Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/reglookup-1.0.1+svn287/python/experimental/regfi/pyregfi.h
Examining data/reglookup-1.0.1+svn287/python/experimental/regfi/class.c
Examining data/reglookup-1.0.1+svn287/python/experimental/regfi/regfi.c
Examining data/reglookup-1.0.1+svn287/python/experimental/regfi/error.c
Examining data/reglookup-1.0.1+svn287/python/experimental/include/class.h
Examining data/reglookup-1.0.1+svn287/python/experimental/include/aff4_errors.h
Examining data/reglookup-1.0.1+svn287/src/reglookup.c
Examining data/reglookup-1.0.1+svn287/src/reglookup-recover.c
Examining data/reglookup-1.0.1+svn287/src/common.c
Examining data/reglookup-1.0.1+svn287/lib/winsec.c
Examining data/reglookup-1.0.1+svn287/lib/regfi.c
Examining data/reglookup-1.0.1+svn287/lib/range_list.c
Examining data/reglookup-1.0.1+svn287/lib/lru_cache.c
Examining data/reglookup-1.0.1+svn287/lib/void_stack.c
Examining data/reglookup-1.0.1+svn287/include/lru_cache.h
Examining data/reglookup-1.0.1+svn287/include/range_list.h
Examining data/reglookup-1.0.1+svn287/include/void_stack.h
Examining data/reglookup-1.0.1+svn287/include/compat.h
Examining data/reglookup-1.0.1+svn287/include/byteorder.h
Examining data/reglookup-1.0.1+svn287/include/winsec.h
Examining data/reglookup-1.0.1+svn287/include/regfi.h

FINAL RESULTS:

