Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/otpw-1.5/demologin.c
Examining data/otpw-1.5/md.c
Examining data/otpw-1.5/md.h
Examining data/otpw-1.5/otpw-gen.c
Examining data/otpw-1.5/otpw-l.c
Examining data/otpw-1.5/otpw.h
Examining data/otpw-1.5/pam_otpw.c
Examining data/otpw-1.5/rmd160.c
Examining data/otpw-1.5/rmd160.h
Examining data/otpw-1.5/otpw.c

FINAL RESULTS:

data/otpw-1.5/otpw.c:421:7:  [5] (race) readlink:
  This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
  i = readlink(ch->lockfilename, lock, sizeof(lock)-1);
data/otpw-1.5/demologin.c:132:25:  [4] (crypto) crypt:
  The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  if (!user || strcmp(crypt(password, user->pwd.pw_passwd),
data/otpw-1.5/otpw-gen.c:279:7:  [4] (shell) popen:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
  f = popen(command, "r");
data/otpw-1.5/otpw-gen.c:758:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(fnout, pseudouser->pwd.pw_dir);
data/otpw-1.5/otpw-gen.c:760:7:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(fnout, user->pwd.pw_name);
data/otpw-1.5/otpw-gen.c:766:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(fnout, user->pwd.pw_dir);
data/otpw-1.5/otpw-gen.c:768:7:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(fnout, otpw_file);
data/otpw-1.5/otpw-gen.c:966:5:  [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  snprintf(header, sizeof(header), regenerate ?
data/otpw-1.5/otpw-gen.c:995:7:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(normal_masterkey, masterkey);
data/otpw-1.5/otpw-gen.c:1044:2:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  printf(NL);
data/otpw-1.5/otpw-gen.c:1047:7:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  printf(NL NL "%*s", (cols*(challen + 1 + pwlen + 2) - 2)/2 + 50/2,
data/otpw-1.5/otpw-gen.c:1051:7:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  printf(FF);
data/otpw-1.5/otpw-gen.c:1053:7:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  printf(NL);
data/otpw-1.5/otpw-gen.c:1076:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(fntmp, fnout);
data/otpw-1.5/otpw-gen.c:1077:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(fntmp, tmpsuffix);
data/otpw-1.5/otpw-gen.c:1120:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(fntmp, fnout);
data/otpw-1.5/otpw-gen.c:1121:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(fntmp, otpw_locksuffix);
data/otpw-1.5/otpw.c:24:28:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  { fprintf(stderr, __VA_ARGS__); fputc('\n', stderr); }
data/otpw-1.5/otpw.c:278:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ch->filename, otpw_pseudouser->pwd.pw_dir);
data/otpw-1.5/otpw.c:280:5:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(ch->filename, user->pw_name);
data/otpw-1.5/otpw.c:289:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ch->filename, user->pw_dir);
data/otpw-1.5/otpw.c:291:5:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(ch->filename, otpw_file);
data/otpw-1.5/otpw.c:302:3:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(ch->lockfilename, ch->filename);
data/otpw-1.5/otpw.c:303:3:  [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
  strcat(ch->lockfilename, otpw_locksuffix);
data/otpw-1.5/otpw.c:457:5:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(ch->challenge + strlen(ch->challenge), "%s%.*s",
data/otpw-1.5/pam_otpw.c:177:3:  [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  vsnprintf(message, sizeof(message), format, args);
data/otpw-1.5/demologin.c:29:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char username[81] = "", password[81];
data/otpw-1.5/md.c:50:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(md->buf + remaining, src, chunk);
data/otpw-1.5/md.c:69:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(md->buf, src, len);
data/otpw-1.5/md.c:89:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char result[MD_LEN];
data/otpw-1.5/md.c:91:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *pattern[8] = {
data/otpw-1.5/md.c:104:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char md_result[9][MD_LEN] = {
data/otpw-1.5/md.c:126:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char md_result[9][MD_LEN] = {
data/otpw-1.5/md.h:20:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char md[MD_LEN]; /* internal status of hash function */
data/otpw-1.5/md.h:21:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[MD_BUFLEN]; /* buffer for stream-like interface */
data/otpw-1.5/otpw-gen.c:59:1:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char word[2048][4] = {
data/otpw-1.5/otpw-gen.c:275:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[128];
