Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/skstream-0.3.9/skstream/skserver.h
Examining data/skstream-0.3.9/skstream/skstream.cpp
Examining data/skstream-0.3.9/skstream/skstream_unix.h
Examining data/skstream-0.3.9/skstream/sksocket.h
Examining data/skstream-0.3.9/skstream/skpoll.h
Examining data/skstream-0.3.9/skstream/skserver_unix.h
Examining data/skstream-0.3.9/skstream/skserver.cpp
Examining data/skstream-0.3.9/skstream/skstream.h
Examining data/skstream-0.3.9/skstream/skpoll.cpp
Examining data/skstream-0.3.9/skstream/skaddress.h
Examining data/skstream-0.3.9/skstream/skstreamconfig.h
Examining data/skstream-0.3.9/skstream/skaddress.cpp
Examining data/skstream-0.3.9/skstream/sksocket.cpp
Examining data/skstream-0.3.9/skstream/sasproto.h
Examining data/skstream-0.3.9/test/skstreamtestrunner.cpp
Examining data/skstream-0.3.9/test/basicskstreamtest.h
Examining data/skstream-0.3.9/test/skservertest.h
Examining data/skstream-0.3.9/test/childskstreamtest.h
Examining data/skstream-0.3.9/test/socketbuftest.h
Examining data/skstream-0.3.9/ping/ping.cpp
Examining data/skstream-0.3.9/ping/ping.h
Examining data/skstream-0.3.9/tools/cat.cpp
FINAL RESULTS:
data/skstream-0.3.9/tools/cat.cpp:58:17: [3] (buffer) getopt:
Some older implementations do not protect against internal buffer overflows
(CWE-120, CWE-20). Check implementation on installation, or limit the size
of all string inputs.
int c = getopt(argc, argv, "nv");
data/skstream-0.3.9/ping/ping.cpp:155:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hbuf[NI_MAXHOST];
data/skstream-0.3.9/ping/ping.cpp:215:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hbuf[NI_MAXHOST];
data/skstream-0.3.9/ping/ping.h:43:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char cData[REQ_DATASIZE];
data/skstream-0.3.9/skstream/skserver.cpp:155:5: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
::memcpy(&iaddr, i->ai_addr, i->ai_addrlen);
data/skstream-0.3.9/skstream/skserver.cpp:170:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char serviceName[32];
data/skstream-0.3.9/skstream/skserver.cpp:172:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
::sprintf(serviceName, "%d", service);
data/skstream-0.3.9/skstream/skserver.cpp:214:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int tcp_socket_server::open(int service)
data/skstream-0.3.9/skstream/skserver.cpp:234:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int tcp_socket_server::open(struct addrinfo * i)
data/skstream-0.3.9/skstream/skserver.cpp:263:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int udp_socket_server::open(int service)
data/skstream-0.3.9/skstream/skserver.cpp:301:25: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int unix_socket_server::open(const std::string & service) {
data/skstream-0.3.9/skstream/skserver.h:107:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int open(int service);
data/skstream-0.3.9/skstream/skserver.h:108:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int open(struct addrinfo *);
data/skstream-0.3.9/skstream/skserver.h:119:5: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open(service);
data/skstream-0.3.9/skstream/skserver.h:125:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int open(int service);
data/skstream-0.3.9/skstream/skserver_unix.h:45:5: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open(service);
data/skstream-0.3.9/skstream/skserver_unix.h:53:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int open(const std::string & service);
data/skstream-0.3.9/skstream/skstream.cpp:380:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char portName[32];
data/skstream-0.3.9/skstream/skstream.cpp:382:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
::sprintf(portName, "%d", port);
data/skstream-0.3.9/skstream/skstream.cpp:396:9: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
::memcpy(&out_peer, i->ai_addr, i->ai_addrlen);
data/skstream-0.3.9/skstream/skstream.cpp:674:3: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open(address, service, nonblock);
data/skstream-0.3.9/skstream/skstream.cpp:683:3: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open(address, service, milliseconds);
data/skstream-0.3.9/skstream/skstream.cpp:693:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int tcp_socket_stream::open(const std::string & address,
data/skstream-0.3.9/skstream/skstream.cpp:707:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char serviceName[32];
data/skstream-0.3.9/skstream/skstream.cpp:709:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
::sprintf(serviceName, "%d", service);
data/skstream-0.3.9/skstream/skstream.cpp:772:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int tcp_socket_stream::open(const std::string & address, int service,
data/skstream-0.3.9/skstream/skstream.cpp:775:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (open(address, service, true) != 0) {
data/skstream-0.3.9/skstream/skstream.cpp:786:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int tcp_socket_stream::open(struct addrinfo * i, bool nonblock)
data/skstream-0.3.9/skstream/skstream.cpp:913:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char hbuf[NI_MAXHOST];
data/skstream-0.3.9/skstream/skstream.cpp:929:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char sbuf[NI_MAXSERV];
data/skstream-0.3.9/skstream/skstream.cpp:1032:3: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char serviceName[32];
data/skstream-0.3.9/skstream/skstream.cpp:1034:5: [2] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf. Risk is low because the source has a constant maximum length.
