Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/reglookup-1.0.1+svn287/python/experimental/regfi/pyregfi.h
Examining data/reglookup-1.0.1+svn287/python/experimental/regfi/class.c
Examining data/reglookup-1.0.1+svn287/python/experimental/regfi/regfi.c
Examining data/reglookup-1.0.1+svn287/python/experimental/regfi/error.c
Examining data/reglookup-1.0.1+svn287/python/experimental/include/class.h
Examining data/reglookup-1.0.1+svn287/python/experimental/include/aff4_errors.h
Examining data/reglookup-1.0.1+svn287/src/reglookup.c
Examining data/reglookup-1.0.1+svn287/src/reglookup-recover.c
Examining data/reglookup-1.0.1+svn287/src/common.c
Examining data/reglookup-1.0.1+svn287/lib/winsec.c
Examining data/reglookup-1.0.1+svn287/lib/regfi.c
Examining data/reglookup-1.0.1+svn287/lib/range_list.c
Examining data/reglookup-1.0.1+svn287/lib/lru_cache.c
Examining data/reglookup-1.0.1+svn287/lib/void_stack.c
Examining data/reglookup-1.0.1+svn287/include/lru_cache.h
Examining data/reglookup-1.0.1+svn287/include/range_list.h
Examining data/reglookup-1.0.1+svn287/include/void_stack.h
Examining data/reglookup-1.0.1+svn287/include/compat.h
Examining data/reglookup-1.0.1+svn287/include/byteorder.h
Examining data/reglookup-1.0.1+svn287/include/winsec.h
Examining data/reglookup-1.0.1+svn287/include/regfi.h
FINAL RESULTS:
data/reglookup-1.0.1+svn287/lib/regfi.c:168:3: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
data/reglookup-1.0.1+svn287/lib/regfi.c:307:7: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(fo, flag_map[i]);
data/reglookup-1.0.1+svn287/lib/regfi.c:386:7: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
strcpy(r, perm_map[i]);
data/reglookup-1.0.1+svn287/lib/regfi.c:442:10: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
data/reglookup-1.0.1+svn287/python/experimental/regfi/error.c:35:5: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
vsnprintf(error_buffer, ERROR_BUFFER_SIZE-1, reason,ap);
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:955:7: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
data/reglookup-1.0.1+svn287/include/byteorder.h:120:52: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
#define CVAL(buf,pos) ((unsigned)(((const unsigned char *)(buf))[pos]))
data/reglookup-1.0.1+svn287/include/byteorder.h:121:38: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
#define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */
data/reglookup-1.0.1+svn287/lib/lru_cache.c:257:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(e->index, index, index_len);
data/reglookup-1.0.1+svn287/lib/regfi.c:154:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(new_msg+buf_used, "INFO: ");
data/reglookup-1.0.1+svn287/lib/regfi.c:158:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(new_msg+buf_used, "WARN: ");
data/reglookup-1.0.1+svn287/lib/regfi.c:162:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(new_msg+buf_used, "ERROR: ");
data/reglookup-1.0.1+svn287/lib/regfi.c:316:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(fo, "0x%.2X ", flags);
data/reglookup-1.0.1+svn287/lib/regfi.c:395:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(r, "0x%.8X ", perms);
data/reglookup-1.0.1+svn287/lib/regfi.c:2774:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
data/reglookup-1.0.1+svn287/lib/regfi.c:2796:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
data/reglookup-1.0.1+svn287/lib/regfi.c:2814:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
data/reglookup-1.0.1+svn287/lib/regfi.c:2815:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
data/reglookup-1.0.1+svn287/lib/regfi.c:2872:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(hbin->magic, hbin_header, 4);
data/reglookup-1.0.1+svn287/lib/winsec.c:293:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ret_val->id_auth, buf+2, 6);
data/reglookup-1.0.1+svn287/lib/winsec.c:330:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ret_val->clock_seq, buf+0x8, 2);
data/reglookup-1.0.1+svn287/lib/winsec.c:331:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(ret_val->node, buf+0xB, 6);
data/reglookup-1.0.1+svn287/lib/winsec.c:429:11: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
data/reglookup-1.0.1+svn287/python/experimental/regfi/regfi.c:37:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
self->fd = open(filename, O_RDONLY);
data/reglookup-1.0.1+svn287/python/experimental/regfi/regfi.c:408:3: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(buff, self->data->raw, available_to_read);
data/reglookup-1.0.1+svn287/src/common.c:176:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(*error_msg, "Data pointer was NULL or size was 0.");
data/reglookup-1.0.1+svn287/src/common.c:187:5: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(*error_msg, "Data could not be interpreted, quoting raw buffer.");
data/reglookup-1.0.1+svn287/src/common.c:196:2: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(*error_msg, "Buffer could not be quoted due to unknown error.");
data/reglookup-1.0.1+svn287/src/common.c:206:2: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(*error_msg, "Buffer could not be quoted due to unknown error.");
data/reglookup-1.0.1+svn287/src/common.c:214:2: [2] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused). Risk is low because the source is a constant string.
