Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/geoip-1.6.12/apps/geoiplookup.c
Examining data/geoip-1.6.12/apps/geoiplookup6.c
Examining data/geoip-1.6.12/libGeoIP/GeoIP.c
Examining data/geoip-1.6.12/libGeoIP/GeoIP.h
Examining data/geoip-1.6.12/libGeoIP/GeoIPCity.c
Examining data/geoip-1.6.12/libGeoIP/GeoIPCity.h
Examining data/geoip-1.6.12/libGeoIP/GeoIP_deprecated.c
Examining data/geoip-1.6.12/libGeoIP/GeoIP_internal.h
Examining data/geoip-1.6.12/libGeoIP/pread.c
Examining data/geoip-1.6.12/libGeoIP/pread.h
Examining data/geoip-1.6.12/libGeoIP/regionName.c
Examining data/geoip-1.6.12/libGeoIP/timeZone.c
Examining data/geoip-1.6.12/test/benchmark.c
Examining data/geoip-1.6.12/test/test-geoip-asnum.c
Examining data/geoip-1.6.12/test/test-geoip-city.c
Examining data/geoip-1.6.12/test/test-geoip-domain.c
Examining data/geoip-1.6.12/test/test-geoip-invalid-file.c
Examining data/geoip-1.6.12/test/test-geoip-isp.c
Examining data/geoip-1.6.12/test/test-geoip-netspeed.c
Examining data/geoip-1.6.12/test/test-geoip-org.c
Examining data/geoip-1.6.12/test/test-geoip-region.c
Examining data/geoip-1.6.12/test/test-geoip.c
Examining data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp
Examining data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp

FINAL RESULTS:

data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:833:9: [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  std::printf(usage, program_invocation_name);
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:1027:9: [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  std::printf(usage, program_invocation_name);
data/geoip-1.6.12/libGeoIP/GeoIP.c:31:9: [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #define snprintf _snprintf
data/geoip-1.6.12/libGeoIP/GeoIP.c:31:18: [4] (format) _snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #define snprintf _snprintf
data/geoip-1.6.12/libGeoIP/GeoIP.c:91:13: [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(stderr, fmt, ##__VA_ARGS__); \
data/geoip-1.6.12/test/test-geoip-asnum.c:45:12: [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function.
  while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-city.c:48:12: [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function.
  while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-domain.c:47:12: [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function.
  while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-isp.c:45:12: [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function.
  while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-netspeed.c:43:12: [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function.
  while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-org.c:47:12: [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function.
  while (fscanf(f, "%s", host) != EOF) {
data/geoip-1.6.12/test/test-geoip-region.c:78:12: [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function.
  while (fscanf(f, "%s%s%s", ipAddress, expectedCountry, expectedCountry3) !=
data/geoip-1.6.12/test/test-geoip.c:77:13: [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function.
  fscanf(f, "%s%s%s", ipAddress, expectedCountry, expectedCountry3) !=
data/geoip-1.6.12/test/test-geoip.c:128:16: [4] (buffer) fscanf:
  The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a different input function.
  while (fscanf(f, "%s%s", ipAddress, expectedCountry) != EOF) {
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:808:16: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int optret = getopt_long(argc, argv, "46i:o:v", long_options, NULL);
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:984:16: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  int optret = getopt_long(argc, argv, "46i:l:o:t:v", long_options, NULL);
data/geoip-1.6.12/libGeoIP/pread.c:49:5: [3] (misc) EnterCriticalSection:
  On some versions of Windows, exceptions can be thrown in low-memory situations. Use InitializeCriticalSectionAndSpinCount instead.
  EnterCriticalSection(&preadsc);
data/geoip-1.6.12/libGeoIP/pread.c:72:5: [3] (misc) EnterCriticalSection:
  On some versions of Windows, exceptions can be thrown in low-memory situations. Use InitializeCriticalSectionAndSpinCount instead.
  EnterCriticalSection(&preadsc);
data/geoip-1.6.12/libGeoIP/pread.c:95:5: [3] (misc) InitializeCriticalSection:
  Exceptions can be thrown in low-memory situations. Use InitializeCriticalSectionAndSpinCount instead.
