Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/liblightify-0~git20160911/src/context.c
Examining data/liblightify-0~git20160911/src/context.h
Examining data/liblightify-0~git20160911/src/groups.c
Examining data/liblightify-0~git20160911/src/groups.h
Examining data/liblightify-0~git20160911/src/liblightify.c
Examining data/liblightify-0~git20160911/src/liblightify/liblightify.h
Examining data/liblightify-0~git20160911/src/liblightify++/liblightify++.hpp
Examining data/liblightify-0~git20160911/src/liblightify-private.h
Examining data/liblightify-0~git20160911/src/log.c
Examining data/liblightify-0~git20160911/src/log.h
Examining data/liblightify-0~git20160911/src/node.c
Examining data/liblightify-0~git20160911/src/node.h
Examining data/liblightify-0~git20160911/src/socket.c
Examining data/liblightify-0~git20160911/src/socket.h
Examining data/liblightify-0~git20160911/src/tests/test-lightify.c
Examining data/liblightify-0~git20160911/src/tools/lightify-example.cpp
Examining data/liblightify-0~git20160911/src/tools/lightify-util.c

FINAL RESULTS:

data/liblightify-0~git20160911/src/liblightify-private.h:41:57:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  static inline void __attribute__((always_inline, format(printf, 2, 3)))
data/liblightify-0~git20160911/src/log.c:59:9:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  vfprintf(stderr, format, args);
data/liblightify-0~git20160911/src/tools/lightify-util.c:407:7:  [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows
  (CWE-120, CWE-20). Check implementation on installation, or limit the size
  of all string inputs.
  c = getopt_long(argc, argv, "dc:r:l:n:h:p:01t:w:g:u", long_options,
data/liblightify-0~git20160911/src/context.c:697:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char msg[32];
data/liblightify-0~git20160911/src/context.c:760:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char msg[32];
data/liblightify-0~git20160911/src/context.c:815:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char msg[32];
data/liblightify-0~git20160911/src/context.c:868:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char msg[32];
data/liblightify-0~git20160911/src/context.c:990:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char msg[ANSWER_0x68_SIZE+2];
data/liblightify-0~git20160911/src/liblightify++/liblightify++.hpp:369:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy((char *) &serv_addr.sin_addr.s_addr, (char *) server->h_addr,
data/liblightify-0~git20160911/src/socket.c:104:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[80];
data/liblightify-0~git20160911/src/socket.c:113:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf + strlen(buf), " 0x%02x,", msg_[k]);
data/liblightify-0~git20160911/src/socket.c:186:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[80];
data/liblightify-0~git20160911/src/socket.c:195:4:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf + strlen(buf), " 0x%02x,", msg_[k]);
data/liblightify-0~git20160911/src/tests/test-lightify.c:53:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[512] ="\nWROTE:\n\n";
data/liblightify-0~git20160911/src/tests/test-lightify.c:61:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf + strlen(buf), " %02x%c=%02x", one,
data/liblightify-0~git20160911/src/tests/test-lightify.c:69:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[512] ="\nREAD\n\n";
data/liblightify-0~git20160911/src/tests/test-lightify.c:77:3:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf + strlen(buf), " %02x%c=%02x", one,
data/liblightify-0~git20160911/src/tests/test-lightify.c:248:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(mfs->buf_read, our_answer, answer_len);
data/liblightify-0~git20160911/src/tests/test-lightify.c:381:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(fs->buf_write + fs->size_write, msg, size);
data/liblightify-0~git20160911/src/tests/test-lightify.c:402:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(msg, fs->buf_read, read_size);
data/liblightify-0~git20160911/src/tests/test-lightify.c:567:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[512];
data/liblightify-0~git20160911/src/tests/test-lightify.c:576:6:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(buf + strlen(buf), " %02x%c=%02x", one,
data/liblightify-0~git20160911/src/tools/lightify-util.c:267:2:  [2] (buffer) bcopy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  bcopy((char *) server->h_addr, (char *)&serv_addr.sin_addr.s_addr, server->h_length);
data/liblightify-0~git20160911/src/socket.c:113:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf(buf + strlen(buf), " 0x%02x,", msg_[k]);
data/liblightify-0~git20160911/src/socket.c:135:7:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  n = read(fd, msg, m);
data/liblightify-0~git20160911/src/socket.c:195:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf(buf + strlen(buf), " 0x%02x,", msg_[k]);
data/liblightify-0~git20160911/src/tests/test-lightify.c:61:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf(buf + strlen(buf), " %02x%c=%02x", one,
data/liblightify-0~git20160911/src/tests/test-lightify.c:77:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf(buf + strlen(buf), " %02x%c=%02x", one,
data/liblightify-0~git20160911/src/tests/test-lightify.c:576:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  sprintf(buf + strlen(buf), " %02x%c=%02x", one,

ANALYSIS SUMMARY:

Hits = 29
Lines analyzed = 5507 in approximately 0.18 seconds (30725 lines/second)
Physical Source Lines of Code (SLOC) = 3096
Hits@level = [0]  68 [1]   6 [2]  20 [3]   1 [4]   2 [5]   0
Hits@level+ = [0+]  97 [1+]  29 [2+]  23 [3+]   3 [4+]   2 [5+]   0
Hits/KSLOC@level+ = [0+] 31.3307 [1+] 9.36693 [2+] 7.42894 [3+] 0.968992 [4+] 0.645995 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.