Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libnet-interface-perl-1.016/ni_get_set.c
Examining data/libnet-interface-perl-1.016/ni_malloc.c
Examining data/libnet-interface-perl-1.016/ni_linuxproc.c
Examining data/libnet-interface-perl-1.016/ni_util.c
Examining data/libnet-interface-perl-1.016/miniSocketXS.c
Examining data/libnet-interface-perl-1.016/ni_in6_classify.c
Examining data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c
Examining data/libnet-interface-perl-1.016/ni_funct.h
Examining data/libnet-interface-perl-1.016/ni_strlcpy.c
Examining data/libnet-interface-perl-1.016/defaults.h
Examining data/libnet-interface-perl-1.016/ni_strlcpy.h
Examining data/libnet-interface-perl-1.016/ni_memcmp.c
Examining data/libnet-interface-perl-1.016/ni_getifaddrs.c
Examining data/libnet-interface-perl-1.016/ppport.h
Examining data/libnet-interface-perl-1.016/ni_memcmp.h
Examining data/libnet-interface-perl-1.016/inet_aton.c
Examining data/libnet-interface-perl-1.016/ni_in6_ifreq.c
Examining data/libnet-interface-perl-1.016/ni_lifreq.c
Examining data/libnet-interface-perl-1.016/ni_fixups.h
Examining data/libnet-interface-perl-1.016/ni_af_inetcommon.c
Examining data/libnet-interface-perl-1.016/ni_ifreq.c
Parsing failed to find end of parameter list; semicolon terminated it in ("mtu %d",((struct ifdata *)ifr->ni_data)->ifi_mtu; #endif printf("\n\t"); if (ioctl(fd,SIOCGIFADDR,ifr) != -1 ) { #ifdef HAVE_GETNAMEINFO if (getnameinfo(&ifr->ni_saddr,LOCAL_SIZEOF_SOCK
Examining data/libnet-interface-perl-1.016/ni_SMI-NUMBERS.c
Examining data/libnet-interface-perl-1.016/localconf.h

FINAL RESULTS:

data/libnet-interface-perl-1.016/miniSocketXS.c:120:23: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    * so let's use this sprintf() workaround everywhere.
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:131:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(name,"/dev/%s",&ifr->ni_ifr_name);
data/libnet-interface-perl-1.016/ni_ifreq.c:180:7: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
    strcpy(namebuf,inet_ntoa(ifr->ni_sin.sin_addr));
data/libnet-interface-perl-1.016/ni_in6_ifreq.c:224:7: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
    strcpy(namebuf,inet_ntoa(ifr->ni_sin.sin_addr));
data/libnet-interface-perl-1.016/ni_in6_ifreq.c:245:17: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
    strcpy(namebuf,inet_ntop(AF_INET6,&ifr->ni_sin6.sin6_addr,namebuf,NI_MAXHOST));
data/libnet-interface-perl-1.016/ni_lifreq.c:279:7: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
    strcpy(namebuf,inet_ntoa(sin->sin_addr));
data/libnet-interface-perl-1.016/ni_lifreq.c:289:17: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
    strcpy(namebuf,inet_ntoa(sin->sin_addr));
data/libnet-interface-perl-1.016/ni_lifreq.c:300:7: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
    strcpy(namebuf,inet_ntop(AF_INET6,&sin6->sin6_addr,namebuf,NI_MAXHOST));
data/libnet-interface-perl-1.016/ni_linuxproc.c:157:5: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
    sprintf(txt,"%s:%s:%s:%s:%s:%s:%s:%s",
data/libnet-interface-perl-1.016/miniSocketXS.c:123:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(addr_str, "%d.%d.%d.%d",
data/libnet-interface-perl-1.016/ni_af_inetcommon.c:102:26: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    #define NI_RESTORE_COPYS memcpy(&ifr->ni_saddr,&copy6,LOCAL_SIZEOF_SOCKADDR_IN6)
data/libnet-interface-perl-1.016/ni_af_inetcommon.c:104:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&copy6,&ifr->ni_saddr,LOCAL_SIZEOF_SOCKADDR_IN6);
data/libnet-interface-perl-1.016/ni_af_inetcommon.c:165:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char copy[sizeof(struct sockaddr_storage) + IFNAMSIZ];
data/libnet-interface-perl-1.016/ni_af_inetcommon.c:171:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(cifr,*oifr,inc); /* copy the current ifreq struct */
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:53:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char name[IFNAMSIZ +5], dlpbuf[DL_MAXIMUM];
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:87:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&ifr->ni_char,&physaddr.current_pa[0]);
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:101:15: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    if ((fd = open("/dev/nit",0)) >= 0) {
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:115:15: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    if ((fd = open(&ifr->ni_ifr_name,O_RDONLY)) >= 0) {
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:121:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&ifr->ni_char,&ioctl_arg.value.s[0],6);
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:132:15: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    if ((fd = open(name,O_RDWR)) < 0) {
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:149:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    if (ppa < 0 || (fd = open(name,O_RDWR)) < 0) {
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:151:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    if ((fd = open("/dev/dlpi",O_RDWR)) < 0)
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:172:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&ifr->ni_ifr_name,(dlpbuf + dlpi->dl_addr_offset),6);
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:214:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(ifr->ni_ifr_name,(dlpbuf + dlpp->dl_addr_offset),6);
data/libnet-interface-perl-1.016/ni_funct.h:172:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char ni_ifr_name[IFNAMSIZ];
data/libnet-interface-perl-1.016/ni_funct.h:183:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char ifr_char[2];
data/libnet-interface-perl-1.016/ni_funct.h:186:12: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char ifr_uchar[2];
data/libnet-interface-perl-1.016/ni_funct.h:198:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char lifreq_pad[NI_LIFREQ_PAD];
data/libnet-interface-perl-1.016/ni_get_set.c:137:6: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&ifr6.lin6_addr,&ifr->ni_sin6.sin6_addr,LOCAL_SIZEOF_SOCKADDR_IN6);
data/libnet-interface-perl-1.016/ni_getifaddrs.c:237:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char hostaddr[40];
data/libnet-interface-perl-1.016/ni_ifreq.c:124:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char namebuf[NI_MAXHOST];
data/libnet-interface-perl-1.016/ni_in6_ifreq.c:112:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&ifr6,ifr,IFNAMSIZ + LOCAL_SIZEOF_SOCKADDR_IN6); /* copy name & family */
data/libnet-interface-perl-1.016/ni_in6_ifreq.c:157:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char namebuf[NI_MAXHOST];
data/libnet-interface-perl-1.016/ni_in6_ifreq.c:239:6: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&copy6,&ifr->ni_saddr,LOCAL_SIZEOF_SOCKADDR_IN6);
data/libnet-interface-perl-1.016/ni_in6_ifreq.c:240:26: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    #define NI_RESTORE_COPYS memcpy(&ifr->ni_saddr,&copy6,LOCAL_SIZEOF_SOCKADDR_IN6)
data/libnet-interface-perl-1.016/ni_in6_ifreq.c:272:17: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&lifetime,&ifr->ni_lifetime,sizeof(struct in6_addrlifetime));
data/libnet-interface-perl-1.016/ni_lifreq.c:233:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char mac[6] = {0x0,0x0,0x0,0xfa,0x11,0xed};
data/libnet-interface-perl-1.016/ni_lifreq.c:234:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    unsigned char altmac[6], * macp;
data/libnet-interface-perl-1.016/ni_lifreq.c:235:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char namebuf[NI_MAXHOST];
data/libnet-interface-perl-1.016/ni_linuxproc.c:94:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char devname[20];
data/libnet-interface-perl-1.016/ni_linuxproc.c:95:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char chp[8][5];
data/libnet-interface-perl-1.016/ni_linuxproc.c:97:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char _pad[4];
data/libnet-interface-perl-1.016/ni_linuxproc.c:124:15: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    if ((fd = fopen(_PATH_PROCNET_IFINET6, "r")) == NULL)
data/libnet-interface-perl-1.016/ni_linuxproc.c:155:12: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    lx_hex2txt(char * txt, char (*chp)[5])
data/libnet-interface-perl-1.016/ni_linuxproc.c:155:24: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    lx_hex2txt(char * txt, char (*chp)[5])
data/libnet-interface-perl-1.016/ni_linuxproc.c:168:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char hostaddr[40];
data/libnet-interface-perl-1.016/ni_linuxproc.c:247:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char lastname[IFNAMSIZ];
data/libnet-interface-perl-1.016/ni_linuxproc.c:302:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char hostaddr[40];
data/libnet-interface-perl-1.016/ni_util.c:51:12: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    return memcpy(newmp,memp,size);
data/libnet-interface-perl-1.016/ni_util.c:80:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
    memcpy(&ifr,ifrp,sizeof(struct ifreq));
data/libnet-interface-perl-1.016/miniSocketXS.c:128:40: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    ST(0) = sv_2mortal(newSVpvn(addr_str, strlen(addr_str)));
data/libnet-interface-perl-1.016/ni_fallbackhwaddr.c:134:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
    n = strlen(name);
data/libnet-interface-perl-1.016/ni_linuxproc.c:130:12: [1] (buffer) fscanf:
  It's unclear if the %s limit in the format string is small enough (CWE-120). Check that the limit is sufficiently small, or use a different input function.
    while (fscanf(fd, "%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s\n",

ANALYSIS SUMMARY:

Hits = 53
Lines analyzed = 5532 in approximately 0.19 seconds (29266 lines/second)
Physical Source Lines of Code (SLOC) = 3363
Hits@level = [0] 145 [1] 3 [2] 41 [3] 0 [4] 9 [5] 0
Hits@level+ = [0+] 198 [1+] 53 [2+] 50 [3+] 9 [4+] 9 [5+] 0
Hits/KSLOC@level+ = [0+] 58.876 [1+] 15.7597 [2+] 14.8677 [3+] 2.67618 [4+] 2.67618 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.