Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/tf-4.0s1/src/command.c
Examining data/tf-4.0s1/src/command.h
Examining data/tf-4.0s1/src/commands.h
Examining data/tf-4.0s1/src/dstring.c
Examining data/tf-4.0s1/src/dstring.h
Examining data/tf-4.0s1/src/enumlist.h
Examining data/tf-4.0s1/src/expand.c
Examining data/tf-4.0s1/src/expand.h
Examining data/tf-4.0s1/src/expr.c
Examining data/tf-4.0s1/src/expr.h
Examining data/tf-4.0s1/src/fd_set.h
Examining data/tf-4.0s1/src/funclist.h
Examining data/tf-4.0s1/src/globals.h
Examining data/tf-4.0s1/src/help.c
Examining data/tf-4.0s1/src/hooklist.h
Examining data/tf-4.0s1/src/keyboard.c
Examining data/tf-4.0s1/src/keyboard.h
Examining data/tf-4.0s1/src/keylist.h
Examining data/tf-4.0s1/src/macro.c
Examining data/tf-4.0s1/src/macro.h
Examining data/tf-4.0s1/src/main.c
Examining data/tf-4.0s1/src/makehelp.c
Examining data/tf-4.0s1/src/malloc.c
Examining data/tf-4.0s1/src/malloc.h
Examining data/tf-4.0s1/src/output.c
Examining data/tf-4.0s1/src/output.h
Examining data/tf-4.0s1/src/parse.h
Examining data/tf-4.0s1/src/port.h
Examining data/tf-4.0s1/src/process.c
Examining data/tf-4.0s1/src/process.h
Examining data/tf-4.0s1/src/search.c
Examining data/tf-4.0s1/src/search.h
Examining data/tf-4.0s1/src/signals.c
Examining data/tf-4.0s1/src/signals.h
Examining data/tf-4.0s1/src/tf.h
Examining data/tf-4.0s1/src/tfio.c
Examining data/tf-4.0s1/src/tfio.h
Examining data/tf-4.0s1/src/tfselect.h
Examining data/tf-4.0s1/src/tty.c
Examining data/tf-4.0s1/src/tty.h
Examining data/tf-4.0s1/src/util.h
Examining data/tf-4.0s1/src/variable.c
Examining data/tf-4.0s1/src/variable.h
Examining data/tf-4.0s1/src/varlist.h
Examining data/tf-4.0s1/src/world.c
Examining data/tf-4.0s1/src/world.h
Examining data/tf-4.0s1/src/regexp/regerror.c
Examining data/tf-4.0s1/src/regexp/regexp.c
Examining data/tf-4.0s1/src/regexp/regexp.h
Examining data/tf-4.0s1/src/regexp/regmagic.h
Examining data/tf-4.0s1/src/regexp/regsub.c
Examining data/tf-4.0s1/src/regexp/timer.c
Examining data/tf-4.0s1/src/regexp/try.c
Examining data/tf-4.0s1/src/history.c
Examining data/tf-4.0s1/src/history.h
Examining data/tf-4.0s1/src/mccp.c
Examining data/tf-4.0s1/src/mccp.h
Examining data/tf-4.0s1/src/socket.c
Examining data/tf-4.0s1/src/socket.h
Examining data/tf-4.0s1/src/util.c
Examining data/tf-4.0s1/os2/config.h
FINAL RESULTS:
data/tf-4.0s1/src/dstring.c:140:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(dest->s, src);
data/tf-4.0s1/src/dstring.c:152:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(dest->s, src->s ? src->s : "");
data/tf-4.0s1/src/dstring.c:184:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(dest->s + len, src);
data/tf-4.0s1/src/dstring.c:198:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(dest->s + len, src->s ? src->s : "");
data/tf-4.0s1/src/output.c:1605:5: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(buf, "start_color_%s", enum_color[color]);
data/tf-4.0s1/src/port.h:80:61: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# define format_printf(fmt, var) __attribute__((format(printf, fmt, var)))
data/tf-4.0s1/src/process.c:131:17: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(nbuf, "%8s", "pending");
data/tf-4.0s1/src/process.c:133:9: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(obuf, "%-8s ", p->world ? p->world->name : "");
data/tf-4.0s1/src/process.c:138:13: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(obuf+9, p->ptime == -2 ? "S " : " ");
data/tf-4.0s1/src/regexp/regexp.c:1200:10: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
(void) strcat(buf, p);
data/tf-4.0s1/src/regexp/timer.c:104:2: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, s1, s2);
data/tf-4.0s1/src/regexp/timer.c:180:2: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, s1, s2);
data/tf-4.0s1/src/regexp/try.c:106:2: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, s1, s2);
data/tf-4.0s1/src/regexp/try.c:235:2: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, s1, s2);
data/tf-4.0s1/src/signals.c:324:5: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, fmt, n);
