Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/r8168-8.048.03/src/r8168.h
Examining data/r8168-8.048.03/src/r8168_asf.c
Examining data/r8168-8.048.03/src/r8168_asf.h
Examining data/r8168-8.048.03/src/r8168_dash.h
Examining data/r8168-8.048.03/src/r8168_fiber.h
Examining data/r8168-8.048.03/src/r8168_realwow.h
Examining data/r8168-8.048.03/src/rtltool.c
Examining data/r8168-8.048.03/src/rtltool.h
Examining data/r8168-8.048.03/src/rtl_eeprom.c
Examining data/r8168-8.048.03/src/rtl_eeprom.h
Examining data/r8168-8.048.03/src/r8168_n.c

FINAL RESULTS:

data/r8168-8.048.03/src/r8168_n.c:4843:9: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
        strcpy(info->driver, MODULENAME);

data/r8168-8.048.03/src/r8168_n.c:4844:9: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
        strcpy(info->version, RTL8168_VERSION);

data/r8168-8.048.03/src/r8168_n.c:4845:9: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
        strcpy(info->bus_info, pci_name(tp->pci_dev));

data/r8168-8.048.03/src/r8168.h:719:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char driver[32];

data/r8168-8.048.03/src/r8168.h:720:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char version[32];

data/r8168-8.048.03/src/r8168.h:721:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char fw_version[32];

data/r8168-8.048.03/src/r8168.h:722:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char bus_info[32];

data/r8168-8.048.03/src/r8168.h:723:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char reserved1[32];

data/r8168-8.048.03/src/r8168.h:724:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char reserved2[16];

data/r8168-8.048.03/src/r8168_asf.h:275:17: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char string[MAX_STR_LEN];

data/r8168-8.048.03/src/r8168_n.c:659:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy (dest->data, src, len);

data/r8168-8.048.03/src/r8168_n.c:1648:9: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char name[12];

data/r8168-8.048.03/src/r8168_n.c:3563:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(skb_put(skb, dev->addr_len), dev->dev_addr, dev->addr_len);

data/r8168-8.048.03/src/r8168_n.c:3564:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(skb_put(skb, dev->addr_len), dev->dev_addr, dev->addr_len);

data/r8168-8.048.03/src/r8168_n.c:3565:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(skb_put(skb, sizeof(type)), &type, sizeof(type));

data/r8168-8.048.03/src/r8168_n.c:5562:17: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(data, *rtl8168_gstrings, sizeof(rtl8168_gstrings));

data/r8168-8.048.03/src/r8168_n.c:5641:17: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(buf, (u8 *)eeprom_buff + (eeprom->offset & 3), eeprom->len);

data/r8168-8.048.03/src/r8168_n.c:24580:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(dev->perm_addr, dev->dev_addr, dev->addr_len);

data/r8168-8.048.03/src/r8168_n.c:24607:9: [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(dev->dev_addr, addr->sa_data, dev->addr_len);

ANALYSIS SUMMARY:

Hits = 19
Lines analyzed = 32998 in approximately 0.80 seconds (41281 lines/second)
Physical Source Lines of Code (SLOC) = 29561
Hits@level = [0] 33 [1] 0 [2] 16 [3] 0 [4] 3 [5] 0
Hits@level+ = [0+] 52 [1+] 19 [2+] 19 [3+] 3 [4+] 3 [5+] 0
Hits/KSLOC@level+ = [0+] 1.75907 [1+] 0.642739 [2+] 0.642739 [3+] 0.101485 [4+] 0.101485 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1

Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.