Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/geoip-1.6.12/apps/geoiplookup.c
Examining data/geoip-1.6.12/apps/geoiplookup6.c
Examining data/geoip-1.6.12/libGeoIP/GeoIP.c
Examining data/geoip-1.6.12/libGeoIP/GeoIP.h
Examining data/geoip-1.6.12/libGeoIP/GeoIPCity.c
Examining data/geoip-1.6.12/libGeoIP/GeoIPCity.h
Examining data/geoip-1.6.12/libGeoIP/GeoIP_deprecated.c
Examining data/geoip-1.6.12/libGeoIP/GeoIP_internal.h
Examining data/geoip-1.6.12/libGeoIP/pread.c
Examining data/geoip-1.6.12/libGeoIP/pread.h
Examining data/geoip-1.6.12/libGeoIP/regionName.c
Examining data/geoip-1.6.12/libGeoIP/timeZone.c
Examining data/geoip-1.6.12/test/benchmark.c
Examining data/geoip-1.6.12/test/test-geoip-asnum.c
Examining data/geoip-1.6.12/test/test-geoip-city.c
Examining data/geoip-1.6.12/test/test-geoip-domain.c
Examining data/geoip-1.6.12/test/test-geoip-invalid-file.c
Examining data/geoip-1.6.12/test/test-geoip-isp.c
Examining data/geoip-1.6.12/test/test-geoip-netspeed.c
Examining data/geoip-1.6.12/test/test-geoip-org.c
Examining data/geoip-1.6.12/test/test-geoip-region.c
Examining data/geoip-1.6.12/test/test-geoip.c
Examining data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp
Examining data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp
FINAL RESULTS:
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:833:9: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
std::printf(usage, program_invocation_name);
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:1027:9: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
std::printf(usage, program_invocation_name);
data/geoip-1.6.12/libGeoIP/GeoIP.c:31:9: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
#define snprintf _snprintf
data/geoip-1.6.12/libGeoIP/GeoIP.c:31:18: [4] (format) _snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
#define snprintf _snprintf
data/geoip-1.6.12/libGeoIP/GeoIP.c:91:13: [4] (format) fprintf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
fprintf(stderr, fmt, ##__VA_ARGS__); \
data/geoip-1.6.12/test/test-geoip-asnum.c:45:12: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-city.c:48:12: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-domain.c:47:12: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-isp.c:45:12: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-netspeed.c:43:12: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-org.c:47:12: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-region.c:78:12: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
while (fscanf(f, "%s%s%s", ipAddress, expectedCountry, expectedCountry3) !=
data/geoip-1.6.12/test/test-geoip.c:77:13: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
fscanf(f, "%s%s%s", ipAddress, expectedCountry, expectedCountry3) !=
data/geoip-1.6.12/test/test-geoip.c:128:16: [4] (buffer) fscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
while (fscanf(f, "%s%s", ipAddress, expectedCountry) != EOF) {
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:808:16: [3] (buffer) getopt_long:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
int optret = getopt_long(argc, argv, "46i:o:v", long_options, NULL);
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:984:16: [3] (buffer) getopt_long:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
int optret = getopt_long(argc, argv, "46i:l:o:t:v", long_options, NULL);
data/geoip-1.6.12/libGeoIP/pread.c:49:5: [3] (misc) EnterCriticalSection:
On some versions of Windows, exceptions can be thrown in low-memory
situations. Use InitializeCriticalSectionAndSpinCount instead.
EnterCriticalSection(&preadsc);
data/geoip-1.6.12/libGeoIP/pread.c:72:5: [3] (misc) EnterCriticalSection:
On some versions of Windows, exceptions can be thrown in low-memory
situations. Use InitializeCriticalSectionAndSpinCount instead.
EnterCriticalSection(&preadsc);
data/geoip-1.6.12/libGeoIP/pread.c:95:5: [3] (misc) InitializeCriticalSection:
Exceptions can be thrown in low-memory situations. Use
InitializeCriticalSectionAndSpinCount instead.
