Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/canlock-3.2.0/include/sha.h
Examining data/canlock-3.2.0/include/base64.h
Examining data/canlock-3.2.0/include/sha-private.h
Examining data/canlock-3.2.0/include/canlock-private.h
Examining data/canlock-3.2.0/src/sha1.c
Examining data/canlock-3.2.0/src/base64.c
Examining data/canlock-3.2.0/src/sha384-512.c
Examining data/canlock-3.2.0/src/canlock.c
Examining data/canlock-3.2.0/src/secret.c
Examining data/canlock-3.2.0/src/sha224-256.c
Examining data/canlock-3.2.0/src/usha.c
Examining data/canlock-3.2.0/src/hmac.c
Examining data/canlock-3.2.0/hp/include/package_name.h
Examining data/canlock-3.2.0/hp/include/hfp_lexer.h
Examining data/canlock-3.2.0/hp/include/hfp_parser_external.h
Examining data/canlock-3.2.0/hp/util/package_name.c
Examining data/canlock-3.2.0/hp/util/canlock-mhp.c
Examining data/canlock-3.2.0/hp/util/canlock-hfp.c
Examining data/canlock-3.2.0/test/shatest.c
Examining data/canlock-3.2.0/test/canlocktest.c
Examining data/canlock-3.2.0/test/hkdf.c
Examining data/canlock-3.2.0/test/canlocktest_legacy.c
Examining data/canlock-3.2.0/util/canlock.c
FINAL RESULTS:
data/canlock-3.2.0/hp/util/canlock-hfp.c:76:4: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
snprintf(sbuf, 81, __VA_ARGS__); \
data/canlock-3.2.0/hp/util/package_name.c:64:7: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(p, n);
data/canlock-3.2.0/test/canlocktest.c:171:4: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(uid_mid, uid);
data/canlock-3.2.0/test/canlocktest.c:172:4: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(uid_mid, mid);
data/canlock-3.2.0/test/canlocktest_legacy.c:118:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(canlock, "%s", "sha1:bNXHc6ohSmeHaRHHW56BIWZJt+4=");
data/canlock-3.2.0/test/canlocktest_legacy.c:119:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(cankey, "%s", "sha1:aaaBBBcccDDDeeeFFF");
data/canlock-3.2.0/test/canlocktest_legacy.c:126:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(canlock, "%s", "SHA1:H7/zsCUemvbvSDyARDaMs6AQu5s=");
data/canlock-3.2.0/test/canlocktest_legacy.c:127:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(cankey, "%s", "sha1:chW8hNeDx3iNUsGBU6/ezDk88P4=");
data/canlock-3.2.0/test/canlocktest_legacy.c:130:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(canlock, "%s", "SHA1:H7/zsCUemvbvSDyARDaMs6AQu5s=");
data/canlock-3.2.0/test/canlocktest_legacy.c:131:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(cankey, "%s", "sha1:4srkWaRIzvK51ArAP:Hc");
data/canlock-3.2.0/test/canlocktest_legacy.c:138:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(canlock, "%s", "sha1:JyEBL4w9/abCBuzCxMIE/E73GM4=");
data/canlock-3.2.0/test/canlocktest_legacy.c:139:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(cankey, "%s", "sha1:K4rkWRjRcXmIzvK51ArAP:Jy");
data/canlock-3.2.0/test/canlocktest_legacy.c:142:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(canlock, "%s", "sha1:2Bmg+zWaY1noRiCdy8k3IapwSDU=");
data/canlock-3.2.0/test/canlocktest_legacy.c:143:4: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(cankey, "%s", "sha1:K4rkWRjRcXmIzvK51ArAP:Jy");
data/canlock-3.2.0/util/canlock.c:261:13: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(key, opt_value);
data/canlock-3.2.0/test/shatest.c:1378:15: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
while ((i = getopt(argc, argv,
data/canlock-3.2.0/hp/util/canlock-hfp.c:67:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char sbuf[81]; /*!< String buffer for debugging */
data/canlock-3.2.0/include/sha.h:218:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char k_opad[USHA_Max_Message_Block_Size];
data/canlock-3.2.0/include/sha.h:233:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char prk[USHAMaxHashSize];
data/canlock-3.2.0/include/sha.h:333:53: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern int hkdf(SHAversion whichSha, const unsigned char *salt,
data/canlock-3.2.0/include/sha.h:334:46: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
int salt_len, const unsigned char *ikm, int ikm_len,
