Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libcli-1.10.4/clitest.c
Examining data/libcli-1.10.4/libcli.c
Examining data/libcli-1.10.4/libcli.h

FINAL RESULTS:

data/libcli-1.10.4/libcli.c:51:10: [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  size = vsnprintf(NULL, 0, fmt, argCopy);
data/libcli-1.10.4/libcli.c:57:10: [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  size = vsnprintf(*strp, size + 1, fmt, args);
data/libcli-1.10.4/libcli.c:72:5: [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  int fprintf(FILE *stream, const char *fmt, ...) {
data/libcli-1.10.4/libcli.c:828:5: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(p, argv[i]);
data/libcli-1.10.4/libcli.c:996:76: [4] (crypto) crypt:
  The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  if (des || !strncmp(pass, MD5_PREFIX, sizeof(MD5_PREFIX) - 1)) attempt = crypt(attempt, pass);
data/libcli-1.10.4/libcli.c:1412:13: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy((cmd + l), comphelp.entries[0]);
data/libcli-1.10.4/libcli.c:2548:5: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(tptr, quoteChar);
data/libcli-1.10.4/libcli.c:2549:5: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(tptr, word);
data/libcli-1.10.4/libcli.c:2550:5: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(tptr, quoteChar);
data/libcli-1.10.4/libcli.h:212:84: [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  void cli_print(struct cli_def *cli, const char *format, ...) __attribute__((format(printf, 2, 3)));
data/libcli-1.10.4/libcli.h:213:87: [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  void cli_bufprint(struct cli_def *cli, const char *format, ...) __attribute__((format(printf, 2, 3)));
data/libcli-1.10.4/libcli.h:215:84: [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  void cli_error(struct cli_def *cli, const char *format, ...) __attribute__((format(printf, 2, 3)));
data/libcli-1.10.4/clitest.c:213:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char sidename[50], *value;
data/libcli-1.10.4/clitest.c:457:15: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((fh = fopen("clitest.txt", "r"))) {
data/libcli-1.10.4/libcli.c:354:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char string[64];
data/libcli-1.10.4/libcli.c:1764:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[CLI_MAX_LINE_LENGTH];
data/libcli-1.10.4/libcli.c:2517:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char quoteChar[2] = "";
data/libcli-1.10.4/libcli.h:59:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *history[MAX_HISTORY];
data/libcli-1.10.4/libcli.h:173:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *words[CLI_MAX_LINE_WORDS];
data/libcli-1.10.4/clitest.c:231:43: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!value || !strncmp(*shape, value, strlen(value))) {
data/libcli-1.10.4/clitest.c:279:41: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!word || !strncmp(*color, word, strlen(word))) {
data/libcli-1.10.4/libcli.c:37:5: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int read(int fd, void *buf, unsigned int count) {
data/libcli-1.10.4/libcli.c:304:21: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  c->unique_len = strlen(c->command);
data/libcli-1.10.4/libcli.c:819:12: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len += strlen(argv[i]);
data/libcli-1.10.4/libcli.c:826:12: [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  if (i) strcat(p, " ");
data/libcli-1.10.4/libcli.c:867:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((!stage->words[0] || (command[strlen(command) - 1] == ' ')) && (stage->words[stage->num_words - 1]))
data/libcli-1.10.4/libcli.c:885:69: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (stage->words[i] && strncasecmp(c->command, stage->words[i], strlen(stage->words[i]))) continue;
data/libcli-1.10.4/libcli.c:897:31: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (stage->words[i] && (strlen(stage->words[i]) < c->unique_len) && strcmp(stage->words[i], c->command)) continue;
data/libcli-1.10.4/libcli.c:1007:58: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (cli->hostname) len += write(sockfd, cli->hostname, strlen(cli->hostname));
data/libcli-1.10.4/libcli.c:1009:62: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (cli->modestring) len += write(sockfd, cli->modestring, strlen(cli->modestring));
data/libcli-1.10.4/libcli.c:1012:49: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len += write(sockfd, cli->buildmode->cname, strlen(cli->buildmode->cname));
