The following issues were found
tests/server/sws.c
44 issues
Line: 97
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define RCMD_STREAM 2 /* told to stream */
struct httprequest {
char reqbuf[REQBUFSIZ]; /* buffer area for the incoming request */
bool connect_request; /* if a CONNECT */
unsigned short connect_port; /* the port number CONNECT used */
size_t checkindex; /* where to start checking of the request */
size_t offset; /* size of the incoming request */
long testno; /* test number found in the request */
Reported by FlawFinder.
Line: 104
Column: 8
CWE codes:
362
size_t offset; /* size of the incoming request */
long testno; /* test number found in the request */
long partno; /* part number found in the request */
bool open; /* keep connection open info, as found in the request */
bool auth_req; /* authentication required, don't wait for body unless
there's an Authorization header */
bool auth; /* Authorization header present in the incoming request */
size_t cl; /* Content-Length of the incoming request */
bool digest; /* Authorization digest header found */
Reported by FlawFinder.
Line: 240
Column: 13
CWE codes:
362
/* parse the file on disk that might have a test number for us */
static int parse_cmdfile(struct httprequest *req)
{
FILE *f = fopen(cmdfile, FOPEN_READTEXT);
if(f) {
int testnum = DOCNUMBER_NOTHING;
char buf[256];
while(fgets(buf, sizeof(buf), f)) {
if(1 == sscanf(buf, "Testnum %d", &testnum)) {
Reported by FlawFinder.
Line: 243
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
FILE *f = fopen(cmdfile, FOPEN_READTEXT);
if(f) {
int testnum = DOCNUMBER_NOTHING;
char buf[256];
while(fgets(buf, sizeof(buf), f)) {
if(1 == sscanf(buf, "Testnum %d", &testnum)) {
logmsg("[%s] cmdfile says testnum %d", cmdfile, testnum);
req->testno = testnum;
}
Reported by FlawFinder.
Line: 360
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char *line = &req->reqbuf[req->checkindex];
bool chunked = FALSE;
static char request[REQUEST_KEYWORD_SIZE];
static char doc[MAXDOCNAMELEN];
char logbuf[456];
int prot_major, prot_minor;
char *end = strstr(line, end_of_headers);
Reported by FlawFinder.
Line: 361
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *line = &req->reqbuf[req->checkindex];
bool chunked = FALSE;
static char request[REQUEST_KEYWORD_SIZE];
static char doc[MAXDOCNAMELEN];
char logbuf[456];
int prot_major, prot_minor;
char *end = strstr(line, end_of_headers);
req->callcount++;
Reported by FlawFinder.
Line: 362
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool chunked = FALSE;
static char request[REQUEST_KEYWORD_SIZE];
static char doc[MAXDOCNAMELEN];
char logbuf[456];
int prot_major, prot_minor;
char *end = strstr(line, end_of_headers);
req->callcount++;
Reported by FlawFinder.
Line: 748
Column: 11
CWE codes:
362
if(strstr(req->reqbuf, "Connection: close"))
req->open = FALSE; /* close connection after this request */
if(req->open &&
req->prot_version >= 11 &&
req->reqbuf + req->offset > end + strlen(end_of_headers) &&
!req->cl &&
(!strncmp(req->reqbuf, "GET", strlen("GET")) ||
!strncmp(req->reqbuf, "HEAD", strlen("HEAD")))) {
Reported by FlawFinder.
Line: 800
Column: 12
CWE codes:
362
return;
do {
dump = fopen(dumpfile, "ab");
} while(!dump && ((error = errno) == EINTR));
if(!dump) {
logmsg("[2] Error opening file %s error: %d %s",
dumpfile, error, strerror(error));
logmsg("Failed to write request input ");
Reported by FlawFinder.
Line: 959
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int error = 0;
int res;
const char *responsedump = is_proxy?RESPONSE_PROXY_DUMP:RESPONSE_DUMP;
static char weare[256];
switch(req->rcmd) {
default:
case RCMD_NORMALREQ:
break; /* continue with business as usual */
Reported by FlawFinder.
lib/vtls/openssl.c
44 issues
Line: 271
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done)
{
const SSL_SESSION *session = SSL_get_session(ssl);
unsigned char client_random[SSL3_RANDOM_SIZE];
unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
int master_key_length = 0;
if(!session || *keylog_done)
return;
Reported by FlawFinder.
Line: 272
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const SSL_SESSION *session = SSL_get_session(ssl);
unsigned char client_random[SSL3_RANDOM_SIZE];
unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
int master_key_length = 0;
if(!session || *keylog_done)
return;
Reported by FlawFinder.
Line: 289
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#else
if(ssl->s3 && session->master_key_length > 0) {
master_key_length = session->master_key_length;
memcpy(master_key, session->master_key, session->master_key_length);
memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE);
}
#endif
/* The handshake has not progressed sufficiently yet, or this is a TLS 1.3
Reported by FlawFinder.
Line: 290
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(ssl->s3 && session->master_key_length > 0) {
master_key_length = session->master_key_length;
memcpy(master_key, session->master_key, session->master_key_length);
memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE);
}
#endif
/* The handshake has not progressed sufficiently yet, or this is a TLS 1.3
* session (when curl was built with older OpenSSL headers and running with
Reported by FlawFinder.
