Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/xfce4-mount-plugin-1.1.3/panel-plugin/helpers.c
Examining data/xfce4-mount-plugin-1.1.3/panel-plugin/helpers.h
Examining data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c
Examining data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c
Examining data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.h
Examining data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.h

FINAL RESULTS:

data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:94:14:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  logvol = atoi(disk_device+i+1);
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:103:14:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  volume = atoi(disk_device+i+1);
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:417:30:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  mt->message_dialog = atoi(xfce_rc_read_entry(rc, "message_dialog", NULL));
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:422:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  mt->include_NFSs = atoi(xfce_rc_read_entry(rc, "include_NFSs", NULL));
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:430:37:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  mt->trim_devicename_count = atoi(xfce_rc_read_entry(rc, "td_count", NULL));
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:434:27:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  mt->exclude_FSs = atoi(xfce_rc_read_entry(rc, "exclude_FSs", NULL));
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:439:35:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  mt->exclude_devicenames = atoi(xfce_rc_read_entry(rc, "exclude_devicenames", NULL));
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:444:28:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  mt->eject_drives = atoi(xfce_rc_read_entry(rc, "eject_drives", NULL));
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:458:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char *file, tmp[4];
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:190:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  else if (strlen(dev)>len) // len cannot be set lower than 9
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:193:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  lastchars = (char *) (dev + strlen(dev) - 5);
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:262:47:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tmp = g_strstr_len(pdisk->device, strlen(pdisk->device), "/dev/cd");
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:303:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (on_mount_cmd != NULL && strlen(on_mount_cmd)!=0) {
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:425:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  stringlength1 = strlen(pdisk->device);
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:426:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  stringlength3 = strlen(pdisk->mount_point);
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:431:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  stringlength2 = strlen(disk->device);
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:432:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  stringlength4 = strlen(disk->mount_point);
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:596:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  device_len = strlen(device);
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:638:22:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  mountp_len = strlen(mountp);
data/xfce4-mount-plugin-1.1.3/panel-plugin/devices.c:720:29:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  excluded_FS_i_len = strlen(excluded_FS_i);
data/xfce4-mount-plugin-1.1.3/panel-plugin/helpers.c:45:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  while ( q < p+strlen(p) && q!=NULL)
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:89:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  i = strlen(disk_device) - 1;
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:119:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tmp = strlen(gtk_label_get_text(GTK_LABEL(disk_display->label_mount_info)));
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:123:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  tmp = strlen(gtk_label_get_text(GTK_LABEL(disk_display->label_disk)));
data/xfce4-mount-plugin-1.1.3/panel-plugin/mount-plugin.c:600:12:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  || strlen(mt->excluded_filesystems)!=0) {

ANALYSIS SUMMARY:

Hits = 25
Lines analyzed = 2557 in approximately 0.08 seconds (30890 lines/second)
Physical Source Lines of Code (SLOC) = 1654
Hits@level = [0]  11 [1]  16 [2]   9 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  36 [1+]  25 [2+]   9 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 21.7654 [1+] 15.1149 [2+] 5.44135 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.