Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libhbaapi-2.2.9/hbaapi.h
Examining data/libhbaapi-2.2.9/hbaapilib.c
Examining data/libhbaapi-2.2.9/hbaapitest.c
Examining data/libhbaapi-2.2.9/hbasample.c
Examining data/libhbaapi-2.2.9/hbasample.h
Examining data/libhbaapi-2.2.9/vendorhbaapi.h

FINAL RESULTS:

data/libhbaapi-2.2.9/hbaapilib.c:75:2:  [4] (format) syslog:
  If syslog's format strings can be influenced by an attacker, they can be
  exploited (CWE-134). Use a constant format string for syslog.
  syslog (LOG_INFO, (STR), (A1), (A2), (A3));\
data/libhbaapi-2.2.9/hbaapilib.c:80:6:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  fprintf(_hbaapi_debug_fd, #STR "\n", (A1), (A2), (A3));\
data/libhbaapi-2.2.9/hbaapilib.c:93:2:  [4] (format) syslog:
  If syslog's format strings can be influenced by an attacker, they can be
  exploited (CWE-134). Use a constant format string for syslog.
  syslog (LOG_INFO, (STR), (A1), (A2), (A3));\
data/libhbaapi-2.2.9/hbaapilib.c:105:6:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  fprintf(_hbaapi_debug_fd, #STR "\n", (A1), (A2), (A3));\
data/libhbaapi-2.2.9/hbaapilib.c:843:3:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf(dummyname, "NULLADAPTER-%s-%03d",
data/libhbaapi-2.2.9/hbaapilib.c:882:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(adaptername, adapt_infop->name);
data/libhbaapi-2.2.9/hbaapilib.c:1018:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(attributes->LibPath, map->l_lname);
data/libhbaapi-2.2.9/hbaapilib.c:1025:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(attributes->VName, VENDOR);
data/libhbaapi-2.2.9/hbaapilib.c:1030:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(attributes->VVersion, VERSION);
data/libhbaapi-2.2.9/hbaapilib.c:2722:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(attributes->LibPath,
data/libhbaapi-2.2.9/hbaapi.h:262:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char ipv4address[4];
data/libhbaapi-2.2.9/hbaapi.h:263:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char ipv6address[16];
data/libhbaapi-2.2.9/hbaapi.h:271:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char Manufacturer[64];
data/libhbaapi-2.2.9/hbaapi.h:272:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char SerialNumber[64];
data/libhbaapi-2.2.9/hbaapi.h:273:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char Model[256];
data/libhbaapi-2.2.9/hbaapi.h:274:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ModelDescription[256];
data/libhbaapi-2.2.9/hbaapi.h:276:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char NodeSymbolicName[256];
data/libhbaapi-2.2.9/hbaapi.h:277:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char HardwareVersion[256];
data/libhbaapi-2.2.9/hbaapi.h:278:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char DriverVersion[256];
data/libhbaapi-2.2.9/hbaapi.h:279:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char OptionROMVersion[256];
data/libhbaapi-2.2.9/hbaapi.h:280:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char FirmwareVersion[256];
data/libhbaapi-2.2.9/hbaapi.h:283:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char DriverName[256];
data/libhbaapi-2.2.9/hbaapi.h:296:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char PortSymbolicName[256];
data/libhbaapi-2.2.9/hbaapi.h:297:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char OSDeviceName[256];
data/libhbaapi-2.2.9/hbaapi.h:334:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char OSDeviceName[256];
data/libhbaapi-2.2.9/hbaapi.h:348:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256];
data/libhbaapi-2.2.9/hbaapi.h:438:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char LibPath[256];
data/libhbaapi-2.2.9/hbaapi.h:439:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char VName[256];
data/libhbaapi-2.2.9/hbaapi.h:440:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char VVersion[256];
data/libhbaapi-2.2.9/hbaapilib.c:77:25:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  _hbaapi_debug_fd = fopen("/tmp/HBAAPI.log", "a");\
data/libhbaapi-2.2.9/hbaapilib.c:102:25:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  _hbaapi_debug_fd = fopen("/tmp/HBAAPI.log", "a");\
