Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/cryptcat-20031202/farm9crypt.cc
Examining data/cryptcat-20031202/farm9crypt.h
Examining data/cryptcat-20031202/generic.h
Examining data/cryptcat-20031202/netcat.c
Examining data/cryptcat-20031202/twofish2.cc
Examining data/cryptcat-20031202/twofish2.h

FINAL RESULTS:

data/cryptcat-20031202/netcat.c:183:18: [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
#define Debug(x) printf x; printf ("\n"); fflush (stdout); sleep (1);

data/cryptcat-20031202/netcat.c:201:5: [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
fprintf (stderr, str, p1, p2, p3, p4, p5, p6);

data/cryptcat-20031202/netcat.c:207:2: [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
fprintf (stderr, h_errs[h_errno]); /* handle it here */

data/cryptcat-20031202/netcat.c:376:3: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
strcpy (poop->name, unknown); /* preload it */

data/cryptcat-20031202/netcat.c:600:3: [4] (shell) execl:
  This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available.
execl (pr00gie, p, NULL);

data/cryptcat-20031202/netcat.c:822:7: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
strcat (bigbuf_net, inet_ntoa (lclend->sin_addr));

data/cryptcat-20031202/netcat.c:896:2: [4] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused).
strcat (p, pp); /* and build the final string */

data/cryptcat-20031202/netcat.c:915:3: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
strcpy (cp, inet_ntoa (lclend->sin_addr));

data/cryptcat-20031202/netcat.c:927:3: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
strcpy (bigbuf_net, inet_ntoa (remend->sin_addr));

data/cryptcat-20031202/farm9crypt.cc:94:2: [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
srand( 1000 );

data/cryptcat-20031202/netcat.c:63:15: [3] (random) srandom:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
#define SRAND srandom /* that this doesn't need *strong* random */

data/cryptcat-20031202/netcat.c:64:14: [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
#define RAND random /* numbers just to mix up port numbers!! */

data/cryptcat-20031202/netcat.c:66:15: [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
#define SRAND srand

data/cryptcat-20031202/netcat.c:1419:15: [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
while ((x = getopt (argc, argv, "ae:g:G:hi:k:lno:p:rs:tuvw:z")) != EOF) {

data/cryptcat-20031202/farm9crypt.cc:107:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
static char outBuffer[8193];

data/cryptcat-20031202/farm9crypt.cc:108:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
static char inBuffer[8193];

data/cryptcat-20031202/farm9crypt.cc:112:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char outbuf[16];

data/cryptcat-20031202/farm9crypt.cc:113:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char outbuf2[16];

data/cryptcat-20031202/farm9crypt.cc:132:14: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190).
  If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
int limit = atoi( outbuf );

data/cryptcat-20031202/farm9crypt.cc:156:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( buf, obuf + 32, limit );

data/cryptcat-20031202/farm9crypt.cc:161:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
static char localBuf[2000];

data/cryptcat-20031202/farm9crypt.cc:163:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char tempbuf[16];

data/cryptcat-20031202/farm9crypt.cc:164:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char outbuf[16];

data/cryptcat-20031202/farm9crypt.cc:166:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( tempbuf, "%d %d", size, rand() );

data/cryptcat-20031202/netcat.c:109:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char name[MAXHOSTNAMELEN]; /* dns name */

data/cryptcat-20031202/netcat.c:110:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char addrs[8][24]; /* ascii-format IP addresses */

data/cryptcat-20031202/netcat.c:116:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char name [64]; /* name in /etc/services */

data/cryptcat-20031202/netcat.c:117:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char anum [8]; /* ascii-format number */

data/cryptcat-20031202/netcat.c:150:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
static char hexnibs[20] = "0123456789abcdef ";

data/cryptcat-20031202/netcat.c:389:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (&poop->iaddrs[x], hostent->h_addr_list[x], sizeof (IA));

data/cryptcat-20031202/netcat.c:408:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
memcpy (poop->iaddrs, &iaddr, sizeof (IA));

data/cryptcat-20031202/netcat.c:481:9: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
x = atoi (pstring);

data/cryptcat-20031202/netcat.c:510:3: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (portpoop->anum, "%d", x); /* always load any numeric specs! */

data/cryptcat-20031202/netcat.c:660:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (&lclend->sin_addr.s_addr, lad, sizeof (IA));

data/cryptcat-20031202/netcat.c:687:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (&remend->sin_addr.s_addr, rad, sizeof (IA));

data/cryptcat-20031202/netcat.c:740:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (opp, gates[x]->iaddrs, sizeof (IA));

data/cryptcat-20031202/netcat.c:744:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (opp, rad, sizeof (IA));

data/cryptcat-20031202/netcat.c:820:5: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
strcpy (bigbuf_net, "listening on ["); /* buffer reuse... */

data/cryptcat-20031202/netcat.c:824:7: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
strcat (bigbuf_net, "any");

data/cryptcat-20031202/netcat.c:825:5: [2] (buffer) strcat:
  Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string.
strcat (bigbuf_net, "] %d ...");

data/cryptcat-20031202/netcat.c:895:2: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (pp, "%2.2x ", *q); /* clumsy, but works: turn into hex */

data/cryptcat-20031202/netcat.c:1056:5: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf (&stage[2], "%8.8x ", obc); /* xxx: still slow? */

data/cryptcat-20031202/netcat.c:1097:19: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
static unsigned char obuf [4]; /* tiny thing to build responses into */

data/cryptcat-20031202/netcat.c:1179:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (timer2, timer1, sizeof (struct timeval));