data/otpw-1.5/otpw-gen.c:362:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char r[MD_LEN];
data/otpw-1.5/otpw-gen.c:568:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf + i * 5, word[k], 4);
data/otpw-1.5/otpw-gen.c:585:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char r[MD_LEN], h[MD_LEN];
data/otpw-1.5/otpw-gen.c:590:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char timestr[81], hostname[81], challenge[81];
data/otpw-1.5/otpw-gen.c:591:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char password1[1024], password2[1024];
data/otpw-1.5/otpw-gen.c:595:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char header[LINE_MAX];
data/otpw-1.5/otpw-gen.c:624:13:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  height = atoi(argv[i]);
data/otpw-1.5/otpw-gen.c:629:12:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  width = atoi(argv[i]);
data/otpw-1.5/otpw-gen.c:634:12:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  pages = atoi(argv[i]);
data/otpw-1.5/otpw-gen.c:642:34:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  if (++i >= argc || (entropy = atoi(argv[i])) < 1)
data/otpw-1.5/otpw-gen.c:647:38:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  if (++i >= argc || (key_entropy = atoi(argv[i])) < 1)
data/otpw-1.5/otpw-gen.c:661:11:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  type = atoi(argv[i]);
data/otpw-1.5/otpw-gen.c:669:15:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  key_type = atoi(argv[i]);
data/otpw-1.5/otpw-gen.c:905:9:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen(fnout, "r");
data/otpw-1.5/otpw-gen.c:963:5:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(hostname, "???");
data/otpw-1.5/otpw-gen.c:1039:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(hbuf + k * hbuflen, "%0*d", challen, k);
data/otpw-1.5/otpw-gen.c:1078:7:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen(fntmp, "w");
data/otpw-1.5/otpw-gen.c:1101:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(hbuf + i*hbuflen, hbuf + k*hbuflen, hbuflen);
data/otpw-1.5/otpw.c:142:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char rbs[MD_LEN];
data/otpw-1.5/otpw.c:155:15:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  devrandom = open("/dev/urandom", O_RDONLY);
data/otpw-1.5/otpw.c:237:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[81];
data/otpw-1.5/otpw.c:238:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char lock[81];
data/otpw-1.5/otpw.c:239:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char r[MD_LEN];
data/otpw-1.5/otpw.c:314:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!(f = fopen(ch->filename, "r"))) {
data/otpw-1.5/otpw.c:357:5:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(hbuf + i*hbuflen, line, hbuflen);
data/otpw-1.5/otpw.c:500:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[81];
data/otpw-1.5/otpw.c:501:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char h[MD_LEN];
data/otpw-1.5/otpw.c:603:13:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (!(f = fopen(ch->filename, "r+"))) {
data/otpw-1.5/otpw.h:32:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char challenge[81]; /* print this string before "Password:" */
data/otpw-1.5/otpw.h:88:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[0]; /* actual size is buflen if allocated by otpw_malloc_pwdbuf() */
data/otpw-1.5/pam_otpw.c:46:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char logname[80];
data/otpw-1.5/pam_otpw.c:124:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char message[81];
data/otpw-1.5/pam_otpw.c:172:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char message[1024];
data/otpw-1.5/demologin.c:51:7:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(username, argv[i], sizeof(username));
data/otpw-1.5/demologin.c:62:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  username[strlen(username) - 1] = 0;
data/otpw-1.5/demologin.c:66:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  use_otpw = username[strlen(username) - 1] == '/';
data/otpw-1.5/demologin.c:69:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  username[strlen(username) - 1] = 0;
data/otpw-1.5/demologin.c:107:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  password[strlen(password) - 1] = 0;
data/otpw-1.5/md.c:162:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  md_add(&md, pattern[i/2], strlen(pattern[i/2]));
data/otpw-1.5/otpw-gen.c:577:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  assert((int) strlen(buf) == pwlen);
data/otpw-1.5/otpw-gen.c:652:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(argv[i]+j) == 2 &&
data/otpw-1.5/otpw-gen.c:755:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fnout = (char *) malloc(strlen(pseudouser->pwd.pw_dir) + 1 +
