Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/argon2-0~20171227/include/argon2.h
Examining data/argon2-0~20171227/src/argon2.c
Examining data/argon2-0~20171227/src/bench.c
Examining data/argon2-0~20171227/src/blake2/blake2-impl.h
Examining data/argon2-0~20171227/src/blake2/blake2.h
Examining data/argon2-0~20171227/src/blake2/blake2b.c
Examining data/argon2-0~20171227/src/blake2/blamka-round-opt.h
Examining data/argon2-0~20171227/src/blake2/blamka-round-ref.h
Examining data/argon2-0~20171227/src/core.c
Examining data/argon2-0~20171227/src/core.h
Examining data/argon2-0~20171227/src/encoding.c
Examining data/argon2-0~20171227/src/encoding.h
Examining data/argon2-0~20171227/src/genkat.c
Examining data/argon2-0~20171227/src/genkat.h
Examining data/argon2-0~20171227/src/opt.c
Examining data/argon2-0~20171227/src/ref.c
Examining data/argon2-0~20171227/src/run.c
Examining data/argon2-0~20171227/src/test.c
Examining data/argon2-0~20171227/src/thread.c
Examining data/argon2-0~20171227/src/thread.h

FINAL RESULTS:

data/argon2-0~20171227/src/argon2.c:161:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(hash, out, hashlen);
data/argon2-0~20171227/src/bench.c:56:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char out[BENCH_OUTLEN];
data/argon2-0~20171227/src/bench.c:57:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char pwd_array[BENCH_INLEN];
data/argon2-0~20171227/src/bench.c:58:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char salt_array[BENCH_INLEN];
data/argon2-0~20171227/src/blake2/blake2-impl.h:51:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&w, src, sizeof w);
data/argon2-0~20171227/src/blake2/blake2-impl.h:66:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&w, src, sizeof w);
data/argon2-0~20171227/src/blake2/blake2-impl.h:84:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst, &w, sizeof w);
data/argon2-0~20171227/src/blake2/blake2-impl.h:99:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst, &w, sizeof w);
data/argon2-0~20171227/src/blake2/blake2b.c:158:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(block, key, keylen);
data/argon2-0~20171227/src/blake2/blake2b.c:245:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&S->buf[left], pin, fill);
data/argon2-0~20171227/src/blake2/blake2b.c:259:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&S->buf[S->buflen], pin, inlen);
data/argon2-0~20171227/src/blake2/blake2b.c:287:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, buffer, S->outlen);
data/argon2-0~20171227/src/blake2/blake2b.c:367:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2);
data/argon2-0~20171227/src/blake2/blake2b.c:372:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES);
data/argon2-0~20171227/src/blake2/blake2b.c:375:13:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2);
data/argon2-0~20171227/src/blake2/blake2b.c:380:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES);
data/argon2-0~20171227/src/blake2/blake2b.c:383:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(out, out_buffer, toproduce);
data/argon2-0~20171227/src/core.c:60:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);
data/argon2-0~20171227/src/core.c:323:17:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&(thr_data[l].pos), &position,
data/argon2-0~20171227/src/encoding.c:381:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst, str, pp_len + 1); \
data/argon2-0~20171227/src/encoding.c:388:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tmp[30]; \
data/argon2-0~20171227/src/encoding.c:389:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(tmp, "%lu", (unsigned long)(x)); \
data/argon2-0~20171227/src/genkat.c:85:41:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  printf("%2.2x ", ((unsigned char *)blockhash)[i]);
data/argon2-0~20171227/src/genkat.c:137:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char out[TEST_OUTLEN];
data/argon2-0~20171227/src/genkat.c:138:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char pwd[TEST_PWDLEN];
data/argon2-0~20171227/src/genkat.c:139:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char salt[TEST_SALTLEN];
data/argon2-0~20171227/src/genkat.c:140:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char secret[TEST_SECRETLEN];
data/argon2-0~20171227/src/genkat.c:141:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char ad[TEST_ADLEN];
data/argon2-0~20171227/src/opt.c:233:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(state, ((instance->memory + prev_offset)->v), ARGON2_BLOCK_SIZE);
data/argon2-0~20171227/src/run.c:184:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char pwd[MAX_PASS_LEN], *salt;
data/argon2-0~20171227/src/test.c:39:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char out[OUT_LEN];
data/argon2-0~20171227/src/test.c:40:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char hex_out[OUT_LEN * 2 + 4];
data/argon2-0~20171227/src/test.c:41:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char encoded[ENCODED_LEN];
data/argon2-0~20171227/src/test.c:52:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf((char *)(hex_out + i * 2), "%02x", out[i]);
data/argon2-0~20171227/src/test.c:70:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char out[OUT_LEN];
data/argon2-0~20171227/src/argon2.c:268:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  encoded_len = strlen(encoded);
data/argon2-0~20171227/src/argon2.c:449:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return strlen("$$v=$m=,t=,p=$$") + strlen(argon2_type2string(type, 0)) +
data/argon2-0~20171227/src/argon2.c:449:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return strlen("$$v=$m=,t=,p=$$") + strlen(argon2_type2string(type, 0)) +
data/argon2-0~20171227/src/encoding.c:263:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t cc_len = strlen(prefix); \
data/argon2-0~20171227/src/encoding.c:273:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t cc_len = strlen(prefix); \
data/argon2-0~20171227/src/encoding.c:377:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t pp_len = strlen(str); \
data/argon2-0~20171227/src/run.c:114:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  saltlen = strlen(salt);
data/argon2-0~20171227/src/test.c:47:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = argon2_hash(t, 1 << m, p, pwd, strlen(pwd), salt, strlen(salt), out,
data/argon2-0~20171227/src/test.c:47:61:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = argon2_hash(t, 1 << m, p, pwd, strlen(pwd), salt, strlen(salt), out,
data/argon2-0~20171227/src/test.c:57:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(memcmp(encoded, mcfref, strlen(mcfref)) == 0);
data/argon2-0~20171227/src/test.c:60:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = argon2_verify(encoded, pwd, strlen(pwd), Argon2_i);
data/argon2-0~20171227/src/test.c:62:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = argon2_verify(mcfref, pwd, strlen(pwd), Argon2_i);
data/argon2-0~20171227/src/test.c:122:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:129:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:136:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:143:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:201:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:208:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:215:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:222:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "password", strlen("password"), Argon2_i);
data/argon2-0~20171227/src/test.c:235:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = argon2_hash(2, 1, 1, "password", strlen("password"),
data/argon2-0~20171227/src/test.c:236:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "diffsalt", strlen("diffsalt"),
data/argon2-0~20171227/src/test.c:241:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = argon2_hash(2, 1 << 12, 1, NULL, strlen("password"),
data/argon2-0~20171227/src/test.c:242:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  "diffsalt", strlen("diffsalt"),
data/argon2-0~20171227/src/test.c:247:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ret = argon2_hash(2, 1 << 12, 1, "password", strlen("password"), "s", 1,

ANALYSIS SUMMARY:

Hits = 60
Lines analyzed = 4991 in approximately 0.16 seconds (31519 lines/second)
Physical Source Lines of Code (SLOC) = 3324
Hits@level = [0]  77 [1]  25 [2]  35 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+] 137 [1+]  60 [2+]  35 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 41.2154 [1+] 18.0505 [2+] 10.5295 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.