data/tf-4.0s1/src/signals.c:404:14: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
result = system(cmd);
data/tf-4.0s1/src/socket.c:1441:13: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(linebuf, "%7s", "foregnd");
data/tf-4.0s1/src/tfio.c:189:20: [4] (shell) popen:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
if (!(fp = popen(name, "r"))) return NULL;
data/tf-4.0s1/src/tfio.c:221:9: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(strcpy(newname, name), suffix);
data/tf-4.0s1/src/tfio.c:221:16: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcat(strcpy(newname, name), suffix);
data/tf-4.0s1/src/tfio.c:231:18: [4] (shell) popen:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
fp = popen(buffer->s, mode);
data/tf-4.0s1/src/tfio.c:479:13: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
sprintf(tempbuf, spec, va_arg(ap, int));
data/tf-4.0s1/src/tfio.c:486:13: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
sprintf(tempbuf, spec, va_arg(ap, unsigned int));
data/tf-4.0s1/src/tfio.c:495:13: [4] (format) sprintf:
Potential format string problem (CWE-134). Make format string constant.
sprintf(tempbuf, spec, va_arg(ap, double));
data/tf-4.0s1/src/util.h:38:6: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
(strcpy(xmalloc((len) + 1, __FILE__, __LINE__), (src)))
data/tf-4.0s1/src/variable.c:303:5: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(str, "%s=%s", var->name, var->value);
data/tf-4.0s1/src/command.c:366:43: [3] (buffer) getwd:
This does not protect against buffer overflows by itself, so use with
caution (CWE-120, CWE-20). Use getcwd instead.
oprintf("%% Current directory is %s", getwd(buffer));
data/tf-4.0s1/src/port.h:251:30: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
# define RAND() (int)random()
data/tf-4.0s1/src/port.h:252:25: [3] (random) srandom:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
# define SRAND(seed) srandom(seed)
data/tf-4.0s1/src/port.h:257:26: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
# define SRAND(seed) srand(seed)
data/tf-4.0s1/src/port.h:290:19: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
extern long NDECL(random);
data/tf-4.0s1/src/port.h:291:19: [3] (random) srandom:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
extern int FDECL(srandom,(unsigned));
data/tf-4.0s1/src/port.h:302:19: [3] (random) random:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
extern long NDECL(random);
data/tf-4.0s1/src/port.h:303:19: [3] (random) srandom:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
extern int FDECL(srandom,(unsigned));
data/tf-4.0s1/src/command.c:354:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buffer[PATH_MAX + 1];
data/tf-4.0s1/src/command.c:577:38: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
else if (is_digit(*args) && (n = atoi(args)) < 0) return newint(0);
data/tf-4.0s1/src/command.c:615:20: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if ((exiting = atoi(args)) <= 0) exiting = 1;
data/tf-4.0s1/src/expand.c:421:37: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if ((breaking = atoi(ip)) <= 0) breaking = 1;
data/tf-4.0s1/src/expand.c:586:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[sizeof("elseif")]; /* "elseif" is the longest keyword. */
data/tf-4.0s1/src/expand.c:1071:23: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
count = (*args) ? atoi(args) : 1;
data/tf-4.0s1/src/expr.c:286:44: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if (*str == '-' || *str == '+') return atol(str);
data/tf-4.0s1/src/expr.c:322:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buffer[32];
data/tf-4.0s1/src/expr.c:326:25: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
case TYPE_INT: sprintf(buffer, "%ld", val->u.ival); return buffer;
data/tf-4.0s1/src/expr.c:333:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buffer, "%.15g", val->u.fval);
data/tf-4.0s1/src/expr.c:335:17: [2] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused). Risk is low because the
source is a constant string.