data/libhbaapi-2.2.9/hbaapilib.c:402:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char wwn_str1[17];
data/libhbaapi-2.2.9/hbaapilib.c:403:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char wwn_str2[17];
data/libhbaapi-2.2.9/hbaapilib.c:404:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char wwn_str3[17];
data/libhbaapi-2.2.9/hbaapilib.c:414:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(&buf[j], "%02X", (int)*pc++);
data/libhbaapi-2.2.9/hbaapilib.c:440:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char fullline[512]; /* line read from HBA.conf */
data/libhbaapi-2.2.9/hbaapilib.c:443:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char hbaConfFilePath[256];
data/libhbaapi-2.2.9/hbaapilib.c:455:5:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaConfFilePath, "/etc/hba.conf");
data/libhbaapi-2.2.9/hbaapilib.c:457:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  if ((hbaconf = fopen(hbaConfFilePath, "r")) == NULL) {
data/libhbaapi-2.2.9/hbaapilib.c:774:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char adaptername[256];
data/libhbaapi-2.2.9/hbaapilib.c:842:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char dummyname[512];
data/libhbaapi-2.2.9/hbaapitest.c:70:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char namebuf[1028];
data/libhbaapi-2.2.9/hbaapitest.c:262:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char large_buf[1024];
data/libhbaapi-2.2.9/hbaapitest.c:263:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char large_buf2[1024];
data/libhbaapi-2.2.9/hbasample.c:144:3:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(adaptername, "org.snia.sample-1");
data/libhbaapi-2.2.9/hbasample.c:196:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaattributes->Manufacturer, "Emulex");
data/libhbaapi-2.2.9/hbasample.c:197:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaattributes->SerialNumber, "A12345");
data/libhbaapi-2.2.9/hbasample.c:198:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaattributes->Model, "QLA2200");
data/libhbaapi-2.2.9/hbasample.c:199:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaattributes->ModelDescription, "Agilent TachLite");
data/libhbaapi-2.2.9/hbasample.c:210:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaattributes->NodeSymbolicName, "HBA API Sample Driver");
data/libhbaapi-2.2.9/hbasample.c:211:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaattributes->HardwareVersion, "Hardware Version");
data/libhbaapi-2.2.9/hbasample.c:212:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaattributes->DriverVersion, "Driver Version");
data/libhbaapi-2.2.9/hbasample.c:213:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaattributes->OptionROMVersion, "Option ROM Version");
data/libhbaapi-2.2.9/hbasample.c:214:2:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(hbaattributes->FirmwareVersion, "Firmware Version");
data/libhbaapi-2.2.9/hbasample.c:252:3:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy(portattributes->OSDeviceName, "DeviceName");
data/libhbaapi-2.2.9/hbasample.c:341:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(&PortWWN, &port, 8);
data/libhbaapi-2.2.9/hbaapilib.c:471:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(libraryname) >= 64) {
data/libhbaapi-2.2.9/hbaapilib.c:478:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(librarypath) >= 256) {
data/libhbaapi-2.2.9/hbaapilib.c:492:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(libraryname) == 0 ||
data/libhbaapi-2.2.9/hbaapilib.c:494:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (strlen(librarypath) == 0)) {
data/libhbaapi-2.2.9/hbaapilib.c:1017:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(map->l_name) < 256) {
data/libhbaapi-2.2.9/hbaapilib.c:2721:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(adapt_infop->library->LibraryPath) < 256) {

ANALYSIS SUMMARY:

Hits = 62
Lines analyzed = 4697 in approximately 0.22 seconds (21215 lines/second)
Physical Source Lines of Code (SLOC) = 3644
Hits@level = [0] 131 [1]   6 [2]  46 [3]   0 [4]  10 [5]   0
Hits@level+ = [0+] 193 [1+]  62 [2+]  56 [3+]  10 [4+]  10 [5+]   0
Hits/KSLOC@level+ = [0+] 52.9638 [1+] 17.0143 [2+] 15.3677 [3+] 2.74424 [4+] 2.74424 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.