InitializeCriticalSection(&preadsc);
data/geoip-1.6.12/apps/geoiplookup.c:192:29: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
num_chars_written = sprintf(cur_str, "%d", octet[i]);
data/geoip-1.6.12/apps/geoiplookup.c:206:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ipaddr[16];
data/geoip-1.6.12/apps/geoiplookup.c:207:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char tmp[16];
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:453:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char chars[6];
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:701:10: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char tag[3] = { 0, 0, 0 };
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:711:19: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char structure_info[4] = { 0xFF, 0xFF, 0xFF, 9 };
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:716:19: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char structure_info[4] = { 0xFF, 0xFF, 0xFF, 21 };
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:656:4: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char chars[6];
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:673:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char tag[3] = { 0, 0, 0 };
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:683:17: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char structure_info[4] = { 0xFF, 0xFF, 0xFF, database_type };
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:807:17: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const unsigned char structure_info[7] = { 0xFF,
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:839:17: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
int loc_id = ::atoi(info[0].c_str());
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:915:22: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
int metro_code = ::atoi(info[7].c_str());
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:916:21: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
int area_code = ::atoi(info[8].c_str());
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:1382:21: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
const int loc_id = atoi(csv_fields[CSV_BLOCK_FIELD_LOC].c_str());
data/geoip-1.6.12/libGeoIP/GeoIP.c:100:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char GeoIP_country_code[256][3] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:127:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char GeoIP_country_code3[256][4] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:153:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *GeoIP_utf8_country_name[256] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:413:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *GeoIP_country_name[256] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:675:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char GeoIP_country_continent[256][3] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:718:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&in.sin_addr, src, sizeof(struct in_addr));
data/geoip-1.6.12/libGeoIP/GeoIP.c:731:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(&in.sin6_addr, src, sizeof(struct in_addr6));
data/geoip-1.6.12/libGeoIP/GeoIP.c:757:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(dst, res->ai_addr, res->ai_addrlen);
data/geoip-1.6.12/libGeoIP/GeoIP.c:807:7: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
const char *GeoIPDBDescription[NUM_DB_TYPES] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:862:9: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[MAX_PATH], *p, *q = NULL;
data/geoip-1.6.12/libGeoIP/GeoIP.c:1079:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char delim[3];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1080:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buf[LARGE_SEGMENT_RECORD_LENGTH];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1271:37: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
gi->GeoIPDatabase = fopen(gi->file_path, "rb");
data/geoip-1.6.12/libGeoIP/GeoIP.c:1361:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char paddr[ADDR_STR_LEN];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1363:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char stack_buffer[2 * MAX_RECORD_LENGTH];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1463:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char stack_buffer[2 * MAX_RECORD_LENGTH];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1638:25: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
gi->GeoIPDatabase = fopen(filename, "rb");
data/geoip-1.6.12/libGeoIP/GeoIP.c:1871:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ipnum.s6_addr,
data/geoip-1.6.12/libGeoIP/GeoIP.c:2103:14: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
unsigned char buf[3];
data/geoip-1.6.12/libGeoIP/GeoIP.c:2194:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(region->country_code, code, 2);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2221:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(region->country_code, code, 2);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2251:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(region->country_code, code, 2);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2278:17: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(region->country_code, code, 2);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2409:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[MAX_ORG_RECORD_LENGTH];
data/geoip-1.6.12/libGeoIP/GeoIP.c:2470:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[MAX_ORG_RECORD_LENGTH + 1];
data/geoip-1.6.12/libGeoIP/GeoIP.c:2541:29: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
num_chars_written = sprintf(cur_str, "%d", octet[i]);
data/geoip-1.6.12/libGeoIP/GeoIP.h:89:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char country_code[3];
data/geoip-1.6.12/libGeoIP/GeoIP.h:90:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char region[3];
data/geoip-1.6.12/libGeoIP/GeoIP.h:171:25: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern GEOIP_DATA const char *GeoIPDBDescription[NUM_DB_TYPES];
data/geoip-1.6.12/libGeoIP/GeoIP.h:184:25: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern GEOIP_DATA const char GeoIP_country_code[256][3];
data/geoip-1.6.12/libGeoIP/GeoIP.h:185:25: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern GEOIP_DATA const char GeoIP_country_code3[256][4];
data/geoip-1.6.12/libGeoIP/GeoIP.h:186:25: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern GEOIP_DATA const char *GeoIP_country_name[256];
data/geoip-1.6.12/libGeoIP/GeoIP.h:187:25: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern GEOIP_DATA const char *GeoIP_utf8_country_name[256];
data/geoip-1.6.12/libGeoIP/GeoIP.h:188:25: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
extern GEOIP_DATA const char GeoIP_country_continent[256][3];
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:101:31: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