data/canlock-3.2.0/include/sha.h:335:32: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *info, int info_len,
data/canlock-3.2.0/include/sha.h:337:60: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt,
data/canlock-3.2.0/include/sha.h:338:53: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
int salt_len, const unsigned char *ikm,
data/canlock-3.2.0/include/sha.h:341:51: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
int prk_len, const unsigned char *info,
data/canlock-3.2.0/include/sha.h:357:38: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *info, int info_len,
data/canlock-3.2.0/src/canlock.c:224:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *cankey[1], *tmp;
data/canlock-3.2.0/src/canlock.c:303:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *canlock[1], *tmp, *junk;
data/canlock-3.2.0/src/canlock.c:406:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *templock[1];
data/canlock-3.2.0/src/hmac.c:46:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *message_array, int length,
data/canlock-3.2.0/src/hmac.c:47:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *key, int key_len,
data/canlock-3.2.0/src/hmac.c:88:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char k_ipad[USHA_Max_Message_Block_Size];
data/canlock-3.2.0/src/hmac.c:91:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char tempkey[USHAMaxHashSize];
data/canlock-3.2.0/test/canlocktest_legacy.c:57:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char keytype[BUFFSIZE], locktype[BUFFSIZE];
data/canlock-3.2.0/test/canlocktest_legacy.c:90:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char cankey[256], canlock[256], *lkey, *llock;
data/canlock-3.2.0/test/hkdf.c:57:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *salt, int salt_len,
data/canlock-3.2.0/test/hkdf.c:58:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *ikm, int ikm_len,
data/canlock-3.2.0/test/hkdf.c:59:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *info, int info_len,
data/canlock-3.2.0/test/hkdf.c:96:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *salt, int salt_len,
data/canlock-3.2.0/test/hkdf.c:97:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *ikm, int ikm_len,
data/canlock-3.2.0/test/hkdf.c:100:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char nullSalt[USHAMaxHashSize];
data/canlock-3.2.0/test/hkdf.c:145:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *info, int info_len,
data/canlock-3.2.0/test/hkdf.c:149:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char T[USHAMaxHashSize];
data/canlock-3.2.0/test/hkdf.c:178:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(okm + where, T,
data/canlock-3.2.0/test/hkdf.c:213:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char nullSalt[USHAMaxHashSize];
data/canlock-3.2.0/test/hkdf.c:317:31: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char *info, int info_len,
data/canlock-3.2.0/test/shatest.c:242:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *randomresults[RANDOMCOUNT];
data/canlock-3.2.0/test/shatest.c:424:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *keyarray[5];
data/canlock-3.2.0/test/shatest.c:426:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *dataarray[5];
data/canlock-3.2.0/test/shatest.c:428:11: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *resultarray[5];
data/canlock-3.2.0/test/shatest.c:757:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char hexdigits[ ] = "0123456789ABCDEF";
data/canlock-3.2.0/test/shatest.c:923:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[128];
data/canlock-3.2.0/test/shatest.c:1013:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char prk[USHAMaxHashSize+1];
data/canlock-3.2.0/test/shatest.c:1015:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[128];
data/canlock-3.2.0/test/shatest.c:1099:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buf[4096];
data/canlock-3.2.0/test/shatest.c:1104:5: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fopen(hashfilename, "r");
data/canlock-3.2.0/test/shatest.c:1206:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[128];
data/canlock-3.2.0/test/shatest.c:1207:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize];
