Tainted data used as the length argument to memcpy. That's not even a mistake; it's laziness, pure and simple.
Of course even in this code snippet we have C code written by someone who doesn't know that sizeof is an operator, not a function, and its argument does not need to be parenthesized unless it's a type name.
Most developers simply don't have the discipline to write in C.
And an unconstrained overflow of an automatic-storage-class[1] very likely is an RCE vulnerability on popular platforms. It's the classic RCE, going back to Levi and to Morris before him.
[1] "Stack", though C does not require a traditional contiguous stack, and the language does not use that term.
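A C illustration of the bug the comment describes, added here as an example and not taken from the commenter or the code under discussion: a constructed "length byte, then payload" record, the unchecked memcpy beside a checked version, with `sizeof` used as the operator it is. The record format and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record format: one length byte, then that many payload bytes.
 * The length byte comes from untrusted input, i.e. it is tainted. */
#define MAX_PAYLOAD 16

/* The mistake as described: the tainted length feeds memcpy directly, so a
 * length above sizeof payload writes past the automatic-storage buffer.
 * Never called in this example; it only shows the shape of the bug. */
void parse_record_unchecked(const uint8_t *rec, size_t rec_len)
{
    uint8_t payload[MAX_PAYLOAD];
    size_t len = rec[0];            /* tainted */
    (void)rec_len;
    memcpy(payload, rec + 1, len);  /* overflow when len > sizeof payload */
    (void)payload;
}

/* Hardened form: bound the tainted length by the destination capacity and by
 * the bytes actually present before copying.
 * Returns the number of payload bytes copied, or -1 on malformed input. */
int parse_record_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < 1)
        return -1;
    size_t len = rec[0];              /* tainted */
    if (len > out_cap)                /* destination bound */
        return -1;
    if (len > rec_len - 1)            /* source bound: truncated record */
        return -1;
    memcpy(out, rec + 1, len);
    return (int)len;
}

int main(void)
{
    uint8_t payload[MAX_PAYLOAD];
    const uint8_t good[] = { 3, 'a', 'b', 'c' };     /* constructed input */
    const uint8_t bad[]  = { 200, 'x' };             /* claims 200, has 1 */
    printf("good: %d\n", parse_record_checked(good, sizeof good, payload, sizeof payload));
    printf("bad:  %d\n",  parse_record_checked(bad,  sizeof bad,  payload, sizeof payload));
    return 0;
}
```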