Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/expect-5.45.4/exp_tty_comm.c Examining data/expect-5.45.4/pty_sgttyb.c Examining data/expect-5.45.4/expect.c Examining data/expect-5.45.4/exp_strf.c Examining data/expect-5.45.4/exp_event.c Examining data/expect-5.45.4/Dbg.c Examining data/expect-5.45.4/exp_log.h Examining data/expect-5.45.4/expect_tcl.h Examining data/expect-5.45.4/exp_int.h Examining data/expect-5.45.4/exp_glob.c Examining data/expect-5.45.4/exp_prog.h Examining data/expect-5.45.4/exp_event.h Examining data/expect-5.45.4/testsuite/exp_test.c Examining data/expect-5.45.4/exp_tty.c Examining data/expect-5.45.4/expTcl.c Examining data/expect-5.45.4/exp_console.c Examining data/expect-5.45.4/exp_memmove.c Examining data/expect-5.45.4/exp_poll.c Examining data/expect-5.45.4/expect_comm.h Examining data/expect-5.45.4/exp_simple.c Examining data/expect-5.45.4/exp_main_exp.c Examining data/expect-5.45.4/exp_rename.h Examining data/expect-5.45.4/exp_pty.h Examining data/expect-5.45.4/example/unbuffer.c Examining data/expect-5.45.4/example/chesslib2.c Examining data/expect-5.45.4/example/chesslib.c Examining data/expect-5.45.4/example/chesslib++.c Examining data/expect-5.45.4/expTcl.h Examining data/expect-5.45.4/exp_inter.c Examining data/expect-5.45.4/retoglob.c Examining data/expect-5.45.4/exp_select.c Examining data/expect-5.45.4/exp_noevent.c Examining data/expect-5.45.4/exp_pty.c Examining data/expect-5.45.4/expect.h Examining data/expect-5.45.4/exp_tstamp.h Examining data/expect-5.45.4/tcldbg.h Examining data/expect-5.45.4/exp_regexp.h Examining data/expect-5.45.4/pty_unicos.c Examining data/expect-5.45.4/exp_closetcl.c Examining data/expect-5.45.4/exp_regexp.c Examining data/expect-5.45.4/exp_trap.c Examining data/expect-5.45.4/exp_chan.c Examining data/expect-5.45.4/exp_command.h Examining data/expect-5.45.4/exp_main_sub.c Examining data/expect-5.45.4/exp_tty.h Examining data/expect-5.45.4/exp_tty_in.h Examining data/expect-5.45.4/exp_win.c Examining data/expect-5.45.4/exp_win.h Examining data/expect-5.45.4/pty_termios.c Examining data/expect-5.45.4/exp_log.c Examining data/expect-5.45.4/exp_clib.c Examining data/expect-5.45.4/exp_command.c FINAL RESULTS: data/expect-5.45.4/pty_unicos.c:236:29: [5] (race) chown: This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362). Use fchown( ) instead. if (chown(linet, realuid, realgid) == -1) { data/expect-5.45.4/pty_unicos.c:240:29: [5] (race) chmod: This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362). Use fchmod( ) instead. if (chmod(linet, 0600) == -1) { data/expect-5.45.4/pty_unicos.c:367:21: [5] (race) chown: This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362). Use fchown( ) instead. if (chown(linet,0,0) == -1) { data/expect-5.45.4/pty_unicos.c:370:21: [5] (race) chmod: This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362). Use fchmod( ) instead. if (chmod(linet, 0666) == -1) { data/expect-5.45.4/Dbg.c:606:2: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant. sprintf(level_text,(level == -1)?"?":"%d",level); data/expect-5.45.4/Dbg.c:1139:18: [4] (format) vprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. if (!printproc) vprintf(fmt,args); data/expect-5.45.4/Dbg.c:1151:3: [4] (format) vsprintf: Potential format string problem (CWE-134). Make format string constant. vsprintf(buf,fmt,args); data/expect-5.45.4/example/chesslib++.c:26:2: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(exp_match,"%*s 1. %s",move); data/expect-5.45.4/example/chesslib++.c:39:2: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(exp_match,"%*s %*s %*s %*s ... %s",move); data/expect-5.45.4/example/chesslib++.c:50:2: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(exp_match,"%*s %*s ... %*s %*s %s",move); data/expect-5.45.4/example/chesslib.c:22:2: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(exp_match,"%*s 1. %s",move); data/expect-5.45.4/example/chesslib.c:35:2: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(exp_match,"%*s %*s %*s %*s ... %s",move); data/expect-5.45.4/example/chesslib.c:46:2: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(exp_match,"%*s %*s ... %*s %*s %s",move); data/expect-5.45.4/example/chesslib2.c:22:2: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(exp_match,"%*s 1. %s",move); data/expect-5.45.4/example/chesslib2.c:35:2: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(exp_match,"%*s %*s %*s %*s ... %s",move); data/expect-5.45.4/example/chesslib2.c:46:2: [4] (buffer) sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function. sscanf(exp_match,"%*s %*s ... %*s %*s %s",move); data/expect-5.45.4/example/chesslib2.c:52:2: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. fprintf(fp,move); data/expect-5.45.4/exp_clib.c:1402:10: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). (void) strcat(buf, p); data/expect-5.45.4/exp_clib.c:2225:16: [4] (shell) execvp: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. (void) execvp(file,argv); data/expect-5.45.4/exp_clib.c:2915:24: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. if (exp_debugfile) vfprintf(exp_debugfile,fmt,args); data/expect-5.45.4/exp_clib.c:2917:2: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. vfprintf(stderr,fmt,args); data/expect-5.45.4/exp_clib.c:2918:19: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. if (exp_logfile) vfprintf(exp_logfile,fmt,args); data/expect-5.45.4/exp_clib.c:2936:5: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. vfprintf(stderr,fmt,args); data/expect-5.45.4/exp_clib.c:2937:24: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. if (exp_debugfile) vfprintf(exp_debugfile,fmt,args); data/expect-5.45.4/exp_clib.c:2938:22: [4] (format) vfprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. if (exp_logfile) vfprintf(exp_logfile,fmt,args); data/expect-5.45.4/exp_command.c:179:5: [4] (format) vsprintf: Potential format string problem (CWE-134). Make format string constant. vsprintf(buffer,fmt,args); data/expect-5.45.4/exp_command.c:573:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(esPtr->slave_name,exp_pty_slave_name); data/expect-5.45.4/exp_command.c:1344:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy (argv[k],Tcl_GetString (objv[i])); data/expect-5.45.4/exp_command.c:1348:5: [4] (shell) execvp: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. execvp(command,argv); data/expect-5.45.4/exp_command.c:1805:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(*stringp,arg); data/expect-5.45.4/exp_command.c:1893:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(i->value,p); data/expect-5.45.4/exp_command.c:2220:4: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat(resultbuf,expLogFilenameGet()); data/expect-5.45.4/exp_command.c:2225:4: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat(resultbuf,Tcl_GetChannelName(expLogChannelGet())); data/expect-5.45.4/exp_command.c:2443:7: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(resultbuf,"-f %s ",expDiagFilename()); data/expect-5.45.4/exp_command.c:2445:3: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). strcat(resultbuf,expDiagToStderrGet()?"1":"0"); data/expect-5.45.4/exp_command.c:2505:3: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(exp_onexit_action,act); data/expect-5.45.4/exp_command.c:2972:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(spawn_id,esPtr->name); data/expect-5.45.4/exp_command.c:3287:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy (argv[j],Tcl_GetString (objv[k])); data/expect-5.45.4/exp_command.c:3296:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy (argv[0]+1,command); data/expect-5.45.4/exp_command.c:3298:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy (argv[0],command); data/expect-5.45.4/exp_command.c:3304:12: [4] (shell) execvp: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. (void) execvp(command,argv); data/expect-5.45.4/exp_command.c:3539:6: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(cmdnamebuf,"exp_%s",c->name); data/expect-5.45.4/exp_log.c:179:12: [4] (format) vsprintf: Potential format string problem (CWE-134). Make format string