Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/rbootd-3.0/bpf.c
Examining data/rbootd-3.0/conf.c
Examining data/rbootd-3.0/defs.h
Examining data/rbootd-3.0/parseconf.c
Examining data/rbootd-3.0/pathnames.h
Examining data/rbootd-3.0/pcap.c
Examining data/rbootd-3.0/rbootd.c
Examining data/rbootd-3.0/rmp.h
Examining data/rbootd-3.0/rmp_var.h
Examining data/rbootd-3.0/rmpproto.c
Examining data/rbootd-3.0/utils.c

FINAL RESULTS:

data/rbootd-3.0/bpf.c:99:10: [4] (format) sprintf:
  Potential format string problem (CWE-134). Make format string constant.
  (void) sprintf(bpfdev, _PATH_BPF, n++);
data/rbootd-3.0/bpf.c:295:9: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  (void) strcpy(device, mp->ifr_name);
data/rbootd-3.0/pcap.c:113:4: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(netdev, alldevsp->name);
data/rbootd-3.0/pcap.c:218:7: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy (req.ifr_name, IntfName);
data/rbootd-3.0/rbootd.c:184:4: [4] (format) syslog:
  If syslog's format strings can be influenced by an attacker, they can be exploited (CWE-134).
  Use a constant format string for syslog.
  syslog(LOG_ERR, errmsg, 0);
data/rbootd-3.0/utils.c:144:11: [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134).
  Use a constant for the format specification.
  (void) fprintf(DbgFp, BootFmt, rmp->r_brq.rmp_retcode,
data/rbootd-3.0/utils.c:155:11: [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134).
  Use a constant for the format specification.
  (void) fprintf(DbgFp, BootFmt, rmp->r_brpl.rmp_retcode,
data/rbootd-3.0/utils.c:163:11: [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134).
  Use a constant for the format specification.
  (void) fprintf(DbgFp, ReadFmt, rmp->r_rrq.rmp_retcode,
data/rbootd-3.0/utils.c:171:11: [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134).
  Use a constant for the format specification.
  (void) fprintf(DbgFp, ReadFmt, rmp->r_rrpl.rmp_retcode,
data/rbootd-3.0/utils.c:350:9: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  (void) strcpy(stmp, str);
data/rbootd-3.0/rbootd.c:114:14: [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20).
  Check implementation on installation, or limit the size of all string inputs.
  while ((c = getopt(argc, argv, "adi:")) != EOF)
data/rbootd-3.0/bpf.c:92:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char bpfdev[32];
data/rbootd-3.0/bpf.c:100:11: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  BpfFd = open(bpfdev, O_RDWR);
data/rbootd-3.0/bpf.c:150:2: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy(&RmpMcastAddr[0], (char *)&ifr.ifr_addr.sa_data[0], RMP_ADDRLEN);
data/rbootd-3.0/bpf.c:231:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char device[sizeof(ifrp->ifr_name)];
data/rbootd-3.0/bpf.c:232:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char errbuf[128] = "No Error!";
data/rbootd-3.0/bpf.c:238:10: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  Risk is low because the source is a constant string.
  (void) strcpy(errbuf, "bpf: socket: %m");
data/rbootd-3.0/bpf.c:247:10: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  Risk is low because the source is a constant string.
  (void) strcpy(errbuf, "bpf: ioctl(OSIOCGIFCONF): %m");
data/rbootd-3.0/bpf.c:253:10: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  Risk is low because the source is a constant string.
  (void) strcpy(errbuf, "bpf: ioctl(SIOCGIFCONF): %m");
data/rbootd-3.0/bpf.c:264:11: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  Risk is low because the source is a constant string.
  (void) strcpy(errbuf, "bpf: ioctl(SIOCGIFFLAGS): %m");
data/rbootd-3.0/bpf.c:282:7: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190).
  If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  n = atoi(cp);
data/rbootd-3.0/bpf.c:291:10: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  Risk is low because the source is a constant string.
  (void) strcpy(errbuf, "bpf: no interfaces found");
data/rbootd-3.0/bpf.c:354:4: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy((char *)&bhp->bh_tstamp, (char *)&rconn->tstamp,
