support ipv6 (e.g., ipv6 kernel module is not loaded in Linux).
            const auto bindAllIPv6Addr = ":::"_sd + std::to_string(_listenerPort);
            if (errno == EAFNOSUPPORT && _listenerOptions.enableIPv6 && addr.family() == AF_INET6 &&

Reported by FlawFinder.

src/third_party/boost/libs/log/src/thread_specific.cpp
4 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 189 Column: 14 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                          BOOST_LOG_THROW_DESCR_PARAMS(system_error, "TLS capacity depleted", (res));
        }
        std::memset(&stg, 0, sizeof(stg));
        std::memcpy(&stg, &key, sizeof(pthread_key_type));
    }

    static void deallocate(void* stg)
    {
        pthread_key_type key;

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 195 Column: 14 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  static void deallocate(void* stg)
    {
        pthread_key_type key;
        std::memcpy(&key, &stg, sizeof(pthread_key_type));
        pthread_key_delete(key);
    }

    static void set_value(void* stg, void* value)
    {

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 202 Column: 14 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  static void set_value(void* stg, void* value)
    {
        pthread_key_type key;
        std::memcpy(&key, &stg, sizeof(pthread_key_type));
        const int res = pthread_setspecific(key, value);
        if (BOOST_UNLIKELY(res != 0))
        {
            BOOST_LOG_THROW_DESCR_PARAMS(system_error, "Failed to set TLS value", (res));
        }

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 213 Column: 14 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  static void* get_value(void* stg)
    {
        pthread_key_type key;
        std::memcpy(&key, &stg, sizeof(pthread_key_type));
        return pthread_getspecific(key);
    }
};

template< typename KeyT >

Reported by FlawFinder.