record->continent_code = (char *)GeoIP_country_continent[record_buf[0]];
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:102:29: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
record->country_code = (char *)GeoIP_country_code[record_buf[0]];
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:103:30: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
record->country_code3 = (char *)GeoIP_country_code3[record_buf[0]];
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:104:29: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
record->country_name = (char *)GeoIP_country_name_by_id(gi, record_buf[0]);
data/geoip-1.6.12/test/benchmark.c:8:1: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *ipstring[4] = {
data/geoip-1.6.12/test/test-geoip-asnum.c:29:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char host[50];
data/geoip-1.6.12/test/test-geoip-asnum.c:38:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen("asnum_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-city.c:30:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char host[50];
data/geoip-1.6.12/test/test-geoip-city.c:41:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen("city_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-domain.c:29:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char host[50];
data/geoip-1.6.12/test/test-geoip-domain.c:39:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen("domain_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-isp.c:29:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char host[50];
data/geoip-1.6.12/test/test-geoip-isp.c:38:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen("isp_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-netspeed.c:27:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char host[50];
data/geoip-1.6.12/test/test-geoip-netspeed.c:36:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen("netspeed_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-org.c:29:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char host[50];
data/geoip-1.6.12/test/test-geoip-org.c:39:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen("org_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-region.c:52:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ipAddress[30];
data/geoip-1.6.12/test/test-geoip-region.c:53:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char expectedCountry[3];
data/geoip-1.6.12/test/test-geoip-region.c:54:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char expectedCountry3[4];
data/geoip-1.6.12/test/test-geoip-region.c:64:9: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen("region_test.txt", "r");
data/geoip-1.6.12/test/test-geoip.c:26:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ipAddress[30];
data/geoip-1.6.12/test/test-geoip.c:27:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char expectedCountry[3];
data/geoip-1.6.12/test/test-geoip.c:28:5: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char expectedCountry3[4];
data/geoip-1.6.12/test/test-geoip.c:74:13: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen(SRCDIR "/test/country_test.txt", "r");
data/geoip-1.6.12/test/test-geoip.c:127:13: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
f = fopen(SRCDIR "/test/country_test2.txt", "r");
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:703:41: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
dat_stream.write(database_info, std::strlen(database_info));
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:821:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (std::strlen(database_info) > 99) {
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:675:40: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
dat_stream->write(database_info, std::strlen(database_info));
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:998:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (std::strlen(database_info) > 99) {
data/geoip-1.6.12/libGeoIP/GeoIP.c:35:9: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
#define read _read
data/geoip-1.6.12/libGeoIP/GeoIP.c:97:46: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
(lseek(fd, offset, SEEK_SET) == offset ? read(fd, buf, count) : -1)
data/geoip-1.6.12/libGeoIP/GeoIP.c:879:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(GeoIP_custom_directory);
data/geoip-1.6.12/libGeoIP/GeoIP.c:1631:27: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = sizeof(char) * (strlen(filename) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:1637:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(gi->file_path, filename, len);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2451:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = sizeof(char) * (strlen(buf) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2453:13: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(org_buf, buf, len);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2460:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = sizeof(char) * (strlen(buf_pointer) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2462:13: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(org_buf, buf_pointer, len);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2509:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = sizeof(char) * (strlen(buf) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2511:13: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(org_buf, buf, len);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2518:35: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = sizeof(char) * (strlen(buf_pointer) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2520:13: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(org_buf, buf_pointer, len);
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:36:9: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
#define read _read
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:51:46: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
(lseek(fd, offset, SEEK_SET) == offset ? read(fd, buf, count) : -1)
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:113:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(record->region, (char *)record_buf, str_length + 1);
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:127:13: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(record->city, (const char *)record_buf, str_length + 1);
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:139:9: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(record->postal_code, (char *)record_buf, str_length + 1);
data/geoip-1.6.12/libGeoIP/pread.c:28:29: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
#pragma section(".CRT$XCU", read)
ANALYSIS SUMMARY:
Hits = 117
Lines analyzed = 19813 in approximately 0.44 seconds (44744 lines/second)
Physical Source Lines of Code (SLOC) = 17713
Hits@level = [0] 121 [1] 23 [2] 75 [3] 5 [4] 14 [5] 0
Hits@level+ = [0+] 238 [1+] 117 [2+] 94 [3+] 19 [4+] 14 [5+] 0
Hits/KSLOC@level+ = [0+] 13.4365 [1+] 6.60532 [2+] 5.30684 [3+] 1.07266 [4+] 0.79038 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.