Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ptunnel-ng-1.42/model_file.c
Examining data/ptunnel-ng-1.42/src/challenge.c
Examining data/ptunnel-ng-1.42/src/challenge.h
Examining data/ptunnel-ng-1.42/src/md5.c
Examining data/ptunnel-ng-1.42/src/md5.h
Examining data/ptunnel-ng-1.42/src/options.c
Examining data/ptunnel-ng-1.42/src/options.h
Examining data/ptunnel-ng-1.42/src/pconfig.h
Examining data/ptunnel-ng-1.42/src/pdesc.c
Examining data/ptunnel-ng-1.42/src/pdesc.h
Examining data/ptunnel-ng-1.42/src/pkt.c
Examining data/ptunnel-ng-1.42/src/pkt.h
Examining data/ptunnel-ng-1.42/src/ptunnel.c
Examining data/ptunnel-ng-1.42/src/ptunnel.h
Examining data/ptunnel-ng-1.42/src/utils.c
Examining data/ptunnel-ng-1.42/src/utils.h
Examining data/ptunnel-ng-1.42/src/win32/includes/bittypes.h
Examining data/ptunnel-ng-1.42/src/win32/includes/pcap-stdinc.h
Examining data/ptunnel-ng-1.42/src/win32/includes/pcap.h
Examining data/ptunnel-ng-1.42/src/win32/includes/pcap/bpf.h
Examining data/ptunnel-ng-1.42/src/win32/includes/pcap/pcap.h

FINAL RESULTS:

data/ptunnel-ng-1.42/src/utils.c:95:4: [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  vsnprintf(log+header_len,sizeof(log)-header_len,fmt,args);
data/ptunnel-ng-1.42/src/utils.c:100:48: [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant for the format specification.
  fprintf(opts.log_file, "%s", header[level]), vfprintf(opts.log_file, fmt, args);
data/ptunnel-ng-1.42/src/win32/includes/pcap-stdinc.h:64:9: [4] (format) snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #define snprintf _snprintf
data/ptunnel-ng-1.42/src/win32/includes/pcap-stdinc.h:64:18: [4] (format) _snprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #define snprintf _snprintf
data/ptunnel-ng-1.42/src/win32/includes/pcap-stdinc.h:65:9: [4] (format) vsnprintf:
  If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate (CWE-134). Use a constant for the format specification.
  #define vsnprintf _vsnprintf
data/ptunnel-ng-1.42/src/challenge.c:68:6: [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  c->random[i] = pt_random();
data/ptunnel-ng-1.42/src/challenge.h:60:11: [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  uint32_t random[6];
data/ptunnel-ng-1.42/src/options.c:424:7: [3] (buffer) getopt_long:
  Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs.
  c = getopt_long(argc, argv, "m:p:l:r::R::c:v:L::o::sP:d::Su::g::C::e::w:a:t:y:E:h", &long_options[0], &oidx);
data/ptunnel-ng-1.42/src/options.h:112:6: [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  int chroot;
data/ptunnel-ng-1.42/src/ptunnel.c:220:11: [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  if (opts.chroot) {
data/ptunnel-ng-1.42/src/ptunnel.c:222:43: [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22). Make sure the program immediately chdir("/"), closes file descriptors, and drops root privileges, and that all necessary files (and no more!) are in the new root.
  if (-1 == chdir(opts.root_dir) || -1 == chroot(".") || -1 == chdir("/")) {
data/ptunnel-ng-1.42/src/ptunnel.h:88:31: [3] (misc) EnterCriticalSection:
  On some versions of Windows, exceptions can be thrown in low-memory situations. Use InitializeCriticalSectionAndSpinCount instead.
  #define pthread_mutex_lock EnterCriticalSection
data/ptunnel-ng-1.42/src/utils.c:187:2: [3] (random) srand:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
  srand(time(0));
data/ptunnel-ng-1.42/src/challenge.c:83:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(buf, challenge, sizeof(challenge_t));
data/ptunnel-ng-1.42/src/challenge.c:84:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(&buf[sizeof(challenge_t)], opts.password_digest, kMD5_digest_size);
data/ptunnel-ng-1.42/src/md5.c:169:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(xbuf, data, 64);
data/ptunnel-ng-1.42/src/md5.c:343:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(pms->buf + offset, p, copy);
data/ptunnel-ng-1.42/src/md5.c:357:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(pms->buf, p, left);
data/ptunnel-ng-1.42/src/options.c:576:24: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  opts.window_size = atoi(optarg);
data/ptunnel-ng-1.42/src/options.c:581:25: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  opts.ack_interval = atoi(optarg);
data/ptunnel-ng-1.42/src/options.c:586:28: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  opts.resend_interval = atoi(optarg);
data/ptunnel-ng-1.42/src/options.c:591:25: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  opts.payload_size = atoi(optarg);
data/ptunnel-ng-1.42/src/options.c:596:24: [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended).
  opts.empty_pings = atoi(optarg);
data/ptunnel-ng-1.42/src/options.c:627:31: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  if (NULL == (opts.pid_file = fopen(opts.pid_path, "w")))
data/ptunnel-ng-1.42/src/options.c:633:13: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  tmp_log = fopen(opts.log_path, "a");
data/ptunnel-ng-1.42/src/pdesc.c:183:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(fwd_desc->data, data, data_len);
data/ptunnel-ng-1.42/src/pdesc.c:228:3: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(pt_pkt->data, buf, num_bytes);
data/ptunnel-ng-1.42/src/pdesc.h:81:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char data[0];
data/ptunnel-ng-1.42/src/pkt.c:197:8: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(cur->buf, cur->challenge, sizeof(challenge_t));
data/ptunnel-ng-1.42/src/pkt.h:95:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char data[0];
data/ptunnel-ng-1.42/src/pkt.h:113:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char data[0];
data/ptunnel-ng-1.42/src/pkt.h:131:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char data[0];
data/ptunnel-ng-1.42/src/ptunnel.c:64:8: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char errorstr[255];
data/ptunnel-ng-1.42/src/ptunnel.c:66:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char last_errorstr[255];
data/ptunnel-ng-1.42/src/ptunnel.c:100:7: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  const char *state_name[kNum_proto_types] = { "start", "ack ", "data ",
data/ptunnel-ng-1.42/src/ptunnel.c:107:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char errbuf[PCAP_ERRBUF_SIZE+1];
data/ptunnel-ng-1.42/src/ptunnel.c:822:2: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120). Make sure destination can always hold the source data.
  memcpy(elem->data, pkt+sizeof(struct ether_header), hdr->caplen-sizeof(struct ether_header));
data/ptunnel-ng-1.42/src/ptunnel.h:96:14: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  extern const char *state_name[kNum_proto_types];
data/ptunnel-ng-1.42/src/ptunnel.h:115:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char data[0];
data/ptunnel-ng-1.42/src/utils.c:92:4: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  char log[255];
data/ptunnel-ng-1.42/src/utils.c:168:12: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
  rng_fd = open(RNGDEV, O_RDONLY);
data/ptunnel-ng-1.42/src/utils.c:175:15: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
  bytes_read = read(rng_fd, &rnd_val, sizeof rnd_val);

ANALYSIS SUMMARY:

Hits = 42
Lines analyzed = 5655 in approximately 0.19 seconds (29589 lines/second)
Physical Source Lines of Code (SLOC) = 3273
Hits@level = [0] 29 [1] 1 [2] 28 [3] 8 [4] 5 [5] 0
Hits@level+ = [0+] 71 [1+] 42 [2+] 41 [3+] 13 [4+] 5 [5+] 0
Hits/KSLOC@level+ = [0+] 21.6926 [1+] 12.8323 [2+] 12.5267 [3+] 3.97189 [4+] 1.52765 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.