Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/binstats-1.08/derefsymlink.c
FINAL RESULTS:
data/binstats-1.08/derefsymlink.c:112:3: [5] (buffer) strncat:
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
or automatically resizing strings. Risk is high; the length parameter
appears to be a constant, instead of computing the number of characters
left.
strncat(curdir, "/", FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:116:7: [5] (buffer) strncat:
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
or automatically resizing strings. Risk is high; the length parameter
appears to be a constant, instead of computing the number of characters
left.
strncat(cname, name, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:130:13: [5] (race) readlink:
This accepts filename arguments; if an attacker can move those files or
change the link content, a race condition results. Also, it does not
terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
len = readlink(cname, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:138:3: [5] (buffer) strncat:
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
or automatically resizing strings. Risk is high; the length parameter
appears to be a constant, instead of computing the number of characters
left.
strncat(cname, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:161:7: [5] (buffer) strncat:
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
or automatically resizing strings. Risk is high; the length parameter
appears to be a constant, instead of computing the number of characters
left.
strncat(name, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:183:7: [5] (buffer) strncat:
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
or automatically resizing strings. Risk is high; the length parameter
appears to be a constant, instead of computing the number of characters
left.
strncat(tempa, tempb, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:189:7: [5] (buffer) strncat:
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
or automatically resizing strings. Risk is high; the length parameter
appears to be a constant, instead of computing the number of characters
left.
strncat(tempa, tempb, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:72:19: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
while ((i = fscanf(fi, "%s", cname)) != EOF) {
data/binstats-1.08/derefsymlink.c:231:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(iname, argv[++i]);
data/binstats-1.08/derefsymlink.c:235:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(oname, argv[++i]);
data/binstats-1.08/derefsymlink.c:44:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char iname[FILENAME_MAX], oname[FILENAME_MAX],
data/binstats-1.08/derefsymlink.c:57:17: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((fo = fopen(oname, "w")) == NULL) {
data/binstats-1.08/derefsymlink.c:67:13: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((fi = fopen(iname, "r")) == NULL) {
data/binstats-1.08/derefsymlink.c:89:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char curdir[FILENAME_MAX];
data/binstats-1.08/derefsymlink.c:94:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tempa[FILENAME_MAX], cname[FILENAME_MAX];
data/binstats-1.08/derefsymlink.c:171:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char tempa[FILENAME_MAX], tempb[FILENAME_MAX];
data/binstats-1.08/derefsymlink.c:79:7: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(cname, argv[al++], FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:108:4: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(cname, name, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:115:7: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(cname, curdir, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:140:3: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(cname, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:156:7: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(tempa, ptra, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:160:7: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(name, cname, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:162:11: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
} else strncpy(name, cname, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:174:4: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(tempa, name, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:182:7: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(tempb, ptra+4, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:188:7: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(tempb, ptra+2, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:191:4: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(name, tempa, FILENAME_MAX-1);
data/binstats-1.08/derefsymlink.c:215:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
olen = strlen(argv[i])-1;
ANALYSIS SUMMARY:
Hits = 28
Lines analyzed = 251 in approximately 0.02 seconds (13505 lines/second)
Physical Source Lines of Code (SLOC) = 186
Hits@level = [0] 16 [1] 12 [2] 6 [3] 0 [4] 3 [5] 7
Hits@level+ = [0+] 44 [1+] 28 [2+] 16 [3+] 10 [4+] 10 [5+] 7
Hits/KSLOC@level+ = [0+] 236.559 [1+] 150.538 [2+] 86.0215 [3+] 53.7634 [4+] 53.7634 [5+] 37.6344
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.