Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/tarlz-0.17/arg_parser.h
Examining data/tarlz-0.17/lzip_index.cc
Examining data/tarlz-0.17/arg_parser.cc
Examining data/tarlz-0.17/main.cc
Examining data/tarlz-0.17/create_lz.cc
Examining data/tarlz-0.17/common_decode.cc
Examining data/tarlz-0.17/archive_reader.h
Examining data/tarlz-0.17/create.cc
Examining data/tarlz-0.17/tarlz.h
Examining data/tarlz-0.17/lzip_index.h
Examining data/tarlz-0.17/extract.cc
Examining data/tarlz-0.17/archive_reader.cc
Examining data/tarlz-0.17/delete.cc
Examining data/tarlz-0.17/decode_lz.cc
Examining data/tarlz-0.17/extended.cc
Examining data/tarlz-0.17/common.cc
Examining data/tarlz-0.17/exclude.cc
Examining data/tarlz-0.17/delete_lz.cc
FINAL RESULTS:
data/tarlz-0.17/create.cc:462:18: [5] (race) readlink:
This accepts filename arguments; if an attacker can move those files or
change the link content, a race condition results. Also, it does not
terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
len = sz = readlink( filename, (char *)header + linkname_o, linkname_l );
data/tarlz-0.17/create.cc:469:18: [5] (race) readlink:
This accepts filename arguments; if an attacker can move those files or
change the link content, a race condition results. Also, it does not
terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
len = sz = readlink( filename, buf, st.st_size );
data/tarlz-0.17/extract.cc:238:18: [5] (race) chown:
This accepts filename arguments; if an attacker can move those files, a
race condition results. (CWE-362). Use fchown( ) instead.
if( !islink && chown( filename, uid, gid ) != 0 &&
data/tarlz-0.17/extract.cc:358:18: [5] (race) readlink:
This accepts filename arguments; if an attacker can move those files or
change the link content, a race condition results. Also, it does not
terminate with ASCII NUL. (CWE-362, CWE-20). Reconsider approach.
long len = readlink( filename, buf, st.st_size );
data/tarlz-0.17/main.cc:88:8: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
std::printf( "\nOptions:\n"
data/tarlz-0.17/common_decode.cc:40:51: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
void format_mode_string( const Tar_header header, char buf[mode_string_size] )
data/tarlz-0.17/common_decode.cc:44:8: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
std::memcpy( buf, "----------", mode_string_size );
data/tarlz-0.17/common_decode.cc:77:31: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[group_string_size] )
data/tarlz-0.17/create.cc:251:14: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
{ std::memcpy( header + name_o, stored_name, len ); return true; }
data/tarlz-0.17/create.cc:256:16: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
std::memcpy( header + name_o, stored_name + i + 1, len - i - 1 );
data/tarlz-0.17/create.cc:257:16: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
std::memcpy( header + prefix_o, stored_name, i );
data/tarlz-0.17/create.cc:473:38: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
if( len <= linkname_l ) std::memcpy( header + linkname_o, buf, len );
data/tarlz-0.17/extended.cc:115:8: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
std::memcpy( buf + pos, value.c_str(), value.size() );
data/tarlz-0.17/extended.cc:177:8: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
std::memcpy( buf + pos, Extended::crc_record.c_str(), crc_size );
data/tarlz-0.17/extended.cc:265:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char stored_name[prefix_l+1+name_l+1];
data/tarlz-0.17/lzip_index.cc:47:10: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buf[80];
data/tarlz-0.17/lzip_index.cc:77:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[80];
data/tarlz-0.17/lzip_index.cc:154:10: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
std::memcpy( buffer + rd_size, buffer, buffer_size - rd_size );
data/tarlz-0.17/main.cc:277:20: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
const int infd = open( name.c_str(), O_RDONLY | O_BINARY );
data/tarlz-0.17/main.cc:289:21: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
const int outfd = open( name.c_str(), flags, outfd_mode );
data/tarlz-0.17/tarlz.h:48:8: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
std::memcpy( header + magic_o, ustar_magic, magic_l - 1 );
