Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/http-parser-2.9.3/bench.c
Examining data/http-parser-2.9.3/contrib/parsertrace.c
Examining data/http-parser-2.9.3/contrib/url_parser.c
Examining data/http-parser-2.9.3/http_parser.c
Examining data/http-parser-2.9.3/http_parser.h
Examining data/http-parser-2.9.3/test.c

FINAL RESULTS:

data/http-parser-2.9.3/test.c:3905:20:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  size_t buf1len = sprintf(buf1, "%s\r\nConnection: Keep-Alive\r\nContent-Length: %lu\r\n\r\n",
data/http-parser-2.9.3/test.c:3942:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(total, r1->raw);
data/http-parser-2.9.3/test.c:3943:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(total, r2->raw);
data/http-parser-2.9.3/test.c:3944:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(total, r3->raw);
data/http-parser-2.9.3/test.c:3993:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(total, r1->raw);
data/http-parser-2.9.3/test.c:3994:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(total, r2->raw);
data/http-parser-2.9.3/test.c:3995:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(total, r3->raw);
data/http-parser-2.9.3/test.c:4454:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(buf, "%s / HTTP/1.1\r\n\r\n", *this_method);
data/http-parser-2.9.3/test.c:4474:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(buf, "%s / HTTP/1.1\r\n\r\n", *this_method);
data/http-parser-2.9.3/contrib/parsertrace.c:108:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE* file = fopen(filename, "r");
data/http-parser-2.9.3/http_parser.c:189:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char tokens[256] = {
data/http-parser-2.9.3/test.c:54:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char response_status[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:55:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char request_path[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:56:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char request_url[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:57:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char fragment[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:58:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char query_string[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:59:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char body[MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:66:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char headers [MAX_HEADERS][2][MAX_ELEMENT_SIZE];
data/http-parser-2.9.3/test.c:2079:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dst + dlen, src, ncpy);
data/http-parser-2.9.3/test.c:2097:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dst, src, ncpy);
data/http-parser-2.9.3/test.c:2632:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char ubuf[256]; \
data/http-parser-2.9.3/test.c:2635:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ubuf, (found)->request_url + (u)->field_data[(fn)].off, \
data/http-parser-2.9.3/test.c:3904:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf1[3000];
data/http-parser-2.9.3/test.c:3935:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char total[ strlen(r1->raw)
data/http-parser-2.9.3/test.c:3988:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char total[80*1024] = "\0";
data/http-parser-2.9.3/test.c:3989:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf1[80*1024] = "\0";
data/http-parser-2.9.3/test.c:3990:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf2[80*1024] = "\0";
data/http-parser-2.9.3/test.c:3991:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf3[80*1024] = "\0";
data/http-parser-2.9.3/test.c:4119:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf, headers, headers_len);
data/http-parser-2.9.3/test.c:4124:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf + wrote, "400\r\n", 5);
data/http-parser-2.9.3/test.c:4128:5:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(buf + wrote, "\r\n");
data/http-parser-2.9.3/test.c:4132:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf + wrote, "0\r\n\r\n", 6);
data/http-parser-2.9.3/test.c:4453:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[200];
data/http-parser-2.9.3/test.c:4473:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[200];
data/http-parser-2.9.3/contrib/url_parser.c:34:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(argv[2]);
data/http-parser-2.9.3/test.c:2680:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (http_parser_parse_url(m->request_url, strlen(m->request_url), 0, &u)) {
data/http-parser-2.9.3/test.c:2776:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  off += strlen(m->raw);
data/http-parser-2.9.3/test.c:2779:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  off -= strlen(m->upgrade);
data/http-parser-2.9.3/test.c:2788:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  *(body + nread + strlen(m->upgrade)) = '\0';
data/http-parser-2.9.3/test.c:2809:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t i, j, len = strlen(raw), error_location_line = 0;
data/http-parser-2.9.3/test.c:3451:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  test->url ? strlen(test->url) : 0,
data/http-parser-2.9.3/test.c:3502:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t raw_len = strlen(message->raw);
data/http-parser-2.9.3/test.c:3507:12:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  size_t read;
data/http-parser-2.9.3/test.c:3518:70:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (!messages[0].headers_complete_cb_called && parser.nread != read) {
data/http-parser-2.9.3/test.c:3519:32:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  assert(parser.nread == read);
data/http-parser-2.9.3/test.c:3520:27:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(msg1, read);
data/http-parser-2.9.3/test.c:3525:53:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  messages[num_messages - 1].upgrade = msg1 + read;
data/http-parser-2.9.3/test.c:3529:11:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != msg1len) {