constant. (void) vsprintf(bigbuf,fmt,args); data/expect-5.45.4/exp_log.c:225:12: [4] (format) vsprintf: Potential format string problem (CWE-134). Make format string constant. (void) vsprintf(bigbuf,fmt,args); data/expect-5.45.4/exp_log.c:267:12: [4] (format) vsprintf: Potential format string problem (CWE-134). Make format string constant. (void) vsprintf(bigbuf,fmt,args); data/expect-5.45.4/exp_log.c:310:9: [4] (format) vsprintf: Potential format string problem (CWE-134). Make format string constant. len = vsprintf(bigbuf,arg1,args); data/expect-5.45.4/exp_main_sub.c:189:5: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant. sprintf(buffer,prompt1_default,iPtr->numLevels,history_nextid(interp)); data/expect-5.45.4/exp_main_sub.c:908:6: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(file,"%s/expect.rc",SCRIPTDIR); data/expect-5.45.4/exp_main_sub.c:928:3: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(file,"%s/.expect.rc",home); data/expect-5.45.4/exp_pty.c:170:3: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(exp_pty_error,"can't create %s, errno = %d\n",locksrc, errno); data/expect-5.45.4/exp_pty.c:220:6: [4] (race) access: This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition (CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid()) and try to open the file directly. if (access(slave_name, R_OK|W_OK) != 0) { data/expect-5.45.4/exp_pty.c:285:2: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(lock,"/tmp/ptylock.%c%s",bank,num); data/expect-5.45.4/exp_pty.c:329:3: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant. sprintf(buf,fmt,num); data/expect-5.45.4/exp_pty.c:340:3: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant. sprintf(buf,fmt,str1); data/expect-5.45.4/exp_pty.c:350:3: [4] (format) sprintf: Potential format string problem (CWE-134). Make format string constant. sprintf(buf,fmt,str1,str2); data/expect-5.45.4/exp_regexp.c:1229:10: [4] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). (void) strcat(buf, p); data/expect-5.45.4/exp_strf.c:232:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(tbuf, days_a[timeptr->tm_wday]); data/expect-5.45.4/exp_strf.c:239:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(tbuf, days_l[timeptr->tm_wday]); data/expect-5.45.4/exp_strf.c:249:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(tbuf, months_a[timeptr->tm_mon]); data/expect-5.45.4/exp_strf.c:256:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(tbuf, months_l[timeptr->tm_mon]); data/expect-5.45.4/exp_strf.c:260:4: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(tbuf, "%s %s %2d %02d:%02d:%02d %d", data/expect-5.45.4/exp_strf.c:306:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(tbuf, ampm[0]); data/expect-5.45.4/exp_strf.c:308:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(tbuf, ampm[1]); data/expect-5.45.4/exp_strf.c:330:4: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(tbuf, "%s %s %2d %d", data/expect-5.45.4/exp_strf.c:361:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(tbuf, tzname[i]); data/expect-5.45.4/exp_strf.c:363:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(tbuf, zone_name (timeptr)); data/expect-5.45.4/exp_strf.c:444:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(s, tbuf); data/expect-5.45.4/exp_tty.c:501:7: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf,"%sraw %secho", data/expect-5.45.4/exp_tty.c:639:8: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf,"%sraw %secho", data/expect-5.45.4/exp_tty.c:665:17: [4] (shell) system: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. systemStatus = system(buf); data/expect-5.45.4/exp_tty.c:703:6: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf,"%sraw %secho", data/expect-5.45.4/expect.c:229:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(news,s); data/expect-5.45.4/expect.c:2201:3: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(msg,"%s from indirect variable (%s)", data/expect-5.45.4/expect.c:2415:5: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(backup,esPtr->name); data/expect-5.45.4/expect.c:3144:2: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. printf((exp_i->direct == EXP_DIRECT)?" direct":" indirect"); data/expect-5.45.4/expect.c:3145:2: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. printf((exp_i->duration == EXP_PERMANENT)?" perm":" tmp"); data/expect-5.45.4/expect.c:3175:2: [4] (format) printf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. printf((ecmd->duration==EXP_PERMANENT)?" perm ": "tmp "); data/expect-5.45.4/pty_sgttyb.c:58:2: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf,"%s %s > %s",STTY_BIN,s,name); data/expect-5.45.4/pty_sgttyb.c:60:2: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf,"%s %s < %s",STTY_BIN,s,name); data/expect-5.45.4/pty_sgttyb.c:63:2: [4] (shell) system: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. system(buf); data/expect-5.45.4/pty_sgttyb.c:198:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(slave_name,master_name); data/expect-5.45.4/pty_termios.c:262:2: [4] (shell) execvp: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. execvp(args[0],args); data/expect-5.45.4/pty_termios.c:276:2: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf,"%s %s > %s",STTY_BIN,s,name); data/expect-5.45.4/pty_termios.c:278:2: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf,"%s %s < %s",STTY_BIN,s,name); data/expect-5.45.4/pty_termios.c:281:2: [4] (shell) system: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. system(buf); data/expect-5.45.4/pty_termios.c:416:4: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(exp_pty_error,"grantpt(%s) failed - likely reason is that your system administrator (in a rage of blind passion to rid the system of security holes) removed setuid from the utility used internally by grantpt to change pty permissions. Tell your system admin to reestablish setuid on the utility. Get the utility name by running Expect under truss or trace.", expErrnoMsg(errno)); data/expect-5.45.4/pty_termios.c:423:4: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(exp_pty_error,"unlockpt(%s) failed.", expErrnoMsg(errno)); data/expect-5.45.4/pty_termios.c:495:2: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(slave_name, ttyname_checked(slave)); data/expect-5.45.4/pty_termios.c:514:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(slave_name,master_name); data/expect-5.45.4/pty_termios.c:527:13: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf (master_name, "%s%s", "/dev/ptyp", num_str); data/expect-5.45.4/pty_termios.c:530:13: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf (slave_name, "%s%s", "/dev/ttyp", num_str); data/expect-5.45.4/pty_termios.c:588:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(slave_num,tty_num); data/expect-5.45.4/pty_termios.c:604:4: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(slave_num,tty_num); data/expect-5.45.4/pty_termios.c:616:3: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). strcpy(slave_name,master_name); data/expect-5.45.4/pty_termios.c:661:3: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(exp_pty_error,"open(%s,rw) = %d (%s)",slave_name,slave,expErrnoMsg(errno)); data/expect-5.45.4/pty_unicos.c:26:20: [4] (shell) execl: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. extern int fork(), execl(), wait(); data/expect-5.45.4/pty_unicos.c:92:2: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf,"%s %s > %s",STTY_BIN,s,name); data/expect-5.45.4/pty_unicos.c:94:2: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. sprintf(buf,"%s %s < %s",STTY_BIN,s,name); data/expect-5.45.4/pty_unicos.c:97:2: [4] (shell) system: This causes a new program to execute and is difficult to use safely (CWE-78). try using a library call that implements the same functionality if available. system(buf); data/expect-5.45.4/pty_unicos.c:190:9: [4] (misc) cuserid: Exactly what cuserid() does is poorly defined (e.g., some systems use the effective uid, like Linux, while others like System V use the real uid). Thus, you can't trust what it does. It's certainly not portable (The cuserid function was included in the 1988 version of POSIX, but removed from