data/tarlz-0.17/archive_reader.cc:45:16: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
int retval = read( (uint8_t *)rbuf(), bufsize );
data/tarlz-0.17/archive_reader.cc:54:21: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
int Archive_reader::read( uint8_t * const buf, const int size )
data/tarlz-0.17/archive_reader.cc:91:21: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
const int ret = read( buf, size ); if( ret != 0 ) return ret;
data/tarlz-0.17/archive_reader.cc:150:21: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
const int ret = read( buf, rsize );
data/tarlz-0.17/archive_reader.cc:170:23: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
int Archive_reader_i::read( uint8_t * const buf, const int size )
data/tarlz-0.17/archive_reader.cc:219:21: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
const int ret = read( buf, rsize );
data/tarlz-0.17/archive_reader.h:70:15: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
virtual int read( uint8_t * const buf, const int size ) = 0;
data/tarlz-0.17/archive_reader.h:88:7: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
int read( uint8_t * const buf, const int size );
data/tarlz-0.17/archive_reader.h:120:7: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
int read( uint8_t * const buf, const int size );
data/tarlz-0.17/arg_parser.cc:40:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if( std::strlen( options[i].name ) == len ) // Exact match found
data/tarlz-0.17/common.cc:125:19: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
const int n = read( fd, buf + sz, size - sz );
data/tarlz-0.17/create.cc:248:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
const int len = std::strlen( stored_name );
data/tarlz-0.17/create.cc:500:10: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
std::strncpy( (char *)header + uname_o, pw->pw_name, uname_l - 1 );
data/tarlz-0.17/create.cc:506:10: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
std::strncpy( (char *)header + gname_o, gr->gr_name, gname_l - 1 );
data/tarlz-0.17/decode_lz.cc:372:26: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
const int ret = ar.read( header, header_size );
data/tarlz-0.17/extract.cc:154:49: [1] (access) umask:
Ensure that umask is given most restrictive possible setting (e.g., 066 or
077) (CWE-732).
if( first_call ) { first_call = false; mask = umask( 0 ); umask( mask );
data/tarlz-0.17/extract.cc:154:61: [1] (access) umask:
Ensure that umask is given most restrictive possible setting (e.g., 066 or
077) (CWE-732).
if( first_call ) { first_call = false; mask = umask( 0 ); umask( mask );
data/tarlz-0.17/extract.cc:256:24: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
const int ret = ar.read( buf, rsize );
data/tarlz-0.17/extract.cc:392:23: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if( ( retval = ar.read( buf1, rsize1 ) ) != 0 ) { diff = true; break; }
data/tarlz-0.17/extract.cc:461:24: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
const int ret = ar.read( header, header_size );
data/tarlz-0.17/main.cc:150:53: [1] (obsolete) ulimit:
This C routine is considered obsolete (as opposed to the shell command by
the same name, which is NOT obsolete) (CWE-676). Use getrlimit(2),
setrlimit(2), and sysconf(3) instead.
const unsigned long long ulimit )
data/tarlz-0.17/main.cc:184:11: [1] (obsolete) ulimit:
This C routine is considered obsolete (as opposed to the shell command by
the same name, which is NOT obsolete) (CWE-676). Use getrlimit(2),
setrlimit(2), and sysconf(3) instead.
if( ulimit / factor >= result ) result *= factor;
data/tarlz-0.17/main.cc:188:47: [1] (obsolete) ulimit:
This C routine is considered obsolete (as opposed to the shell command by
the same name, which is NOT obsolete) (CWE-676). Use getrlimit(2),
setrlimit(2), and sysconf(3) instead.
if( !errno && ( result < llimit || result > ulimit ) ) errno = ERANGE;
ANALYSIS SUMMARY:
Hits = 44
Lines analyzed = 5565 in approximately 0.18 seconds (30838 lines/second)
Physical Source Lines of Code (SLOC) = 4438
Hits@level = [0] 32 [1] 23 [2] 16 [3] 0 [4] 1 [5] 4
Hits@level+ = [0+] 76 [1+] 44 [2+] 21 [3+] 5 [4+] 5 [5+] 4
Hits/KSLOC@level+ = [0+] 17.1248 [1+] 9.91438 [2+] 4.73186 [3+] 1.12663 [4+] 1.12663 [5+] 0.901307
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.