strcat(buffer, ".0");
data/tf-4.0s1/src/expr.c:369:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[16];
data/tf-4.0s1/src/expr.c:478:25: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buf, "%ld", i);
data/tf-4.0s1/src/expr.c:585:20: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file = fopen(expand_filename(ptr), "a");
data/tf-4.0s1/src/expr.c:910:25: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(numbuf, "%ld", i);
data/tf-4.0s1/src/help.c:35:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf0[HELPLEN], buf1[HELPLEN], buf2[HELPLEN];
data/tf-4.0s1/src/help.c:93:22: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
offset = atol(input);
data/tf-4.0s1/src/history.c:440:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(partials + buffer->len, aline->partials,
data/tf-4.0s1/src/keyboard.c:127:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[64];
data/tf-4.0s1/src/keyboard.c:252:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(keybuf->s + keyboard_pos, input, len);
data/tf-4.0s1/src/macro.c:94:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[16];
data/tf-4.0s1/src/macro.c:430:45: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
if (*name == '#') return find_num_macro(atoi(name + 1));
data/tf-4.0s1/src/macro.c:833:21: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
spec->num = atoi(spec->name + 1);
data/tf-4.0s1/src/macro.c:950:21: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
spec->num = atoi(spec->name + 1);
data/tf-4.0s1/src/macro.c:1119:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char numbuf[16];
data/tf-4.0s1/src/macro.c:1124:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(numbuf, "#%d", macro->num);
data/tf-4.0s1/src/macro.c:1346:17: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char numbuf[16];
data/tf-4.0s1/src/macro.c:1347:36: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
if (!*macro->name) sprintf(numbuf, "#%d", macro->num);
data/tf-4.0s1/src/makehelp.c:24:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char line[240+1];
data/tf-4.0s1/src/mccp.c:189:13: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->outbuf + state->outsize, state->inbuf, state->insize);
data/tf-4.0s1/src/mccp.c:231:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->outbuf + state->outsize, data, len);
data/tf-4.0s1/src/mccp.c:233:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->outbuf + state->outsize, state->inbuf, state->insize);
data/tf-4.0s1/src/mccp.c:305:21: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->inbuf,
data/tf-4.0s1/src/mccp.c:338:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->inbuf + state->insize, state->outbuf + residual, state->outsize - residual);
data/tf-4.0s1/src/mccp.c:347:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(state->inbuf + state->insize, data, len);
data/tf-4.0s1/src/mccp.c:379:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buf, state->outbuf, copied);
data/tf-4.0s1/src/output.c:385:41: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
lines = ((str = getvar("LINES"))) ? atoi(str) : 0;
data/tf-4.0s1/src/output.c:386:45: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
columns = ((str = getvar("COLUMNS"))) ? atoi(str) : 0;
data/tf-4.0s1/src/output.c:415:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char termcap_entry[4096];
data/tf-4.0s1/src/output.c:417:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char termcap_buffer[1024];
data/tf-4.0s1/src/output.c:1609:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buf, "start_color_%ld", color);
data/tf-4.0s1/src/port.h:147:11: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
# define memcpy(dst, src, len) bcopy((src), (dst), (len))
data/tf-4.0s1/src/port.h:147:33: [2] (buffer) bcopy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
# define memcpy(dst, src, len) bcopy((src), (dst), (len))
data/tf-4.0s1/src/port.h:236:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy((GENERIC*)&(dst), (GENERIC*)&(src), sizeof(src))
data/tf-4.0s1/src/process.c:83:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char obuf[18], nbuf[10];
data/tf-4.0s1/src/process.c:122:13: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(nbuf, " 0");
data/tf-4.0s1/src/process.c:124:13: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(nbuf, " ?");
data/tf-4.0s1/src/process.c:128:17: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(nbuf, "%2ld:%02ld:%02ld",
data/tf-4.0s1/src/process.c:135:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(obuf+9, "%2ld:%02ld:%02ld", (long)p->ptime/3600,
data/tf-4.0s1/src/regexp/regexp.c:1130:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buf[50];
data/tf-4.0s1/src/regexp/regexp.c:1174:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN);
data/tf-4.0s1/src/regexp/regexp.c:1186:3: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE);
data/tf-4.0s1/src/regexp/regexp.h:9:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *startp[NSUBEXP];