data/http-parser-2.9.3/test.c:3530:27:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(msg1, read);
data/http-parser-2.9.3/test.c:3539:51:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  messages[num_messages - 1].upgrade = msg2 + read;
data/http-parser-2.9.3/test.c:3543:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != msg2len) {
data/http-parser-2.9.3/test.c:3544:25:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(msg2, read);
data/http-parser-2.9.3/test.c:3550:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != 0) {
data/http-parser-2.9.3/test.c:3551:33:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(message->raw, read);
data/http-parser-2.9.3/test.c:3571:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  size_t read;
data/http-parser-2.9.3/test.c:3572:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t l = strlen(message->raw);
data/http-parser-2.9.3/test.c:3579:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != toread) {
data/http-parser-2.9.3/test.c:3580:33:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(message->raw, read);
data/http-parser-2.9.3/test.c:3587:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != 0) {
data/http-parser-2.9.3/test.c:3588:31:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(message->raw, read);
data/http-parser-2.9.3/test.c:3609:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parse(buf, strlen(buf));
data/http-parser-2.9.3/test.c:3643:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3644:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3647:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3677:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3678:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3681:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3711:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3712:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3715:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3738:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3739:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3742:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3765:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3766:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3769:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3814:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3815:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3818:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(buf);
data/http-parser-2.9.3/test.c:3843:62:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
data/http-parser-2.9.3/test.c:3844:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parsed == strlen(buf));
data/http-parser-2.9.3/test.c:3846:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert(parser.nread == strlen(buf));
data/http-parser-2.9.3/test.c:3935:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char total[ strlen(r1->raw)
data/http-parser-2.9.3/test.c:3936:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  + strlen(r2->raw)
data/http-parser-2.9.3/test.c:3937:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  + strlen(r3->raw)
data/http-parser-2.9.3/test.c:3948:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  size_t read;
data/http-parser-2.9.3/test.c:3950:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  read = parse(total, strlen(total));
data/http-parser-2.9.3/test.c:3953:32:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  upgrade_message_fix(total, read, 3, r1, r2, r3);
data/http-parser-2.9.3/test.c:3957:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != strlen(total)) {
data/http-parser-2.9.3/test.c:3957:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (read != strlen(total)) {
data/http-parser-2.9.3/test.c:3958:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(total, read);
data/http-parser-2.9.3/test.c:3964:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != 0) {
data/http-parser-2.9.3/test.c:3965:24:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(total, read);
data/http-parser-2.9.3/test.c:3997:10:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  size_t read;
data/http-parser-2.9.3/test.c:3999:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int total_len = strlen(total);
data/http-parser-2.9.3/test.c:4037:72:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (!messages[0].headers_complete_cb_called && parser.nread != read) {
data/http-parser-2.9.3/test.c:4038:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(buf1, read);
data/http-parser-2.9.3/test.c:4044:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != buf1_len) {
data/http-parser-2.9.3/test.c:4045:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(buf1, read);
data/http-parser-2.9.3/test.c:4053:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != buf1_len + buf2_len) {
data/http-parser-2.9.3/test.c:4054:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(buf2, read);
data/http-parser-2.9.3/test.c:4062:13:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if (read != buf1_len + buf2_len + buf3_len) {
data/http-parser-2.9.3/test.c:4063:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  print_error(buf3, read);
data/http-parser-2.9.3/test.c:4071:38:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  upgrade_message_fix(total, read, 3, r1, r2, r3);
data/http-parser-2.9.3/test.c:4115:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t headers_len = strlen(headers);
data/http-parser-2.9.3/test.c:4145:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(msg->raw);
data/http-parser-2.9.3/test.c:4194:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t buflen = strlen(msg->raw);

ANALYSIS SUMMARY:

Hits = 107
Lines analyzed = 7938 in approximately 0.26 seconds (30956 lines/second)
Physical Source Lines of Code (SLOC) = 6461
Hits@level = [0]  91 [1]  73 [2]  25 [3]   0 [4]   9 [5]   0
Hits@level+ = [0+] 198 [1+] 107 [2+]  34 [3+]   9 [4+]   9 [5+]   0
Hits/KSLOC@level+ = [0+] 30.6454 [1+] 16.5609 [2+] 5.26234 [3+] 1.39297 [4+] 1.39297 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.