the 1990 version). Also, if passed a non-null parameter, there's a risk of a buffer overflow if the passed-in buffer is not at least L_cuserid characters long (CWE-120). Use getpwuid(geteuid()) and extract the desired information instead. (void) cuserid(myname); data/expect-5.45.4/pty_unicos.c:256:7: [4] (race) access: This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition (CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid()) and try to open the file directly. if (access(linet, R_OK|W_OK) != 0) { data/expect-5.45.4/retoglob.c:135:20: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. #define LOG if (1) fprintf data/expect-5.45.4/retoglob.c:139:20: [4] (format) fprintf: If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification. #define LOG if (0) fprintf data/expect-5.45.4/exp_clib.c:98:16: [3] (buffer) getenv: Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them. extern char * getenv _ANSI_ARGS_((CONST char *name)); data/expect-5.45.4/exp_command.c:1599:5: [3] (random) srand: This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values. srand(getpid()); data/expect-5.45.4/exp_main_sub.c:704:14: [3] (buffer) getopt: Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. while ((c = getopt(argc, argv, "+b:c:dD:f:inN-v")) != EOF) { data/expect-5.45.4/exp_main_sub.c:739:27: [3] (buffer) getenv: Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them. if (0 == (debug_init = getenv("EXPECT_DEBUG_INIT"))) { data/expect-5.45.4/exp_main_sub.c:924:12: [3] (buffer) getenv: Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them. char *getenv(); data/expect-5.45.4/exp_main_sub.c:926:27: [3] (buffer) getenv: Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them. if ((NULL != (home = getenv("DOTDIR"))) || data/expect-5.45.4/exp_main_sub.c:927:20: [3] (buffer) getenv: Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them. (NULL != (home = getenv("HOME")))) { data/expect-5.45.4/exp_strf.c:96:14: [3] (buffer) getenv: Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them. extern char *getenv(); data/expect-5.45.4/exp_strf.c:105:14: [3] (buffer) getenv: Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once (CWE-807, CWE-20). Check environment variables carefully before using them. extern char *getenv(const char *v); data/expect-5.45.4/Dbg.c:74:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char viewFrameName[FRAMENAMELEN];/* destination frame name for up/down */ data/expect-5.45.4/Dbg.c:161:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[20]; data/expect-5.45.4/Dbg.c:170:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(name,"%d",i); data/expect-5.45.4/Dbg.c:312:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf_basic[DEFAULT_WIDTH+1]; data/expect-5.45.4/Dbg.c:329:6: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\b"); d += 2; data/expect-5.45.4/Dbg.c:331:6: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\f"); d += 2; data/expect-5.45.4/Dbg.c:333:6: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\v"); d += 2; data/expect-5.45.4/Dbg.c:335:6: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\r"); d += 2; data/expect-5.45.4/Dbg.c:337:6: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\n"); d += 2; data/expect-5.45.4/Dbg.c:339:6: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\t"); d += 2; data/expect-5.45.4/Dbg.c:341:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(d,"\\%03o",ch); d += 4; data/expect-5.45.4/Dbg.c:343:6: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\177"); d += 4; data/expect-5.45.4/Dbg.c:347:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(d,"\\u%04x",ch); d += 6; data/expect-5.45.4/Dbg.c:362:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf_basic[DEFAULT_WIDTH+1]; /* basic buffer */ data/expect-5.45.4/Dbg.c:377:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf,"%.*s",buf_width,argv[0]); data/expect-5.45.4/Dbg.c:409:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(bufp," {%.*s}",space-3,*argv); data/expect-5.45.4/Dbg.c:411:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(bufp," %.*s",space-1,*argv); data/expect-5.45.4/Dbg.c:570:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char level_text[6]; /* textual representation of level */ data/expect-5.45.4/Dbg.c:1142:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf_basic[DEFAULT_WIDTH+PAD+1]; data/expect-5.45.4/Dbg.c:1265:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char line[BUFSIZ+1]; /* space for partial command */ data/expect-5.45.4/Dbg.c:1329:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char num[10]; data/expect-5.45.4/Dbg.c:1331:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(num," %d",last_step_count); data/expect-5.45.4/example/chesslib++.c:18:1: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char move[100]; data/expect-5.45.4/example/chesslib.c:12:1: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char move[100]; data/expect-5.45.4/example/chesslib2.c:12:1: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char move[100]; data/expect-5.45.4/exp_chan.c:694:5: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(esPtr->name,"exp%d",fdin); data/expect-5.45.4/exp_clib.c:92:13: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). extern int atoi _ANSI_ARGS_((CONST char *string)); data/expect-5.45.4/exp_clib.c:93:14: [2] (integer) atol: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). extern long atol _ANSI_ARGS_((CONST char *string)); data/expect-5.45.4/exp_clib.c:1323:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[50]; data/expect-5.45.4/exp_clib.c:1367:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/expect-5.45.4/exp_clib.c:1379:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/expect-5.45.4/exp_clib.c:1390:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/expect-5.45.4/exp_clib.c:1394:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/expect-5.45.4/exp_clib.c:2038:10: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). ttyfd = open("/dev/tty", O_RDWR); data/expect-5.45.4/exp_clib.c:2115:7: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (open("/dev/tty", O_RDWR) < 0) { data/expect-5.45.4/exp_clib.c:2171:13: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((fd = open("/dev/console", O_RDONLY)) == -1) { data/expect-5.45.4/exp_clib.c:2542:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(exp_buffer,exp_buffer+first_half,second_half); data/expect-5.45.4/exp_clib.c:2892:10: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). ttyfd = open("/dev/tty", O_RDWR); data/expect-5.45.4/exp_clib.c:2965:4: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\r"); d += 2; data/expect-5.45.4/exp_clib.c:2967:4: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\n"); d += 2; data/expect-5.45.4/exp_clib.c:2969:4: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\t"); d += 2; data/expect-5.45.4/exp_clib.c:2973:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(d,"\\x%02x",*s & 0xff); d += 4; data/expect-5.45.4/exp_command.c:175:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer[2000]; data/expect-5.45.4/exp_command.c:204:9: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). int open, data/expect-5.45.4/exp_command.c:208:9: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (open && !esPtr->open) { data/expect-5.45.4/exp_command.c:208:25: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (open && !esPtr->open) { data/expect-5.45.4/exp_command.c:220:9: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). int open, data/expect-5.45.4/exp_command.c:247:39: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). return expStateCheck(interp,esPtr,open,adjust,msg); data/expect-5.45.4/exp_command.c:257:4: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. ((char *)status)[i] = 0; data/expect-5.45.4/exp_command.c:313:13: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). int x = open("/dev/null",0); data/expect-5.45.4/exp_command.c:869:15: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). testfd = open("/",0); data/expect-5.45.4/exp_command.c:983:6: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char