Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/uanytun-0.3.7/src/options.h
Examining data/uanytun-0.3.7/src/options.c
Examining data/uanytun-0.3.7/src/key_derivation.h
Examining data/uanytun-0.3.7/src/log.h
Examining data/uanytun-0.3.7/src/datatypes.h
Examining data/uanytun-0.3.7/src/bsd/tun.c
Examining data/uanytun-0.3.7/src/init_crypt.h
Examining data/uanytun-0.3.7/src/cipher.h
Examining data/uanytun-0.3.7/src/tun_helper.h
Examining data/uanytun-0.3.7/src/linux/tun.c
Examining data/uanytun-0.3.7/src/plain_packet.h
Examining data/uanytun-0.3.7/src/uanytun.c
Examining data/uanytun-0.3.7/src/plain_packet.c
Examining data/uanytun-0.3.7/src/log.c
Examining data/uanytun-0.3.7/src/auth_algo.c
Examining data/uanytun-0.3.7/src/daemon.h
Examining data/uanytun-0.3.7/src/tun.h
Examining data/uanytun-0.3.7/src/sysexec.c
Examining data/uanytun-0.3.7/src/cipher.c
Examining data/uanytun-0.3.7/src/seq_window.c
Examining data/uanytun-0.3.7/src/key_derivation.c
Examining data/uanytun-0.3.7/src/encrypted_packet.c
Examining data/uanytun-0.3.7/src/string_list.h
Examining data/uanytun-0.3.7/src/sig_handler.h
Examining data/uanytun-0.3.7/src/string_list.c
Examining data/uanytun-0.3.7/src/sig_handler.c
Examining data/uanytun-0.3.7/src/seq_window.h
Examining data/uanytun-0.3.7/src/udp.h
Examining data/uanytun-0.3.7/src/log_targets.h
Examining data/uanytun-0.3.7/src/auth_algo.h
Examining data/uanytun-0.3.7/src/sysexec.h
Examining data/uanytun-0.3.7/src/udp.c
Examining data/uanytun-0.3.7/src/encrypted_packet.h

FINAL RESULTS:

data/uanytun-0.3.7/src/log.c:242:3: [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  vsnprintf(msg, MSG_LENGTH_MAX, fmt, args);

data/uanytun-0.3.7/src/daemon.h:129:6: [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  if(chroot(chrootdir)) {

data/uanytun-0.3.7/src/auth_algo.c:276:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&tag[encrypted_packet_get_auth_tag_length(packet) - length], &hmac[SHA1_LENGTH - length], length);

data/uanytun-0.3.7/src/bsd/tun.c:130:18: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  dev->fd_ = open(device_file_tmp, O_RDWR);

data/uanytun-0.3.7/src/bsd/tun.c:137:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  dev->fd_ = open(device_file, O_RDWR);

data/uanytun-0.3.7/src/cipher.c:84:24: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  c->key_length_ = atoi(tmp);

data/uanytun-0.3.7/src/cipher.c:195:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(out, in, (ilen < olen) ? ilen : olen);

data/uanytun-0.3.7/src/cipher.c:285:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(params->ctr_.salt_.buf_, c->salt_.buf_, C_AESCTR_SALT_LENGTH);

data/uanytun-0.3.7/src/daemon.h:175:8: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fd = open("/dev/null",O_RDWR); // stdin

data/uanytun-0.3.7/src/key_derivation.c:88:25: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  kd->key_length_ = atoi(tmp);

data/uanytun-0.3.7/src/key_derivation.c:111:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(kd->master_key_.buf_, key, key_len);

data/uanytun-0.3.7/src/key_derivation.c:126:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(kd->master_salt_.buf_, salt, salt_len);

data/uanytun-0.3.7/src/key_derivation.c:200:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(kd->master_key_.buf_, &digest.buf_[digest.length_ - kd->master_key_.length_], kd->master_key_.length_);

data/uanytun-0.3.7/src/key_derivation.c:264:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(kd->master_salt_.buf_, &digest.buf_[digest.length_ - kd->master_salt_.length_], kd->master_salt_.length_);

data/uanytun-0.3.7/src/key_derivation.c:448:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(params->ctr_.salt_.buf_, kd->master_salt_.buf_, KD_AESCTR_SALT_LENGTH);

data/uanytun-0.3.7/src/linux/tun.c:82:14: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  dev->fd_ = open(DEFAULT_DEVICE, O_RDWR);

data/uanytun-0.3.7/src/log.c:153:18: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if(new_target->open != NULL)

data/uanytun-0.3.7/src/log.c:154:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  (*new_target->open)(new_target);

data/uanytun-0.3.7/src/log.c:238:10: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char msg[MSG_LENGTH_MAX];