data/reglookup-1.0.1+svn287/lib/regfi.c:168:3: [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
data/reglookup-1.0.1+svn287/lib/regfi.c:307:7: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(fo, flag_map[i]);
data/reglookup-1.0.1+svn287/lib/regfi.c:386:7: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(r, perm_map[i]);
data/reglookup-1.0.1+svn287/lib/regfi.c:442:10: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
data/reglookup-1.0.1+svn287/python/experimental/regfi/error.c:35:5: [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  vsnprintf(error_buffer, ERROR_BUFFER_SIZE-1, reason,ap);
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:955:7: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
data/reglookup-1.0.1+svn287/include/byteorder.h:120:52: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  #define CVAL(buf,pos) ((unsigned)(((const unsigned char *)(buf))[pos]))
data/reglookup-1.0.1+svn287/include/byteorder.h:121:38: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  #define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */
data/reglookup-1.0.1+svn287/lib/lru_cache.c:257:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(e->index, index, index_len);
data/reglookup-1.0.1+svn287/lib/regfi.c:154:5: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(new_msg+buf_used, "INFO: ");
data/reglookup-1.0.1+svn287/lib/regfi.c:158:5: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(new_msg+buf_used, "WARN: ");
data/reglookup-1.0.1+svn287/lib/regfi.c:162:5: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(new_msg+buf_used, "ERROR: ");
data/reglookup-1.0.1+svn287/lib/regfi.c:316:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(fo, "0x%.2X ", flags);
data/reglookup-1.0.1+svn287/lib/regfi.c:395:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(r, "0x%.8X ", perms);
data/reglookup-1.0.1+svn287/lib/regfi.c:2774:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
data/reglookup-1.0.1+svn287/lib/regfi.c:2796:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
data/reglookup-1.0.1+svn287/lib/regfi.c:2814:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
data/reglookup-1.0.1+svn287/lib/regfi.c:2815:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
data/reglookup-1.0.1+svn287/lib/regfi.c:2872:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(hbin->magic, hbin_header, 4);
data/reglookup-1.0.1+svn287/lib/winsec.c:293:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ret_val->id_auth, buf+2, 6);
data/reglookup-1.0.1+svn287/lib/winsec.c:330:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ret_val->clock_seq, buf+0x8, 2);
data/reglookup-1.0.1+svn287/lib/winsec.c:331:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ret_val->node, buf+0xB, 6);
data/reglookup-1.0.1+svn287/lib/winsec.c:429:11: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  Risk is low because the source has a constant maximum length.
  left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
data/reglookup-1.0.1+svn287/python/experimental/regfi/regfi.c:37:14: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  self->fd = open(filename, O_RDONLY);
data/reglookup-1.0.1+svn287/python/experimental/regfi/regfi.c:408:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buff, self->data->raw, available_to_read);
data/reglookup-1.0.1+svn287/src/common.c:176:5: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(*error_msg, "Data pointer was NULL or size was 0.");
data/reglookup-1.0.1+svn287/src/common.c:187:5: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(*error_msg, "Data could not be interpreted, quoting raw buffer.");
data/reglookup-1.0.1+svn287/src/common.c:196:2: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(*error_msg, "Buffer could not be quoted due to unknown error.");
data/reglookup-1.0.1+svn287/src/common.c:206:2: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(*error_msg, "Buffer could not be quoted due to unknown error.");
data/reglookup-1.0.1+svn287/src/common.c:214:2: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy(*error_msg, "Buffer could not be quoted due to unknown error.");
data/reglookup-1.0.1+svn287/src/common.c:224:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(ret_val, "0x%.8X", data->interpreted.dword);
data/reglookup-1.0.1+svn287/src/common.c:233:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(ret_val, "0x%.8X", data->interpreted.dword_be);
data/reglookup-1.0.1+svn287/src/common.c:242:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(ret_val, "0x%.16llX",
data/reglookup-1.0.1+svn287/src/common.c:311:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(*error_msg,
data/reglookup-1.0.1+svn287/src/common.c:353:18: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if ((ret_val = open(filename, REGLOOKUP_OPEN_FLAGS)) == -1)
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:71:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char mtime[24];
data/reglookup-1.0.1+svn287/src/reglookup.c:67:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char mtime[20];
data/reglookup-1.0.1+svn287/src/reglookup.c:171:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(copy, cur, next-cur);
data/reglookup-1.0.1+svn287/src/reglookup.c:295:10: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char empty_str[1] = "";
data/reglookup-1.0.1+svn287/src/reglookup.c:300:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char mtime[24];
data/reglookup-1.0.1+svn287/include/regfi.h:701:15: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  ssize_t (* read)(); /* (REGFI_RAW_FILE* self, void* buf, size_t count) */
data/reglookup-1.0.1+svn287/lib/regfi.c:143:16: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  buf_used = strlen(log_info->messages);
data/reglookup-1.0.1+svn287/lib/regfi.c:145:23: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  buf_size = buf_used+strlen(fmt)+160;
data/reglookup-1.0.1+svn287/lib/regfi.c:170:3: [1] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf, or automatically resizing strings. Risk is low because the source is a constant character.
  strncat(new_msg, "\n", buf_size-1);
data/reglookup-1.0.1+svn287/lib/regfi.c:308:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  fo += strlen(flag_map[i]);
data/reglookup-1.0.1+svn287/lib/regfi.c:387:12: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  r += strlen(perm_map[i]);
data/reglookup-1.0.1+svn287/lib/regfi.c:429:15: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  extra = strlen(sid_str) + strlen(type_str)
data/reglookup-1.0.1+svn287/lib/regfi.c:429:33: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  extra = strlen(sid_str) + strlen(type_str)
data/reglookup-1.0.1+svn287/lib/regfi.c:430:4: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  + strlen(perms_str) + strlen(flags_str) + 5;
data/reglookup-1.0.1+svn287/lib/regfi.c:430:24: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  + strlen(perms_str) + strlen(flags_str) + 5;
data/reglookup-1.0.1+svn287/lib/regfi.c:577:10: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  return read(*(int*)self->state, buf, count);
data/reglookup-1.0.1+svn287/lib/regfi.c:609:21: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  rret = file_cb->read(file_cb,
data/reglookup-1.0.1+svn287/python/experimental/include/class.h:379:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define ZSTRING_NO_NULL(str) str , (strlen(str))
data/reglookup-1.0.1+svn287/python/experimental/include/class.h:380:29: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define ZSTRING(str) str , (strlen(str)+1)
data/reglookup-1.0.1+svn287/src/common.c:148:9: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(str);
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:302:22: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  path_element->len = strlen((char*)path_element->buf);
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:948:32: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:948:56: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
data/reglookup-1.0.1+svn287/src/reglookup.c:183:6: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if(strlen(cur) > 0)
data/reglookup-1.0.1+svn287/src/reglookup.c:250:18: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  name_len = strlen(name);
data/reglookup-1.0.1+svn287/src/reglookup.c:265:7: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(buf+(buf_len-buf_left-1), name, name_len);

ANALYSIS SUMMARY:

Hits = 61
Lines analyzed = 11536 in approximately 0.30 seconds (38610 lines/second)
Physical Source Lines of Code (SLOC) = 6731
Hits@level = [0] 104 [1] 21 [2] 34 [3] 0 [4] 6 [5] 0
Hits@level+ = [0+] 165 [1+] 61 [2+] 40 [3+] 6 [4+] 6 [5+] 0
Hits/KSLOC@level+ = [0+] 24.5134 [1+] 9.06255 [2+] 5.94265 [3+] 0.891398 [4+] 0.891398 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.