Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/puma-4.3.6/ext/puma_http11/ext_help.h
Examining data/puma-4.3.6/ext/puma_http11/http11_parser.c
Examining data/puma-4.3.6/ext/puma_http11/http11_parser.h
Examining data/puma-4.3.6/ext/puma_http11/io_buffer.c
Examining data/puma-4.3.6/ext/puma_http11/mini_ssl.c
Examining data/puma-4.3.6/ext/puma_http11/puma_http11.c
FINAL RESULTS:
data/puma-4.3.6/ext/puma_http11/http11_parser.h:52:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[BUFFER_LEN];
data/puma-4.3.6/ext/puma_http11/io_buffer.c:56:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(top, old, used);
data/puma-4.3.6/ext/puma_http11/io_buffer.c:63:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(b->cur, RSTRING_PTR(str), str_len);
data/puma-4.3.6/ext/puma_http11/io_buffer.c:97:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(top, old, used);
data/puma-4.3.6/ext/puma_http11/io_buffer.c:108:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(b->cur, RSTRING_PTR(str), str_len);
data/puma-4.3.6/ext/puma_http11/mini_ssl.c:300:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[512];
data/puma-4.3.6/ext/puma_http11/mini_ssl.c:301:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char msg[512];
data/puma-4.3.6/ext/puma_http11/mini_ssl.c:333:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[512];
data/puma-4.3.6/ext/puma_http11/mini_ssl.c:385:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[512];
data/puma-4.3.6/ext/puma_http11/puma_http11.c:134:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tmp[256]; /* MAX_FIELD_NAME_LENGTH */
data/puma-4.3.6/ext/puma_http11/puma_http11.c:135:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(tmp, HTTP_PREFIX, HTTP_PREFIX_LEN);
data/puma-4.3.6/ext/puma_http11/puma_http11.c:141:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(tmp + HTTP_PREFIX_LEN, cf->name, cf->len + 1);
data/puma-4.3.6/ext/puma_http11/puma_http11.c:198:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(hp->buf, HTTP_PREFIX, HTTP_PREFIX_LEN);
data/puma-4.3.6/ext/puma_http11/puma_http11.c:199:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(hp->buf + HTTP_PREFIX_LEN, field, flen);
data/puma-4.3.6/ext/puma_http11/mini_ssl.c:25:8: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
BIO* read;
data/puma-4.3.6/ext/puma_http11/mini_ssl.c:54:22: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
BIO_set_nbio(conn->read, 1);
data/puma-4.3.6/ext/puma_http11/mini_ssl.c:256:26: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
SSL_set_bio(ssl, conn->read, conn->write);
data/puma-4.3.6/ext/puma_http11/mini_ssl.c:274:32: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
SSL_set_bio(conn->ssl, conn->read, conn->write);
data/puma-4.3.6/ext/puma_http11/mini_ssl.c:288:26: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
used = BIO_write(conn->read, RSTRING_PTR(str), (int)RSTRING_LEN(str));
ANALYSIS SUMMARY:
Hits = 19
Lines analyzed = 2337 in approximately 0.10 seconds (23784 lines/second)
Physical Source Lines of Code (SLOC) = 1897
Hits@level = [0] 5 [1] 5 [2] 14 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 24 [1+] 19 [2+] 14 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 12.6516 [1+] 10.0158 [2+] 7.38007 [3+] 0 [4+] 0 [5+] 0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.