Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libpam-ldap-186/acconfig.h
Examining data/libpam-ldap-186/md5.c
Examining data/libpam-ldap-186/md5.h
Examining data/libpam-ldap-186/pam_ldap.h
Examining data/libpam-ldap-186/pam_ldap.c

FINAL RESULTS:

data/libpam-ldap-186/pam_ldap.c:182:4:  [4] (format) syslog:
  If syslog's format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant format string for syslog.
  syslog(LOG_DEBUG, "%s:%i " fmt , __FUNCTION__ , __LINE__ , ## args); \
data/libpam-ldap-186/pam_ldap.c:188:23:  [4] (format) syslog:
  If syslog's format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant format string for syslog.
  syslog(LOG_DEBUG, "%s:%i " fmt , __FUNCTION__ , __LINE__ , __VA_ARGS__); \
data/libpam-ldap-186/pam_ldap.c:941:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy (ssd->base + len, result->base);
data/libpam-ldap-186/pam_ldap.c:1204:8:  [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf.
  sprintf (name, "%s/ldap.%d", session->conf->logdir,
data/libpam-ldap-186/pam_ldap.c:3133:47:  [4] (crypto) crypt:
  The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  snprintf (buf, sizeof buf, "{crypt}%s", crypt (new_password, saltbuf));
data/libpam-ldap-186/pam_ldap.c:3148:47:  [4] (crypto) crypt:
  The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment (CWE-327). Use a different algorithm, such as SHA-256, with a larger, non-repeating salt.
  snprintf (buf, sizeof buf, "{crypt}%s", crypt (new_password, saltbuf));
data/libpam-ldap-186/pam_ldap.c:2605:3:  [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand (time (NULL));
data/libpam-ldap-186/md5.c:52:18:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static const char *const test[7] = {
data/libpam-ldap-186/md5.c:203:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(xbuf, data, 64);
data/libpam-ldap-186/md5.c:358:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(pms->buf + offset, p, copy);
data/libpam-ldap-186/md5.c:372:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(pms->buf, p, left);
data/libpam-ldap-186/pam_ldap.c:264:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *_get_md5_salt (char saltbuf[16]);
data/libpam-ldap-186/pam_ldap.c:264:29:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *_get_md5_salt (char saltbuf[16]);
data/libpam-ldap-186/pam_ldap.c:265:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *_get_salt (char salt[16]);
data/libpam-ldap-186/pam_ldap.c:265:25:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *_get_salt (char salt[16]);
data/libpam-ldap-186/pam_ldap.c:705:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (result->host, tmp, len);
data/libpam-ldap-186/pam_ldap.c:719:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (result->base, tmp, len);
data/libpam-ldap-186/pam_ldap.c:735:7:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy (p, tmp, len);
data/libpam-ldap-186/pam_ldap.c:736:22:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  result->port = atoi (p);
data/libpam-ldap-186/pam_ldap.c:770:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char b[BUFSIZ];
data/libpam-ldap-186/pam_ldap.c:793:8:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fp = fopen (configFile, "r");
data/libpam-ldap-186/pam_ldap.c:917:19:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  result->port = atoi (v);
data/libpam-ldap-186/pam_ldap.c:921:24:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  result->timelimit = atoi (v);
data/libpam-ldap-186/pam_ldap.c:925:29:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  result->bind_timelimit = atoi (v);
data/libpam-ldap-186/pam_ldap.c:981:22:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  result->version = atoi (v);
data/libpam-ldap-186/pam_ldap.c:1047:30:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  result->min_uid = (uid_t) atol (v);
data/libpam-ldap-186/pam_ldap.c:1051:30:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  result->max_uid = (uid_t) atol (v);
data/libpam-ldap-186/pam_ldap.c:1100:20:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  result->debug = atol (v);
data/libpam-ldap-186/pam_ldap.c:1154:12:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  fp = fopen (PAM_LDAP_PATH_ROOTPASSWD, "r");
data/libpam-ldap-186/pam_ldap.c:1206:20:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  debugfile = fopen (name, "a");
data/libpam-ldap-186/pam_ldap.c:2220:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char seconds[32];
data/libpam-ldap-186/pam_ldap.c:2224:50:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  session->info->password_expiration_time = atol (seconds);
data/libpam-ldap-186/pam_ldap.c:2330:10:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *ptr = atoi (vals[0]);
data/libpam-ldap-186/pam_ldap.c:2347:10:  [2] (integer) atol:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  *ptr = atol (vals[0]);