::sprintf(serviceName, "%d", service);
data/skstream-0.3.9/skstream/skstream.cpp:1091:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int udp_socket_stream::open(int service)
data/skstream-0.3.9/skstream/skstream.cpp:1126:3: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open(address, nonblock);
data/skstream-0.3.9/skstream/skstream.cpp:1132:3: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open(address, milliseconds);
data/skstream-0.3.9/skstream/skstream.cpp:1138:3: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open(other, nonblock);
data/skstream-0.3.9/skstream/skstream.cpp:1150:26: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
void unix_socket_stream::open(const std::string & address, bool nonblock)
data/skstream-0.3.9/skstream/skstream.cpp:1203:26: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
void unix_socket_stream::open(const std::string & address,
data/skstream-0.3.9/skstream/skstream.cpp:1206:3: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
open(address, true);
data/skstream-0.3.9/skstream/skstream.cpp:1212:26: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
void unix_socket_stream::open(unix_socket_stream & other, bool nonblock)
data/skstream-0.3.9/skstream/skstream.h:307:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int open(const std::string& address, int service, bool nonblock = false);
data/skstream-0.3.9/skstream/skstream.h:308:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int open(const std::string& address, int service, unsigned int milliseconds);
data/skstream-0.3.9/skstream/skstream.h:309:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int open(struct addrinfo *, bool nonblock = false);
data/skstream-0.3.9/skstream/skstream.h:376:7: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
int open(int service);
data/skstream-0.3.9/skstream/skstream_unix.h:59:8: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
void open(const std::string& address, bool nonblock = false);
data/skstream-0.3.9/skstream/skstream_unix.h:60:8: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
void open(const std::string& address, unsigned int milliseconds);
data/skstream-0.3.9/skstream/skstream_unix.h:61:8: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
void open(unix_socket_stream & other, bool nonblock = false);
data/skstream-0.3.9/test/childskstreamtest.h:154:23: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
skstream->open(hostname, port);
data/skstream-0.3.9/test/childskstreamtest.h:172:23: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
skstream->open(hostname, port, true);
data/skstream-0.3.9/test/skservertest.h:125:23: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
skserver->open(7777);
data/skstream-0.3.9/test/skservertest.h:175:23: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
skserver->open(7777);
data/skstream-0.3.9/tools/cat.cpp:35:12: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buffer[BUF_SIZE];
data/skstream-0.3.9/tools/cat.cpp:90:8: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
s->open(argv[optind], port, option_nonblock);
data/skstream-0.3.9/tools/cat.cpp:154:20: [2] (buffer) char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
static char buffer[BUF_SIZE];
data/skstream-0.3.9/ping/ping.cpp:189:8: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
sock.read((char*)&reply,sizeof(ECHO_REPLY));
data/skstream-0.3.9/skstream/skserver.cpp:318:3: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(sa.sun_path, service.c_str(), 108);
data/skstream-0.3.9/skstream/skstream.cpp:1177:3: [1] (buffer) strncpy:
Easily used incorrectly; doesn't always \0-terminate or check for invalid
pointers [MS-banned] (CWE-120).
strncpy(sa.sun_path, address.c_str(), sizeof(sa.sun_path));
ANALYSIS SUMMARY:
Hits = 57
Lines analyzed = 4573 in approximately 0.14 seconds (33427 lines/second)
Physical Source Lines of Code (SLOC) = 2619
Hits@level = [0] 2 [1] 3 [2] 53 [3] 1 [4] 0 [5] 0
Hits@level+ = [0+] 59 [1+] 57 [2+] 54 [3+] 1 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 22.5277 [1+] 21.764 [2+] 20.6186 [3+] 0.381825 [4+] 0 [5+] 0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.