data/cryptcat-20031202/netcat.c:1334:3: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char keystr[32];

data/cryptcat-20031202/netcat.c:1391:7: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy (bigbuf_in, &cp[x], insaved);

data/cryptcat-20031202/netcat.c:1431:18: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
farm9crypt_init(memcpy(keystr, optarg, MAXKEYSIZE));

data/cryptcat-20031202/netcat.c:1434:6: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
x = atoi (optarg);

data/cryptcat-20031202/netcat.c:1458:15: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
o_interval = atoi (optarg) & 0xffff;

data/cryptcat-20031202/netcat.c:1492:11: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
o_wait = atoi (optarg);

data/cryptcat-20031202/netcat.c:1527:11: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
ofd = open (stage, O_WRONLY | O_CREAT | O_TRUNC, 0664);

data/cryptcat-20031202/twofish2.cc:48:18: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
static unsigned char P[2][256] =

data/cryptcat-20031202/twofish2.cc:453:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char PnMinusOne[16];

data/cryptcat-20031202/twofish2.cc:454:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char CnMinusOne[16];

data/cryptcat-20031202/twofish2.cc:461:13: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char CBCplusCprime[16];

data/cryptcat-20031202/twofish2.cc:495:4: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char Pn[16];

data/cryptcat-20031202/twofish2.cc:497:4: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( &Pn[0], in, size );

data/cryptcat-20031202/twofish2.cc:514:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( &prevCipher[0], &qBlockPlain[0], 16 );

data/cryptcat-20031202/twofish2.cc:515:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( &qBlockPlain[0], p, 16 );

data/cryptcat-20031202/twofish2.cc:516:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( &qBlockCrypt[0], c, 16 );

data/cryptcat-20031202/twofish2.cc:521:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( p, &qBlockPlain[0], 16 );

data/cryptcat-20031202/twofish2.cc:522:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( c, &qBlockCrypt[0], 16 );

data/cryptcat-20031202/twofish2.cc:740:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
static char key[32];

data/cryptcat-20031202/twofish2.cc:774:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
unsigned char byteBuf[200];

data/cryptcat-20031202/twofish2.cc:778:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char inList[16];

data/cryptcat-20031202/twofish2.cc:779:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
unsigned char outList[16];

data/cryptcat-20031202/twofish2.cc:786:13: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( inList, in + bidx, 16 );

data/cryptcat-20031202/twofish2.cc:789:13: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( inList, in + bidx, remaining );

data/cryptcat-20031202/twofish2.cc:802:11: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
sprintf( out, "%03d", byteBuf[i] );

data/cryptcat-20031202/twofish2.cc:820:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
unsigned char byteBuf[200];

data/cryptcat-20031202/twofish2.cc:834:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char inList[16];

data/cryptcat-20031202/twofish2.cc:835:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
unsigned char outList[16];

data/cryptcat-20031202/twofish2.cc:841:13: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( inList, &byteBuf[bidx], 16 );

data/cryptcat-20031202/twofish2.cc:844:13: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
memcpy( inList, &byteBuf[bidx], remaining );

data/cryptcat-20031202/twofish2.h:121:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char qBlockPlain[16];

data/cryptcat-20031202/twofish2.h:122:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char qBlockCrypt[16];

data/cryptcat-20031202/twofish2.h:123:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
char prevCipher[16];

data/cryptcat-20031202/farm9crypt.cc:167:10: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
tempbuf[strlen(tempbuf)] = 'x';

data/cryptcat-20031202/netcat.c:387:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
strncpy (poop->name, hostent->h_name, MAXHOSTNAMELEN - 2);

data/cryptcat-20031202/netcat.c:390:7: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
strncpy (poop->addrs[x], inet_ntoa (poop->iaddrs[x]),

data/cryptcat-20031202/netcat.c:409:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
strncpy (poop->addrs[0], inet_ntoa (iaddr), sizeof (poop->addrs));

data/cryptcat-20031202/netcat.c:419:2: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
strncpy (poop->name, hostent->h_name, MAXHOSTNAMELEN - 2);

data/cryptcat-20031202/netcat.c:469:7: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
strncpy (portpoop->name, servent->s_name, sizeof (portpoop->name));

data/cryptcat-20031202/netcat.c:488:7: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
strncpy (portpoop->name, servent->s_name, sizeof (portpoop->name));

data/cryptcat-20031202/netcat.c:1228:7: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
rr = read (0, bigbuf_in, BIGSIZ);

data/cryptcat-20031202/netcat.c:1384:15: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
insaved = read (0, cp, BIGSIZ); /* we're gonna fake fgets() here */

data/cryptcat-20031202/twofish2.cc:781:21: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
int remaining = strlen( in );

data/cryptcat-20031202/twofish2.cc:814:17: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
int inLen = strlen( in );

data/cryptcat-20031202/twofish2.cc:818:17: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
inLen = strlen( in );

ANALYSIS SUMMARY:

Hits = 89
Lines analyzed = 3303 in approximately 0.15 seconds (22546 lines/second)
Physical Source Lines of Code (SLOC) = 2190
Hits@level = [0] 8 [1] 12 [2] 63 [3] 5 [4] 9 [5] 0
Hits@level+ = [0+] 97 [1+] 89 [2+] 77 [3+] 14 [4+] 9 [5+] 0
Hits/KSLOC@level+ = [0+] 44.2922 [1+] 40.6393 [2+] 35.1598 [3+] 6.39269 [4+] 4.10959 [5+] 0
Minimum risk level = 1

Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.