Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cracklib2-2.9.6/python/_cracklib.c
Examining data/cracklib2-2.9.6/util/testlib.c
Examining data/cracklib2-2.9.6/util/unpacker.c
Examining data/cracklib2-2.9.6/util/packer.c
Examining data/cracklib2-2.9.6/util/testnum.c
Examining data/cracklib2-2.9.6/util/teststr.c
Examining data/cracklib2-2.9.6/util/check.c
Examining data/cracklib2-2.9.6/lib/stringlib.c
Examining data/cracklib2-2.9.6/lib/packer.h
Examining data/cracklib2-2.9.6/lib/crack.h
Examining data/cracklib2-2.9.6/lib/packlib.c
Examining data/cracklib2-2.9.6/lib/fascist.c
Examining data/cracklib2-2.9.6/lib/rules.c
Examining data/cracklib2-2.9.6/debian/examples/cracklib_example.c
FINAL RESULTS:
data/cracklib2-2.9.6/lib/fascist.c:523:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(gbuffer, Lowercase(tbuffer));
data/cracklib2-2.9.6/lib/fascist.c:588:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(longbuffer, uwords[i]);
data/cracklib2-2.9.6/lib/fascist.c:589:3: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(longbuffer, uwords[j]);
data/cracklib2-2.9.6/lib/fascist.c:596:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(longbuffer, uwords[j]);
data/cracklib2-2.9.6/lib/fascist.c:597:3: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(longbuffer, uwords[i]);
data/cracklib2-2.9.6/lib/fascist.c:609:3: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(longbuffer, uwords[j]);
data/cracklib2-2.9.6/lib/fascist.c:621:3: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(longbuffer, uwords[i]);
data/cracklib2-2.9.6/lib/fascist.c:743:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(password, (char *)Lowercase(password));
data/cracklib2-2.9.6/lib/fascist.c:814:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(password, (char *)Reverse(password));
data/cracklib2-2.9.6/lib/packlib.c:536:2: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(nstr, ostr);
data/cracklib2-2.9.6/lib/rules.c:27:5: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, a, b, c, d, e, f, g);
data/cracklib2-2.9.6/lib/rules.c:160:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, string);
data/cracklib2-2.9.6/lib/rules.c:439:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, input);
data/cracklib2-2.9.6/lib/rules.c:448:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, Reverse(area));
data/cracklib2-2.9.6/lib/rules.c:451:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, Uppercase(area));
data/cracklib2-2.9.6/lib/rules.c:454:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, Lowercase(area));
data/cracklib2-2.9.6/lib/rules.c:457:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, Capitalise(area));
data/cracklib2-2.9.6/lib/rules.c:460:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, Pluralise(area));
data/cracklib2-2.9.6/lib/rules.c:463:6: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(area, Reverse(area));
data/cracklib2-2.9.6/lib/rules.c:466:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area2, area);
data/cracklib2-2.9.6/lib/rules.c:467:6: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(area, area2);
data/cracklib2-2.9.6/lib/rules.c:515:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area2 + 1, area);
data/cracklib2-2.9.6/lib/rules.c:516:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, area2);
data/cracklib2-2.9.6/lib/rules.c:550:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area2, area);
data/cracklib2-2.9.6/lib/rules.c:608:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(p2, p1);
data/cracklib2-2.9.6/lib/rules.c:609:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, area2);
data/cracklib2-2.9.6/lib/rules.c:621:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, Purge(area, *(++ptr)));
data/cracklib2-2.9.6/lib/rules.c:624:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, PolyPurge(area, ptr[2]));
data/cracklib2-2.9.6/lib/rules.c:635:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, Substitute(area, ptr[1], ptr[2]));
data/cracklib2-2.9.6/lib/rules.c:639:3: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(area, PolySubst(area, ptr[2], ptr[3]));
data/cracklib2-2.9.6/lib/stringlib.c:56:2: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(retval, string);
data/cracklib2-2.9.6/python/_cracklib.c:114:9: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
sprintf(dictfile, "%s" DICT_SUFFIX, dict);
data/cracklib2-2.9.6/python/_cracklib.c:136:9: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
sprintf(dictfile, "%s" DICT_SUFFIX, defaultdict);
data/cracklib2-2.9.6/util/packer.c:72:2: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(prev, buffer);
data/cracklib2-2.9.6/debian/examples/cracklib_example.c:25:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char password[80U] = "";
