Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/rancid-3.13/include/version.h
Examining data/rancid-3.13/include/config.h
Examining data/rancid-3.13/bin/hpuifilter.c
Examining data/rancid-3.13/bin/par.c
FINAL RESULTS:
data/rancid-3.13/bin/hpuifilter.c:816:10: [5] (race) chown:
This accepts filename arguments; if an attacker can move those files, a
race condition results. (CWE-362). Use fchown( ) instead.
if (chown(line, getuid(), ttygid) == 0 &&
data/rancid-3.13/bin/hpuifilter.c:817:3: [5] (race) chmod:
This accepts filename arguments; if an attacker can move those files, a
race condition results. (CWE-362). Use fchmod( ) instead.
chmod(line, mode) == 0 &&
data/rancid-3.13/bin/hpuifilter.c:305:2: [4] (shell) execvp:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execvp(argv[optind], argv + optind);
data/rancid-3.13/bin/hpuifilter.c:823:13: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
(void)strcpy(name, linep);
data/rancid-3.13/bin/par.c:732:14: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
if ((vlen = vsnprintf(*ret, len, format, ap)) < len &&
data/rancid-3.13/bin/par.c:826:2: [4] (shell) execvp:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execvp(cmd[0], cmd);
data/rancid-3.13/bin/par.c:1212:2: [4] (shell) execvp:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execvp(new[0], new);
data/rancid-3.13/bin/par.c:1289:2: [4] (shell) execvp:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execvp(new[0], new);
data/rancid-3.13/bin/par.c:1342:2: [4] (shell) execvp:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
execvp(cmd[0], cmd);
data/rancid-3.13/bin/hpuifilter.c:175:17: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((i = getopt(argc, argv, "dhvt:")) != -1 )
data/rancid-3.13/bin/par.c:199:17: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((i = getopt(argc, argv, "FHdefhiqxvc:e:l:n:p:")) != -1 )
data/rancid-3.13/bin/hpuifilter.c:149:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hbuf[BUFSZ], /* hlogin buffer */
data/rancid-3.13/bin/hpuifilter.c:181:14: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
timeo = atoi(optarg);
data/rancid-3.13/bin/hpuifilter.c:322:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
devnull = open("/dev/null", O_RDWR);
data/rancid-3.13/bin/hpuifilter.c:549:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char reg[N_REG][50] = { /* vt100/220 escape codes */
data/rancid-3.13/bin/hpuifilter.c:575:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char bufstr[3] = {ESC, '\x07', '\0'},
data/rancid-3.13/bin/hpuifilter.c:755:3: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open("/dev/ptmx_bsd", O_RDWR))
data/rancid-3.13/bin/hpuifilter.c:757:3: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open("/dev/ptmx", O_RDWR))
data/rancid-3.13/bin/hpuifilter.c:766:15: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((slave = open(linep, O_RDWR)) < 0) {
data/rancid-3.13/bin/hpuifilter.c:774:6: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[10240];
data/rancid-3.13/bin/hpuifilter.c:806:20: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((master = open(line, O_RDWR, 0)) == -1) {
data/rancid-3.13/bin/hpuifilter.c:818:12: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
(slave = open(line, O_RDWR, 0)) != -1) {
data/rancid-3.13/bin/par.c:187:20: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((devnull = open("/dev/null", O_RDWR, 0666)) == -1) {
data/rancid-3.13/bin/par.c:236:14: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
n_opt = atoi(optarg);
data/rancid-3.13/bin/par.c:243:14: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
p_opt = atoi(optarg);
data/rancid-3.13/bin/par.c:309:30: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((progeny[i].logfd = open(progeny[i].logfname,
data/rancid-3.13/bin/par.c:481:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ptr, src[i++], len);
data/rancid-3.13/bin/par.c:524:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[LINE_MAX * 2]; /* temporary space */
data/rancid-3.13/bin/par.c:600:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&buf[b], &ptr[c], len);
data/rancid-3.13/bin/par.c:949:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy((*args)[argn], &line[b], (c - b));
data/rancid-3.13/bin/par.c:993:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[LINE_MAX + 1];
data/rancid-3.13/bin/par.c:1002:12: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((*F = fopen(fname, "r")) == NULL) {
data/rancid-3.13/bin/hpuifilter.c:289:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
write(0, ptyname, strlen(ptyname));
data/rancid-3.13/bin/hpuifilter.c:298:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
write(0, ptyname, strlen(ptyname));
data/rancid-3.13/bin/hpuifilter.c:308:20: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
write(0, ptyname, strlen(ptyname));
data/rancid-3.13/bin/hpuifilter.c:447:11: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bytes = read(pfds[0].fd, hbuf + hlen, (BUFSZ - 1) - hlen);
data/rancid-3.13/bin/hpuifilter.c:464:11: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
bytes = read(pfds[2].fd, tbuf + tlen, (BUFSZ - 1) - tlen);
data/rancid-3.13/bin/hpuifilter.c:489:18: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ((bytes = read(pfds[2].fd, tbuf, (BUFSZ - 1))) > 0) {
data/rancid-3.13/bin/hpuifilter.c:495:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ((hlen = read(pfds[0].fd, hbuf, (BUFSZ - 1))) > 0) {
data/rancid-3.13/bin/hpuifilter.c:700:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(name);
data/rancid-3.13/bin/par.c:471:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len += strlen(src[i++]);
data/rancid-3.13/bin/par.c:480:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(src[i]);
data/rancid-3.13/bin/par.c:620:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(args[argn]);
data/rancid-3.13/bin/par.c:719:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(format) + 1;
data/rancid-3.13/bin/par.c:810:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ct = ctime(&t); ct[strlen(ct) - 1] = '\0';
data/rancid-3.13/bin/par.c:881:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
llen = strlen(line);
data/rancid-3.13/bin/par.c:1013:15: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
switch ((e = fgetc(*F))) {
data/rancid-3.13/bin/par.c:1021:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
e = strlen(buf);
data/rancid-3.13/bin/par.c:1059:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
e = strlen(buf);
data/rancid-3.13/bin/par.c:1196:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ct = ctime(&t); ct[strlen(ct) - 1] = '\0';
data/rancid-3.13/bin/par.c:1273:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ct = ctime(&t); ct[strlen(ct) - 1] = '\0';
data/rancid-3.13/bin/par.c:1436:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
str = ctime(&t); str[strlen(str) - 1] = '\0';
ANALYSIS SUMMARY:
Hits = 52
Lines analyzed = 2570 in approximately 0.20 seconds (12622 lines/second)
Physical Source Lines of Code (SLOC) = 1791
Hits@level = [0] 89 [1] 20 [2] 21 [3] 2 [4] 7 [5] 2
Hits@level+ = [0+] 141 [1+] 52 [2+] 32 [3+] 11 [4+] 9 [5+] 2
Hits/KSLOC@level+ = [0+] 78.727 [1+] 29.0341 [2+] 17.8671 [3+] 6.14182 [4+] 5.02513 [5+] 1.11669
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.