value[20]; data/expect-5.45.4/exp_command.c:998:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value,"%ld",esPtr->fd_slave); data/expect-5.45.4/exp_command.c:1158:13: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). ttyfd = open("/dev/tty", O_RDWR); data/expect-5.45.4/exp_command.c:1235:9: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (open("/dev/tty", O_RDWR) < 0) { data/expect-5.45.4/exp_command.c:1269:16: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). timeout = atoi(t); data/expect-5.45.4/exp_command.c:1271:16: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). timeout = atoi(t)/2; data/expect-5.45.4/exp_command.c:2173:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char resultbuf[1000]; data/expect-5.45.4/exp_command.c:2217:27: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string. if (expLogAllGet()) strcat(resultbuf,"-a "); data/expect-5.45.4/exp_command.c:2218:31: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string. if (!expLogAppendGet()) strcat(resultbuf,"-noappend "); data/expect-5.45.4/exp_command.c:2223:8: [2] (buffer) strcat: Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Risk is low because the source is a constant string. strcat(resultbuf,"-leaveopen "); data/expect-5.45.4/exp_command.c:2410:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char resultbuf[1000]; data/expect-5.45.4/exp_command.c:2881:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char spawn_id[20]; data/expect-5.45.4/exp_command.c:3004:3: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(spawn_id,"-1"); data/expect-5.45.4/exp_command.c:3069:17: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!esPtr->open) { data/expect-5.45.4/exp_command.c:3169:2: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). open("/dev/null",0); data/expect-5.45.4/exp_command.c:3170:2: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). open("/dev/null",1); data/expect-5.45.4/exp_command.c:3184:2: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). open("/dev/null",1); data/expect-5.45.4/exp_command.c:3213:13: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). ttyfd = open("/dev/tty", O_RDWR); data/expect-5.45.4/exp_command.c:3521:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char cmdnamebuf[80]; data/expect-5.45.4/exp_command.h:103:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[EXP_CHANNELNAMELEN+1]; /* expect and interact set variables data/expect-5.45.4/exp_command.h:131:9: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). int open; /* if fdin/fdout open */ data/expect-5.45.4/exp_console.c:54:12: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((fd = open("/dev/console", O_RDONLY)) == -1) { data/expect-5.45.4/exp_int.h:19:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. #define memcpy(x,y,len) bcopy(y,x,len) data/expect-5.45.4/exp_int.h:19:25: [2] (buffer) bcopy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. #define memcpy(x,y,len) bcopy(y,x,len) data/expect-5.45.4/exp_inter.c:362:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[20], value[20]; data/expect-5.45.4/exp_inter.c:376:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(name,"%d,start",i); data/expect-5.45.4/exp_inter.c:377:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value,"%d",start); data/expect-5.45.4/exp_inter.c:381:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(name,"%d,end",i); data/expect-5.45.4/exp_inter.c:382:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value,"%d",end); data/expect-5.45.4/exp_inter.c:387:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(name,"%d,string",i); data/expect-5.45.4/exp_inter.c:477:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (esPtr->input.buffer + esPtr->input.use, data/expect-5.45.4/exp_inter.c:1567:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(ustring, ustring + skip, size * sizeof(Tcl_UniChar)); data/expect-5.45.4/exp_inter.c:1827:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(u->buffer, u->buffer + skip, size); data/expect-5.45.4/exp_inter.c:1832:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(u->buffer, u->buffer + skip, size); data/expect-5.45.4/exp_inter.c:2073:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(u->buffer, u->buffer + skip, size); data/expect-5.45.4/exp_inter.c:2078:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(u->buffer, u->buffer + skip, size); data/expect-5.45.4/exp_log.c:47:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char bigbuf[2000]; data/expect-5.45.4/exp_log.c:306:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char bigbuf[2000]; data/expect-5.45.4/exp_log.c:482:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char mode[2]; data/expect-5.45.4/exp_log.c:654:3: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\r"); d += 2; data/expect-5.45.4/exp_log.c:656:3: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\n"); d += 2; data/expect-5.45.4/exp_log.c:658:3: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\t"); d += 2; data/expect-5.45.4/exp_log.c:662:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(d,"\\u%04x",ch); d += 6; data/expect-5.45.4/exp_log.c:697:7: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\r"); d += 2; data/expect-5.45.4/exp_log.c:699:7: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\n"); d += 2; data/expect-5.45.4/exp_log.c:701:7: [2] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string. strcpy(d,"\\t"); d += 2; data/expect-5.45.4/exp_log.c:705:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(d,"\\u%04x",ch); d += 6; data/expect-5.45.4/exp_main_exp.c:25:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buffer [30]; data/expect-5.45.4/exp_main_exp.c:55:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buffer, "exit %d", rc); data/expect-5.45.4/exp_main_sub.c:185:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buffer[200]; data/expect-5.45.4/exp_main_sub.c:301:14: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (!esPtr->open) { data/expect-5.45.4/exp_main_sub.c:451:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). emajor = atoi(exp_version); data/expect-5.45.4/exp_main_sub.c:452:11: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). umajor = atoi(user_version); data/expect-5.45.4/exp_main_sub.c:465:7: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). u = atoi(dot+1); data/expect-5.45.4/exp_main_sub.c:467:7: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). e = atoi(dot+1); data/expect-5.45.4/exp_main_sub.c:517:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int tcl_major = atoi(TCL_VERSION); data/expect-5.45.4/exp_main_sub.c:519:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). int tcl_minor = atoi(dot+1); data/expect-5.45.4/exp_main_sub.c:524:6: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char bufa [20]; data/expect-5.45.4/exp_main_sub.c:525:6: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char bufb [20]; data/expect-5.45.4/exp_main_sub.c:528:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(bufa,"%d.%d",tcl_major,tcl_minor); data/expect-5.45.4/exp_main_sub.c:529:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(bufb,"%d.