data/cracklib2-2.9.6/lib/fascist.c:502:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char gbuffer[STRINGSIZE];
data/cracklib2-2.9.6/lib/fascist.c:503:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tbuffer[STRINGSIZE];
data/cracklib2-2.9.6/lib/fascist.c:504:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *uwords[STRINGSIZE];
data/cracklib2-2.9.6/lib/fascist.c:505:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char longbuffer[STRINGSIZE];
data/cracklib2-2.9.6/lib/fascist.c:704:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char junk[STRINGSIZE];
data/cracklib2-2.9.6/lib/fascist.c:706:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char rpassword[STRINGSIZE];
data/cracklib2-2.9.6/lib/fascist.c:852:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char pwtrunced[STRINGSIZE];
data/cracklib2-2.9.6/lib/fascist.c:904:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char pwtrunced[STRINGSIZE];
data/cracklib2-2.9.6/lib/packer.h:71:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char data_put[NUMWORDS][MAXWORDLEN];
data/cracklib2-2.9.6/lib/packer.h:72:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char data_get[NUMWORDS][MAXWORDLEN];
data/cracklib2-2.9.6/lib/packlib.c:45:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char data_put[NUMWORDS][MAXWORDLEN];
data/cracklib2-2.9.6/lib/packlib.c:46:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char data_get[NUMWORDS][MAXWORDLEN];
data/cracklib2-2.9.6/lib/packlib.c:73:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char iname[STRINGSIZE];
data/cracklib2-2.9.6/lib/packlib.c:74:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char dname[STRINGSIZE];
data/cracklib2-2.9.6/lib/packlib.c:75:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char wname[STRINGSIZE];
data/cracklib2-2.9.6/lib/packlib.c:97:21: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!(pdesc.dfp = fopen(dname, mode)))
data/cracklib2-2.9.6/lib/packlib.c:118:21: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!(pdesc.dfp = fopen(dname, mode)))
data/cracklib2-2.9.6/lib/packlib.c:125:23: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!(pdesc.ifp = fopen(iname, mode)))
data/cracklib2-2.9.6/lib/packlib.c:137:22: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((pdesc.wfp = fopen(wname, mode)))
data/cracklib2-2.9.6/lib/packlib.c:455:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[NUMWORDS * MAXWORDLEN];
data/cracklib2-2.9.6/lib/rules.c:90:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE];
data/cracklib2-2.9.6/lib/rules.c:105:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE];
data/cracklib2-2.9.6/lib/rules.c:122:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE];
data/cracklib2-2.9.6/lib/rules.c:139:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE];
data/cracklib2-2.9.6/lib/rules.c:158:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE];
data/cracklib2-2.9.6/lib/rules.c:169:2: [2] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant string.
strcat(area, "es");
data/cracklib2-2.9.6/lib/rules.c:179:6: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(area + length - 1, "ies");
data/cracklib2-2.9.6/lib/rules.c:184:2: [2] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant string.
strcat(area, "es");
data/cracklib2-2.9.6/lib/rules.c:201:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE];
data/cracklib2-2.9.6/lib/rules.c:218:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE];
data/cracklib2-2.9.6/lib/rules.c:381:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE];
data/cracklib2-2.9.6/lib/rules.c:398:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE];
data/cracklib2-2.9.6/lib/rules.c:437:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char area[STRINGSIZE * 2] = {0};
data/cracklib2-2.9.6/lib/rules.c:438:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char area2[STRINGSIZE * 2] = {0};
data/cracklib2-2.9.6/python/_cracklib.c:79:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char errmsg[255];
data/cracklib2-2.9.6/util/check.c:20:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[LINE_MAX];
data/cracklib2-2.9.6/util/packer.c:23:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[STRINGSIZE], prev[STRINGSIZE];
data/cracklib2-2.9.6/util/testlib.c:18:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[1024];
data/cracklib2-2.9.6/util/testnum.c:21:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[STRINGSIZE];
data/cracklib2-2.9.6/util/teststr.c:16:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[STRINGSIZE];
data/cracklib2-2.9.6/debian/examples/cracklib_example.c:30:5: [1] (buffer) scanf:
It's unclear if the %s limit in the format string is small enough
(CWE-120). Check that the limit is sufficiently small, or use a different
input function.
