Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libpam-ldap-186/acconfig.h
Examining data/libpam-ldap-186/md5.c
Examining data/libpam-ldap-186/md5.h
Examining data/libpam-ldap-186/pam_ldap.h
Examining data/libpam-ldap-186/pam_ldap.c
FINAL RESULTS:
data/libpam-ldap-186/pam_ldap.c:182:4: [4] (format) syslog:
If syslog's format strings can be influenced by an attacker, they can be
exploited (CWE-134). Use a constant format string for syslog.
syslog(LOG_DEBUG, "%s:%i " fmt , __FUNCTION__ , __LINE__ , ## args); \
data/libpam-ldap-186/pam_ldap.c:188:23: [4] (format) syslog:
If syslog's format strings can be influenced by an attacker, they can be
exploited (CWE-134). Use a constant format string for syslog.
syslog(LOG_DEBUG, "%s:%i " fmt , __FUNCTION__ , __LINE__ , __VA_ARGS__); \
data/libpam-ldap-186/pam_ldap.c:941:5: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy (ssd->base + len, result->base);
data/libpam-ldap-186/pam_ldap.c:1204:8: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf (name, "%s/ldap.%d", session->conf->logdir,
data/libpam-ldap-186/pam_ldap.c:3133:47: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
snprintf (buf, sizeof buf, "{crypt}%s", crypt (new_password, saltbuf));
data/libpam-ldap-186/pam_ldap.c:3148:47: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
snprintf (buf, sizeof buf, "{crypt}%s", crypt (new_password, saltbuf));
data/libpam-ldap-186/pam_ldap.c:2605:3: [3] (random) srand:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
srand (time (NULL));
data/libpam-ldap-186/md5.c:52:18: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static const char *const test[7] = {
data/libpam-ldap-186/md5.c:203:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(xbuf, data, 64);
data/libpam-ldap-186/md5.c:358:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(pms->buf + offset, p, copy);
data/libpam-ldap-186/md5.c:372:2: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(pms->buf, p, left);
data/libpam-ldap-186/pam_ldap.c:264:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char *_get_md5_salt (char saltbuf[16]);
data/libpam-ldap-186/pam_ldap.c:264:29: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char *_get_md5_salt (char saltbuf[16]);
data/libpam-ldap-186/pam_ldap.c:265:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char *_get_salt (char salt[16]);
data/libpam-ldap-186/pam_ldap.c:265:25: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char *_get_salt (char salt[16]);
data/libpam-ldap-186/pam_ldap.c:705:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (result->host, tmp, len);
data/libpam-ldap-186/pam_ldap.c:719:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (result->base, tmp, len);
data/libpam-ldap-186/pam_ldap.c:735:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy (p, tmp, len);
data/libpam-ldap-186/pam_ldap.c:736:22: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
result->port = atoi (p);
data/libpam-ldap-186/pam_ldap.c:770:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char b[BUFSIZ];
data/libpam-ldap-186/pam_ldap.c:793:8: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fp = fopen (configFile, "r");
data/libpam-ldap-186/pam_ldap.c:917:19: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
result->port = atoi (v);
data/libpam-ldap-186/pam_ldap.c:921:24: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
result->timelimit = atoi (v);
data/libpam-ldap-186/pam_ldap.c:925:29: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
result->bind_timelimit = atoi (v);
data/libpam-ldap-186/pam_ldap.c:981:22: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
result->version = atoi (v);
data/libpam-ldap-186/pam_ldap.c:1047:30: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
result->min_uid = (uid_t) atol (v);
data/libpam-ldap-186/pam_ldap.c:1051:30: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
result->max_uid = (uid_t) atol (v);
data/libpam-ldap-186/pam_ldap.c:1100:20: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
result->debug = atol (v);
data/libpam-ldap-186/pam_ldap.c:1154:12: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
fp = fopen (PAM_LDAP_PATH_ROOTPASSWD, "r");
data/libpam-ldap-186/pam_ldap.c:1206:20: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
debugfile = fopen (name, "a");
data/libpam-ldap-186/pam_ldap.c:2220:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char seconds[32];
data/libpam-ldap-186/pam_ldap.c:2224:50: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
session->info->password_expiration_time = atol (seconds);
data/libpam-ldap-186/pam_ldap.c:2330:10: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
*ptr = atoi (vals[0]);
data/libpam-ldap-186/pam_ldap.c:2347:10: [2] (integer) atol:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
