Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/ttysnoop-0.12d/config.h
Examining data/ttysnoop-0.12d/logwtmp.h
Examining data/ttysnoop-0.12d/common.c
Examining data/ttysnoop-0.12d/common.h
Examining data/ttysnoop-0.12d/ttysnoop.c
Examining data/ttysnoop-0.12d/logwtmp.c
Examining data/ttysnoop-0.12d/ttysnoops.c

FINAL RESULTS:

data/ttysnoop-0.12d/ttysnoops.c:236:6: [5] (race) chown:
  This accepts filename arguments; if an attacker can move those files, a
  race condition results. (CWE-362). Use fchown( ) instead.
  if (chown (ttyname, getuid(), gid)

data/ttysnoop-0.12d/ttysnoops.c:237:9: [5] (race) chmod:
  This accepts filename arguments; if an attacker can move those files, a
  race condition results. (CWE-362). Use fchmod( ) instead.
  || chmod (ttyname, S_IRUSR | S_IWUSR | S_IWGRP))

data/ttysnoop-0.12d/common.c:25:2: [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.
  vfprintf (stderr, fmt, args);

data/ttysnoop-0.12d/common.c:37:6: [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  r = vsprintf(str, fmt, args);

data/ttysnoop-0.12d/ttysnoops.c:131:2: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination
  [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy
  (warning: strncpy easily misused).
  strcpy (tty, leafname(ttyname(STDIN_FILENO)));

data/ttysnoop-0.12d/ttysnoops.c:172:3: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination
  [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy
  (warning: strncpy easily misused).
  strcpy(ptyname, name);

data/ttysnoop-0.12d/ttysnoops.c:412:30: [4] (crypto) crypt:
  The crypt functions use a poor one-way hashing algorithm; since they only
  accept passwords of 8 characters or fewer and only a two-byte salt, they
  are excessively vulnerable to dictionary attacks given today's faster
  computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
  with a larger, non-repeating salt.
  if (strcmp(pw->pw_passwd, crypt(buff, pw->pw_passwd)) == 0)

data/ttysnoop-0.12d/ttysnoops.c:414:50: [4] (crypto) crypt:
  The crypt functions use a poor one-way hashing algorithm; since they only
  accept passwords of 8 characters or fewer and only a two-byte salt, they
  are excessively vulnerable to dictionary attacks given today's faster
  computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
  with a larger, non-repeating salt.
  if (strcmp(spw->sp_pwdp, crypt(buff, spw->sp_pwdp)) == 0)

data/ttysnoop-0.12d/ttysnoops.c:442:2: [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination
  [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy
  (warning: strncpy easily misused).
  strcpy (utmp.ut_line, ptynam);

data/ttysnoop-0.12d/ttysnoops.c:567:3: [4] (shell) execv:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  execv (childproc, &argv[0]);

data/ttysnoop-0.12d/ttysnoops.c:590:3: [4] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf.
  sprintf (sockname, "%s/%s", SPOOLDIR,

data/ttysnoop-0.12d/common.c:34:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char str[256];

data/ttysnoop-0.12d/logwtmp.c:50:18: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) < 0)

data/ttysnoop-0.12d/ttysnoop.c:37:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buff[BUFF_SIZE];

data/ttysnoop-0.12d/ttysnoop.c:49:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char sockname[128];

data/ttysnoop-0.12d/ttysnoops.c:62:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buff[BUFF_SIZE];

data/ttysnoop-0.12d/ttysnoops.c:67:1: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char snoopdev[32], ptynam[32], childproc[128], sockname[128];

data/ttysnoop-0.12d/ttysnoops.c:126:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that
  the size is larger than the maximum possible length.
  char line[1024], arg[128], tty[16], *tail;

data/ttysnoop-0.12d/ttysnoops.c:128:11: [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((f = fopen(SNOOPTAB, "r")) == NULL)

data/ttysnoop-0.12d/ttysnoops.c:180:2: [2] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination
  [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy
  (warning: strncpy easily misused). Risk is low because the source is a
  constant string.
  strcpy (ptyname, "/dev/ptyxx");

