Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/luasocket-3.0~rc1+git+ac3201d/gem/gem.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/auxiliar.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/auxiliar.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/buffer.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/compat.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/compat.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/except.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/except.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/inet.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/inet.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/io.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/luasocket.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/luasocket.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/mime.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/mime.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/options.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/options.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/pierror.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/select.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/select.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/serial.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/socket.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/tcp.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/tcp.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/timeout.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/udp.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/udp.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/unix.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/unixtcp.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/unixtcp.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/usocket.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/wsocket.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/wsocket.h
Examining data/luasocket-3.0~rc1+git+ac3201d/src/buffer.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/io.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/timeout.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/usocket.c
Examining data/luasocket-3.0~rc1+git+ac3201d/src/unix.c

FINAL RESULTS:

data/luasocket-3.0~rc1+git+ac3201d/src/unixtcp.c:192:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
    strcpy(local.sun_path, path);
data/luasocket-3.0~rc1+git+ac3201d/src/unixtcp.c:246:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
    strcpy(remote.sun_path, path);
data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.c:145:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
    strcpy(remote.sun_path, path);
data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.c:266:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
    strcpy(local.sun_path, path);
data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.c:321:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
    strcpy(remote.sun_path, path);
data/luasocket-3.0~rc1+git+ac3201d/src/auxiliar.c:49:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[32];
data/luasocket-3.0~rc1+git+ac3201d/src/auxiliar.c:57:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(buf, "%p", lua_touserdata(L, 1));
data/luasocket-3.0~rc1+git+ac3201d/src/auxiliar.c:93:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char msg[45];
data/luasocket-3.0~rc1+git+ac3201d/src/auxiliar.c:94:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(msg, "%.35s expected", classname);
data/luasocket-3.0~rc1+git+ac3201d/src/auxiliar.c:107:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char msg[45];
data/luasocket-3.0~rc1+git+ac3201d/src/auxiliar.c:108:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(msg, "%.35s expected", groupname);
data/luasocket-3.0~rc1+git+ac3201d/src/buffer.h:33:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char data[BUF_SIZE]; /* storage space for buffer data */
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:84:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char hbuf[NI_MAXHOST];
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:85:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char sbuf[NI_MAXSERV];
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:179:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char hbuf[NI_MAXHOST];
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:227:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char name[257];
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:250:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char name[INET6_ADDRSTRLEN];
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:251:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char port[6]; /* 65535 = 5 bytes + 0 to terminate it */
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:284:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char name[INET6_ADDRSTRLEN];
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:285:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char port[6]; /* 65535 = 5 bytes + 0 to terminate it */
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:532:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dst, &in->sin_addr, sizeof(in->sin_addr));
data/luasocket-3.0~rc1+git+ac3201d/src/inet.c:535:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
    memcpy(dst, &in->sin6_addr, sizeof(in->sin6_addr));
data/luasocket-3.0~rc1+git+ac3201d/src/options.c:40:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char msg[45];
data/luasocket-3.0~rc1+git+ac3201d/src/options.c:41:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(msg, "unsupported option `%.35s'", name);
data/luasocket-3.0~rc1+git+ac3201d/src/options.c:53:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char msg[45];
data/luasocket-3.0~rc1+git+ac3201d/src/options.c:54:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
    sprintf(msg, "unsupported option `%.35s'", name);
data/luasocket-3.0~rc1+git+ac3201d/src/serial.c:152:21:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around to
  create a race condition, control its ancestors, or change its contents?
  (CWE-362).
    t_socket sock = open(path, O_NOCTTY|O_RDWR);
data/luasocket-3.0~rc1+git+ac3201d/src/udp.c:210:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[UDP_DATAGRAMSIZE];
data/luasocket-3.0~rc1+git+ac3201d/src/udp.c:239:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[UDP_DATAGRAMSIZE];
data/luasocket-3.0~rc1+git+ac3201d/src/udp.c:244:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char addrstr[INET6_ADDRSTRLEN];
data/luasocket-3.0~rc1+git+ac3201d/src/udp.c:245:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char portstr[6];
data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.c:167:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[UNIXUDP_DATAGRAMSIZE];
data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.c:196:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char buf[UNIXUDP_DATAGRAMSIZE];
data/luasocket-3.0~rc1+git+ac3201d/src/unixtcp.c:188:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    size_t len = strlen(path);
data/luasocket-3.0~rc1+git+ac3201d/src/unixtcp.c:243:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    size_t len = strlen(path);
data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.c:136:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    size_t len = strlen(path);
data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.c:262:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    size_t len = strlen(path);
data/luasocket-3.0~rc1+git+ac3201d/src/unixudp.c:318:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    size_t len = strlen(path);
data/luasocket-3.0~rc1+git+ac3201d/src/usocket.c:345:29:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    long taken = (long) read(*ps, data, count);

ANALYSIS SUMMARY:

Hits = 39
Lines analyzed = 6426 in approximately 0.24 seconds (26274 lines/second)
Physical Source Lines of Code (SLOC) = 4487
Hits@level = [0]  11 [1]   6 [2]  28 [3]   0 [4]   5 [5]   0
Hits@level+ = [0+]  50 [1+]  39 [2+]  33 [3+]   5 [4+]   5 [5+]   0
Hits/KSLOC@level+ = [0+] 11.1433 [1+] 8.69178 [2+] 7.35458 [3+] 1.11433 [4+] 1.11433 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
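The five level-4 hits (unixtcp.c:192 and :246, unixudp.c:145, :266 and :321) all copy a caller-supplied path into sockaddr_un.sun_path with strcpy. sun_path is a fixed-size array (108 bytes on Linux, 104 on the BSDs), so the copy is only safe if the path length has been checked against sizeof(sun_path) first. The report shows strlen(path) computed a few lines above each strcpy (the level-1 hits at unixtcp.c:188 and :243, unixudp.c:136, :262 and :318), which is consistent with such a check, but the check itself is not visible in the report, so it has to be confirmed in the source. The helper below is an added example, not luasocket code: it makes the bound explicit and replaces strcpy with a memcpy whose length has already been proven to fit. The function names and the try_path_of_length probe are assumptions for this example.

```c
/* Added example (not luasocket code): bounded copy of a path into
 * sockaddr_un.sun_path, the pattern behind the five level-4 strcpy hits. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Longest path (excluding the NUL terminator) that fits in sun_path.
 * Derived from the struct, so it is right on any platform. */
size_t unix_path_max(void)
{
    struct sockaddr_un sa;
    return sizeof(sa.sun_path) - 1;
}

/* Fill *sa with AF_UNIX and path. Returns 0 on success, -1 if the path
 * (plus its NUL) does not fit in sun_path. On failure *sa is left zeroed,
 * so a caller that ignores the result still holds an empty address rather
 * than a truncated or overflowed one. */
int unix_addr_from_path(struct sockaddr_un *sa, const char *path)
{
    size_t len = strlen(path);            /* same strlen Flawfinder flags at level 1 */
    memset(sa, 0, sizeof(*sa));
    if (len >= sizeof(sa->sun_path)) {    /* no room for the terminator: reject */
        return -1;
    }
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, len + 1);  /* bounded: len + 1 <= sizeof(sun_path) */
    return 0;
}

/* Probe used by main() and by the checks below: build a path of n 'a'
 * characters (constructed input, capped to the local buffer) and try it. */
int try_path_of_length(size_t n)
{
    char path[512];
    struct sockaddr_un sa;
    if (n >= sizeof(path)) n = sizeof(path) - 1;
    memset(path, 'a', n);
    path[n] = '\0';
    return unix_addr_from_path(&sa, path);
}

int main(void)
{
    size_t max = unix_path_max();
    printf("sun_path holds at most %zu bytes of path\n", max);
    printf("length %zu -> %d\n", max, try_path_of_length(max));          /* 0: fits */
    printf("length %zu -> %d\n", max + 1, try_path_of_length(max + 1));  /* -1: rejected */
    return 0;
}
```

A path exactly unix_path_max() bytes long is accepted and fills sun_path with no spare byte beyond the terminator; one byte longer is rejected before anything is written, which is the property the strcpy form can only have if the surrounding code checks first.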
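Flawfinder marks the sprintf hits at auxiliar.c:94 and :108 and options.c:41 and :54 as low risk because "%.35s" caps the inserted string at 35 bytes. That is only half the arithmetic: the literal text around the conversion and the terminating NUL count too. From the lines the report shows, "%.35s expected" needs at most 35 + 9 + 1 = 45 bytes, exactly the char msg[45] declared just above it; "unsupported option `%.35s'" needs up to 20 + 35 + 1 + 1 = 57 bytes, which does not fit char msg[45] once name is 25 bytes or longer. Whether name can be that long is not visible in the report and must be checked in the caller. The block below is an added example, not luasocket code: it measures both messages with snprintf(NULL, 0, ...) and shows the snprintf form that truncates instead of overflowing. The enum and function names are assumptions for this example.

```c
/* Added example (not luasocket code): sizing the two sprintf patterns from
 * the report, and the bounded snprintf replacement. */
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 45   /* the buffer size shown in the report: char msg[45]; */

enum msg_kind { MSG_EXPECTED, MSG_UNSUPPORTED };

/* Format one of the two messages into dst, never writing more than dstsz
 * bytes. Returns the size the complete message needs, including the NUL;
 * if that exceeds dstsz the output was truncated rather than overflowed.
 * With dst == NULL and dstsz == 0 it only measures. */
size_t format_msg(enum msg_kind kind, char *dst, size_t dstsz, const char *name)
{
    int n;
    if (kind == MSG_EXPECTED)
        n = snprintf(dst, dstsz, "%.35s expected", name);               /* auxiliar.c */
    else
        n = snprintf(dst, dstsz, "unsupported option `%.35s'", name);   /* options.c */
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Worst case over all inputs: any name of 35 bytes or more saturates %.35s,
 * so a 63-byte constructed name gives the maximum for each format. */
size_t worst_case_bytes(enum msg_kind kind)
{
    char longname[64];
    memset(longname, 'x', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    return format_msg(kind, NULL, 0, longname);
}

/* Write into a buffer of the report's size and return how much actually
 * landed in it: at most MSG_SIZE - 1 bytes, whatever the name length. */
size_t landed_in_msg45(enum msg_kind kind, const char *name)
{
    char msg[MSG_SIZE];
    format_msg(kind, msg, sizeof(msg), name);
    return strlen(msg);
}

int main(void)
{
    printf("\"%%.35s expected\" worst case: %zu bytes (buffer %d)\n",
           worst_case_bytes(MSG_EXPECTED), MSG_SIZE);
    printf("\"unsupported option `%%.35s'\" worst case: %zu bytes (buffer %d)\n",
           worst_case_bytes(MSG_UNSUPPORTED), MSG_SIZE);
    return 0;
}
```

With a 40-byte name the unsupported-option message is reported as needing 57 bytes; snprintf stores the first 44 and the terminator in the 45-byte buffer, where sprintf would have written 12 bytes past its end. The fix in the original pattern is either a buffer of at least 57 bytes or, more robustly, the snprintf form so that a later change to the literal text cannot silently reopen the overflow.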