  InitializeCriticalSection(&preadsc);
data/geoip-1.6.12/apps/geoiplookup.c:192:29: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  num_chars_written = sprintf(cur_str, "%d", octet[i]);
data/geoip-1.6.12/apps/geoiplookup.c:206:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char ipaddr[16];
data/geoip-1.6.12/apps/geoiplookup.c:207:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char tmp[16];
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:453:4: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char chars[6];
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:701:10: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char tag[3] = { 0, 0, 0 };
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:711:19: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char structure_info[4] = { 0xFF, 0xFF, 0xFF, 9 };
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:716:19: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char structure_info[4] = { 0xFF, 0xFF, 0xFF, 21 };
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:656:4: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char chars[6];
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:673:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char tag[3] = { 0, 0, 0 };
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:683:17: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char structure_info[4] = { 0xFF, 0xFF, 0xFF, database_type };
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:807:17: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const unsigned char structure_info[7] = { 0xFF,
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:839:17: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  int loc_id = ::atoi(info[0].c_str());
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:915:22: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  int metro_code = ::atoi(info[7].c_str());
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:916:21: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  int area_code = ::atoi(info[8].c_str());
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:1382:21: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  const int loc_id = atoi(csv_fields[CSV_BLOCK_FIELD_LOC].c_str());
data/geoip-1.6.12/libGeoIP/GeoIP.c:100:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char GeoIP_country_code[256][3] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:127:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char GeoIP_country_code3[256][4] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:153:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char *GeoIP_utf8_country_name[256] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:413:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char *GeoIP_country_name[256] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:675:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char GeoIP_country_continent[256][3] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:718:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&in.sin_addr, src, sizeof(struct in_addr));
data/geoip-1.6.12/libGeoIP/GeoIP.c:731:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&in.sin6_addr, src, sizeof(struct in_addr6));
data/geoip-1.6.12/libGeoIP/GeoIP.c:757:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(dst, res->ai_addr, res->ai_addrlen);
data/geoip-1.6.12/libGeoIP/GeoIP.c:807:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char *GeoIPDBDescription[NUM_DB_TYPES] = {
data/geoip-1.6.12/libGeoIP/GeoIP.c:862:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[MAX_PATH], *p, *q = NULL;
data/geoip-1.6.12/libGeoIP/GeoIP.c:1079:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char delim[3];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1080:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[LARGE_SEGMENT_RECORD_LENGTH];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1271:37: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  gi->GeoIPDatabase = fopen(gi->file_path, "rb");
data/geoip-1.6.12/libGeoIP/GeoIP.c:1361:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char paddr[ADDR_STR_LEN];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1363:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char stack_buffer[2 * MAX_RECORD_LENGTH];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1463:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char stack_buffer[2 * MAX_RECORD_LENGTH];
data/geoip-1.6.12/libGeoIP/GeoIP.c:1638:25: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  gi->GeoIPDatabase = fopen(filename, "rb");
data/geoip-1.6.12/libGeoIP/GeoIP.c:1871:5: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(ipnum.s6_addr,
data/geoip-1.6.12/libGeoIP/GeoIP.c:2103:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char buf[3];
data/geoip-1.6.12/libGeoIP/GeoIP.c:2194:17: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(region->country_code, code, 2);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2221:17: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(region->country_code, code, 2);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2251:17: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(region->country_code, code, 2);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2278:17: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(region->country_code, code, 2);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2409:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[MAX_ORG_RECORD_LENGTH];
data/geoip-1.6.12/libGeoIP/GeoIP.c:2470:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[MAX_ORG_RECORD_LENGTH + 1];
data/geoip-1.6.12/libGeoIP/GeoIP.c:2541:29: [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length.
  num_chars_written = sprintf(cur_str, "%d", octet[i]);
data/geoip-1.6.12/libGeoIP/GeoIP.h:89:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char country_code[3];
data/geoip-1.6.12/libGeoIP/GeoIP.h:90:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char region[3];
data/geoip-1.6.12/libGeoIP/GeoIP.h:171:25: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern GEOIP_DATA const char *GeoIPDBDescription[NUM_DB_TYPES];
data/geoip-1.6.12/libGeoIP/GeoIP.h:184:25: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern GEOIP_DATA const char GeoIP_country_code[256][3];
data/geoip-1.6.12/libGeoIP/GeoIP.h:185:25: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern GEOIP_DATA const char GeoIP_country_code3[256][4];
data/geoip-1.6.12/libGeoIP/GeoIP.h:186:25: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern GEOIP_DATA const char *GeoIP_country_name[256];
data/geoip-1.6.12/libGeoIP/GeoIP.h:187:25: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern GEOIP_DATA const char *GeoIP_utf8_country_name[256];
data/geoip-1.6.12/libGeoIP/GeoIP.h:188:25: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern GEOIP_DATA const char GeoIP_country_continent[256][3];
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:101:31: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  record->continent_code = (char *)GeoIP_country_continent[record_buf[0]];