data/ttysnoop-0.12d/ttysnoops.c:190:14: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((fd = open(ptyname, O_RDWR)) >= 0)

data/ttysnoop-0.12d/ttysnoops.c:214:12: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((fd = open(name, O_RDWR)) >= 0)

data/ttysnoop-0.12d/ttysnoops.c:243:12: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((fd = open(ttyname, O_RDWR)) >= 0)

data/ttysnoop-0.12d/ttysnoops.c:387:2: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that
  the size is larger than the maximum possible length.
  char buff[PASS_SIZE];

data/ttysnoop-0.12d/ttysnoops.c:614:18: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
  if ((snoopfd = open(snoopdev, O_RDWR)) < 0)

data/ttysnoop-0.12d/common.h:6:23: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  #define strncopy(x,y) strncpy (x, y, sizeof(x))

data/ttysnoop-0.12d/logwtmp.c:56:16: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120). Risk is low because the source is a
  constant character.
  strncpy(ut.ut_id, "", 2);

data/ttysnoop-0.12d/logwtmp.c:57:16: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(ut.ut_line, line, sizeof(ut.ut_line));

data/ttysnoop-0.12d/logwtmp.c:58:16: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(ut.ut_name, name, sizeof(ut.ut_name));

data/ttysnoop-0.12d/logwtmp.c:60:16: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy(ut.ut_host, host, sizeof(ut.ut_host));

data/ttysnoop-0.12d/ttysnoop.c:65:2: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (sock_addr.sun_path, sockname, sizeof(sock_addr.sun_path) - 1);

data/ttysnoop-0.12d/ttysnoop.c:104:13: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if ((n = read(sockfd, buff, BUFF_SIZE)) <= 0) {

data/ttysnoop-0.12d/ttysnoop.c:118:8: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  n = read(STDIN_FILENO, buff, BUFF_SIZE);

data/ttysnoop-0.12d/ttysnoops.c:80:21: [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  while ((b = fgetc(f)) != EOF && isspace(b));

data/ttysnoop-0.12d/ttysnoops.c:85:17: [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  b = fgetc(f);

data/ttysnoop-0.12d/ttysnoops.c:343:12: [1] (buffer) fgetc:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if ((b = fgetc(f)) != EOF)

data/ttysnoop-0.12d/ttysnoops.c:355:12: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  buff[strlen(buff) - 1] = 0;

data/ttysnoop-0.12d/ttysnoops.c:364:16: [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((l = strlen(buff)) < max)

data/ttysnoop-0.12d/ttysnoops.c:596:3: [1] (buffer) strncpy:
  Easily used incorrectly; doesn't always \0-terminate or check for invalid
  pointers [MS-banned] (CWE-120).
  strncpy (serv_addr.sun_path, sockname, sizeof(serv_addr.sun_path) - 1);

data/ttysnoop-0.12d/ttysnoops.c:647:13: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if ((n = read(STDIN_FILENO, buff, BUFF_SIZE)) < 1)

data/ttysnoop-0.12d/ttysnoops.c:655:8: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  n = read(snoopfd, buff, BUFF_SIZE);

data/ttysnoop-0.12d/ttysnoops.c:677:13: [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  if ((n = read(ptyfd, buff, BUFF_SIZE)) < 1)

ANALYSIS SUMMARY:

Hits = 42
Lines analyzed = 1049 in approximately 0.05 seconds (21338 lines/second)
Physical Source Lines of Code (SLOC) = 727
Hits@level = [0] 9 [1] 17 [2] 14 [3] 0 [4] 9 [5] 2
Hits@level+ = [0+] 51 [1+] 42 [2+] 25 [3+] 11 [4+] 11 [5+] 2
Hits/KSLOC@level+ = [0+] 70.1513 [1+] 57.7717 [2+] 34.3879 [3+] 15.1307 [4+] 15.1307 [5+] 2.75103
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.