strcpy(*error_msg, "Buffer could not be quoted due to unknown error.");
data/reglookup-1.0.1+svn287/src/common.c:224:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(ret_val, "0x%.8X", data->interpreted.dword);
data/reglookup-1.0.1+svn287/src/common.c:233:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(ret_val, "0x%.8X", data->interpreted.dword_be);
data/reglookup-1.0.1+svn287/src/common.c:242:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(ret_val, "0x%.16llX",
data/reglookup-1.0.1+svn287/src/common.c:311:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
sprintf(*error_msg,
data/reglookup-1.0.1+svn287/src/common.c:353:18: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if ((ret_val = open(filename, REGLOOKUP_OPEN_FLAGS)) == -1)
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:71:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char mtime[24];
data/reglookup-1.0.1+svn287/src/reglookup.c:67:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char mtime[20];
data/reglookup-1.0.1+svn287/src/reglookup.c:171:7: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
memcpy(copy, cur, next-cur);
data/reglookup-1.0.1+svn287/src/reglookup.c:295:10: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char empty_str[1] = "";
data/reglookup-1.0.1+svn287/src/reglookup.c:300:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char mtime[24];
data/reglookup-1.0.1+svn287/include/regfi.h:701:15: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
ssize_t (* read)(); /* (REGFI_RAW_FILE* self, void* buf, size_t count) */
data/reglookup-1.0.1+svn287/lib/regfi.c:143:16: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
buf_used = strlen(log_info->messages);
data/reglookup-1.0.1+svn287/lib/regfi.c:145:23: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
buf_size = buf_used+strlen(fmt)+160;
data/reglookup-1.0.1+svn287/lib/regfi.c:170:3: [1] (buffer) strncat:
Easily used incorrectly (e.g., incorrectly computing the correct maximum
size to add) [MS-banned] (CWE-120). Consider strcat_s, strlcat, snprintf,
or automatically resizing strings. Risk is low because the source is a
constant character.
strncat(new_msg, "\n", buf_size-1);
data/reglookup-1.0.1+svn287/lib/regfi.c:308:13: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
fo += strlen(flag_map[i]);
data/reglookup-1.0.1+svn287/lib/regfi.c:387:12: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
r += strlen(perm_map[i]);
data/reglookup-1.0.1+svn287/lib/regfi.c:429:15: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
extra = strlen(sid_str) + strlen(type_str)
data/reglookup-1.0.1+svn287/lib/regfi.c:429:33: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
extra = strlen(sid_str) + strlen(type_str)
data/reglookup-1.0.1+svn287/lib/regfi.c:430:4: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
+ strlen(perms_str) + strlen(flags_str) + 5;
data/reglookup-1.0.1+svn287/lib/regfi.c:430:24: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
+ strlen(perms_str) + strlen(flags_str) + 5;
data/reglookup-1.0.1+svn287/lib/regfi.c:577:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
return read(*(int*)self->state, buf, count);
data/reglookup-1.0.1+svn287/lib/regfi.c:609:21: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
rret = file_cb->read(file_cb,
data/reglookup-1.0.1+svn287/python/experimental/include/class.h:379:37: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define ZSTRING_NO_NULL(str) str , (strlen(str))
data/reglookup-1.0.1+svn287/python/experimental/include/class.h:380:29: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
#define ZSTRING(str) str , (strlen(str)+1)
data/reglookup-1.0.1+svn287/src/common.c:148:9: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
len = strlen(str);
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:302:22: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
path_element->len = strlen((char*)path_element->buf);
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:948:32: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
data/reglookup-1.0.1+svn287/src/reglookup-recover.c:948:56: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
data/reglookup-1.0.1+svn287/src/reglookup.c:183:6: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
if(strlen(cur) > 0)
data/reglookup-1.0.1+svn287/src/reglookup.c:250:18: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
name_len = strlen(name);
data/reglookup-1.0.1+svn287/src/reglookup.c:265:7: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(buf+(buf_len-buf_left-1), name, name_len);
ANALYSIS SUMMARY:
Hits = 61
Lines analyzed = 11536 in approximately 0.30 seconds (38610 lines/second)
Physical Source Lines of Code (SLOC) = 6731
Hits@level = [0] 104 [1] 21 [2] 34 [3] 0 [4] 6 [5] 0
Hits@level+ = [0+] 165 [1+] 61 [2+] 40 [3+] 6 [4+] 6 [5+] 0
Hits/KSLOC@level+ = [0+] 24.5134 [1+] 9.06255 [2+] 5.94265 [3+] 0.891398 [4+] 0.891398 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.