data/canlock-3.2.0/test/shatest.c:1210:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(SEED, seed, hashsize);
data/canlock-3.2.0/test/shatest.c:1219:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(MD[0], SEED, hashsize);
data/canlock-3.2.0/test/shatest.c:1220:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(MD[1], SEED, hashsize);
data/canlock-3.2.0/test/shatest.c:1221:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(MD[2], SEED, hashsize);
data/canlock-3.2.0/test/shatest.c:1235:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(SEED, MD[i-1], hashsize);
data/canlock-3.2.0/test/shatest.c:1251:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *names[HASHCOUNT][2] = {
data/canlock-3.2.0/test/shatest.c:1382:35: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'B': numberExtrabits = atoi(optarg); break;
data/canlock-3.2.0/test/shatest.c:1392:30: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'l': loopnohigh = atoi(optarg); break;
data/canlock-3.2.0/test/shatest.c:1397:31: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 'R': randomcount = atoi(optarg); break;
data/canlock-3.2.0/test/shatest.c:1401:43: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
case 't': testnolow = ntestnohigh = atoi(optarg) - 1; break;
data/canlock-3.2.0/test/shatest.c:1443:55: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
numberExtrabits, extrabits, (const unsigned char *)hmacKey,
data/canlock-3.2.0/test/shatest.c:1454:40: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
(const unsigned char *)hmacKey, hmaclen,
data/canlock-3.2.0/test/shatest.c:1462:40: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
(const unsigned char *)hmacKey, hmaclen,
data/canlock-3.2.0/test/shatest.c:1483:40: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
(const unsigned char *)(
data/canlock-3.2.0/util/canlock.c:150:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static unsigned char buf[SEC_DATA_SIZE_MAX];
data/canlock-3.2.0/hp/util/canlock-hfp.c:216:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
else if ('-' == argv[i][0] && 1 != strlen(argv[i]))
data/canlock-3.2.0/hp/util/canlock-mhp.c:159:11: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
c = fgetc(stdin);
data/canlock-3.2.0/hp/util/canlock-mhp.c:225:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(buf);
data/canlock-3.2.0/hp/util/canlock-mhp.c:237:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(fn);
data/canlock-3.2.0/hp/util/canlock-mhp.c:253:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (!strlen(ufn)) { print_error("Empty header field name"); }
data/canlock-3.2.0/hp/util/canlock-mhp.c:318:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
memmove((void*) p, (void*) &p[1], strlen(&p[1]) + (size_t) 1);
data/canlock-3.2.0/hp/util/canlock-mhp.c:322:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
memmove((void*) p, (void*) &p[1], strlen(&p[1]) + (size_t) 1);
data/canlock-3.2.0/hp/util/package_name.c:61:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
p = (char*) malloc(strlen(n) + (size_t) 1);
data/canlock-3.2.0/src/base64.c:83:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
return strlen(s);
data/canlock-3.2.0/src/base64.c:108:8: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(token) < 4)
data/canlock-3.2.0/src/canlock.c:87:10: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(s);
data/canlock-3.2.0/src/canlock.c:91:7: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(res, s, len);
data/canlock-3.2.0/src/canlock.c:181:32: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
scheme = (char *) malloc(strlen(input) + (size_t) 1);
data/canlock-3.2.0/src/canlock.c:264:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
scheme_len = strlen(scheme);
data/canlock-3.2.0/src/canlock.c:275:4: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(*cankey, scheme, scheme_len);
data/canlock-3.2.0/src/canlock.c:334:52: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (USHAInput(&hash_ctx, cankey, (unsigned int) strlen((char *) cankey))
data/canlock-3.2.0/src/canlock.c:370:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
