Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/netifaces-0.10.9/netifaces.c

FINAL RESULTS:

data/netifaces-0.10.9/netifaces.c:513:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy (bufptr, pfxbuf);
data/netifaces-0.10.9/netifaces.c:614:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy (bufptr, pfxbuf);
data/netifaces-0.10.9/netifaces.c:634:20:  [3] (misc) LoadLibrary:
  Ensure that the full path to the library is specified, or current directory
  may be used (CWE-829, CWE-20). Use registry entry or GetWindowsDirectory to
  find library path, if you aren't already.
  HMODULE hmod = LoadLibrary ("ws2_32.dll");
data/netifaces-0.10.9/netifaces.c:650:20:  [3] (misc) LoadLibrary:
  Ensure that the full path to the library is specified, or current directory
  may be used (CWE-829, CWE-20). Use registry entry or GetWindowsDirectory to
  find library path, if you aren't already.
  HMODULE hmod = LoadLibrary ("ws2_32.dll");
data/netifaces-0.10.9/netifaces.c:270:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tmpbuf[20];
data/netifaces-0.10.9/netifaces.c:272:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (tmpbuf, "%d.%d.%d.%d",
data/netifaces-0.10.9/netifaces.c:284:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tmpbuf[80], *ptr = tmpbuf;
data/netifaces-0.10.9/netifaces.c:297:11:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (ptr, "%x%02x", b1, b2);
data/netifaces-0.10.9/netifaces.c:305:11:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (ptr, "%x", b2);
data/netifaces-0.10.9/netifaces.c:363:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(bigaddr, addr, SA_LEN(addr));
data/netifaces-0.10.9/netifaces.c:424:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (ptr, "%02x:", data[n] & 0xff);
data/netifaces-0.10.9/netifaces.c:453:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char pfxbuf[16];
data/netifaces-0.10.9/netifaces.c:510:5:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (pfxbuf, "/%u", prefix);
data/netifaces-0.10.9/netifaces.c:563:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256];
data/netifaces-0.10.9/netifaces.c:572:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char pfxbuf[16];
data/netifaces-0.10.9/netifaces.c:611:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (pfxbuf, "/%u", prefix);
data/netifaces-0.10.9/netifaces.c:666:5:  [2] (buffer) wchar_t:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  wchar_t buffer[256];
data/netifaces-0.10.9/netifaces.c:675:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256];
data/netifaces-0.10.9/netifaces.c:787:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256];
data/netifaces-0.10.9/netifaces.c:802:9:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (ptr, "%02x:", pInfo->PhysicalAddress[n] & 0xff);
data/netifaces-0.10.9/netifaces.c:1026:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256];
data/netifaces-0.10.9/netifaces.c:1146:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256];
data/netifaces-0.10.9/netifaces.c:1645:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char gwbuf[16];
data/netifaces-0.10.9/netifaces.c:1661:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf (gwbuf, "%u.%u.%u.%u",
data/netifaces-0.10.9/netifaces.c:1715:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char data[0];
data/netifaces-0.10.9/netifaces.c:1898:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256];
data/netifaces-0.10.9/netifaces.c:1899:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ifnamebuf[IF_NAMESIZE];
data/netifaces-0.10.9/netifaces.c:1980:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ifnamebuf[IF_NAMESIZE];
data/netifaces-0.10.9/netifaces.c:2078:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char strbuf[256];
data/netifaces-0.10.9/netifaces.c:2147:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ifnamebuf[IF_NAMESIZE];
data/netifaces-0.10.9/netifaces.c:2297:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256];
data/netifaces-0.10.9/netifaces.c:2302:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (ifnamebuf, ifp->sdl_data, ifp->sdl_nlen);
data/netifaces-0.10.9/netifaces.c:2476:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[256];
data/netifaces-0.10.9/netifaces.c:2481:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (ifnamebuf, ifp->sdl_data, ifp->sdl_nlen);
data/netifaces-0.10.9/netifaces.c:7:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  Py_ssize_t len = strlen(s);
data/netifaces-0.10.9/netifaces.c:275:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (buffer, tmpbuf, buflen);
data/netifaces-0.10.9/netifaces.c:298:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ptr += strlen (ptr);
data/netifaces-0.10.9/netifaces.c:306:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ptr += strlen (ptr);
data/netifaces-0.10.9/netifaces.c:330:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (buffer, tmpbuf, buflen);
data/netifaces-0.10.9/netifaces.c:512:32:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (bufend - bufptr > (int)strlen(pfxbuf))
data/netifaces-0.10.9/netifaces.c:613:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((size_t)(bufend - bufptr) > strlen(pfxbuf))
data/netifaces-0.10.9/netifaces.c:1059:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (ifr6.ifr_name, addr->ifa_name, IFNAMSIZ);
data/netifaces-0.10.9/netifaces.c:1148:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (ifr.CNAME(ifr_name), ifname, IFNAMSIZ);
data/netifaces-0.10.9/netifaces.c:1569:44:  [1] (buffer) wcslen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ifname = PyUnicode_FromUnicode (pwcsName, wcslen (pwcsName));
data/netifaces-0.10.9/netifaces.c:1676:49:  [1] (buffer) wcslen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ifname = PyUnicode_FromUnicode (pwcsName, wcslen (pwcsName));

ANALYSIS SUMMARY:

Hits = 45
Lines analyzed = 2905 in approximately 0.09 seconds (32664 lines/second)
Physical Source Lines of Code (SLOC) = 2347
Hits@level = [0]   3 [1]  11 [2]  30 [3]   2 [4]   2 [5]   0
Hits@level+ = [0+]  48 [1+]  45 [2+]  34 [3+]   4 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 20.4516 [1+] 19.1734 [2+] 14.4866 [3+] 1.7043 [4+] 0.852152 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
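Triage note on the two level-4 hits: flawfinder matches function names lexically, so it rates the strcpy() calls at netifaces.c:513 and :614 as the most serious findings in the file even though the report itself shows the line immediately before each one (the level-1 strlen hits at :512 and :613) comparing the remaining space against strlen(pfxbuf) before the copy. The strict `>` in that comparison is what makes the copy sound: strcpy writes strlen(src)+1 bytes including the terminator, so the destination must hold at least that many. The block below is an added example, not netifaces code, that reproduces that guard-then-copy pattern as a standalone function next to an snprintf-based variant, and drives both through a small "address/prefix" formatter modelled on the sprintf("/%u") into a 16-byte pfxbuf visible at :453 and :510. All function names (append_guarded, append_snprintf, format_with_prefix) and the sample inputs are hypothetical; the point is that a reviewer can confirm the bound holds by exercising a deliberately undersized destination and observing that it is left intact rather than overrun.

```c
/* Added example (not from netifaces): bounded append patterns for a
 * fixed-size output buffer. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Pattern A: guard, then strcpy. This is the shape flawfinder flags at
 * level 4 because it only sees the strcpy token. The strict '>' leaves
 * room for the NUL: strlen(src)+1 bytes are written, and bufend-bufptr
 * must be at least that many. Returns 1 if written, 0 if it did not fit. */
int append_guarded(char *bufptr, const char *bufend, const char *src)
{
    if ((size_t)(bufend - bufptr) > strlen(src)) {
        strcpy(bufptr, src);   /* bound established on the line above */
        return 1;
    }
    return 0;
}

/* Pattern B: let snprintf enforce the bound. Same contract as above, but
 * truncation is reported through the return value rather than a guard the
 * reviewer has to locate; flawfinder rates snprintf lower for that reason.
 * On truncation, snprintf still NUL-terminates within room bytes. */
int append_snprintf(char *bufptr, const char *bufend, const char *src)
{
    size_t room = (size_t)(bufend - bufptr);
    if (room == 0)
        return 0;
    int n = snprintf(bufptr, room, "%s", src);
    return n >= 0 && (size_t)n < room;
}

/* Build "addr/prefix" into dst[dstlen]. Mirrors the snippets visible in
 * the report: a 16-byte pfxbuf filled with "/%u" (worst case "/4294967295"
 * is 11 chars + NUL, so 16 is sufficient) appended after the address text.
 * Returns 1 on success; on failure dst still holds a NUL-terminated
 * prefix of the intended output (possibly just the address) and nothing
 * past dst+dstlen is touched. */
int format_with_prefix(char *dst, size_t dstlen, const char *addr, unsigned prefix)
{
    char pfxbuf[16];
    char *bufptr = dst, *bufend = dst + dstlen;

    if (!append_snprintf(bufptr, bufend, addr))
        return 0;
    bufptr += strlen(bufptr);

    /* bounded equivalent of the sprintf (pfxbuf, "/%u", prefix) at :510/:611 */
    snprintf(pfxbuf, sizeof pfxbuf, "/%u", prefix);
    return append_guarded(bufptr, bufend, pfxbuf);
}

int main(void)
{
    char out[16];
    if (format_with_prefix(out, sizeof out, "10.0.0.1", 24))
        printf("fits:      %s\n", out);

    char small[10];                     /* too small for "10.0.0.1/24" */
    if (!format_with_prefix(small, sizeof small, "10.0.0.1", 24))
        printf("truncated: %s\n", small);
    return 0;
}
```

Running it prints the full "10.0.0.1/24" for the 16-byte buffer and only "10.0.0.1" for the 10-byte one, with no write beyond either buffer. The same check, with a sentinel byte placed just past the declared length, is the quickest way to confirm in a review that a flagged strcpy is actually bounded by its guard.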