Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/scanssh-2.0/compat/libdnet/dnet.h
Examining data/scanssh-2.0/compat/sys/queue.h
Examining data/scanssh-2.0/compat/sys/tree.h
Examining data/scanssh-2.0/compat/err.h
Examining data/scanssh-2.0/compat/md5.h
Examining data/scanssh-2.0/acconfig.h
Examining data/scanssh-2.0/arc4random.c
Examining data/scanssh-2.0/getaddrinfo.c
Examining data/scanssh-2.0/getnameinfo.c
Examining data/scanssh-2.0/inet_aton.c
Examining data/scanssh-2.0/inet_pton.c
Examining data/scanssh-2.0/strlcat.c
Examining data/scanssh-2.0/strlcpy.c
Examining data/scanssh-2.0/strsep.c
Examining data/scanssh-2.0/scanssh.c
Examining data/scanssh-2.0/atomicio.c
Examining data/scanssh-2.0/exclude.c
Examining data/scanssh-2.0/connecter.c
Examining data/scanssh-2.0/xmalloc.c
Examining data/scanssh-2.0/interface.c
Examining data/scanssh-2.0/socks.c
Examining data/scanssh-2.0/http.c
Examining data/scanssh-2.0/telnet.c
Examining data/scanssh-2.0/exclude.h
Examining data/scanssh-2.0/interface.h
Examining data/scanssh-2.0/scanssh.h
Examining data/scanssh-2.0/socks.h
Examining data/scanssh-2.0/xmalloc.h
Examining data/scanssh-2.0/md5.c
Examining data/scanssh-2.0/err.c

FINAL RESULTS:

data/scanssh-2.0/err.c:53:9:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  (void)vfprintf(stderr, fmt, ap);
data/scanssh-2.0/err.c:68:9:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  (void)vfprintf(stderr, fmt, ap);
data/scanssh-2.0/err.c:82:9:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  (void)vfprintf(stderr, fmt, ap);
data/scanssh-2.0/err.c:95:9:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  (void)vfprintf(stderr, fmt, ap);
data/scanssh-2.0/getnameinfo.c:30:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(serv, tmpserv);
data/scanssh-2.0/getnameinfo.c:38:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(host, inet_ntoa(sin->sin_addr));
data/scanssh-2.0/getnameinfo.c:49:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(host, hp->h_name);
data/scanssh-2.0/http.c:54:32:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define DFPRINTF(x) if (debug) fprintf x
data/scanssh-2.0/scanssh.c:73:32:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define DFPRINTF(x) if (debug) fprintf x
data/scanssh-2.0/scanssh.c:74:41:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define DNFPRINTF(y, x) if (debug >= y) fprintf x
data/scanssh-2.0/socks.c:55:32:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define DFPRINTF(x) if (debug) fprintf x
data/scanssh-2.0/telnet.c:55:32:  [4] (format) fprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  #define DFPRINTF(x) if (debug) fprintf x
data/scanssh-2.0/arc4random.c:19:3:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  srandom(time(NULL));
data/scanssh-2.0/arc4random.c:21:10:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  return (random());
data/scanssh-2.0/exclude.c:78:2:  [3] (random) srandom:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  srandom(seed);
data/scanssh-2.0/exclude.c:80:16:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  rndsbox[i] = random();
data/scanssh-2.0/scanssh.c:594:16:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  int done = 0, random;
data/scanssh-2.0/scanssh.c:604:7:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  if (random)
data/scanssh-2.0/scanssh.c:616:8:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  if (!random || rndexclude) {
data/scanssh-2.0/scanssh.c:619:9:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  if (random) {
data/scanssh-2.0/scanssh.c:656:7:  [3] (random) random:
  This function is not sufficiently random for security-related functions
  such as key and nonce creation (CWE-327). Use a more secure technique for
  acquiring random values.
  if (random) {
data/scanssh-2.0/scanssh.c:1008:15:  [3] (buffer) getopt:
  Some older implementations do not protect against internal buffer
  overflows (CWE-120, CWE-20). Check implementation on installation, or
  limit the size of all string inputs.
  while ((ch = getopt(argc, argv, "VIhdps:i:e:n:r:ER")) != -1)
data/scanssh-2.0/compat/md5.h:16:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char in[64];
data/scanssh-2.0/compat/md5.h:21:24:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  void MD5Final(unsigned char digest[16], struct MD5Context *context);
data/scanssh-2.0/compat/md5.h:22:49:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  void MD5Transform(uint32 buf[4], const unsigned char in[64]);
data/scanssh-2.0/connecter.c:369:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char strport[NI_MAXSERV];
data/scanssh-2.0/exclude.c:139:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char line[BUFSIZ];
data/scanssh-2.0/exclude.c:153:16:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((stream = fopen(excludefile, "r")) == NULL)
data/scanssh-2.0/getaddrinfo.c:58:16:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  port = htons(atoi(servname));
data/scanssh-2.0/getnameinfo.c:23:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char tmpserv[16];
data/scanssh-2.0/inet_pton.c:116:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst, tmp, INADDRSZ);
data/scanssh-2.0/inet_pton.c:218:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(dst, tmp, IN6ADDRSZ);
data/scanssh-2.0/interface.c:90:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ebuf[PCAP_ERRBUF_SIZE];
data/scanssh-2.0/interface.c:167:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char ebuf[PCAP_ERRBUF_SIZE], *dst;
data/scanssh-2.0/interface.c:240:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char filter[1024];
data/scanssh-2.0/interface.c:241:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char line[1024], *p;
data/scanssh-2.0/interface.c:289:5:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char single[32];
data/scanssh-2.0/interface.h:43:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char if_filter[1024];
data/scanssh-2.0/md5.c:104:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p, buf, len);
data/scanssh-2.0/md5.c:107:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p, buf, t);
data/scanssh-2.0/md5.c:116:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(ctx->in, buf, 64);
data/scanssh-2.0/md5.c:124:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(ctx->in, buf, len);
data/scanssh-2.0/md5.c:133:15:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char digest[16];
data/scanssh-2.0/md5.c:197:21:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  const unsigned char inraw[64];
data/scanssh-2.0/md5.c:295:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char checksum[16];
data/scanssh-2.0/scanssh.c:755:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char seed[31], *line, *end;
data/scanssh-2.0/scanssh.c:1047:15:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if
  the input had no minus sign (large numbers can roll over into negative
  number; consider saving to an unsigned value if that is intended).
  syn_rate = atoi(optarg);
data/scanssh-2.0/scanssh.c:1266:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(arg->a_ports, ports, nports * sizeof(struct port));
data/scanssh-2.0/scanssh.c:1316:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[1024], *line = buf;
data/scanssh-2.0/scanssh.c:1367:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buf[1024], *line = buf;
data/scanssh-2.0/socks.c:104:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(address, &socks_dst_addr->addr_ip, sizeof(ip_addr_t));
data/scanssh-2.0/socks.c:122:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(address, &socks_dst_addr->addr_ip, sizeof(ip_addr_t));
data/scanssh-2.0/socks.c:186:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char response[32];
data/scanssh-2.0/socks.h:71:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char domain[64]; /* the host where it lives */
data/scanssh-2.0/connecter.c:295:37:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  bufferevent_write(bev, HTTP_SCAN, strlen(HTTP_SCAN));
data/scanssh-2.0/exclude.c:157:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  len = strlen(line);
data/scanssh-2.0/getnameinfo.c:27:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(tmpserv) > servlen)
data/scanssh-2.0/getnameinfo.c:35:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(inet_ntoa(sin->sin_addr)) > hostlen)
data/scanssh-2.0/getnameinfo.c:46:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(hp->h_name) > hostlen)
data/scanssh-2.0/http.c:80:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strncasecmp(line, HTTP10_OK, strlen(HTTP10_OK)) &&
data/scanssh-2.0/http.c:81:35:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strncasecmp(line, HTTP11_OK, strlen(HTTP11_OK)))
data/scanssh-2.0/http.c:100:7:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(EVBUFFER_DATA(input)) == 0) {
data/scanssh-2.0/md5.c:308:33:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  MD5Update (&context, argv[j], strlen (argv[j]));
data/scanssh-2.0/scanssh.c:769:6:  [1] (buffer) sscanf:
  It's unclear if the %s limit in the format string is small enough
  (CWE-120). Check that the limit is sufficiently small, or use a different
  input function.
  if (sscanf(line, "random(%d,%30s)/", &gen->gen_max, seed) < 1)
data/scanssh-2.0/scanssh.c:773:6:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(seed)) {
data/scanssh-2.0/scanssh.c:779:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  MD5Update(&ctx, seed, strlen(seed));
data/scanssh-2.0/socks.c:196:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(EVBUFFER_DATA(input)) == 0) {
data/scanssh-2.0/socks.c:214:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (evbuffer_find(input, socks->word, strlen(socks->word)) != NULL) {
data/scanssh-2.0/socks.c:460:39:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  bufferevent_write(bev, socks->word, strlen(socks->word) + 1);
data/scanssh-2.0/strlcat.c:61:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return(dlen + strlen(s));
data/scanssh-2.0/strlcpy.c:53:10:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  return(strlen(s));
data/scanssh-2.0/telnet.c:95:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (evbuffer_find(input, CCPROXY, strlen(CCPROXY)) != NULL) {
data/scanssh-2.0/telnet.c:102:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  } else if (evbuffer_find(input, GATEWAY1, strlen(GATEWAY1)) != NULL) {
data/scanssh-2.0/telnet.c:109:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  } else if (evbuffer_find(input, GATEWAY2, strlen(GATEWAY2)) != NULL) {
data/scanssh-2.0/telnet.c:120:43:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  } else if (evbuffer_find(input, WINGATE, strlen(WINGATE)) != NULL) {
data/scanssh-2.0/telnet.c:188:4:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(state->connect_wait)) == NULL)
data/scanssh-2.0/xmalloc.c:61:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  size_t len = strlen(str) + 1;

ANALYSIS SUMMARY:

Hits = 77
Lines analyzed = 6582 in approximately 0.18 seconds (36503 lines/second)
Physical Source Lines of Code (SLOC) = 4462
Hits@level = [0] 39 [1] 23 [2] 32 [3] 10 [4] 12 [5] 0
Hits@level+ = [0+] 116 [1+] 77 [2+] 54 [3+] 22 [4+] 12 [5+] 0
Hits/KSLOC@level+ = [0+] 25.9973 [1+] 17.2568 [2+] 12.1022 [3+] 4.93052 [4+] 2.68938 [5+] 0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
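Triage note on the [3] (random) hits. Flawfinder matches rule names lexically, so five of the ten hits (scanssh.c:594, 604, 616, 619, 656) are on a local `int` named `random` (the report shows `int done = 0, random;` and `if (random)`), not on calls to random(). The arc4random.c and exclude.c hits are real srandom()/random() calls; whether they matter depends on what the callers use the values for, which the report cannot tell (a fallback arc4random() seeded from time(NULL) is predictable, a scan-order permutation seeded from a user-chosen string is deterministic by design). The helper below is an added example for separating the two cases, constructed for this note and not part of scanssh or flawfinder: it takes a reported source line and the rule name and reports whether the name occurs as a whole identifier directly followed by `(`. The sample lines are copied from the report above; the `expect_call` verdicts are the reviewer's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int is_ident_char(int c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Returns 1 if `tok` appears in `line` as a whole identifier that is
 * followed, after optional blanks, by '(' (a direct call). A match inside
 * a longer identifier (random inside srandom) does not count, and a macro
 * body such as "fprintf x" does not count either: the real call happens
 * at each expansion site, which is where the format argument lives. */
static int is_call_site(const char *line, const char *tok)
{
    size_t tl = strlen(tok);
    const char *p = line;

    if (tl == 0)
        return 0;
    while ((p = strstr(p, tok)) != NULL) {
        int starts = (p == line) || !is_ident_char(p[-1]);
        int ends = !is_ident_char(p[tl]);
        if (starts && ends) {
            const char *q = p + tl;
            while (*q == ' ' || *q == '\t')
                q++;
            if (*q == '(')
                return 1;
        }
        p += tl;
    }
    return 0;
}

/* Sample source lines copied from the report, paired with the rule name
 * flawfinder matched on. expect_call is the human verdict. */
struct sample {
    const char *line;
    const char *tok;
    int expect_call;
};

static const struct sample samples[] = {
    { "int done = 0, random;",                    "random",  0 }, /* scanssh.c:594 */
    { "if (random)",                              "random",  0 }, /* scanssh.c:604 */
    { "if (!random || rndexclude) {",             "random",  0 }, /* scanssh.c:616 */
    { "rndsbox[i] = random();",                   "random",  1 }, /* exclude.c:80 */
    { "return (random());",                       "random",  1 }, /* arc4random.c:21 */
    { "srandom(time(NULL));",                     "random",  0 }, /* substring only */
    { "srandom(time(NULL));",                     "srandom", 1 }, /* arc4random.c:19 */
    { "strcpy(serv, tmpserv);",                   "strcpy",  1 }, /* getnameinfo.c:30 */
    { "#define DFPRINTF(x) if (debug) fprintf x", "fprintf", 0 }, /* http.c:54 */
};

#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Number of sample hits that are direct call sites; the rest are noise
 * or need to be reviewed at their expansion sites instead. */
static int count_call_sites(void)
{
    int n = 0;
    size_t i;
    for (i = 0; i < NSAMPLES; i++)
        n += is_call_site(samples[i].line, samples[i].tok);
    return n;
}

/* Number of samples where the helper agrees with the human verdict. */
static int count_agreements(void)
{
    int n = 0;
    size_t i;
    for (i = 0; i < NSAMPLES; i++)
        n += (is_call_site(samples[i].line, samples[i].tok) == samples[i].expect_call);
    return n;
}

int main(void)
{
    size_t i;
    for (i = 0; i < NSAMPLES; i++)
        printf("%-46s %-8s call=%d\n", samples[i].line, samples[i].tok,
               is_call_site(samples[i].line, samples[i].tok));
    printf("%d of %zu hits are direct call sites\n", count_call_sites(), NSAMPLES);
    return 0;
}
```

The check only decides whether a hit is a call at all; it says nothing about whether the call is safe, so a real random() still needs the question "what is this value used for" answered by hand.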
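Triage note on the [4] (buffer) strcpy hits in getnameinfo.c. The report shows each strcpy preceded by a length guard of the form `if (strlen(tmpserv) > servlen)` (lines 27/30, 35/38 and 46/49). A guard of that shape admits a string exactly servlen characters long, and strcpy then writes servlen + 1 bytes including the terminator; whether that is reachable depends on the callers' buffer sizes and on what can end up in the 16-byte tmpserv, neither of which the report shows. The code below is an added example, constructed for this note and not scanssh's getnameinfo.c: it reproduces the reported guard shape as a function, measures the overrun it lets through, and pairs it with a copy that accounts for the terminator and a snprintf-based port formatter that writes straight into the caller's buffer. Function names and the 65535 sample port are the reviewer's own.

```c
#include <stdio.h>
#include <string.h>

/* The guard as reported: rejects only when the string is longer than the
 * buffer. Returns 1 when the strcpy that follows it would run. */
static int guard_as_reported(const char *src, size_t dstlen)
{
    return strlen(src) > dstlen ? 0 : 1;
}

/* Bytes strcpy() writes for src: the characters plus the NUL terminator. */
static size_t strcpy_bytes_written(const char *src)
{
    return strlen(src) + 1;
}

/* Overrun in bytes that the reported guard lets through for src/dstlen,
 * or 0 if the copy is rejected or fits. Equal length gives exactly 1. */
static size_t overrun_under_reported_guard(const char *src, size_t dstlen)
{
    size_t w;
    if (!guard_as_reported(src, dstlen))
        return 0;
    w = strcpy_bytes_written(src);
    return w > dstlen ? w - dstlen : 0;
}

/* Hardened copy: succeeds only when src and its terminator fit in dst,
 * otherwise leaves dst untouched and returns -1. The length is explicit,
 * so no unbounded library call remains for a scanner to flag. */
static int copy_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)   /* n == dstlen is the case the old guard missed */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Numeric service formatting done directly into the caller's buffer, which
 * removes the need for a tmpserv[16] staging buffer. snprintf's return
 * value reports truncation, so a too-small servlen becomes an error rather
 * than a silent cut or an overrun. */
static int format_service(char *serv, size_t servlen, unsigned port)
{
    int n = snprintf(serv, servlen, "%u", port);
    if (n < 0 || (size_t)n >= servlen)
        return -1;
    return 0;
}

int main(void)
{
    char buf[8];
    printf("overrun for \"65535\" into 5 bytes: %zu\n",
           overrun_under_reported_guard("65535", 5));
    printf("copy_checked into 5 bytes: %d\n", copy_checked(buf, 5, "65535"));
    printf("copy_checked into 6 bytes: %d (%s)\n", copy_checked(buf, 6, "65535"), buf);
    printf("format_service(5): %d, format_service(6): %d\n",
           format_service(buf, 5, 65535), format_service(buf, 6, 65535));
    return 0;
}
```

The same review applies to the two host copies at getnameinfo.c:38 and :49, where the source is inet_ntoa() output or a resolver-supplied h_name rather than a locally formatted port, so the upper bound on the source length is not under the program's control.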
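Triage note on the [4] (format) hits. All of them are on the wrappers, not on the call sites: the four err.c lines are the `vfprintf(stderr, fmt, ap)` inside a warn/err-style family, and the DFPRINTF/DNFPRINTF macros only expand to a call where they are used. Flawfinder cannot see the format argument at those points, so the question to answer is whether any caller passes non-constant text as `fmt`. The code below is an added example, constructed for this note and not scanssh's err.c: it renders through a vfprintf-style wrapper into a buffer so the effect of a caller-supplied format can be observed, and shows the wrapper annotated as printf-like so the compiler checks every caller. The tests use only the `%%` sequence, which consumes no arguments; real conversions in an attacker-supplied format read or write memory through arguments that do not exist.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Wrapper with no format attribute: the compiler cannot check its callers,
 * so a misuse is invisible until runtime, which is all a scanner can say. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Unsafe call shape: caller-controlled text is the format. */
static int log_unsafe(char *out, size_t n, const char *user)
{
    return render(out, n, user);
}

/* Safe call shape: constant format, caller text as an argument. */
static int log_safe(char *out, size_t n, const char *user)
{
    return render(out, n, "%s", user);
}

/* The fix for the wrapper itself: declare it printf-like so that, with
 * -Wformat -Wformat-security (or -Werror=format-security), a caller that
 * passes a non-literal format with no arguments is flagged at build time.
 * The indices name the format parameter and the first variadic argument;
 * for a wrapper that takes a va_list the second index is 0. */
#if defined(__GNUC__) || defined(__clang__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

static int render_checked(char *out, size_t n, const char *fmt, ...) PRINTF_LIKE(3, 4);

static int render_checked(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Returns 1 if `user` comes out of the unsafe path different from the safe
 * path, i.e. it was interpreted as a format instead of being copied. */
static int was_interpreted(const char *user)
{
    char unsafe_out[128], safe_out[128];
    log_unsafe(unsafe_out, sizeof unsafe_out, user);
    log_safe(safe_out, sizeof safe_out, user);
    return strcmp(unsafe_out, safe_out) != 0;
}

int main(void)
{
    char b[64];
    log_unsafe(b, sizeof b, "100%% done");
    printf("unsafe: %s\n", b);
    log_safe(b, sizeof b, "100%% done");
    printf("safe:   %s\n", b);
    render_checked(b, sizeof b, "%s:%d", "host", 22);
    printf("checked: %s\n", b);
    return 0;
}
```

With the attribute in place, a call like render_checked(b, sizeof b, user) produces a -Wformat-security warning while render_checked(b, sizeof b, "%s", user) does not, which turns the manual review of every DFPRINTF and err() call site into a compiler check.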