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:102:29: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  record->country_code = (char *)GeoIP_country_code[record_buf[0]];
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:103:30: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  record->country_code3 = (char *)GeoIP_country_code3[record_buf[0]];
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:104:29: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  record->country_name = (char *)GeoIP_country_name_by_id(gi, record_buf[0]);
data/geoip-1.6.12/test/benchmark.c:8:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *ipstring[4] = {
data/geoip-1.6.12/test/test-geoip-asnum.c:29:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char host[50];
data/geoip-1.6.12/test/test-geoip-asnum.c:38:9: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen("asnum_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-city.c:30:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char host[50];
data/geoip-1.6.12/test/test-geoip-city.c:41:9: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen("city_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-domain.c:29:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char host[50];
data/geoip-1.6.12/test/test-geoip-domain.c:39:9: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen("domain_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-isp.c:29:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char host[50];
data/geoip-1.6.12/test/test-geoip-isp.c:38:9: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen("isp_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-netspeed.c:27:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char host[50];
data/geoip-1.6.12/test/test-geoip-netspeed.c:36:9: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen("netspeed_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-org.c:29:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char host[50];
data/geoip-1.6.12/test/test-geoip-org.c:39:9: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen("org_test.txt", "r");
data/geoip-1.6.12/test/test-geoip-region.c:52:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char ipAddress[30];
data/geoip-1.6.12/test/test-geoip-region.c:53:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char expectedCountry[3];
data/geoip-1.6.12/test/test-geoip-region.c:54:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char expectedCountry3[4];
data/geoip-1.6.12/test/test-geoip-region.c:64:9: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen("region_test.txt", "r");
data/geoip-1.6.12/test/test-geoip.c:26:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char ipAddress[30];
data/geoip-1.6.12/test/test-geoip.c:27:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char expectedCountry[3];
data/geoip-1.6.12/test/test-geoip.c:28:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char expectedCountry3[4];
data/geoip-1.6.12/test/test-geoip.c:74:13: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen(SRCDIR "/test/country_test.txt", "r");
data/geoip-1.6.12/test/test-geoip.c:127:13: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  f = fopen(SRCDIR "/test/country_test2.txt", "r");
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:703:41: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  dat_stream.write(database_info, std::strlen(database_info));
data/geoip-1.6.12/debian/src/geoip-asn-csv-to-dat.cpp:821:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (std::strlen(database_info) > 99) {
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:675:40: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  dat_stream->write(database_info, std::strlen(database_info));
data/geoip-1.6.12/debian/src/geoip-csv-to-dat.cpp:998:13: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (std::strlen(database_info) > 99) {
data/geoip-1.6.12/libGeoIP/GeoIP.c:35:9: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  #define read _read
data/geoip-1.6.12/libGeoIP/GeoIP.c:97:46: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  (lseek(fd, offset, SEEK_SET) == offset ? read(fd, buf, count) : -1)
data/geoip-1.6.12/libGeoIP/GeoIP.c:879:15: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(GeoIP_custom_directory);
data/geoip-1.6.12/libGeoIP/GeoIP.c:1631:27: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = sizeof(char) * (strlen(filename) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:1637:5: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(gi->file_path, filename, len);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2451:35: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = sizeof(char) * (strlen(buf) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2453:13: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(org_buf, buf, len);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2460:35: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = sizeof(char) * (strlen(buf_pointer) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2462:13: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(org_buf, buf_pointer, len);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2509:35: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = sizeof(char) * (strlen(buf) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2511:13: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(org_buf, buf, len);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2518:35: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = sizeof(char) * (strlen(buf_pointer) + 1);
data/geoip-1.6.12/libGeoIP/GeoIP.c:2520:13: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(org_buf, buf_pointer, len);
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:36:9: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  #define read _read
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:51:46: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  (lseek(fd, offset, SEEK_SET) == offset ? read(fd, buf, count) : -1)
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:113:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(record->region, (char *)record_buf, str_length + 1);
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:127:13: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(record->city, (const char *)record_buf, str_length + 1);
data/geoip-1.6.12/libGeoIP/GeoIPCity.c:139:9: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy(record->postal_code, (char *)record_buf, str_length + 1);
data/geoip-1.6.12/libGeoIP/pread.c:28:29: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
#pragma section(".CRT$XCU", read) ANALYSIS SUMMARY: Hits = 117 Lines analyzed = 19813 in approximately 0.44 seconds (44744 lines/second) Physical Source Lines of Code (SLOC) = 17713 Hits@level = [0] 121 [1] 23 [2] 75 [3] 5 [4] 14 [5] 0 Hits@level+ = [0+] 238 [1+] 117 [2+] 94 [3+] 19 [4+] 14 [5+] 0 Hits/KSLOC@level+ = [0+] 13.4365 [1+] 6.60532 [2+] 5.30684 [3+] 1.07266 [4+] 0.79038 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.