data/tf-4.0s1/src/regexp/regexp.h:10:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *endp[NSUBEXP];
data/tf-4.0s1/src/regexp/regexp.h:15:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char program[1]; /* Unwarranted chumminess with compiler. */
data/tf-4.0s1/src/regexp/timer.c:54:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char dummy[512];
data/tf-4.0s1/src/regexp/timer.c:61:11: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
ncomp = atoi(argv[1]);
data/tf-4.0s1/src/regexp/timer.c:62:11: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
nexec = atoi(argv[2]);
data/tf-4.0s1/src/regexp/timer.c:63:10: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
nsub = atoi(argv[3]);
data/tf-4.0s1/src/regexp/timer.c:130:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char dbuf[BUFSIZ];
data/tf-4.0s1/src/regexp/try.c:44:1: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[BUFSIZ];
data/tf-4.0s1/src/regexp/try.c:118:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char rbuf[BUFSIZ];
data/tf-4.0s1/src/regexp/try.c:119:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *field[5];
data/tf-4.0s1/src/regexp/try.c:193:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char dbuf[BUFSIZ];
data/tf-4.0s1/src/socket.c:42:2: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char sin_zero[8];
data/tf-4.0s1/src/socket.c:263:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static CONST char *telnet_label[0x100];
data/tf-4.0s1/src/socket.c:847:38: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
xsock->addr.sin_port = htons(atoi(xsock->port));
data/tf-4.0s1/src/socket.c:1062:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy((GENERIC *)sin_addr, (GENERIC *)host->h_addr, sizeof(*sin_addr));
data/tf-4.0s1/src/socket.c:1389:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char idlebuf[16], linebuf[16];
data/tf-4.0s1/src/socket.c:1443:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(linebuf, "%7d", sock->activity);
data/tf-4.0s1/src/socket.c:1446:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(idlebuf, "%3ds", t);
data/tf-4.0s1/src/socket.c:1448:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(idlebuf, "%3dm", t);
data/tf-4.0s1/src/socket.c:1450:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(idlebuf, "%3dh", t);
data/tf-4.0s1/src/socket.c:1452:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(idlebuf, "%3dd", t);
data/tf-4.0s1/src/socket.c:1454:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(idlebuf, "long");
data/tf-4.0s1/src/socket.c:1716:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[4];
data/tf-4.0s1/src/socket.c:1717:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buf, "%c%c%c", TN_IAC, cmd, opt);
data/tf-4.0s1/src/socket.c:1728:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *place, localchar, buffer[4096];
data/tf-4.0s1/src/tf.h:40:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
typedef char smallstr[65]; /* Short buffer */
data/tf-4.0s1/src/tfio.c:205:15: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((fp = fopen(name, mode)) && fstat(fileno(fp), &buf) == 0) {
data/tf-4.0s1/src/tfio.c:223:19: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((fp = fopen(newname, mode)) != NULL) { /* test readability */
data/tf-4.0s1/src/tfio.c:890:14: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
id = atoi(handle);
data/tf-4.0s1/src/tfio.h:54:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/tf-4.0s1/src/tty.c:93:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char bs[2], dline[2], bword[2], refresh[2], lnext[2];
data/tf-4.0s1/src/util.c:57:1: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tf_ctype[0x100];
data/tf-4.0s1/src/util.c:169:13: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
c = atoi(*sp);
data/tf-4.0s1/src/util.c:186:9: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
i = atoi(*sp);
data/tf-4.0s1/src/util.c:196:9: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
i = atol(*sp);
data/tf-4.0s1/src/util.c:1125:16: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char fmtbuf[3] = "%?"; /* static to allow init in K&R C */
data/tf-4.0s1/src/variable.c:98:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char **oldenv, **p, *value, buf[20], *str;
data/tf-4.0s1/src/variable.c:119:13: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buf, "%ld", var->ival);
data/tf-4.0s1/src/variable.c:583:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buffer[20];
data/tf-4.0s1/src/variable.c:609:23: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
var->ival=atol(value);
data/tf-4.0s1/src/variable.c:620:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buffer, "%ld", var->ival);
data/tf-4.0s1/src/world.c:139:9: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(buffer, "(unnamed%d)", unnamed++);
data/tf-4.0s1/src/command.c:400:38: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
write(STDOUT_FILENO, string, strlen(string));
data/tf-4.0s1/src/dstring.c:138:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