data/libpam-ldap-186/pam_ldap.c:2490:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char hostname[MAXHOSTNAMELEN];
data/libpam-ldap-186/pam_ldap.c:2498:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1024];
data/libpam-ldap-186/pam_ldap.c:2572:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *
data/libpam-ldap-186/pam_ldap.c:2573:16:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  _get_md5_salt (char saltbuf[16])
data/libpam-ldap-186/pam_ldap.c:2590:3:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (saltbuf, "$1$");
data/libpam-ldap-186/pam_ldap.c:2599:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char *
data/libpam-ldap-186/pam_ldap.c:2600:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  _get_salt (char salt[16])
data/libpam-ldap-186/pam_ldap.c:2641:4:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (p, "\\2a");
data/libpam-ldap-186/pam_ldap.c:2645:4:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (p, "\\28");
data/libpam-ldap-186/pam_ldap.c:2649:4:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (p, "\\29");
data/libpam-ldap-186/pam_ldap.c:2653:4:  [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant string.
  strcpy (p, "\\5c");
data/libpam-ldap-186/pam_ldap.c:2690:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char filter[LDAP_FILT_MAXSIZ], escapedUser[LDAP_FILT_MAXSIZ];
data/libpam-ldap-186/pam_ldap.c:3063:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *strvalsold[2];
data/libpam-ldap-186/pam_ldap.c:3064:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char *strvalsnew[2];
data/libpam-ldap-186/pam_ldap.c:3067:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[64], saltbuf[16];
data/libpam-ldap-186/pam_ldap.c:3077:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char old_password_with_quotes[17], new_password_with_quotes[17];
data/libpam-ldap-186/pam_ldap.c:3078:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char old_unicode_password[34], new_unicode_password[34];
data/libpam-ldap-186/pam_ldap.c:3549:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[32], *strvals[2];
data/libpam-ldap-186/pam_ldap.c:3558:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char errmsg[1024];
data/libpam-ldap-186/pam_ldap.c:3941:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char buf[1024];
data/libpam-ldap-186/md5.c:70:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  md5_append(&state, (const md5_byte_t *)test[i], strlen(test[i]));
data/libpam-ldap-186/pam_ldap.c:832:13:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen (v) - 1;
data/libpam-ldap-186/pam_ldap.c:939:31:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ssd->base = malloc (len + strlen (result->base) + 1);
data/libpam-ldap-186/pam_ldap.c:940:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (ssd->base, v, len);
data/libpam-ldap-186/pam_ldap.c:946:5:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  strncpy (ssd->base, v, len);
data/libpam-ldap-186/pam_ldap.c:1160:14:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen (b);
data/libpam-ldap-186/pam_ldap.c:1201:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  char *name = malloc (strlen (session->conf->logdir) + 18);
data/libpam-ldap-186/pam_ldap.c:1676:42:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  userpw.bv_len = (userpw.bv_val != 0) ? strlen (userpw.bv_val) : 0;
data/libpam-ldap-186/pam_ldap.c:1902:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  interact->len = strlen(interact->result);
data/libpam-ldap-186/pam_ldap.c:2117:46:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  userpw.bv_len = (userpw.bv_val != 0) ? strlen (userpw.bv_val) : 0;
data/libpam-ldap-186/pam_ldap.c:3205:23:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (i = 0; i < strlen (new_password_with_quotes); i++)
data/libpam-ldap-186/pam_ldap.c:3208:24:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  bvalnew.bv_len = strlen (new_password_with_quotes) * 2;
data/libpam-ldap-186/pam_ldap.c:3222:20:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  for (i = 0; i < strlen (old_password_with_quotes); i++)
data/libpam-ldap-186/pam_ldap.c:3225:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  bvalold.bv_len = strlen (old_password_with_quotes) * 2;
data/libpam-ldap-186/pam_ldap.c:3803:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  else if (strlen (newpass) < (size_t) policy.password_min_length)

ANALYSIS SUMMARY:

Hits = 69
Lines analyzed = 5062 in approximately 0.14 seconds (35808 lines/second)
Physical Source Lines of Code (SLOC) = 3935
Hits@level = [0]  65 [1]  15 [2]  47 [3]   1 [4]   6 [5]   0
Hits@level+ = [0+] 134 [1+]  69 [2+]  54 [3+]   7 [4+]   6 [5+]   0
Hits/KSLOC@level+ = [0+] 34.0534 [1+] 17.5349 [2+] 13.723 [3+] 1.77891 [4+] 1.52478 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.