Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libconfuse-3.3/doc/listing1.c
Examining data/libconfuse-3.3/doc/listing2.c
Examining data/libconfuse-3.3/doc/listing3.c
Examining data/libconfuse-3.3/doc/listing4.c
Examining data/libconfuse-3.3/doc/listing5.c
Examining data/libconfuse-3.3/doc/listing6.c
Examining data/libconfuse-3.3/doc/listing7.c
Examining data/libconfuse-3.3/doc/listing8.c
Examining data/libconfuse-3.3/examples/addsec.c
Examining data/libconfuse-3.3/examples/cfgtest.c
Examining data/libconfuse-3.3/examples/cli.c
Examining data/libconfuse-3.3/examples/deprecated.c
Examining data/libconfuse-3.3/examples/env.c
Examining data/libconfuse-3.3/examples/ftpconf.c
Examining data/libconfuse-3.3/examples/nested.c
Examining data/libconfuse-3.3/examples/parsebuf.c
Examining data/libconfuse-3.3/examples/reread.c
Examining data/libconfuse-3.3/examples/simple.c
Examining data/libconfuse-3.3/examples/wincfgtest.c
Examining data/libconfuse-3.3/src/compat.h
Examining data/libconfuse-3.3/src/confuse.c
Examining data/libconfuse-3.3/src/confuse.h
Examining data/libconfuse-3.3/src/fmemopen.c
Examining data/libconfuse-3.3/src/reallocarray.c
Examining data/libconfuse-3.3/tests/annotate.c
Examining data/libconfuse-3.3/tests/check_confuse.h
Examining data/libconfuse-3.3/tests/empty_string.c
Examining data/libconfuse-3.3/tests/env.c
Examining data/libconfuse-3.3/tests/ignore_parm.c
Examining data/libconfuse-3.3/tests/include.c
Examining data/libconfuse-3.3/tests/keyval.c
Examining data/libconfuse-3.3/tests/list_plus_syntax.c
Examining data/libconfuse-3.3/tests/modified_flag.c
Examining data/libconfuse-3.3/tests/print_filter.c
Examining data/libconfuse-3.3/tests/quote_before_print.c
Examining data/libconfuse-3.3/tests/searchpath.c
Examining data/libconfuse-3.3/tests/section_add.c
Examining data/libconfuse-3.3/tests/section_getopt.c
Examining data/libconfuse-3.3/tests/section_remove.c
Examining data/libconfuse-3.3/tests/section_title_dupes.c
Examining data/libconfuse-3.3/tests/setmulti_reset.c
Examining data/libconfuse-3.3/tests/setopt_ptr.c
Examining data/libconfuse-3.3/tests/single_title_sections.c
Examining data/libconfuse-3.3/tests/suite_dup.c
Examining data/libconfuse-3.3/tests/suite_func.c
Examining data/libconfuse-3.3/tests/suite_list.c
Examining data/libconfuse-3.3/tests/suite_ptr.c
Examining data/libconfuse-3.3/tests/suite_single.c
Examining data/libconfuse-3.3/tests/suite_validate.c
Examining data/libconfuse-3.3/windows/borland/config.h
Examining data/libconfuse-3.3/windows/devcpp/config.h
Examining data/libconfuse-3.3/windows/mingw/config.h
Examining data/libconfuse-3.3/windows/msvc6/libConfuse/config.h
Examining data/libconfuse-3.3/windows/msvc6/libConfuse/unistd.h
Examining data/libconfuse-3.3/windows/msvs.net/config.h
Examining data/libconfuse-3.3/windows/msvs.net/unistd.h

FINAL RESULTS:

data/libconfuse-3.3/examples/wincfgtest.c:90:13:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(buf, "bool: %s\nstring: %s\nnumber: %ld\nfloat: %f\n",
data/libconfuse-3.3/src/compat.h:24:9:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #define snprintf c99_snprintf
data/libconfuse-3.3/src/compat.h:25:9:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #define vsnprintf c99_vsnprintf
data/libconfuse-3.3/src/confuse.c:1224:3:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  vfprintf(stderr, fmt, ap);
data/libconfuse-3.3/src/confuse.c:1887:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(expanded, passwd->pw_dir);
data/libconfuse-3.3/src/confuse.c:1888:4:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(expanded, file);
data/libconfuse-3.3/tests/check_confuse.h:9:9:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(stderr, \
data/libconfuse-3.3/examples/wincfgtest.c:73:16:  [3] (misc) LoadLibrary:
  Ensure that the full path to the library is specified, or current directory may be used (CWE-829, CWE-20). Use registry entry or GetWindowsDirectory to find library path, if you aren't already.
  hinstLib = LoadLibrary("libConfuse");
data/libconfuse-3.3/examples/cfgtest.c:211:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *fp = fopen("test.conf.out", "w");
data/libconfuse-3.3/examples/simple.c:64:14:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  FILE *fp = fopen("simple.conf.out", "w");
data/libconfuse-3.3/examples/wincfgtest.c:62:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1024];
data/libconfuse-3.3/src/confuse.c:126:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dup, str, len);
data/libconfuse-3.3/src/confuse.c:674:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dupopts, opts, n * sizeof(cfg_opt_t));
data/libconfuse-3.3/src/confuse.c:1767:7:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fp = fopen(cfg->filename, "r");
data/libconfuse-3.3/src/fmemopen.c:45:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf, &ops->buf[ops->pos], len);
data/libconfuse-3.3/src/fmemopen.c:62:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&ops->buf[ops->pos], buf, len);
data/libconfuse-3.3/src/fmemopen.c:128:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tp[MAX_PATH - 13];
data/libconfuse-3.3/src/fmemopen.c:129:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char fn[MAX_PATH + 1];
data/libconfuse-3.3/tests/empty_string.c:16:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[100]; /* should be enough */
data/libconfuse-3.3/tests/print_filter.c:34:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[200]; /* should be enough */
data/libconfuse-3.3/tests/quote_before_print.c:29:7:  [2] (tmpfile) tmpfile:
  Function tmpfile() has a security flaw on some systems (e.g., older System V systems) (CWE-377).
  fp = tmpfile();
data/libconfuse-3.3/tests/setopt_ptr.c:14:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *ptr = atoi(value);
data/libconfuse-3.3/tests/suite_list.c:52:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *multi[2];
data/libconfuse-3.3/tests/suite_list.c:94:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *multi[3];
data/libconfuse-3.3/tests/suite_list.c:142:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *multi[3];
data/libconfuse-3.3/tests/suite_list.c:196:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *multi[3];
data/libconfuse-3.3/tests/suite_ptr.c:18:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *ptr = atoi(value);
data/libconfuse-3.3/tests/suite_single.c:37:18:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static unsigned char ec[6];
data/libconfuse-3.3/tests/suite_single.c:53:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char buf[18];
data/libconfuse-3.3/tests/suite_single.c:55:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%02x:%02x:%02x:%02x:%02x:%02x", addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
data/libconfuse-3.3/tests/suite_single.c:62:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char buf[16];
data/libconfuse-3.3/tests/suite_single.c:64:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
data/libconfuse-3.3/tests/suite_single.c:79:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(*(void **)result, tmp, 6);
data/libconfuse-3.3/tests/suite_single.c:274:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp[80];
data/libconfuse-3.3/examples/cli.c:105:8:  [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ch = fgetc(stdin);
data/libconfuse-3.3/src/confuse.c:121:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(str) + 1;
data/libconfuse-3.3/src/confuse.c:141:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(r, s, n);
data/libconfuse-3.3/src/confuse.c:211:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  end = title + strlen(title);
data/libconfuse-3.3/src/confuse.c:225:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  memmove(ch, ch + 1, strlen(ch));
data/libconfuse-3.3/src/confuse.c:792:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fp = fmemopen(buf, strlen(buf), "r");
data/libconfuse-3.3/src/confuse.c:798:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(buf) > 0)
data/libconfuse-3.3/src/confuse.c:1697:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(dir) + strlen(file) + 2;
data/libconfuse-3.3/src/confuse.c:1697:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(dir) + strlen(file) + 2;
data/libconfuse-3.3/src/confuse.c:1798:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fp = fmemopen((void *)buf, strlen(buf), "r");
data/libconfuse-3.3/src/confuse.c:1804:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(buf) > 0)
data/libconfuse-3.3/src/confuse.c:1871:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  file = filename + strlen(filename);
data/libconfuse-3.3/src/confuse.c:1877:4:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(user, filename + 1, file - filename - 1);
data/libconfuse-3.3/src/confuse.c:1883:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  expanded = malloc(strlen(passwd->pw_dir) + strlen(file) + 1);
data/libconfuse-3.3/src/confuse.c:1883:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  expanded = malloc(strlen(passwd->pw_dir) + strlen(file) + 1);
data/libconfuse-3.3/tests/suite_validate.c:64:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(str) > 42)

ANALYSIS SUMMARY:

Hits = 50
Lines analyzed = 8798 in approximately 0.30 seconds (29441 lines/second)
Physical Source Lines of Code (SLOC) = 5531
Hits@level = [0] 119 [1] 16 [2] 26 [3] 1 [4] 7 [5] 0
Hits@level+ = [0+] 169 [1+] 50 [2+] 34 [3+] 8 [4+] 7 [5+] 0
Hits/KSLOC@level+ = [0+] 30.5551 [1+] 9.03996 [2+] 6.14717 [3+] 1.44639 [4+] 1.26559 [5+] 0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.