dest->len = strlen(src);
data/tf-4.0s1/src/dstring.c:163:20: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
unsigned len = strlen(src);
data/tf-4.0s1/src/dstring.c:169:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(dest->s, src, n);
data/tf-4.0s1/src/dstring.c:182:18: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
dest->len += strlen(src);
data/tf-4.0s1/src/dstring.c:211:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
unsigned int len = strlen(src);
data/tf-4.0s1/src/dstring.c:217:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(dest->s + oldlen, src, n);
data/tf-4.0s1/src/dstring.c:235:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(dest->s + oldlen, src, n);
data/tf-4.0s1/src/expand.c:595:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(buf, ip, end - ip);
data/tf-4.0s1/src/expr.c:239:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (len < 0) len = strlen(str);
data/tf-4.0s1/src/expr.c:240:11: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
new = strncpy((char *)xmalloc(len + 1, file, line), str, len);
data/tf-4.0s1/src/expr.c:347:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return (val->type == TYPE_STR) ? val->len : strlen(valstr(val));
data/tf-4.0s1/src/help.c:88:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
place[strlen(place)-1] = '\0';
data/tf-4.0s1/src/help.c:113:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (*input) input[strlen(input)-1] = '\0';
data/tf-4.0s1/src/help.c:143:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (*input) input[strlen(input)-1] = '\0';
data/tf-4.0s1/src/history.c:155:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
for (remaining = strlen(str); remaining; str += len, remaining -= len) {
data/tf-4.0s1/src/keyboard.c:143:22: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if ((count = read(STDIN_FILENO, buf, sizeof(buf))) < 0) {
data/tf-4.0s1/src/keyboard.c:265:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
handle_input_string(args, strlen(args));
data/tf-4.0s1/src/macro.c:114:24: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
name = strncpy(buf, *argp, end - *argp);
data/tf-4.0s1/src/mccp.c:246:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
clen = (i + strlen(will_v1) < state->outsize) ? strlen(will_v1) : state->outsize - i;
data/tf-4.0s1/src/mccp.c:246:65: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
clen = (i + strlen(will_v1) < state->outsize) ? strlen(will_v1) : state->outsize - i;
data/tf-4.0s1/src/mccp.c:249:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (clen != strlen(will_v1)) {
data/tf-4.0s1/src/mccp.c:265:48: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
&state->outbuf[i + strlen(will_v1)],
data/tf-4.0s1/src/mccp.c:266:46: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->outsize - strlen(will_v1));
data/tf-4.0s1/src/mccp.c:267:39: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->outsize -= strlen(will_v1);
data/tf-4.0s1/src/mccp.c:273:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (clen != strlen(will_v2)) {
data/tf-4.0s1/src/mccp.c:283:48: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
&state->outbuf[i + strlen(will_v2)],
data/tf-4.0s1/src/mccp.c:284:46: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->outsize - strlen(will_v2));
data/tf-4.0s1/src/mccp.c:285:39: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->outsize -= strlen(will_v2);
data/tf-4.0s1/src/mccp.c:290:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
clen = (i + strlen(on_v1) < state->outsize) ? strlen(on_v1) : state->outsize - i;
data/tf-4.0s1/src/mccp.c:290:63: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
clen = (i + strlen(on_v1) < state->outsize) ? strlen(on_v1) : state->outsize - i;
data/tf-4.0s1/src/mccp.c:294:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (clen != strlen(on_v1)) {
data/tf-4.0s1/src/mccp.c:303:60: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
grow_inbuf(state, state->outsize - i - strlen(on_v1));
data/tf-4.0s1/src/mccp.c:306:48: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->outbuf + i + strlen(on_v1),
data/tf-4.0s1/src/mccp.c:307:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->outsize - i - strlen(on_v1));
data/tf-4.0s1/src/mccp.c:309:58: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
state->insize = state->outsize - i - strlen(on_v1);
data/tf-4.0s1/src/output.c:770:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
field->width = strlen(field->name);
data/tf-4.0s1/src/regexp/regexp.c:276:32: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) {
data/tf-4.0s1/src/regexp/regexp.c:278:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(OPERAND(scan));
data/tf-4.0s1/src/regexp/regexp.c:862:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(opnd);
data/tf-4.0s1/src/regexp/regexp.c:1021:11: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
count = strlen(scan);
data/tf-4.0s1/src/regexp/regexp.c:1132:9: [1] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant character.