data/libcli-1.10.4/libcli.c:1014:84: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (cli->buildmode->mode_text) len += write(sockfd, cli->buildmode->mode_text, strlen(cli->buildmode->mode_text));
data/libcli-1.10.4/libcli.c:1017:47: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return len + write(sockfd, cli->promptchar, strlen(cli->promptchar));
data/libcli-1.10.4/libcli.c:1035:31: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _write(sockfd, negotiate, strlen(negotiate));
data/libcli-1.10.4/libcli.c:1106:42: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _write(sockfd, "Username: ", strlen("Username: "));
data/libcli-1.10.4/libcli.c:1110:42: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _write(sockfd, "Password: ", strlen("Password: "));
data/libcli-1.10.4/libcli.c:1124:42: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _write(sockfd, "Password: ", strlen("Password: "));
data/libcli-1.10.4/libcli.c:1168:16: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if ((n = read(sockfd, &c, 1)) < 0) {
data/libcli-1.10.4/libcli.c:1401:49: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _write(sockfd, comphelp.entries[i], strlen(comphelp.entries[i]));
data/libcli-1.10.4/libcli.c:1413:18: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  l += strlen(comphelp.entries[0]);
data/libcli-1.10.4/libcli.c:1416:49: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  _write(sockfd, comphelp.entries[0], strlen(comphelp.entries[0]));
data/libcli-1.10.4/libcli.c:1441:15: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  k = strlen(tptr);
data/libcli-1.10.4/libcli.c:1455:46: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (j = 0; (j < k) && (j < (int)strlen(wptr)); j++) {
data/libcli-1.10.4/libcli.c:1467:13: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(cmd + l, tptr, k);
data/libcli-1.10.4/libcli.c:1546:11: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(cmd, cli->history[in_history], CLI_MAX_LINE_LENGTH - 1);
data/libcli-1.10.4/libcli.c:1547:24: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  l = cursor = strlen(cmd);
data/libcli-1.10.4/libcli.c:1834:51: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (p != cli->buffer) memmove(cli->buffer, p, strlen(p));
data/libcli-1.10.4/libcli.c:1878:65: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((*value++ == '-') && (*value) && (strspn(value, "vie") == strlen(value))) return CLI_OK;
data/libcli-1.10.4/libcli.c:2515:19: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t oldlen = strlen(cmdline);
data/libcli-1.10.4/libcli.c:2516:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t wordlen = strlen(word);
data/libcli-1.10.4/libcli.c:2547:5: [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(tptr, " ");
data/libcli-1.10.4/libcli.c:2713:99: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((!strcmp(c->command, optarg_pair->name)) && (!word || !strncmp(word, optarg_pair->name, strlen(word)))) {
data/libcli-1.10.4/libcli.c:2781:59: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strncasecmp(c->command, stage->words[start_word], strlen(stage->words[start_word]))) continue;
data/libcli-1.10.4/libcli.c:3045:15: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  namewidth = strlen(nameptr);
data/libcli-1.10.4/libcli.c:3056:15: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  toprint = strlen(helpptr);
data/libcli-1.10.4/libcli.c:3098:62: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!(anchor_word && !strncmp(anchor_word, optarg->name, strlen(anchor_word)))) {
data/libcli-1.10.4/libcli.c:3127:64: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (!(anchor_word && !strncmp(anchor_word, optarg->name, strlen(anchor_word)))) {
data/libcli-1.10.4/libcli.c:3204:92: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  } while (lineptr && nameptr && helpptr && (next_word && (strncmp(next_word, nameptr, strlen(next_word)))));
data/libcli-1.10.4/libcli.c:3210:69: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  } else if ((!anchor_word || !strncmp(anchor_word, optarg->name, strlen(anchor_word))) &&
data/libcli-1.10.4/libcli.c:3300:68: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  !strncasecmp(oaptr->name, stage->words[word_idx], strlen(stage->words[word_idx]))) {

ANALYSIS SUMMARY:

Hits = 60
Lines analyzed = 4319 in approximately 0.13 seconds (32206 lines/second)
Physical Source Lines of Code (SLOC) = 3326
Hits@level = [0] 33 [1] 41 [2] 7 [3] 0 [4] 12 [5] 0
Hits@level+ = [0+] 93 [1+] 60 [2+] 19 [3+] 12 [4+] 12 [5+] 0
Hits/KSLOC@level+ = [0+] 27.9615 [1+] 18.0397 [2+] 5.71257 [3+] 3.60794 [4+] 3.60794 [5+] 0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.