%d",NEED_TCL_MAJOR,NEED_TCL_MINOR); data/expect-5.45.4/exp_main_sub.c:653:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char sigint_init_default[80]; data/expect-5.45.4/exp_main_sub.c:654:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char sigterm_init_default[80]; data/expect-5.45.4/exp_main_sub.c:663:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char argc_rep[10]; /* enough space for storing literal rep of argc */ data/expect-5.45.4/exp_main_sub.c:690:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(sigint_init_default, "trap {exit %d} SIGINT", EXP_SIG_EXIT(SIGINT)); data/expect-5.45.4/exp_main_sub.c:692:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(sigterm_init_default,"trap {exit %d} SIGTERM",EXP_SIG_EXIT(SIGTERM)); data/expect-5.45.4/exp_main_sub.c:814:19: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). exp_cmdfile = fopen(exp_cmdfilename,"r"); data/expect-5.45.4/exp_main_sub.c:852:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(argc_rep,"%d",argc-optind); data/expect-5.45.4/exp_main_sub.c:905:6: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char file[200]; data/expect-5.45.4/exp_main_sub.c:909:22: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (-1 != (fd = open(file,0))) { data/expect-5.45.4/exp_main_sub.c:921:6: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char file[200]; data/expect-5.45.4/exp_main_sub.c:929:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (-1 != (fd = open(file,0))) { data/expect-5.45.4/exp_main_sub.c:979:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char line[BUFSIZ];/* buffer for partial Tcl command */ data/expect-5.45.4/exp_poll.c:343:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&fdArray[cur_fd_index],&fdArray[fdsInUse],sizeof(struct pollfd)); data/expect-5.45.4/exp_pty.c:64:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char locksrc[50] = "/tmp/expect.pid"; /* pid is replaced by real pid */ data/expect-5.45.4/exp_pty.c:161:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(locksrc,"/tmp/expect.%d",getpid()); data/expect-5.45.4/exp_pty.c:167:25: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (-1 == (lfd = open(locksrc,O_RDWR|O_CREAT|O_EXCL,0777))) { data/expect-5.45.4/exp_pty.c:168:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[256]; data/expect-5.45.4/exp_pty.c:209:20: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (0 > (master = open(master_name,RDWR))) return(-1); data/expect-5.45.4/exp_pty.c:228:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (0 > (slave = open(slave_name,RDWR))) { data/expect-5.45.4/exp_pty.c:244:20: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (0 > (master = open(master_name,RDWR))) return(-1); data/expect-5.45.4/exp_pty.c:245:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (0 > (slave = open(slave_name,RDWR))) { data/expect-5.45.4/exp_pty.c:259:9: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). return(open(master_name,RDWR)); data/expect-5.45.4/exp_pty.c:328:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[1000]; data/expect-5.45.4/exp_pty.c:339:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[1000]; data/expect-5.45.4/exp_pty.c:349:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[1000]; data/expect-5.45.4/exp_regexp.c:1150:9: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[50]; data/expect-5.45.4/exp_regexp.c:1194:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/expect-5.45.4/exp_regexp.c:1206:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/expect-5.45.4/exp_regexp.c:1217:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/expect-5.45.4/exp_regexp.c:1221:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/expect-5.45.4/exp_simple.c:184:5: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy((VOID *) readyMasks, (VOID *) checkMasks, data/expect-5.45.4/exp_strf.c:115:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. extern char *tzname[2]; data/expect-5.45.4/exp_strf.c:169:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char tbuf[100]; data/expect-5.45.4/exp_strf.c:272:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", i); data/expect-5.45.4/exp_strf.c:277:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", i); data/expect-5.45.4/exp_strf.c:286:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", i); data/expect-5.45.4/exp_strf.c:290:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%03d", timeptr->tm_yday + 1); data/expect-5.45.4/exp_strf.c:295:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", i + 1); data/expect-5.45.4/exp_strf.c:300:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", i); data/expect-5.45.4/exp_strf.c:313:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", i); data/expect-5.45.4/exp_strf.c:317:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", weeknumber(timeptr, 0)); data/expect-5.45.4/exp_strf.c:322:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%d", i); data/expect-5.45.4/exp_strf.c:326:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", weeknumber(timeptr, 1)); data/expect-5.45.4/exp_strf.c:338:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d:%02d:%02d", data/expect-5.45.4/exp_strf.c:346:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", i); data/expect-5.45.4/exp_strf.c:350:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%d", 1900 + timeptr->tm_year); data/expect-5.45.4/exp_strf.c:390:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%2d", range(1, timeptr->tm_mday, 31)); data/expect-5.45.4/exp_strf.c:414:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", (timeptr->tm_year + 1900) / 100); data/expect-5.45.4/exp_strf.c:423:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%02d", iso8601wknum(timeptr)); data/expect-5.45.4/exp_strf.c:428:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tbuf, "%d", timeptr->tm_wday == 0 ? 7 : data/expect-5.45.4/exp_trap.c:428:4: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(traps[sig].action,action,len); data/expect-5.45.4/exp_tty.c:406:21: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (-1 == (fd = open(infile,2))) { data/expect-5.45.4/exp_tty.c:500:7: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf [11]; data/expect-5.45.4/exp_tty.c:583:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[MAX_ARGLIST]; data/expect-5.45.4/exp_tty.c:638:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf [11]; data/expect-5.45.4/exp_tty.c:655:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(bufp,argv[i],arg_len); data/expect-5.45.4/exp_tty.c:658:3: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(bufp," ",1); data/expect-5.45.4/exp_tty.c:702:6: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf [11]; data/expect-5.45.4/exp_tty.c:751:6: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char msg1[20], msg2[20]; data/expect-5.45.4/exp_tty.c:755:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(msg1, "%d", pid); data/expect-5.45.4/exp_tty.c:757:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(msg2, "%d", WEXITSTATUS(waitStatus)); data/expect-5.45.4/exp_win.c:112:17: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). winsize.rows = atoi(rows); data/expect-5.45.4/exp_win.c:119:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char rows [20]; data/expect-5.45.4/exp_win.c:121:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(rows,"%d",winsize.rows); data/expect-5.45.4/exp_win.c:129:20: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). winsize.columns = atoi(columns); data/expect-5.45.4/exp_win.c:136:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char columns [20]; data/expect-5.45.4/exp_win.c:138:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(columns,"%d",winsize.columns); data/expect-5.45.4/exp_win.c:174:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). win2size.rows = atoi(rows); data/expect-5.45.4/exp_win.c:182:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char rows [20]; data/expect-5.45.4/exp_win.c:184:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(rows,"%d",win2size.rows); data/expect-5.45.4/exp_win.c:198:21: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). win2size.columns = atoi(columns); data/expect-5.45.4/exp_win.c:206:12: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char columns [20]; data/expect-5.45.4/exp_win.c:208:2: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(columns,"%d",win2size.columns); data/expect-5.45.4/expect.c:112:1: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char *pattern_style[PAT_TYPES]; data/expect-5.45.4/expect.c:1283:4: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[25]; /* big enough for a small int */ data/expect-5.45.4/expect.c:1284:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(buf,"%ld", (long)fdp->esPtr); data/expect-5.45.4/expect.c:1557:2: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy(&ecmd->ecd.cases[start_index],eg.ecd.cases, data/expect-5.45.4/expect.c:1629:6: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (string, string + excess, new_msize * sizeof (Tcl_UniChar)); data/expect-5.45.4/expect.c:1790:9: [2] (buffer) memcpy: Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data. memcpy (esPtr->input.buffer + esPtr->input.use, data/expect-5.45.4/expect.c:2064:20: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). tsdPtr->timeout = atoi(t); data/expect-5.45.4/expect.c:2200:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char msg[200]; data/expect-5.45.4/expect.c:2261:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char name[20], value[20]; data/expect-5.45.4/expect.c:2295:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(name,"%d,start",i); data/expect-5.45.4/expect.c:2296:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value,"%d",start); data/expect-5.45.4/expect.c:2300:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(name,"%d,end",i); data/expect-5.45.4/expect.c:2301:7: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value,"%d",end); data/expect-5.45.4/expect.c:2306:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(name,"%d,string",i); data/expect-5.45.4/expect.c:2319:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value,"%d",e->simple_start); data/expect-5.45.4/expect.c:2323:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value,"%d",e->simple_start + match - 1); data/expect-5.45.4/expect.c:2336:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value,"%d",match-1); data/expect-5.45.4/expect.c:2339:6: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(value,"%d",match-1); data/expect-5.45.4/expect.c:2400:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char backup[EXP_CHANNELNAMELEN+1]; /* backup copy of esPtr channel name! */ data/expect-5.45.4/expect.h:312:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char *startp[NSUBEXP]; data/expect-5.45.4/expect.h:313:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char *endp[NSUBEXP]; data/expect-5.45.4/expect.h:318:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char program[1]; /* Unwarranted chumminess with compiler. */ data/expect-5.45.4/pty_sgttyb.c:54:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[MAX_ARGLIST]; /* overkill is easier */ data/expect-5.45.4/pty_sgttyb.c:155:16: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). exp_dev_tty = open("/dev/tty",O_RDWR); data/expect-5.45.4/pty_sgttyb.c:229:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (0 > (slave = open(slave_name, O_RDWR))) return(-1); data/expect-5.45.4/pty_termios.c:165:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char master_name[MAXPTYNAMELEN]; data/expect-5.45.4/pty_termios.c:166:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char slave_name[MAXPTYNAMELEN]; data/expect-5.45.4/pty_termios.c:193:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char master_name[MAXPTYNAMELEN]; data/expect-5.45.4/pty_termios.c:194:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char slave_name[MAXPTYNAMELEN]; data/expect-5.45.4/pty_termios.c:198:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char master_name[64]; data/expect-5.45.4/pty_termios.c:199:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char slave_name[64]; data/expect-5.45.4/pty_termios.c:212:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[MAX_ARGLIST]; /* overkill is easier */ data/expect-5.45.4/pty_termios.c:233:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char *args[50]; data/expect-5.45.4/pty_termios.c:272:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[MAX_ARGLIST]; /* overkill is easier */ data/expect-5.45.4/pty_termios.c:367:16: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). exp_dev_tty = open("/dev/tty",O_RDWR); data/expect-5.45.4/pty_termios.c:405:23: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((master = open("/dev/ptmx_bsd", O_RDWR)) == -1) return(-1); data/expect-5.45.4/pty_termios.c:407:16: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if ((master = open("/dev/ptmx", O_RDWR)) == -1) return(-1); data/expect-5.45.4/pty_termios.c:414:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[500]; data/expect-5.45.4/pty_termios.c:421:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[500]; data/expect-5.45.4/pty_termios.c:446:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). master = open("/dev/ptc", O_RDWR); data/expect-5.45.4/pty_termios.c:455:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(slave_name,"/dev/ttyq%d",ptynum); data/expect-5.45.4/pty_termios.c:471:11: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). master = open("/dev/ptc",O_RDWR); data/expect-5.45.4/pty_termios.c:524:13: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char num_str [16]; data/expect-5.45.4/pty_termios.c:526:13: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf (num_str, "%d", num); data/expect-5.45.4/pty_termios.c:583:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tty_num,"00"); data/expect-5.45.4/pty_termios.c:587:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tty_num,"%02d",num); data/expect-5.45.4/pty_termios.c:599:3: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tty_num,"000"); data/expect-5.45.4/pty_termios.c:603:4: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. sprintf(tty_num,"%03d",num); data/expect-5.45.4/pty_termios.c:656:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[10240]; data/expect-5.45.4/pty_termios.c:658:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (0 > (slave = open(slave_name, O_RDWR))) { data/expect-5.45.4/pty_termios.c:659:10: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char buf[500]; data/expect-5.45.4/pty_termios.c:699:20: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (0 > (slave2 = open(slave_name, O_RDWR))) return(-1); data/expect-5.45.4/pty_unicos.c:77:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char myname[32]; data/expect-5.45.4/pty_unicos.c:78:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. static char hostname[MAXHOSTNAMELEN]; data/expect-5.45.4/pty_unicos.c:88:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[MAX_ARGLIST]; /* overkill is easier */ data/expect-5.45.4/pty_unicos.c:183:16: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). exp_dev_tty = open("/dev/tty",O_RDWR); data/expect-5.45.4/pty_unicos.c:219:10: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. (void) sprintf(linep, "/dev/pty/%03d", npty); data/expect-5.45.4/pty_unicos.c:220:12: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). master = open(linep, O_RDWR); data/expect-5.45.4/pty_unicos.c:228:10: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. (void) sprintf(linet, "/dev/ttyp%03d", npty); data/expect-5.45.4/pty_unicos.c:245:34: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). master = open(linep, 2); data/expect-5.45.4/pty_unicos.c:290:19: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (0 > (slave = open(linet, O_RDWR))) { data/expect-5.45.4/pty_unicos.c:364:24: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. (void) sprintf(linet, "/dev/ttyp%03d", npty); data/expect-5.45.4/retoglob.c:13:22: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). Tcl_UniChar open, data/expect-5.45.4/retoglob.c:516:23: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). Tcl_UniChar open, data/expect-5.45.4/retoglob.c:519:30: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). ExpChopNested (xstr,xstrlen, open, close) data/expect-5.45.4/retoglob.c:522:20: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). Tcl_UniChar open; data/expect-5.45.4/retoglob.c:531:17: [2] (misc) open: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). if (MATCHC (open)) { data/expect-5.45.4/retoglob.c:577:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char buf[20]; data/expect-5.45.4/retoglob.c:578:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char dst[TCL_UTF_MAX+1]; data/expect-5.45.4/testsuite/exp_test.c:14:3: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char line[ARRAYSIZE]; data/expect-5.45.4/Dbg.c:319:12: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). need = strlen(s)*6; data/expect-5.45.4/Dbg.c:378:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(buf); data/expect-5.45.4/Dbg.c:413:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(buf); data/expect-5.45.4/Dbg.c:423:3: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(buf,printify(buf),buf_width); data/expect-5.45.4/Dbg.c:429:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen(buf) == buf_width) { data/expect-5.45.4/Dbg.c:772:5: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(viewFrameName,frame,FRAMENAMELEN); data/expect-5.45.4/Dbg.c:1302:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). rc = read(0,line,BUFSIZ); data/expect-5.45.4/example/chesslib++.c:8:13: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). extern int strlen(...); data/expect-5.45.4/example/chesslib++.c:56:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). write(fd,move,strlen(move)); data/expect-5.45.4/example/chesslib.c:52:16: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). write(fd,move,strlen(move)); data/expect-5.45.4/exp_chan.c:219:17: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). bytesRead = read(esPtr->fdin, buf, (size_t) toRead); data/expect-5.45.4/exp_clib.c:440:39: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (OP(scan) == EXACTLY && ((int) strlen(OPERAND(scan))) >= len) { data/expect-5.45.4/exp_clib.c:442:12: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(OPERAND(scan)); data/expect-5.45.4/exp_clib.c:1047:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(opnd); data/expect-5.45.4/exp_clib.c:1215:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). count = strlen(scan); data/expect-5.45.4/exp_clib.c:1325:9: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. (void) strcpy(buf, ":"); data/expect-5.45.4/exp_clib.c:1367:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/expect-5.45.4/exp_clib.c:1379:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/expect-5.45.4/exp_clib.c:1390:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/expect-5.45.4/exp_clib.c:1394:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/expect-5.45.4/exp_clib.c:1556:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). return(strlen(string)+match); /* DEL */ data/expect-5.45.4/exp_clib.c:1559:17: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). head_len = strlen(string); /* length before tail */ data/expect-5.45.4/exp_clib.c:1956:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). cc = read(sync_fds[0],&sync_byte,1); data/expect-5.45.4/exp_clib.c:1984:11: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). switch (read(status_pipe[0],&child_errno,sizeof child_errno)) { data/expect-5.45.4/exp_clib.c:2206:7: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). cc = read(sync2_fds[0],&sync_byte,1); data/expect-5.45.4/exp_clib.c:2353:8: [1] (buffer) getc: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). c = getc(fp); data/expect-5.45.4/exp_clib.c:2365:9: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). cc = read(fd,buffer,length); data/expect-5.45.4/exp_clib.c:2386:10: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). cc = read(fd,buffer,length); data/expect-5.45.4/exp_clib.c:2643:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). exp_match_end = p + strlen(ec->pattern); data/expect-5.45.4/exp_clib.c:2956:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). need = strlen(s)*4 + 1; data/expect-5.45.4/exp_command.c:572:33: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). esPtr->slave_name = ckalloc(strlen(exp_pty_slave_name)+1); data/expect-5.45.4/exp_command.c:1057:16: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). while (((rc = read(sync_fds[0],&sync_byte,1)) < 0) && (errno == EINTR)) { data/expect-5.45.4/exp_command.c:1087:10: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). switch (read(status_pipe[0],&child_errno,sizeof child_errno)) { data/expect-5.45.4/exp_command.c:1328:19: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). while (((rc = read(sync2_fds[0],&sync_byte,1)) < 0) && (errno == EINTR)) { data/expect-5.45.4/exp_command.c:1343:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). argv[k] = ckalloc (1+strlen(Tcl_GetString (objv[i]))); data/expect-5.45.4/exp_command.c:1456:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (0 == strlen (Tcl_GetString(objv[1]))) { data/expect-5.45.4/exp_command.c:1804:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). *stringp = ckalloc(strlen(arg)+1); data/expect-5.45.4/exp_command.c:1892:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). i->value = ckalloc(strlen(p)+1); data/expect-5.45.4/exp_command.c:2072:8: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = strlen(string); data/expect-5.45.4/exp_command.c:2313:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (0 == strlen (Tcl_GetString(objv[1]))) { data/expect-5.45.4/exp_command.c:3286:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). argv[j] = ckalloc (1+strlen(Tcl_GetString (objv[k]))); data/expect-5.45.4/exp_command.c:3293:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). argv[0] = ckalloc (2+strlen(command)); data/expect-5.45.4/exp_command.h:345:71: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). EXTERN int Exp_StringCaseMatch _ANSI_ARGS_((Tcl_UniChar *string, int strlen, Tcl_UniChar *pattern, int plen, int nocase, int *offset)); data/expect-5.45.4/exp_glob.c:32:29: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). Exp_StringCaseMatch(string, strlen, pattern, plen, nocase, offset) /* INTL */ data/expect-5.45.4/exp_glob.c:35:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int strlen; data/expect-5.45.4/exp_glob.c:41:40: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). CONST Tcl_UniChar *stop = string + strlen; data/expect-5.45.4/exp_glob.c:51:38: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). expDiagLog(" string(%d)=\"",strlen); data/expect-5.45.4/exp_glob.c:52:39: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). expDiagLogU(expPrintifyUni(string,strlen)); data/expect-5.45.4/exp_glob.c:97:41: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). printf("skipped %d chars of %d\n", sm, strlen); fflush(stdout); data/expect-5.45.4/exp_log.c:199:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). length = strlen(buf); data/expect-5.45.4/exp_log.c:244:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int length = strlen(buf); data/expect-5.45.4/exp_log.c:485:7: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(mode,"a"); data/expect-5.45.4/exp_log.c:487:7: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(mode,"w"); data/expect-5.45.4/exp_log.c:644:9: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). need = strlen(s)*6 + 1; data/expect-5.45.4/exp_pty.c:128:8: [1] (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). cc = read(fd,buffer,length); data/expect-5.45.4/exp_regexp.c:1041:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). count = strlen(scan); data/expect-5.45.4/exp_regexp.c:1152:9: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. (void) strcpy(buf, ":"); data/expect-5.45.4/exp_regexp.c:1194:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/expect-5.45.4/exp_regexp.c:1206:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/expect-5.45.4/exp_regexp.c:1217:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN); data/expect-5.45.4/exp_regexp.c:1221:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE); data/expect-5.45.4/exp_strf.c:230:5: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(tbuf, "?"); data/expect-5.45.4/exp_strf.c:237:5: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(tbuf, "?"); data/expect-5.45.4/exp_strf.c:247:5: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(tbuf, "?"); data/expect-5.45.4/exp_strf.c:254:5: [1] (buffer) strcpy: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character. strcpy(tbuf, "?"); data/expect-5.45.4/exp_strf.c:441:7: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). i = strlen(tbuf); data/expect-5.45.4/exp_trap.c:426:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). len = 1 + strlen(action); data/expect-5.45.4/exp_tty.c:295:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). need = 1 + 2*(len?