Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c
FINAL RESULTS:
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:1065:36: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
id = g_strdup_printf("%012XFFFF", g_random_int());
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:1098:38: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
id = g_strdup_printf("%012XFFFF", g_random_int());
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:1125:38: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
id = g_strdup_printf("%012XFFFF", g_random_int());
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:1147:36: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
id = g_strdup_printf("%012XFFFF", g_random_int());
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:2489:75: [3] (random) g_random_int_range:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
g_string_append_printf(url, "%s/sockjs/%d/pidgin%d/websocket", ya->path, g_random_int_range(100, 999), g_random_int_range(1, 100));
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:2489:105: [3] (random) g_random_int_range:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
g_string_append_printf(url, "%s/sockjs/%d/pidgin%d/websocket", ya->path, g_random_int_range(100, 999), g_random_int_range(1, 100));
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:2701:38: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
id = g_strdup_printf("%012XFFFF", g_random_int());
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:2714:38: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
id = g_strdup_printf("%012XFFFF", g_random_int());
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:2887:36: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
id = g_strdup_printf("%012XFFFF", g_random_int());
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:3183:37: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
_id = g_strdup_printf("%012XFFFF", g_random_int());
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:3620:37: [3] (random) g_random_int:
This function is not sufficiently random for security-related functions
such as key and nonce creation (CWE-327). Use a more secure technique for
acquiring random values.
_id = g_strdup_printf("%012XFFFF", g_random_int());
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:361:12: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
major = atoi(markdown_version_split[0]);
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:365:13: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
minor = atoi(markdown_version_split[1]);
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:369:14: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
micro = atoi(markdown_version_split[2]);
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:2549:10: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range
(CWE-190). If source untrusted, check both minimum and maximum, even if the
input had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
port = atoi(server_split[1]);
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:388:44: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
markdown_len = mkd_line((char *)markdown, strlen(markdown), &markdown_str, flags);
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:592:17: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
chunk_start += strlen(start);
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:641:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
header_len = strlen(headers);
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:829:78: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
g_string_append_printf(headers, "Content-Length: %" G_GSIZE_FORMAT "\r\n", strlen(postdata));
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:2506:52: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
purple_ssl_write(ya->websocket, websocket_header, strlen(websocket_header));
data/purple-rocketchat-0.1~hg20200403.800ef89/librocketchat.c:2647:14: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
} else if (strlen(chatname) == 17) {
ANALYSIS SUMMARY:
Hits = 21
Lines analyzed = 3973 in approximately 0.09 seconds (43431 lines/second)
Physical Source Lines of Code (SLOC) = 2955
Hits@level = [0] 0 [1] 6 [2] 4 [3] 11 [4] 0 [5] 0
Hits@level+ = [0+] 21 [1+] 21 [2+] 15 [3+] 11 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 7.1066 [1+] 7.1066 [2+] 5.07614 [3+] 3.7225 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.