scanf( "%79s", password );
data/cracklib2-2.9.6/lib/fascist.c:446:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(password);
data/cracklib2-2.9.6/lib/fascist.c:512:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(tbuffer, user, STRINGSIZE);
data/cracklib2-2.9.6/lib/fascist.c:521:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(tbuffer, gecos, STRINGSIZE);
data/cracklib2-2.9.6/lib/fascist.c:586:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
data/cracklib2-2.9.6/lib/fascist.c:586:30: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
data/cracklib2-2.9.6/lib/fascist.c:605:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(uwords[j]) < STRINGSIZE - 1)
data/cracklib2-2.9.6/lib/fascist.c:617:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(uwords[i]) < STRINGSIZE - 1)
data/cracklib2-2.9.6/lib/fascist.c:712:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(rpassword, instring, TRUNCSTRINGSIZE);
data/cracklib2-2.9.6/lib/fascist.c:716:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(password) < 4)
data/cracklib2-2.9.6/lib/fascist.c:721:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(password) < MINLEN)
data/cracklib2-2.9.6/lib/fascist.c:738:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(junk) < MINDIFF)
data/cracklib2-2.9.6/lib/fascist.c:770:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
maxrepeat = 3+(0.09*strlen(password));
data/cracklib2-2.9.6/lib/fascist.c:866:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(pwtrunced, password, TRUNCSTRINGSIZE);
data/cracklib2-2.9.6/lib/fascist.c:918:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(pwtrunced, password, TRUNCSTRINGSIZE);
data/cracklib2-2.9.6/lib/fascist.c:933:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(errstr, error, errstr_len);
data/cracklib2-2.9.6/lib/packlib.c:394:2: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(pwp->data_put[pwp->count], string, MAXWORDLEN);
data/cracklib2-2.9.6/lib/rules.c:72:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
i = strlen(myword);
data/cracklib2-2.9.6/lib/rules.c:73:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
j = strlen(suffix);
data/cracklib2-2.9.6/lib/rules.c:91:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
j = i = strlen(str);
data/cracklib2-2.9.6/lib/rules.c:159:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
length = strlen(string);
data/cracklib2-2.9.6/lib/rules.c:175:6: [1] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant character.
strcat(area, "s");
data/cracklib2-2.9.6/lib/rules.c:188:2: [1] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant character.
strcat(area, "s");
data/cracklib2-2.9.6/lib/rules.c:482:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ( (int) strlen(area) <= limit)
data/cracklib2-2.9.6/lib/rules.c:501:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ( (int) strlen(area) >= limit)
data/cracklib2-2.9.6/lib/stringlib.c:53:30: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
retval = (char *) malloc(strlen(string) + 1);
data/cracklib2-2.9.6/python/_cracklib.c:108:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
dictfile = malloc(strlen(dict) + sizeof(DICT_SUFFIX));
data/cracklib2-2.9.6/python/_cracklib.c:129:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
dictfile = malloc(strlen(defaultdict) + sizeof(DICT_SUFFIX));
data/cracklib2-2.9.6/python/_cracklib.c:164:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((errmsg != NULL) && (strlen(errmsg) > 0))
data/cracklib2-2.9.6/util/check.c:31:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
while (((i = strlen(buf)) > 0) && (i > 0)) {
data/cracklib2-2.9.6/util/check.c:43:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((why != NULL) && (strlen(why) > 0)) {
ANALYSIS SUMMARY:
Hits = 106
Lines analyzed = 3221 in approximately 0.19 seconds (17067 lines/second)
Physical Source Lines of Code (SLOC) = 2652
Hits@level = [0] 59 [1] 31 [2] 41 [3] 0 [4] 34 [5] 0
Hits@level+ = [0+] 165 [1+] 106 [2+] 75 [3+] 34 [4+] 34 [5+] 0
Hits/KSLOC@level+ = [0+] 62.2172 [1+] 39.9698 [2+] 28.2805 [3+] 12.8205 [4+] 12.8205 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.