Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c
FINAL RESULTS:
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:752:4: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
strcat(filter, entity);
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:183:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(merged_cfg, s_cfg2, sizeof(ldap_userdir_config));
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:256:6: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(arg) == 0) {
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:286:4: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
((strlen(url->lud_scheme) == strlen(scheme) - 1) && \
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:286:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
((strlen(url->lud_scheme) == strlen(scheme) - 1) && \
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:287:41: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
(strncasecmp(url->lud_scheme, scheme, strlen(scheme) - 1) == 0))
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:289:54: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
# define SCHEME_IS(scheme) (strncasecmp(arg, scheme, strlen(scheme)) == 0)
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:321:7: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(word) == 0) {
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:337:6: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(dn) == 0) {
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:340:6: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(pass) == 0) {
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:359:6: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(arg) == 0) {
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:376:6: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(arg) == 0) {
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:393:6: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(arg) == 0) {
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:454:6: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if (strlen(their_attr) == 0) {
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:628:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
bindcred.bv_len = strlen(s_cfg->dn_pass);
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:746:26: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
filter = apr_pcalloc(p, strlen(template) - (num_escapes * 2) + (num_escapes * strlen(entity)) + 1);
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:746:80: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
filter = apr_pcalloc(p, strlen(template) - (num_escapes * 2) + (num_escapes * strlen(entity)) + 1);
data/libapache2-mod-ldap-userdir-1.1.19/mod_ldap_userdir.c:753:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
j += strlen(entity);
ANALYSIS SUMMARY:
Hits = 18
Lines analyzed = 1191 in approximately 0.06 seconds (19130 lines/second)
Physical Source Lines of Code (SLOC) = 921
Hits@level = [0] 0 [1] 16 [2] 1 [3] 0 [4] 1 [5] 0
Hits@level+ = [0+] 18 [1+] 18 [2+] 2 [3+] 1 [4+] 1 [5+] 0
Hits/KSLOC@level+ = [0+] 19.544 [1+] 19.544 [2+] 2.17155 [3+] 1.08578 [4+] 1.08578 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.