(void) strcpy(buf, ":");
data/tf-4.0s1/src/regexp/regexp.c:1174:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN);
data/tf-4.0s1/src/regexp/regexp.c:1186:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE);
data/tf-4.0s1/src/regexp/regsub.c:46:15: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
extern char *strncpy();
data/tf-4.0s1/src/regexp/regsub.c:73:11: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
(void) strncpy(dst, prog->startp[no], len);
data/tf-4.0s1/src/regexp/try.c:128:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
rbuf[strlen(rbuf)-1] = '\0'; /* Dispense with \n. */
data/tf-4.0s1/src/socket.c:911:13: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (read(xsock->fd, &err, sizeof(err)) < 0 || err != 0) {
data/tf-4.0s1/src/socket.c:927:9: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
read(xsock->fd, (char*)&xsock->addr.sin_addr, sizeof(struct in_addr));
data/tf-4.0s1/src/socket.c:1216:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
if (read(xsock->fd, &ch, 0) < 0) {
data/tf-4.0s1/src/socket.c:1222:17: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
read(xsock->fd, &ch, 1); /* must fail */
data/tf-4.0s1/src/socket.c:1485:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
send_line(text, strlen(text), eol_flag);
data/tf-4.0s1/src/socket.c:1809:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
transmit(resp,strlen(resp));
data/tf-4.0s1/src/socket.c:2069:9: [1] (buffer) sscanf:
It's unclear if the %s limit in the format string is small enough
(CWE-120). Check that the limit is sufficiently small, or use a different
input function.
if (sscanf(str,
data/tf-4.0s1/src/tfio.c:220:34: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
newname = (char*)XMALLOC(strlen(name) + strlen(suffix) + 1);
data/tf-4.0s1/src/tfio.c:220:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
newname = (char*)XMALLOC(strlen(name) + strlen(suffix) + 1);
data/tf-4.0s1/src/tfio.c:530:30: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = sval ? strlen(sval) : 0;
data/tf-4.0s1/src/tfio.c:686:5: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
read(STDIN_FILENO, &c, 1);
data/tf-4.0s1/src/tfio.c:764:25: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
file->len = read(fileno(file->u.fp), file->buf, sizeof(file->buf));
data/tf-4.0s1/src/tfio.c:814:18: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
aline->str = strncpy((char*)memory + sizeof(Aline), str, len);
data/tf-4.0s1/src/tfio.h:123:49: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define new_aline(s,a) dnew_aline((s), (a), strlen(s), __FILE__, __LINE__)
data/tf-4.0s1/src/util.c:274:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if ((len = strlen(s2) - 1) < 0) return (char*)s1;
data/tf-4.0s1/src/util.c:444:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return strlen(re->endp[0]);
data/tf-4.0s1/src/util.c:700:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
for (end = s + strlen(s) - 1; is_space(*end); end--);
data/tf-4.0s1/src/util.c:901:26: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
info->name = strncpy(XMALLOC(end-name+1), name, end-name);
data/tf-4.0s1/src/util.c:1144:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
Stringncat(dest, str, strlen(str) - 1); /* remove ctime()'s '\n' */
data/tf-4.0s1/src/util.h:39:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define STRDUP(src) STRNDUP((src), strlen(src))
data/tf-4.0s1/src/variable.c:110:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
var->len = strlen(var->value);
data/tf-4.0s1/src/variable.c:116:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
var->len = strlen(var->value);
data/tf-4.0s1/src/variable.c:120:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
var->len = strlen(buf);
data/tf-4.0s1/src/variable.c:250:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
var->len = strlen(value);
data/tf-4.0s1/src/variable.c:269:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
var->len = strlen(value);
data/tf-4.0s1/src/variable.c:302:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
str = (char *)XMALLOC(strlen(var->name) + 1 + var->len + 1);
data/tf-4.0s1/src/variable.c:380:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
var->len = strlen(value);
data/tf-4.0s1/src/variable.c:468:20: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
var->len = strlen(value);
data/tf-4.0s1/src/variable.c:625:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
var->len = strlen(value);
ANALYSIS SUMMARY:
Hits = 205
Lines analyzed = 20221 in approximately 0.54 seconds (37662 lines/second)
Physical Source Lines of Code (SLOC) = 15663
Hits@level = [0] 38 [1] 76 [2] 95 [3] 8 [4] 26 [5] 0
Hits@level+ = [0+] 243 [1+] 205 [2+] 129 [3+] 34 [4+] 26 [5+] 0
Hits/KSLOC@level+ = [0+] 15.5143 [1+] 13.0882 [2+] 8.23597 [3+] 2.17072 [4+] 1.65996 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.