data/uanytun-0.3.7/src/log.c:253:10: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char msg[MSG_LENGTH_MAX];

data/uanytun-0.3.7/src/log.h:66:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  void (*open)(struct log_target_struct* self);

data/uanytun-0.3.7/src/log_targets.h:266:55: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  ((log_target_file_param_t*)(self->param_))->file_ = fopen(((log_target_file_param_t*)(self->param_))->logfilename_, "w");

data/uanytun-0.3.7/src/options.c:78:15: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  VALUE = atoi(argv[i+1]); \

data/uanytun-0.3.7/src/options.c:206:31: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  ifcfg->prefix_length_ = atoi(ptr);

data/uanytun-0.3.7/src/sysexec.c:88:10: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fd = open("/dev/null",O_RDWR); // stdin

data/uanytun-0.3.7/src/uanytun.c:408:16: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  pid_file = fopen(opt.pid_file_, "w");

data/uanytun-0.3.7/src/udp.c:127:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&(new_sock->local_end_.addr_), r->ai_addr, r->ai_addrlen);

data/uanytun-0.3.7/src/udp.c:249:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&(s->remote_end_.addr_), r->ai_addr, r->ai_addrlen);

data/uanytun-0.3.7/src/udp.c:293:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&(sock->active_sock_->remote_end_.addr_), &(remote->addr_), remote->len_);

data/uanytun-0.3.7/src/udp.c:326:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char addrstr[INET6_ADDRSTRLEN + 1], portstr[6], *ret;

data/uanytun-0.3.7/src/bsd/tun.c:296:12: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  return(read(dev->fd_, buf, len));

data/uanytun-0.3.7/src/daemon.h:153:3: [1] (access) umask:
  Ensure that umask is given most restrictive possible setting (e.g., 066 or 077) (CWE-732).
  umask(0);

data/uanytun-0.3.7/src/daemon.h:184:3: [1] (access) umask:
  Ensure that umask is given most restrictive possible setting (e.g., 066 or 077) (CWE-732).
  umask(027);

data/uanytun-0.3.7/src/key_derivation.c:182:39: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  SHA256((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_);

data/uanytun-0.3.7/src/key_derivation.c:186:23: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sha256_update(&ctx, strlen(passphrase), (const u_int8_t*)passphrase);

data/uanytun-0.3.7/src/key_derivation.c:189:64: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gcry_md_hash_buffer(GCRY_MD_SHA256, digest.buf_, passphrase, strlen(passphrase));

data/uanytun-0.3.7/src/key_derivation.c:246:37: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  SHA1((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_);

data/uanytun-0.3.7/src/key_derivation.c:250:21: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sha1_update(&ctx, strlen(passphrase), (const u_int8_t*)passphrase);

data/uanytun-0.3.7/src/key_derivation.c:253:62: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  gcry_md_hash_buffer(GCRY_MD_SHA1, digest.buf_, passphrase, strlen(passphrase));

data/uanytun-0.3.7/src/linux/tun.c:107:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(ifr.ifr_name, dev_name, IFNAMSIZ-1);

data/uanytun-0.3.7/src/linux/tun.c:172:12: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  return(read(dev->fd_, buf, len));

data/uanytun-0.3.7/src/log_targets.h:114:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(logname, conf, len);

data/uanytun-0.3.7/src/log_targets.h:243:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(logfilename, conf, len);

data/uanytun-0.3.7/src/options.c:106:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for(j=0; j < strlen(argv[i+1]); ++j) \

data/uanytun-0.3.7/src/options.c:139:20: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for(j=0; j < strlen(argv[i+1]); ++j) \

data/uanytun-0.3.7/src/options.c:164:23: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  u_int32_t hex_len = strlen(hex);

data/uanytun-0.3.7/src/sig_handler.c:66:13: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int ret = read(sig_pipe_fds[0], &set, sizeof(sigset_t));

data/uanytun-0.3.7/src/sig_handler.c:133:13: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  int ret = read(sig_pipe_fds[0], &set, sizeof(sigset_t));

data/uanytun-0.3.7/src/sysexec.c:116:8: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  if(read(pipefd[0], (void*)(&err), sizeof(err)) >= sizeof(err)) {

ANALYSIS SUMMARY:

Hits = 49
Lines analyzed = 6563 in approximately 0.21 seconds (31558 lines/second)
Physical Source Lines of Code (SLOC) = 4097
Hits@level = [0] 103 [1] 19 [2] 28 [3] 1 [4] 1 [5] 0
Hits@level+ = [0+] 152 [1+] 49 [2+] 30 [3+] 2 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 37.1003 [1+] 11.96 [2+] 7.32243 [3+] 0.488162 [4+] 0.244081 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.