scheme_len = strlen(scheme);
data/canlock-3.2.0/src/canlock.c:381:4: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(*canlock, scheme, scheme_len);
data/canlock-3.2.0/src/canlock.c:421:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
key_size = strlen(key);
data/canlock-3.2.0/test/canlocktest.c:134:63: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
c_key = cl_get_key(CL_SHA256, (const unsigned char *) sec, strlen(sec),
data/canlock-3.2.0/test/canlocktest.c:135:52: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(const unsigned char *) mid, strlen(mid));
data/canlock-3.2.0/test/canlocktest.c:136:65: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
c_lock = cl_get_lock(CL_SHA256, (const unsigned char *) sec, strlen(sec),
data/canlock-3.2.0/test/canlocktest.c:137:54: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(const unsigned char *) mid, strlen(mid));
data/canlock-3.2.0/test/canlocktest.c:170:30: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
uid_mid = (char *) malloc(strlen(uid) + strlen(mid) + (size_t) 1);
data/canlock-3.2.0/test/canlocktest.c:170:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
uid_mid = (char *) malloc(strlen(uid) + strlen(mid) + (size_t) 1);
data/canlock-3.2.0/test/canlocktest.c:173:64: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
c_key = cl_get_key(CL_SHA256, (const unsigned char *) sec2, strlen(sec2),
data/canlock-3.2.0/test/canlocktest.c:174:56: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(const unsigned char *) uid_mid, strlen(uid_mid));
data/canlock-3.2.0/test/canlocktest.c:175:66: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
c_lock = cl_get_lock(CL_SHA256, (const unsigned char *) sec2, strlen(sec2),
data/canlock-3.2.0/test/canlocktest.c:176:58: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(const unsigned char *) uid_mid, strlen(uid_mid));
data/canlock-3.2.0/test/canlocktest_legacy.c:99:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
llock = sha_lock(secret, strlen((char *) secret),
data/canlock-3.2.0/test/canlocktest_legacy.c:100:30: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
message, strlen((char *) message));
data/canlock-3.2.0/test/canlocktest_legacy.c:101:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
lkey = sha_key(secret, strlen((char *) secret),
data/canlock-3.2.0/test/canlocktest_legacy.c:102:28: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
message, strlen((char *)message));
data/canlock-3.2.0/test/shatest.c:1129:17: [1] (buffer) getc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
while ((c = getc(hashfp)) != EOF) {
data/canlock-3.2.0/test/shatest.c:1390:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
case 'i': info = optarg; infolen = strlen(optarg); break;
data/canlock-3.2.0/test/shatest.c:1391:45: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
case 'k': hmacKey = optarg; hmaclen = strlen(optarg); break;
data/canlock-3.2.0/test/shatest.c:1399:45: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
case 's': hashstr = optarg; hashlen = strlen(hashstr); break;
data/canlock-3.2.0/util/canlock.c:162:12: [1] (buffer) fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
rv = fgetc(stdin);
data/canlock-3.2.0/util/canlock.c:229:59: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
out = cl_get_key(hash, sec, sec_size, mid, strlen(opt_value));
data/canlock-3.2.0/util/canlock.c:233:60: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
out = cl_get_lock(hash, sec, sec_size, mid, strlen(opt_value));
data/canlock-3.2.0/util/canlock.c:257:32: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
key = (char *) malloc(strlen(opt_value) + (size_t) 1);
ANALYSIS SUMMARY:
Hits = 114
Lines analyzed = 7584 in approximately 0.47 seconds (16157 lines/second)
Physical Source Lines of Code (SLOC) = 4304
Hits@level = [0] 136 [1] 41 [2] 57 [3] 1 [4] 15 [5] 0
Hits@level+ = [0+] 250 [1+] 114 [2+] 73 [3+] 16 [4+] 15 [5+] 0
Hits/KSLOC@level+ = [0+] 58.0855 [1+] 26.487 [2+] 16.961 [3+] 3.71747 [4+] 3.48513 [5+] 0
Dot directories skipped = 5 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.