Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/pyscard-2.0.0/smartcard/scard/helpers.c
Examining data/pyscard-2.0.0/smartcard/scard/helpers.h
Examining data/pyscard-2.0.0/smartcard/scard/memlog.h
Examining data/pyscard-2.0.0/smartcard/scard/pcsctypes.h
Examining data/pyscard-2.0.0/smartcard/scard/pyscard-reader.h
Examining data/pyscard-2.0.0/smartcard/scard/winscarddll.c
Examining data/pyscard-2.0.0/smartcard/scard/winscarddll.h

FINAL RESULTS:

data/pyscard-2.0.0/smartcard/scard/helpers.c:132:5:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy( prl->aszReaderNames[x], psz );
data/pyscard-2.0.0/smartcard/scard/helpers.c:1053:9:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy( pstr->sz, PyString_AsString( source ) );
data/pyscard-2.0.0/smartcard/scard/helpers.c:1230:17:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy(p, psz);
data/pyscard-2.0.0/smartcard/scard/helpers.c:1234:13:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  strcpy( p, PyString_AsString(o) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:658:24:  [3] (misc) LoadLibrary:
  Ensure that the full path to the library is specified, or current directory may be used (CWE-829, CWE-20).
  Use registry entry or GetWindowsDirectory to find library path, if you aren't already.
  hinstDLL = LoadLibrary( "winscard.dll" );
data/pyscard-2.0.0/smartcard/scard/helpers.c:154:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(prl->ars[x].rgbAtr, ATR->ab, ATR->cBytes);
data/pyscard-2.0.0/smartcard/scard/helpers.h:38:14:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  unsigned char Data4[ 8 ];
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:302:12:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
  static char strError[75];
data/pyscard-2.0.0/smartcard/scard/helpers.c:43:21:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define lstrlen strlen
data/pyscard-2.0.0/smartcard/scard/helpers.c:125:41:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  prl->aszReaderNames[x] = mem_Malloc(strlen(psz)+1);
data/pyscard-2.0.0/smartcard/scard/helpers.c:312:50:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  pystr = PyUnicode_Decode( (char*)source, strlen(source), "cp1250" , NULL);
data/pyscard-2.0.0/smartcard/scard/helpers.c:1045:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  ulLength=strlen( PyString_AsString(source)) + 1 ;
data/pyscard-2.0.0/smartcard/scard/helpers.c:1195:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  cChars += strlen( PyString_AsString(o)) + 1 ;
data/pyscard-2.0.0/smartcard/scard/helpers.c:1236:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126).
  p += strlen( p ) + 1;
data/pyscard-2.0.0/smartcard/scard/helpers.c:1238:9:  [1] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).
  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  Risk is low because the source is a constant character.
  strcpy( p, "\0" );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:307:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Command successful.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:310:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Command cancelled.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:313:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Cannot dispose handle.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:316:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Insufficient buffer.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:319:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Invalid ATR.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:322:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Invalid handle.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:325:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Invalid parameter given.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:328:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Invalid target given.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:331:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Invalid value given.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:334:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Not enough memory.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:337:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "RPC transport error.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:340:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Internal error.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:343:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Unknown error.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:346:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Waited too long.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:349:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Unknown reader specified.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:352:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Command timeout.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:355:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Sharing violation.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:358:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "No smart card inserted.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:361:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Unknown card.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:364:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Card protocol mismatch.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:367:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Subsystem not ready.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:370:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "System cancelled.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:373:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Transaction failed.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:376:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Reader is unavailable.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:379:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Card is not supported.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:382:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Card is unresponsive.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:385:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Card is unpowered.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:388:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Card was reset.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:391:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Card was removed.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:394:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Feature not supported.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:397:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "PCI struct too small.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:400:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Reader is unsupported.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:403:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Reader already exists.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:406:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Card is unsupported.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:409:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Service not available.", sizeof( strError ) );
data/pyscard-2.0.0/smartcard/scard/winscarddll.c:412:13:  [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120).
  Risk is low because the source is a constant string.
  strncpy( strError, "Service was stopped.", sizeof( strError ) );

ANALYSIS SUMMARY:

Hits = 51
Lines analyzed = 2750 in approximately 0.10 seconds (26908 lines/second)
Physical Source Lines of Code (SLOC) = 2068
Hits@level = [0]  27 [1]  43 [2]   3 [3]   1 [4]   4 [5]   0
Hits@level+ = [0+]  78 [1+]  51 [2+]   8 [3+]   5 [4+]   4 [5+]   0
Hits/KSLOC@level+ = [0+] 37.7176 [1+] 24.6615 [2+] 3.86847 [3+] 2.41779 [4+] 1.93424 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.
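Added example (not code from pyscard or from Flawfinder) showing the two hazards the report keeps naming: the strncpy(dst, src, sizeof dst) shape flagged at winscarddll.c:307-412, which is only safe because every source is a string constant shorter than the 75-byte buffer, and the strlen+1 / strcpy shape flagged at helpers.c:125 and :132, which over-reads (CWE-126) if the input is not NUL-terminated. The buffer size 75 is reused from the report; the long input is constructed for the demonstration and the function names are this example's own.

```c
#include <stdlib.h>
#include <string.h>

/* Same size as the static buffer Flawfinder flagged at winscarddll.c:302. */
#define ERRBUF_LEN 75

/* Constructed input, 96 bytes: longer than ERRBUF_LEN, unlike the constant
 * messages in winscarddll.c that made the strncpy hits low risk. */
static const char LONG_INPUT[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* The flagged pattern: strncpy(strError, msg, sizeof strError).
 * Returns 1 if the destination ends up NUL-terminated, 0 if strncpy filled
 * every byte and left no terminator (the CWE-120 hazard behind the hit). */
int strncpy_terminates(const char *src) {
    char buf[ERRBUF_LEN];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Replacement that always terminates and reports truncation.
 * Returns strlen(src), like strlcpy; truncated iff return >= dst_len. */
size_t copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0) return n;
    size_t take = n < dst_len - 1 ? n : dst_len - 1;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return n;
}

/* Copies src into an ERRBUF_LEN buffer with copy_bounded and returns the
 * resulting string length, so the truncation point is observable. */
size_t copy_into_errbuf_len(const char *src) {
    char buf[ERRBUF_LEN];
    copy_bounded(buf, sizeof buf, src);
    return strlen(buf);
}

/* Length of src without reading past max bytes (strnlen is POSIX, not C99,
 * so it is spelled out here). Addresses the CWE-126 strlen hits. */
size_t bounded_len(const char *src, size_t max) {
    size_t i = 0;
    while (i < max && src[i] != '\0') i++;
    return i;
}

/* Safer form of the helpers.c:125/132 shape (malloc strlen+1, then strcpy):
 * the caller states how many bytes are readable, so an unterminated input
 * cannot be over-read. Caller frees the result. */
char *dup_bounded(const char *src, size_t readable) {
    size_t n = bounded_len(src, readable);
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    memcpy(out, src, n);
    out[n] = '\0';
    return out;
}

/* Returns 1 if dup_bounded(src, readable) yields exactly expect. */
int dup_bounded_matches(const char *src, size_t readable, const char *expect) {
    char *d = dup_bounded(src, readable);
    if (d == NULL) return 0;
    int ok = strcmp(d, expect) == 0;
    free(d);
    return ok;
}
```

With a constant such as "Command successful." strncpy_terminates returns 1, which is why Flawfinder rates those hits low; with LONG_INPUT it returns 0, and any later strlen(strError) or printf("%s") would read past the buffer. copy_bounded keeps the terminator in both cases and lets the caller notice truncation from the return value.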