*ptr = atol (vals[0]);
data/libpam-ldap-186/pam_ldap.c:2490:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hostname[MAXHOSTNAMELEN];
data/libpam-ldap-186/pam_ldap.c:2498:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/libpam-ldap-186/pam_ldap.c:2572:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char *
data/libpam-ldap-186/pam_ldap.c:2573:16: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
_get_md5_salt (char saltbuf[16])
data/libpam-ldap-186/pam_ldap.c:2590:3: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy (saltbuf, "$1$");
data/libpam-ldap-186/pam_ldap.c:2599:8: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char *
data/libpam-ldap-186/pam_ldap.c:2600:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
_get_salt (char salt[16])
data/libpam-ldap-186/pam_ldap.c:2641:4: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy (p, "\\2a");
data/libpam-ldap-186/pam_ldap.c:2645:4: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy (p, "\\28");
data/libpam-ldap-186/pam_ldap.c:2649:4: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy (p, "\\29");
data/libpam-ldap-186/pam_ldap.c:2653:4: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy (p, "\\5c");
data/libpam-ldap-186/pam_ldap.c:2690:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char filter[LDAP_FILT_MAXSIZ], escapedUser[LDAP_FILT_MAXSIZ];
data/libpam-ldap-186/pam_ldap.c:3063:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *strvalsold[2];
data/libpam-ldap-186/pam_ldap.c:3064:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char *strvalsnew[2];
data/libpam-ldap-186/pam_ldap.c:3067:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[64], saltbuf[16];
data/libpam-ldap-186/pam_ldap.c:3077:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char old_password_with_quotes[17], new_password_with_quotes[17];
data/libpam-ldap-186/pam_ldap.c:3078:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char old_unicode_password[34], new_unicode_password[34];
data/libpam-ldap-186/pam_ldap.c:3549:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[32], *strvals[2];
data/libpam-ldap-186/pam_ldap.c:3558:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char errmsg[1024];
data/libpam-ldap-186/pam_ldap.c:3941:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char buf[1024];
data/libpam-ldap-186/md5.c:70:50: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
md5_append(&state, (const md5_byte_t *)test[i], strlen(test[i]));
data/libpam-ldap-186/pam_ldap.c:832:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (v) - 1;
data/libpam-ldap-186/pam_ldap.c:939:31: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
ssd->base = malloc (len + strlen (result->base) + 1);
data/libpam-ldap-186/pam_ldap.c:940:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (ssd->base, v, len);
data/libpam-ldap-186/pam_ldap.c:946:5: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy (ssd->base, v, len);
data/libpam-ldap-186/pam_ldap.c:1160:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen (b);
data/libpam-ldap-186/pam_ldap.c:1201:25: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
char *name = malloc (strlen (session->conf->logdir) + 18);
data/libpam-ldap-186/pam_ldap.c:1676:42: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
userpw.bv_len = (userpw.bv_val != 0) ? strlen (userpw.bv_val) : 0;
data/libpam-ldap-186/pam_ldap.c:1902:19: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
interact->len = strlen(interact->result);
data/libpam-ldap-186/pam_ldap.c:2117:46: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
userpw.bv_len = (userpw.bv_val != 0) ? strlen (userpw.bv_val) : 0;
data/libpam-ldap-186/pam_ldap.c:3205:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
for (i = 0; i < strlen (new_password_with_quotes); i++)
data/libpam-ldap-186/pam_ldap.c:3208:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
bvalnew.bv_len = strlen (new_password_with_quotes) * 2;
data/libpam-ldap-186/pam_ldap.c:3222:20: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
for (i = 0; i < strlen (old_password_with_quotes); i++)
data/libpam-ldap-186/pam_ldap.c:3225:21: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
bvalold.bv_len = strlen (old_password_with_quotes) * 2;
data/libpam-ldap-186/pam_ldap.c:3803:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
else if (strlen (newpass) < (size_t) policy.password_min_length)
ANALYSIS SUMMARY:
Hits = 69
Lines analyzed = 5062 in approximately 0.14 seconds (35808 lines/second)
Physical Source Lines of Code (SLOC) = 3935
Hits@level = [0] 65 [1] 15 [2] 47 [3] 1 [4] 6 [5] 0
Hits@level+ = [0+] 134 [1+] 69 [2+] 54 [3+] 7 [4+] 6 [5+] 0
Hits/KSLOC@level+ = [0+] 34.0534 [1+] 17.5349 [2+] 13.723 [3+] 1.77891 [4+] 1.52478 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.