Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/argon2-0~20171227/include/argon2.h
Examining data/argon2-0~20171227/src/argon2.c
Examining data/argon2-0~20171227/src/bench.c
Examining data/argon2-0~20171227/src/blake2/blake2-impl.h
Examining data/argon2-0~20171227/src/blake2/blake2.h
Examining data/argon2-0~20171227/src/blake2/blake2b.c
Examining data/argon2-0~20171227/src/blake2/blamka-round-opt.h
Examining data/argon2-0~20171227/src/blake2/blamka-round-ref.h
Examining data/argon2-0~20171227/src/core.c
Examining data/argon2-0~20171227/src/core.h
Examining data/argon2-0~20171227/src/encoding.c
Examining data/argon2-0~20171227/src/encoding.h
Examining data/argon2-0~20171227/src/genkat.c
Examining data/argon2-0~20171227/src/genkat.h
Examining data/argon2-0~20171227/src/opt.c
Examining data/argon2-0~20171227/src/ref.c
Examining data/argon2-0~20171227/src/run.c
Examining data/argon2-0~20171227/src/test.c
Examining data/argon2-0~20171227/src/thread.c
Examining data/argon2-0~20171227/src/thread.h
FINAL RESULTS:
data/argon2-0~20171227/src/argon2.c:161:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(hash, out, hashlen);
data/argon2-0~20171227/src/bench.c:56:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char out[BENCH_OUTLEN];
data/argon2-0~20171227/src/bench.c:57:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char pwd_array[BENCH_INLEN];
data/argon2-0~20171227/src/bench.c:58:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char salt_array[BENCH_INLEN];
data/argon2-0~20171227/src/blake2/blake2-impl.h:51:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&w, src, sizeof w);
data/argon2-0~20171227/src/blake2/blake2-impl.h:66:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&w, src, sizeof w);
data/argon2-0~20171227/src/blake2/blake2-impl.h:84:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dst, &w, sizeof w);
data/argon2-0~20171227/src/blake2/blake2-impl.h:99:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dst, &w, sizeof w);
data/argon2-0~20171227/src/blake2/blake2b.c:158:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(block, key, keylen);
data/argon2-0~20171227/src/blake2/blake2b.c:245:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&S->buf[left], pin, fill);
data/argon2-0~20171227/src/blake2/blake2b.c:259:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&S->buf[S->buflen], pin, inlen);
data/argon2-0~20171227/src/blake2/blake2b.c:287:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(out, buffer, S->outlen);
data/argon2-0~20171227/src/blake2/blake2b.c:367:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2);
data/argon2-0~20171227/src/blake2/blake2b.c:372:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES);
data/argon2-0~20171227/src/blake2/blake2b.c:375:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2);
data/argon2-0~20171227/src/blake2/blake2b.c:380:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES);
data/argon2-0~20171227/src/blake2/blake2b.c:383:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(out, out_buffer, toproduce);
data/argon2-0~20171227/src/core.c:60:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);
data/argon2-0~20171227/src/core.c:323:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&(thr_data[l].pos), &position,
data/argon2-0~20171227/src/encoding.c:381:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dst, str, pp_len + 1); \
data/argon2-0~20171227/src/encoding.c:388:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tmp[30]; \
data/argon2-0~20171227/src/encoding.c:389:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(tmp, "%lu", (unsigned long)(x)); \
data/argon2-0~20171227/src/genkat.c:85:41: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
printf("%2.2x ", ((unsigned char *)blockhash)[i]);
data/argon2-0~20171227/src/genkat.c:137:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char out[TEST_OUTLEN];
data/argon2-0~20171227/src/genkat.c:138:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char pwd[TEST_PWDLEN];
data/argon2-0~20171227/src/genkat.c:139:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char salt[TEST_SALTLEN];
data/argon2-0~20171227/src/genkat.c:140:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char secret[TEST_SECRETLEN];
data/argon2-0~20171227/src/genkat.c:141:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char ad[TEST_ADLEN];
data/argon2-0~20171227/src/opt.c:233:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state, ((instance->memory + prev_offset)->v), ARGON2_BLOCK_SIZE);
data/argon2-0~20171227/src/run.c:184:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char pwd[MAX_PASS_LEN], *salt;
data/argon2-0~20171227/src/test.c:39:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char out[OUT_LEN];
data/argon2-0~20171227/src/test.c:40:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char hex_out[OUT_LEN * 2 + 4];
data/argon2-0~20171227/src/test.c:41:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char encoded[ENCODED_LEN];
data/argon2-0~20171227/src/test.c:52:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf((char *)(hex_out + i * 2), "%02x", out[i]);
data/argon2-0~20171227/src/test.c:70:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char out[OUT_LEN];
data/argon2-0~20171227/src/argon2.c:268:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
encoded_len = strlen(encoded);
data/argon2-0~20171227/src/argon2.c:449:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return strlen("$$v=$m=,t=,p=$$") + strlen(argon2_type2string(type, 0)) +
data/argon2-0~20171227/src/argon2.c:449:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return strlen("$$v=$m=,t=,p=$$") + strlen(argon2_type2string(type, 0)) +
data/argon2-0~20171227/src/encoding.c:263:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t cc_len = strlen(prefix); \
data/argon2-0~20171227/src/encoding.c:273:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t cc_len = strlen(prefix); \
data/argon2-0~20171227/src/encoding.c:377:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
size_t pp_len = strlen(str); \
data/argon2-0~20171227/src/run.c:114:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
saltlen = strlen(salt);
data/argon2-0~20171227/src/test.c:47:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = argon2_hash(t, 1 << m, p, pwd, strlen(pwd), salt, strlen(salt), out,
data/argon2-0~20171227/src/test.c:47:61: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = argon2_hash(t, 1 << m, p, pwd, strlen(pwd), salt, strlen(salt), out,
data/argon2-0~20171227/src/test.c:57:40: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
assert(memcmp(encoded, mcfref, strlen(mcfref)) == 0);
data/argon2-0~20171227/src/test.c:60:39: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = argon2_verify(encoded, pwd, strlen(pwd), Argon2_i);
data/argon2-0~20171227/src/test.c:62:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = argon2_verify(mcfref, pwd, strlen(pwd), Argon2_i);
data/argon2-0~20171227/src/test.c:122:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:129:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:136:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:143:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:201:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:208:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:215:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:222:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:235:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = argon2_hash(2, 1, 1, "password", strlen("password"),
data/argon2-0~20171227/src/test.c:236:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"diffsalt", strlen("diffsalt"),
data/argon2-0~20171227/src/test.c:241:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = argon2_hash(2, 1 << 12, 1, NULL, strlen("password"),
data/argon2-0~20171227/src/test.c:242:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
"diffsalt", strlen("diffsalt"),
data/argon2-0~20171227/src/test.c:247:50: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ret = argon2_hash(2, 1 << 12, 1, "password", strlen("password"), "s", 1,
ANALYSIS SUMMARY:
Hits = 60
Lines analyzed = 4991 in approximately 0.16 seconds (31519 lines/second)
Physical Source Lines of Code (SLOC) = 3324
Hits@level = [0] 77 [1] 25 [2] 35 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 137 [1+] 60 [2+] 35 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 41.2154 [1+] 18.0505 [2+] 10.5295 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.