stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/wraplinux-1.7/elf32.h
Examining data/wraplinux-1.7/reloc/reloc_linux.c
Examining data/wraplinux-1.7/reloc/reloc.h
Examining data/wraplinux-1.7/elfcommon.h
Examining data/wraplinux-1.7/segment.h
Examining data/wraplinux-1.7/linux.c
Examining data/wraplinux-1.7/cwrite.c
Examining data/wraplinux-1.7/multiboot.h
Examining data/wraplinux-1.7/segment.c
Examining data/wraplinux-1.7/nbi.h
Examining data/wraplinux-1.7/le.h
Examining data/wraplinux-1.7/mapfile.c
Examining data/wraplinux-1.7/xmalloc.c
Examining data/wraplinux-1.7/nbi.c
Examining data/wraplinux-1.7/elf.c
Examining data/wraplinux-1.7/setup.h
Examining data/wraplinux-1.7/main.c
Examining data/wraplinux-1.7/wraplinux.h

FINAL RESULTS:

data/wraplinux-1.7/main.c:89:18:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
	while ((optch = getopt_long(argc, argv, OPTSTRING, long_options, NULL))
data/wraplinux-1.7/cwrite.c:31:15:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	static const char zerobuf[BUFSIZ]; /* All zero */
data/wraplinux-1.7/elf32.h:62:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
	unsigned char e_ident[EI_NIDENT];
data/wraplinux-1.7/linux.c:130:14:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
	kernel_fd = open(kernel_file, O_RDONLY);
data/wraplinux-1.7/linux.c:227:15:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
		ird[i].fd = open(ip->str, O_RDONLY);
data/wraplinux-1.7/main.c:106:11:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
				out = fopen(optarg, "wb");
data/wraplinux-1.7/elf.c:86:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			namebytes += strlen(s->name)+1;
data/wraplinux-1.7/elf.c:195:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
		uint32_t len = strlen(s->name)+1;
data/wraplinux-1.7/elf.c:230:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
			name_offset += strlen(s->name)+1;
data/wraplinux-1.7/linux.c:45:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	int la = strlen(argument);
data/wraplinux-1.7/linux.c:271:16:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
	scmd.length = strlen(cmdline) + 1;

ANALYSIS SUMMARY:

Hits = 11
Lines analyzed = 2275 in approximately 0.08 seconds (28934 lines/second)
Physical Source Lines of Code (SLOC) = 1552
Hits@level = [0]  11 [1]   5 [2]   5 [3]   1 [4]   0 [5]   0
Hits@level+ = [0+]  22 [1+]  11 [2+]   6 [3+]   1 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 14.1753 [1+] 7.08763 [2+] 3.86598 [3+] 0.64433 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.