The following issues were found

fs/lockd/clnt4xdr.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 158 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	if (unlikely(p == NULL))
		goto out_overflow;
	cookie->len = length;
	memcpy(cookie->data, p, length);
	return 0;
out_hpux:
	cookie->len = 4;
	memset(cookie->data, 0, 4);
	return 0;

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 308 Column: 15 CWE codes: 126 

              static void encode_caller_name(struct xdr_stream *xdr, const char *name)
{
	/* NB: client-side does not set lock->len */
	u32 length = strlen(name);
	__be32 *p;

	p = xdr_reserve_space(xdr, 4 + length);
	xdr_encode_opaque(p, name, length);
}

Reported by FlawFinder.

fs/lockd/clntproc.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 46 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              {
	u32	cookie = atomic_inc_return(&nlm_cookie);

	memcpy(c->data, &cookie, 4);
	c->len=4;
}

static struct nlm_lockowner *
nlmclnt_get_lockowner(struct nlm_lockowner *lockowner)

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 133 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	char *nodename = req->a_host->h_rpcclnt->cl_nodename;

	nlmclnt_next_cookie(&argp->cookie);
	memcpy(&lock->fh, NFS_FH(locks_inode(fl->fl_file)), sizeof(struct nfs_fh));
	lock->caller  = nodename;
	lock->oh.data = req->a_owner;
	lock->oh.len  = snprintf(req->a_owner, sizeof(req->a_owner), "%u@%s",
				(unsigned int)fl->fl_u.nfs_fl.owner->pid,
				nodename);

Reported by FlawFinder.

fs/lockd/clntxdr.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 155 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	if (unlikely(p == NULL))
		goto out_overflow;
	cookie->len = length;
	memcpy(cookie->data, p, length);
	return 0;
out_hpux:
	cookie->len = 4;
	memset(cookie->data, 0, 4);
	return 0;

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 302 Column: 15 CWE codes: 126 

              static void encode_caller_name(struct xdr_stream *xdr, const char *name)
{
	/* NB: client-side does not set lock->len */
	u32 length = strlen(name);
	__be32 *p;

	p = xdr_reserve_space(xdr, 4 + length);
	xdr_encode_opaque(p, name, length);
}

Reported by FlawFinder.

fs/lockd/svcsubs.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 109 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	if (!file)
		goto out_unlock;

	memcpy(&file->f_handle, f, sizeof(struct nfs_fh));
	mutex_init(&file->f_mutex);
	INIT_HLIST_NODE(&file->f_list);
	INIT_LIST_HEAD(&file->f_blocks);

	/* Open the file. Note that this must not sleep for too long, else

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 120 Column: 28 CWE codes: 362 

              	 * We have to make sure we have the right credential to open
	 * the file.
	 */
	if ((nfserr = nlmsvc_ops->fopen(rqstp, f, &file->f_file)) != 0) {
		dprintk("lockd: open failed (error %d)\n", nfserr);
		goto out_free;
	}

	hlist_add_head(&file->f_list, &nlm_files[hash]);

Reported by FlawFinder.

fs/nfs/blocklayout/dev.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 90 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              			p = xdr_inline_decode(xdr, b->simple.sigs[i].sig_len);
			if (!p)
				return -EIO;
			memcpy(&b->simple.sigs[i].sig, p,
				b->simple.sigs[i].sig_len);

			b->simple.len += 8 + 4 + \
				(XDR_QUADLEN(b->simple.sigs[i].sig_len) << 2);
		}

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 152 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              			return -EIO;
		if (b->scsi.designator_len > 256)
			return -EIO;
		memcpy(&b->scsi.designator, p, b->scsi.designator_len);
		p = xdr_inline_decode(xdr, 8);
		if (!p)
			return -EIO;
		p = xdr_decode_hyper(p, &b->scsi.pr_key);
		break;

Reported by FlawFinder.

fs/nfs/callback_proc.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 699 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	cp_state->error = args->error;
	if (!args->error) {
		cp_state->verf.committed = args->wr_writeverf.committed;
		memcpy(&cp_state->verf.verifier.data[0],
			&args->wr_writeverf.verifier.data[0],
			NFS4_VERIFIER_SIZE);
	}
}

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 735 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              out:
	rcu_read_unlock();
	if (!found) {
		memcpy(&copy->stateid, &args->coa_stateid, NFS4_STATEID_SIZE);
		nfs4_copy_cb_args(copy, args);
		list_add_tail(&copy->copies, &cps->clp->pending_cb_stateids);
	} else
		kfree(copy);
	spin_unlock(&cps->clp->cl_lock);

Reported by FlawFinder.

fs/nfs/nfs2xdr.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 190 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	__be32 *p;

	p = xdr_reserve_space(xdr, NFS2_FHSIZE);
	memcpy(p, fh->data, NFS2_FHSIZE);
}

static int decode_fhandle(struct xdr_stream *xdr, struct nfs_fh *fh)
{
	__be32 *p;

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 201 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	if (unlikely(!p))
		return -EIO;
	fh->size = NFS2_FHSIZE;
	memcpy(fh->data, p, NFS2_FHSIZE);
	return 0;
}

/*
 * 2.3.4.  timeval

Reported by FlawFinder.

fs/nfs/nfs3acl.c
2 issues
strcpy - Does not check for buffer overflows when copying to destination [MS-banned]
Security

Line: 325 Column: 2 CWE codes: 120
Suggestion: Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused) 

              	if (*result > size)
		return -ERANGE;

	strcpy(p, name);
	return 0;
}

ssize_t
nfs3_listxattr(struct dentry *dentry, char *data, size_t size)

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 318 Column: 13 CWE codes: 126 

              
	posix_acl_release(acl);

	*result += strlen(name);
	*result += 1;
	if (!size)
		return 0;
	if (*result > size)
		return -ERANGE;

Reported by FlawFinder.

fs/nfs/nfs3proc.c
2 issues
access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 249 Column: 34 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly 

              	status = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
	nfs_refresh_inode(inode, res.fattr);
	if (status == 0)
		nfs_access_set_mask(entry, res.access);
	nfs_free_fattr(res.fattr);
out:
	dprintk("NFS reply access: %d\n", status);
	return status;
}

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 216 Column: 21 CWE codes: 126 

              			     struct nfs_fattr *fattr, struct nfs4_label *label)
{
	const char dotdot[] = "..";
	const size_t len = strlen(dotdot);
	unsigned short task_flags = 0;

	if (NFS_SERVER(inode)->flags & NFS_MOUNT_SOFTREVAL)
		task_flags |= RPC_TASK_TIMEOUT;

Reported by FlawFinder.

fs/nfs/nfs42proc.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 203 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              		goto out;
	}

	memcpy(&copy->stateid, &res->write_res.stateid, NFS4_STATEID_SIZE);
	init_completion(&copy->completion);
	copy->parent_dst_state = dst_ctx->state;
	copy->parent_src_state = src_ctx->state;

	list_add_tail(&copy->copies, &dst_server->ss_copies);

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 235 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	}
out:
	res->write_res.count = copy->count;
	memcpy(&res->write_res.verifier, &copy->verf, sizeof(copy->verf));
	status = -copy->error;

out_free:
	kfree(copy);
	return status;

Reported by FlawFinder.