data/otpw-1.5/otpw-gen.c:756:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(user->pwd.pw_name) + 1);
data/otpw-1.5/otpw-gen.c:759:7:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(fnout, "/");
data/otpw-1.5/otpw-gen.c:763:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fnout = (char *) malloc(strlen(user->pwd.pw_dir) + 1 +
data/otpw-1.5/otpw-gen.c:764:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(otpw_file) + 1);
data/otpw-1.5/otpw-gen.c:767:7:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(fnout, "/");
data/otpw-1.5/otpw-gen.c:935:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  password1[strlen(password1)-1] = 0; /* remove last character = LF */
data/otpw-1.5/otpw-gen.c:939:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  md_add(&md, normal_masterkey, strlen(normal_masterkey));
data/otpw-1.5/otpw-gen.c:951:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  password1[strlen(password1)-1] = 0; /* remove last character = LF */
data/otpw-1.5/otpw-gen.c:998:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  md_add(&md, normal_masterkey, strlen(normal_masterkey));
data/otpw-1.5/otpw-gen.c:1018:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  md_add(&md, normal_masterkey, strlen(normal_masterkey));
data/otpw-1.5/otpw-gen.c:1019:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  md_add(&md, challenge, strlen(challenge));
data/otpw-1.5/otpw-gen.c:1035:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  md_add(&md, password1, strlen(password1));
data/otpw-1.5/otpw-gen.c:1074:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fntmp = (char *) malloc(strlen(fnout)+strlen(tmpsuffix)+1);
data/otpw-1.5/otpw-gen.c:1074:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fntmp = (char *) malloc(strlen(fnout)+strlen(tmpsuffix)+1);
data/otpw-1.5/otpw-gen.c:1118:27:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fntmp = (char *) malloc(strlen(fnout)+strlen(otpw_locksuffix)+1);
data/otpw-1.5/otpw-gen.c:1118:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fntmp = (char *) malloc(strlen(fnout)+strlen(otpw_locksuffix)+1);
data/otpw-1.5/otpw.c:157:5:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  read(devrandom, rbs, sizeof(rbs));
data/otpw-1.5/otpw.c:272:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ch->filename = (char *) malloc(strlen(otpw_pseudouser->pwd.pw_dir) + 1 +
data/otpw-1.5/otpw.c:273:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(user->pw_name) + 1);
data/otpw-1.5/otpw.c:279:5:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(ch->filename, "/");
data/otpw-1.5/otpw.c:284:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ch->filename = (char *) malloc(strlen(user->pw_dir)+1+strlen(otpw_file)+1);
data/otpw-1.5/otpw.c:284:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ch->filename = (char *) malloc(strlen(user->pw_dir)+1+strlen(otpw_file)+1);
data/otpw-1.5/otpw.c:290:5:  [1] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant character.
  strcat(ch->filename, "/");
data/otpw-1.5/otpw.c:296:38:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ch->lockfilename = (char *) malloc(strlen(ch->filename) +
data/otpw-1.5/otpw.c:297:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(otpw_locksuffix) + 1);
data/otpw-1.5/otpw.c:353:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  (int) strlen(line) != hbuflen + 1) {
data/otpw-1.5/otpw.c:368:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(ch->challenge, hbuf + j*hbuflen, ch->challen);
data/otpw-1.5/otpw.c:376:3:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(ch->hash[0], hbuf + j*hbuflen + ch->challen, ch->hlen);
data/otpw-1.5/otpw.c:424:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((int) strlen(lock) != ch->challen) {
data/otpw-1.5/otpw.c:442:3:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(ch->challenge) < sizeof(ch->challenge) - ch->challen - 2) {
data/otpw-1.5/otpw.c:457:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf(ch->challenge + strlen(ch->challenge), "%s%.*s",
data/otpw-1.5/otpw.c:466:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(ch->hash[ch->passwords], hbuf + j*hbuflen + ch->challen, ch->hlen);
data/otpw-1.5/otpw.c:535:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  l = strlen(password) - 1;

ANALYSIS SUMMARY:

Hits = 112
Lines analyzed = 3077 in approximately 0.19 seconds (16393 lines/second)
Physical Source Lines of Code (SLOC) = 2333
Hits@level = [0]  68 [1]  42 [2]  44 [3]   0 [4]  25 [5]   1
Hits@level+ = [0+] 180 [1+] 112 [2+]  70 [3+]  26 [4+]  26 [5+]   1
Hits/KSLOC@level+ = [0+] 77.1539 [1+] 48.0069 [2+] 30.0043 [3+] 11.1444 [4+] 11.1444 [5+] 0.428633
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.