data/rbootd-3.0/bpf.c:356:4: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy((char *)bp + hdrlen, (char *)&rconn->rmp, caplen);
data/rbootd-3.0/bpf.c:419:2: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy(&RmpMcastAddr[0], (char *)&ifr.ifr_addr.sa_data[0], RMP_ADDRLEN);
data/rbootd-3.0/conf.c:71:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char MyHost[MAXHOSTNAMELEN+1]; /* host name */
data/rbootd-3.0/conf.c:87:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *BootFiles[C_MAXFILE]; /* list of boot files */
data/rbootd-3.0/defs.h:119:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *files[C_MAXFILE]; /* boot-able files */
data/rbootd-3.0/parseconf.c:89:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char line[C_LINELEN];
data/rbootd-3.0/parseconf.c:100:12: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((fp = fopen(ConfigFile, "r")) == NULL) {
data/rbootd-3.0/pcap.c:39:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char errbuf[PCAP_ERRBUF_SIZE]; /* buffer we use to get error msgs */
data/rbootd-3.0/pcap.c:103:11: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char netdev[31];
data/rbootd-3.0/pcap.c:148:7: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy((char *)&h->ts, (char *)&rconn.tstamp, sizeof(struct timeval));
data/rbootd-3.0/pcap.c:149:7: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy(sp, (char *)&rconn.rmp, datlen); /* and copy packet over */
data/rbootd-3.0/pcap.c:231:4: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy (&sa.sll_addr, &(rconn->rmp.hp_hdr.daddr), RMP_ADDRLEN);
data/rbootd-3.0/rbootd.c:177:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char err_msg[PCAP_ERRBUF_SIZE];
data/rbootd-3.0/rbootd.c:212:13: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((fp = fopen(PidFile, "w")) != NULL) {
data/rbootd-3.0/rbootd.c:569:16: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((DbgFp = fopen(DbgFile, "w")) == NULL)
data/rbootd-3.0/rmp_var.h:184:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char rmp_machtype[RMP_MACHLEN]; /* machine type */
data/rbootd-3.0/rmpproto.c:299:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *filename, filepath[RMPBOOTDATA+1];
data/rbootd-3.0/rmpproto.c:386:23: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((rconn->bootfd = open(filename, O_RDONLY, 0600)) < 0) {
data/rbootd-3.0/rmpproto.c:595:2: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy((char *)&rconn->rmp.hp_hdr.saddr[0],
data/rbootd-3.0/utils.c:218:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char etherstr[RMP_ADDRLEN*3];
data/rbootd-3.0/utils.c:294:2: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy(addr, &ctmp->addr[0], RMP_ADDRLEN);
data/rbootd-3.0/utils.c:395:2: [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy((char *)rconn, (char *)rtmp, sizeof(RMPCONN));
data/rbootd-3.0/bpf.c:112:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  (void) strncpy(ifr.ifr_name, IntfName, sizeof(ifr.ifr_name));
data/rbootd-3.0/bpf.c:326:13: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if ((cc = read(BpfFd, (char *)BpfPkt, (int)BpfLen)) < 0) {
data/rbootd-3.0/rmpproto.c:360:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(filename)==0) {
data/rbootd-3.0/rmpproto.c:365:6: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(filename, filelist[0],RMPBOOTDATA);
data/rbootd-3.0/rmpproto.c:491:14: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if ((size = read(oldconn->bootfd, &rpl->r_rrpl.rmp_data,
data/rbootd-3.0/utils.c:345:41: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((stmp = (char *)malloc((unsigned) (strlen(str)+1))) == NULL) {

ANALYSIS SUMMARY:

Hits = 51
Lines analyzed = 3507 in approximately 0.17 seconds (20445 lines/second)
Physical Source Lines of Code (SLOC) = 1656
Hits@level = [0] 77 [1] 6 [2] 34 [3] 1 [4] 10 [5] 0
Hits@level+ = [0+] 128 [1+] 51 [2+] 45 [3+] 11 [4+] 10 [5+] 0
Hits/KSLOC@level+ = [0+] 77.2947 [1+] 30.7971 [2+] 27.1739 [3+] 6.64251 [4+] 6.03865 [5+] 0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.