*len:strlen(s)); data/expect-5.45.4/exp_tty.c:649:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). total_len += (1 + (arg_len = strlen(argv[i]))); data/expect-5.45.4/expect.c:58:70: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). extern int Exp_StringCaseMatch _ANSI_ARGS_((Tcl_UniChar *string, int strlen, data/expect-5.45.4/expect.c:228:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). char *news = ckalloc(strlen(s) + 1); data/expect-5.45.4/expect.c:493:11: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int strlen; data/expect-5.45.4/expect.c:495:46: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). str = Tcl_GetUnicodeFromObj (objv[i], &strlen); data/expect-5.45.4/expect.c:496:30: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). g = exp_retoglob (str, strlen); data/expect-5.45.4/pty_sgttyb.c:151:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). tty_type = & slave_name[strlen("/dev/")]; data/expect-5.45.4/pty_sgttyb.c:152:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). tty_bank = &master_name[strlen("/dev/pty")]; data/expect-5.45.4/pty_sgttyb.c:153:26: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). tty_num = &master_name[strlen("/dev/ptyp")]; data/expect-5.45.4/pty_termios.c:354:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). tty_bank = &master_name[strlen("/dev/ptym/pty")]; data/expect-5.45.4/pty_termios.c:355:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). tty_num = &master_name[strlen("/dev/ptym/ptyX")]; data/expect-5.45.4/pty_termios.c:356:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). slave_bank = &slave_name[strlen("/dev/pty/tty")]; data/expect-5.45.4/pty_termios.c:357:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). slave_num = &slave_name[strlen("/dev/pty/ttyX")]; data/expect-5.45.4/pty_termios.c:359:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). tty_bank = &master_name[strlen("/dev/pty")]; data/expect-5.45.4/pty_termios.c:360:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). tty_num = &master_name[strlen("/dev/ptyp")]; data/expect-5.45.4/pty_termios.c:361:27: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). tty_type = &slave_name[strlen("/dev/")]; data/expect-5.45.4/pty_termios.c:565:3: [1] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source is a constant character. sprintf(tty_num,"0"); data/expect-5.45.4/pty_unicos.c:326:2: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(utmp.ut_user,myname,sizeof(utmp.ut_user)); data/expect-5.45.4/pty_unicos.c:327:2: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(utmp.ut_host,hostname,sizeof(utmp.ut_host)); data/expect-5.45.4/pty_unicos.c:328:2: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(utmp.ut_line,linet+5,sizeof(utmp.ut_line)); data/expect-5.45.4/pty_unicos.c:329:2: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). strncpy(utmp.ut_id,linet+8,sizeof(utmp.ut_id)); data/expect-5.45.4/pty_unicos.c:396:16: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). (void) strncpy(utmp.ut_id, linet + strlen(linet) - 4, data/expect-5.45.4/pty_unicos.c:396:44: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). (void) strncpy(utmp.ut_id, linet + strlen(linet) - 4, data/expect-5.45.4/pty_unicos.c:407:9: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). Risk is low because the source is a constant character. strncpy(utmp.ut_name,"",sizeof(utmp.ut_name)); data/expect-5.45.4/pty_unicos.c:408:9: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). Risk is low because the source is a constant character. strncpy(utmp.ut_host,"",sizeof(utmp.ut_host)); data/expect-5.45.4/retoglob.c:19:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int strlen)); data/expect-5.45.4/retoglob.c:35:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int strlen)); data/expect-5.45.4/retoglob.c:53:18: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int strlen) data/expect-5.45.4/retoglob.c:90:47: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). out = nexto = (Tcl_UniChar*) Tcl_Alloc (strlen*2*sizeof (Tcl_UniChar)); data/expect-5.45.4/retoglob.c:91:47: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). paren = nextp = (Tcl_UniChar**) Tcl_Alloc (strlen* sizeof (Tcl_UniChar*)); data/expect-5.45.4/retoglob.c:100:41: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). #define CHOPC(c) {while (*str != (c) && strlen) CHOP(1) ;} data/expect-5.45.4/retoglob.c:103:22: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). #define MATCH(lit) ((strlen >= (sizeof (lit)/sizeof (Tcl_UniChar))) && (0 == Tcl_UniCharNcmp (str,(lit),sizeof(lit)/sizeof (Tcl_UniChar)))) data/expect-5.45.4/retoglob.c:104:20: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). #define MATCHC(c) (strlen && (*str == (c))) data/expect-5.45.4/retoglob.c:146:43: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). LOG (stderr,"RE-2-GLOB '%s'\n", xxx(str,strlen)); FF; data/expect-5.45.4/retoglob.c:150:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). nexto = ExpLiteral (nexto, str, strlen); data/expect-5.45.4/retoglob.c:158:39: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). LOG (stderr,"ARE '%s'\n", xxx(str,strlen)); FF; data/expect-5.45.4/retoglob.c:169:23: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int save_strlen = strlen; data/expect-5.45.4/retoglob.c:178:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). stoplen = strlen; /* us to avoid a second CHOPC run later */ data/expect-5.45.4/retoglob.c:206:43: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). nexto = ExpLiteral (nexto, str, strlen); data/expect-5.45.4/retoglob.c:218:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). while (strlen) { data/expect-5.45.4/retoglob.c:221:37: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). LOG (stderr,"'%s'\n", xxx(str,strlen)); FF; data/expect-5.45.4/retoglob.c:230:6: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (strlen) CHOP (1); data/expect-5.45.4/retoglob.c:249:24: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ExpChopNested (&str, &strlen, '(', ')'); data/expect-5.45.4/retoglob.c:289:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). while (strlen) { data/expect-5.45.4/retoglob.c:375:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). } else if (MATCHC ('c') && (strlen >= 2)) { data/expect-5.45.4/retoglob.c:452:35: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). LOG (stderr,"'%s'\n", xxx(str,strlen)); FF; data/expect-5.45.4/retoglob.c:530:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). while (strlen) { data/expect-5.45.4/retoglob.c:544:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). *xstrlen = strlen; data/expect-5.45.4/retoglob.c:548:25: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ExpLiteral (nexto, str, strlen) data/expect-5.45.4/retoglob.c:551:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int strlen; data/expect-5.45.4/retoglob.c:555:41: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). LOG (stderr,"LITERAL '%s'\n", xxx(str,strlen)); FF; data/expect-5.45.4/retoglob.c:557:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). while (strlen) { data/expect-5.45.4/retoglob.c:568:21: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int strlen) data/expect-5.45.4/retoglob.c:570:28: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). ExpBackslash (prefix, str, strlen) data/expect-5.45.4/retoglob.c:573:19: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). int strlen; data/expect-5.45.4/retoglob.c:586:10: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). while (strlen) { data/expect-5.45.4/testsuite/exp_test.c:19:14: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). *(line + strlen(line)-1) = '\0'; /* get rid of the newline */ data/expect-5.45.4/testsuite/exp_test.c:24:11: [1] (buffer) getchar: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20). if (getchar() == 'y') ANALYSIS SUMMARY: Hits = 493 Lines analyzed = 26227 in approximately 0.72 seconds (36592 lines/second) Physical Source Lines of Code (SLOC) = 17959 Hits@level = [0] 71 [1] 126 [2] 255 [3] 9 [4] 99 [5] 4 Hits@level+ = [0+] 564 [1+] 493 [2+] 367 [3+] 112 [4+] 103 [5+] 4 Hits/KSLOC@level+ = [0+] 31.4049 [1+] 27.4514 [2+] 20.4354 [3+] 6.23643 [4+] 5.73529 [5+] 0.22273 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.