Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/netcat-1.10/generic.h
Examining data/netcat-1.10/data/data.c
Examining data/netcat-1.10/data/xor.c
Examining data/netcat-1.10/data/rservice.c
Examining data/netcat-1.10/netcat.c

FINAL RESULTS:

data/netcat-1.10/data/data.c:157:3:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  fprintf (stderr, surveysez); /* if both or neither */

data/netcat-1.10/netcat.c:192:18:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define Debug(x) printf x; printf ("\n"); fflush (stdout); sleep (1);

data/netcat-1.10/netcat.c:210:5:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  fprintf (stderr, str, p1, p2, p3, p4, p5, p6);

data/netcat-1.10/netcat.c:397:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy (poop->name, unknown); /* preload it */

data/netcat-1.10/netcat.c:620:5:  [4] (shell) execl:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  execl ("/bin/sh", "sh", "-c", pr00gie, NULL);

data/netcat-1.10/netcat.c:630:3:  [4] (shell) execl:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  execl (pr00gie, p, NULL);

data/netcat-1.10/netcat.c:882:7:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
  strcat (bigbuf_net, inet_ntoa (lclend->sin_addr));

data/netcat-1.10/netcat.c:967:2:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused).
  strcat (p, pp); /* and build the final string */

data/netcat-1.10/netcat.c:986:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy (cp, inet_ntoa (lclend->sin_addr));

data/netcat-1.10/netcat.c:998:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy (bigbuf_net, inet_ntoa (remend->sin_addr));

data/netcat-1.10/data/data.c:68:7:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  q = random();

data/netcat-1.10/data/data.c:99:3:  [3] (random) srand:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  srand (time(0) + x);

data/netcat-1.10/data/data.c:101:3:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  srandom (time(0) + x);

data/netcat-1.10/netcat.c:55:15:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  #define SRAND srandom /* that this doesn't need *strong* random */

data/netcat-1.10/netcat.c:56:14:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  #define RAND random /* numbers just to mix up port numbers!! */

data/netcat-1.10/netcat.c:58:15:  [3] (random) srand:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  #define SRAND srand

data/netcat-1.10/netcat.c:1519:15:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer
  overflows (CWE-120, CWE-20). Check implementation on installation, or
  limit the size of all string inputs.
  while ((x = getopt (argc, argv, "abc:e:g:G:hi:klno:p:q:rs:T:tuvw:zC")) != EOF) {

data/netcat-1.10/data/data.c:27:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char buf_in [128];

data/netcat-1.10/data/data.c:28:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char buf_raw [8192];

data/netcat-1.10/data/data.c:133:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  x = atoi (argv[2]);

data/netcat-1.10/data/data.c:184:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  x = atoi (p); /* reg'lar decimal number */

data/netcat-1.10/data/rservice.c:17:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char buf [4096];

data/netcat-1.10/data/xor.c:19:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[8192];

data/netcat-1.10/data/xor.c:20:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char bytes[256];

data/netcat-1.10/data/xor.c:71:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  x = open (argv[1], O_RDONLY | O_BINARY);

data/netcat-1.10/data/xor.c:73:9:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  x = open (argv[1], O_RDONLY);

data/netcat-1.10/netcat.c:107:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char name[MAXHOSTNAMELEN]; /* dns name */

data/netcat-1.10/netcat.c:108:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char addrs[8][24]; /* ascii-format IP addresses */

data/netcat-1.10/netcat.c:114:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char name [64]; /* name in /etc/services */

data/netcat-1.10/netcat.c:115:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char anum [8]; /* ascii-format number */

data/netcat-1.10/netcat.c:152:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char hexnibs[20] = "0123456789abcdef ";

data/netcat-1.10/netcat.c:410:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (&poop->iaddrs[x], hostent->h_addr_list[x], sizeof (IA));

data/netcat-1.10/netcat.c:429:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (poop->iaddrs, &iaddr, sizeof (IA));

data/netcat-1.10/netcat.c:504:9:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  x = atoi (pstring);

data/netcat-1.10/netcat.c:533:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (portpoop->anum, "%d", x); /* always load any numeric specs! */

data/netcat-1.10/netcat.c:711:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (&lclend->sin_addr.s_addr, lad, sizeof (IA));

data/netcat-1.10/netcat.c:738:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (&remend->sin_addr.s_addr, rad, sizeof (IA));

data/netcat-1.10/netcat.c:791:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (opp, gates[x]->iaddrs, sizeof (IA));

data/netcat-1.10/netcat.c:795:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (opp, rad, sizeof (IA));

data/netcat-1.10/netcat.c:880:5:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused). Risk is low because the source is a constant string.
  strcpy (bigbuf_net, "listening on ["); /* buffer reuse... */

data/netcat-1.10/netcat.c:884:7:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
  strcat (bigbuf_net, "any");

data/netcat-1.10/netcat.c:885:5:  [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination
  [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
  snprintf (warning: strncat is easily misused). Risk is low because the
  source is a constant string.
  strcat (bigbuf_net, "] %d ...");

data/netcat-1.10/netcat.c:966:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (pp, "%2.2x ", *q); /* clumsy, but works: turn into hex */

data/netcat-1.10/netcat.c:1127:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (&stage[2], "%8.8x ", obc); /* xxx: still slow? */

data/netcat-1.10/netcat.c:1168:19:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static unsigned char obuf [4]; /* tiny thing to build responses into */

data/netcat-1.10/netcat.c:1250:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (timer2, timer1, sizeof (struct timeval));

data/netcat-1.10/netcat.c:1491:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (bigbuf_in, &cp[x], insaved);

data/netcat-1.10/netcat.c:1538:6:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  x = atoi (optarg);

data/netcat-1.10/netcat.c:1562:15:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  o_interval = atoi (optarg) & 0xffff;

data/netcat-1.10/netcat.c:1583:11:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  o_quit = atoi(optarg); break;

data/netcat-1.10/netcat.c:1600:11:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  o_wait = atoi (optarg);

data/netcat-1.10/netcat.c:1618:12:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  o_tos = atoi(optarg);;

data/netcat-1.10/netcat.c:1648:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  ofd = open (stage, O_WRONLY | O_CREAT | O_TRUNC, 0664);

data/netcat-1.10/data/data.c:237:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  x = read (0, buf_raw, 8192);

data/netcat-1.10/data/rservice.c:36:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (p, argv[1], sizeof (buf) - y); /* first arg plus another null */

data/netcat-1.10/data/rservice.c:37:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  x = strlen (argv[1]) + 1;

data/netcat-1.10/data/rservice.c:45:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (p, argv[2], sizeof (buf) - y); /* second arg plus null */

data/netcat-1.10/data/rservice.c:46:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  x = strlen (argv[2]) + 1;

data/netcat-1.10/data/rservice.c:55:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (p, q, sizeof (buf) - y); /* the command, plus final null */

data/netcat-1.10/data/rservice.c:56:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  x = strlen (q) + 1;

data/netcat-1.10/data/rservice.c:62:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant character.
  strncpy (p, "\n", sizeof (buf) - y); /* and a newline, so it goes */

data/netcat-1.10/data/xor.c:76:5:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  read (x, bytes, 250); /* nothin' fancy here */

data/netcat-1.10/data/xor.c:82:9:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  x = read (0, buf, sizeof (buf));

data/netcat-1.10/netcat.c:408:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (poop->name, hostent->h_name, MAXHOSTNAMELEN - 2);

data/netcat-1.10/netcat.c:411:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (poop->addrs[x], inet_ntoa (poop->iaddrs[x]),

data/netcat-1.10/netcat.c:430:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (poop->addrs[0], inet_ntoa (iaddr), sizeof (poop->addrs));

data/netcat-1.10/netcat.c:440:2:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (poop->name, hostent->h_name, MAXHOSTNAMELEN - 2);

data/netcat-1.10/netcat.c:492:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (portpoop->name, servent->s_name, sizeof (portpoop->name));

data/netcat-1.10/netcat.c:511:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (portpoop->name, servent->s_name, sizeof (portpoop->name));

data/netcat-1.10/netcat.c:1276:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  rr = read (fd, bigbuf_net, BIGSIZ);

data/netcat-1.10/netcat.c:1298:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  rr = read (0, bigbuf_in, BIGSIZ);

data/netcat-1.10/netcat.c:1406:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  end = start + strlen(start);

data/netcat-1.10/netcat.c:1483:15:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  insaved = read (0, cp, BIGSIZ-1); /* we're gonna fake fgets() here */

ANALYSIS SUMMARY:

Hits = 73
Lines analyzed = 2669 in approximately 0.11 seconds (23977 lines/second)
Physical Source Lines of Code (SLOC) = 1834
Hits@level = [0]  16 [1]  20 [2]  36 [3]   7 [4]  10 [5]   0
Hits@level+ = [0+]  89 [1+]  73 [2+]  53 [3+]  17 [4+]  10 [5+]   0
Hits/KSLOC@level+ = [0+] 48.5278 [1+] 39.8037 [2+] 28.8986 [3+] 9.26936 [4+] 5.45256 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
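Triage note on the three [4] (format) hits above. The one worth a careful look is netcat.c:210, where a caller-supplied string `str` is the format for `fprintf(stderr, str, p1, ..., p6)`: that is exactly the shape flawfinder cannot judge statically, because whether it is exploitable depends on whether any caller ever passes a non-constant `str`. The example below is added here and is not netcat or flawfinder code; the helper names (`log_unsafe`, `log_safe`, `count_format_directives`) are made up. It reproduces the flagged shape with a vararg helper, shows with a defined-behaviour input (`%%`) that caller text is being interpreted as directives rather than printed, gives the constant-format fix, and includes a small scanner that counts argument-consuming directives in a string, which is handy when auditing the call sites of a helper like this.

```c
/* Added example (not netcat code): the CWE-134 pattern behind the [4] (format)
 * hits, its hardened form, and a directive counter for triage. Names are made up. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the flagged helper: the caller's string IS the format. If a
 * caller ever passes text it did not write itself, every '%' in that text
 * becomes a directive. Shown with "%%" only, so behaviour stays defined. */
static int log_unsafe(char *out, size_t outsz, const char *msg, ...)
{
    va_list ap;
    va_start(ap, msg);
    int n = vsnprintf(out, outsz, msg, ap);   /* non-constant format */
    va_end(ap);
    return n;
}

/* Hardened: the format is a literal, the message is only ever an argument. */
static int log_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Counts '%' directives that would consume a vararg. "%%" is a literal percent
 * and is skipped. Deliberately simple: it does not model '*' widths (which
 * consume an extra argument) or glibc's "%m", so treat a 0 as "needs a look"
 * only when the string could never contain '%' at all. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: a benign message that happens to contain "%%". */
    const char *msg = "100%% done";
    char a[64], b[64];
    log_unsafe(a, sizeof a, msg);   /* "100% done": the text was parsed */
    log_safe(b, sizeof b, msg);     /* "100%% done": the text was printed */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    printf("directives in \"user %%s did %%n\": %d\n",
           count_format_directives("user %s did %n"));
    return 0;
}
```

The observable difference between `a` and `b` is the whole point: with the unsafe helper, content the caller did not author changes what the function does, and with `%s`/`%n` in place of `%%` that becomes a read or write primitive. The fix is always the same: make the format a literal and pass the data as an argument.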
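The [4] (buffer) strcpy/strcat hits (netcat.c:882, 986, 998) and the [1] strncpy hits (netcat.c:408, 411, 430, 440, 492, 511) are two faces of one problem: strcpy/strcat have no bound at all, and strncpy has a bound but does not promise a terminator. The report flags the calls; it does not, and cannot, say whether the destination buffers are large enough, so that is what the reviewer checks. The example below is added here and is not netcat or flawfinder code; the function names (`strncpy_terminated`, `copy_bounded`, `build_listen_msg`) are made up. It demonstrates the strncpy non-termination case with a probe, gives a copy that always terminates and reports truncation (the strlcpy convention), and rebuilds the "listening on [...] ..." message that the report shows being assembled with strcpy/strcat using a single bounded snprintf whose return value tells you whether it fit.

```c
/* Added example (not netcat code): bounded string copy/concat replacing the
 * strcpy/strcat/strncpy patterns flagged above. Names are made up. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Probe for the strncpy pitfall: copy as the flagged code does, then report
 * whether a NUL landed inside the n bytes. When strlen(src) >= n it does not,
 * and any later strlen()/printf("%s") on dst reads past the buffer. */
static bool strncpy_terminated(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Always-terminating copy. Returns strlen(src) (strlcpy convention), so the
 * caller detects truncation with: copy_bounded(...) >= n. */
static size_t copy_bounded(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);
    if (n == 0)
        return len;
    size_t take = len < n - 1 ? len : n - 1;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return len;
}

/* One bounded call instead of strcpy + strcat + strcat into a fixed buffer.
 * addr == NULL stands for the "any" case in the report. Returns false if the
 * message did not fit, so the caller can fail loudly instead of overflowing. */
static bool build_listen_msg(char *dst, size_t n, const char *addr, int port)
{
    int w = snprintf(dst, n, "listening on [%s] %d ...",
                     addr ? addr : "any", port);
    return w >= 0 && (size_t)w < n;
}

int main(void)
{
    /* Constructed inputs: a max-length dotted quad into a buffer too small. */
    char small[8];
    memset(small, 'X', sizeof small);
    printf("strncpy terminated in 8 bytes: %s\n",
           strncpy_terminated(small, sizeof small, "255.255.255.255") ? "yes" : "NO");

    char d[8];
    size_t need = copy_bounded(d, sizeof d, "255.255.255.255");
    printf("copy_bounded -> \"%s\" (needed %zu, truncated: %s)\n",
           d, need, need >= sizeof d ? "yes" : "no");

    char msg[64];
    if (build_listen_msg(msg, sizeof msg, "10.0.0.1", 31337))
        puts(msg);
    return 0;
}
```

`inet_ntoa` returns at most 15 characters plus the terminator, so a 16-byte destination is the minimum for that source; the report's `addrs[8][24]` entries would hold it, but that is a fact about the buffer, not something the strncpy call guarantees, which is why the [1] hits still merit a glance.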
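The [2] (integer) atoi hits are all on option or argument parsing (`atoi (optarg)`, `atoi (argv[2])`, `atoi (pstring)`), which is where untrusted numbers enter. atoi gives no error indication, accepts trailing junk, and its behaviour on overflow is undefined; the `& 0xffff` at netcat.c:1562 bounds the result but does so silently, so an out-of-range value becomes a different in-range value rather than an error. The example below is added here and is not netcat or flawfinder code; `parse_long_in_range`, `parse_port` and `atoi_masked` are made-up names. It shows the strtol-based replacement that flawfinder's message asks for (explicit minimum and maximum, full consumption of the input, ERANGE checked) and, beside it, what the masked atoi does with the same input.

```c
/* Added example (not netcat code): range-checked integer parsing to replace
 * the atoi(optarg) pattern flagged above (CWE-190). Names are made up. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a base-10 integer from s, accepting only values in [lo, hi].
 * Rejects: empty input, overflow of long (ERANGE), trailing characters
 * ("80abc", "1e3", "80 "), and anything outside the range, including
 * negatives even when the caller's range starts at 0. strtol still skips
 * leading whitespace; tighten that too if the input format forbids it. */
static bool parse_long_in_range(const char *s, long lo, long hi, long *out)
{
    if (s == NULL || *s == '\0')
        return false;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE)      /* too big or too small for long */
        return false;
    if (end == s || *end != '\0')   /* no digits, or trailing junk */
        return false;
    if (v < lo || v > hi)
        return false;
    *out = v;
    return true;
}

/* TCP/UDP port number: 1..65535. Port 0 is rejected here as "unspecified";
 * widen the range if a caller legitimately means "let the kernel pick". */
static bool parse_port(const char *s, unsigned short *port)
{
    long v;
    if (!parse_long_in_range(s, 1, 65535, &v))
        return false;
    *port = (unsigned short)v;
    return true;
}

/* What the flagged `atoi (optarg) & 0xffff` does with the same input: an
 * out-of-range value is folded into range instead of rejected. */
static int atoi_masked(const char *s)
{
    return atoi(s) & 0xffff;
}

int main(void)
{
    /* Constructed inputs a user might type after -p or -i. */
    const char *inputs[] = { "31337", "0", "65536", "80abc", "-1", "99999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned short p;
        if (parse_port(inputs[i], &p))
            printf("%-6s -> port %u\n", inputs[i], p);
        else
            printf("%-6s -> rejected (atoi & 0xffff would give %d)\n",
                   inputs[i], atoi_masked(inputs[i]));
    }
    return 0;
}
```

The point of returning a bool rather than a sentinel value is that the caller is forced to handle the failure; with atoi there is no failure to handle, and the program proceeds on a number it never validated.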