Line: 421
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!encrypting) {
int klen = curlx_uztosi(strlen((char *)global_passwd));
if(num > klen) {
memcpy(buf, global_passwd, klen + 1);
return klen;
}
}
return 0;
}
Reported by FlawFinder.
Line: 438
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static CURLcode ossl_seed(struct Curl_easy *data)
{
char fname[256];
/* This might get called before it has been added to a multi handle */
if(data->multi && data->multi->ssl_seeded)
return CURLE_OK;
Reported by FlawFinder.
Line: 491
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* fallback to a custom seeding of the PRNG using a hash based on a current
time */
do {
unsigned char randb[64];
size_t len = sizeof(randb);
size_t i, i_max;
for(i = 0, i_max = len / sizeof(struct curltime); i < i_max; ++i) {
struct curltime tv = Curl_now();
Curl_wait_ms(1);
Reported by FlawFinder.
Line: 504
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tv.tv_usec ^= (unsigned int) ((Curl_now().tv_sec +
Curl_now().tv_usec) *
(i + 4)) << 16;
memcpy(&randb[i * sizeof(struct curltime)], &tv,
sizeof(struct curltime));
}
RAND_add(randb, (int)len, (double)len/2);
} while(!rand_enough());
Reported by FlawFinder.
Line: 748
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *key_type,
char *key_passwd)
{
char error_buffer[256];
bool check_privkey = TRUE;
int file_type = do_file_type(cert_type);
if(cert_file || cert_blob || (file_type == SSL_FILETYPE_ENGINE)) {
Reported by FlawFinder.
Line: 1146
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
size--; /* don't overwrite the buffer end */
memcpy(buf, biomem->data, size);
buf[size] = 0;
BIO_free(bio_out);
return !rc;
Reported by FlawFinder.
lib/vssh/libssh2.c
41 issues
Line: 922
Column: 21
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
sshc->rsa = aprintf("%s/.ssh/id_rsa", home);
if(!sshc->rsa)
out_of_memory = TRUE;
else if(access(sshc->rsa, R_OK) != 0) {
Curl_safefree(sshc->rsa);
sshc->rsa = aprintf("%s/.ssh/id_dsa", home);
if(!sshc->rsa)
out_of_memory = TRUE;
else if(access(sshc->rsa, R_OK) != 0) {
Reported by FlawFinder.
Line: 927
Column: 23
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
sshc->rsa = aprintf("%s/.ssh/id_dsa", home);
if(!sshc->rsa)
out_of_memory = TRUE;
else if(access(sshc->rsa, R_OK) != 0) {
Curl_safefree(sshc->rsa);
}
}
free(home);
}
Reported by FlawFinder.
Line: 936
Column: 29
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if(!out_of_memory && !sshc->rsa) {
/* Nothing found; try the current dir. */
sshc->rsa = strdup("id_rsa");
if(sshc->rsa && access(sshc->rsa, R_OK) != 0) {
Curl_safefree(sshc->rsa);
sshc->rsa = strdup("id_dsa");
if(sshc->rsa && access(sshc->rsa, R_OK) != 0) {
Curl_safefree(sshc->rsa);
/* Out of guesses. Set to the empty string to avoid
Reported by FlawFinder.
Line: 939
Column: 31
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if(sshc->rsa && access(sshc->rsa, R_OK) != 0) {
Curl_safefree(sshc->rsa);
sshc->rsa = strdup("id_dsa");
if(sshc->rsa && access(sshc->rsa, R_OK) != 0) {
Curl_safefree(sshc->rsa);
/* Out of guesses. Set to the empty string to avoid
* surprising info messages. */
sshc->rsa = strdup("");
}
Reported by FlawFinder.
Line: 914
Column: 24
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
else {
/* To ponder about: should really the lib be messing about with the
HOME environment variable etc? */
char *home = curl_getenv("HOME");
/* If no private key file is specified, try some common paths. */
if(home) {
/* Try ~/.ssh first. */
sshc->rsa = aprintf("%s/.ssh/id_rsa", home);
Reported by FlawFinder.
Line: 619
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct connectdata *conn = data->conn;
struct ssh_conn *sshc = &conn->proto.sshc;
const char *pubkey_md5 = data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5];
char md5buffer[33];
const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session,
LIBSSH2_HOSTKEY_HASH_MD5);
if(fingerprint) {
Reported by FlawFinder.
Line: 709
Column: 20
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
store->name, data->set.str[STRING_SSH_KNOWNHOSTS]);
continue;
}
port = atoi(kh_name_end + 2);
if(kh_name_end && (port == conn->remote_port)) {
kh_name_size = strlen(store->name) - 1 - strlen(kh_name_end);
if(strncmp(store->name + 1,
conn->host.name, kh_name_size) == 0) {
found = true;
Reported by FlawFinder.
Line: 1233
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case SSH_SFTP_REALPATH:
{
char tempHome[PATH_MAX];
/*
* Get the "home" directory
*/
rc = sftp_libssh2_realpath(sshc->sftp_session, ".",
Reported by FlawFinder.
Line: 97
Column: 50
CWE codes:
126
#endif
#define sftp_libssh2_realpath(s,p,t,m) \
libssh2_sftp_symlink_ex((s), (p), curlx_uztoui(strlen(p)), \
(t), (m), LIBSSH2_SFTP_REALPATH)
/* Local functions: */
static const char *sftp_libssh2_strerror(unsigned long err);
static LIBSSH2_ALLOC_FUNC(my_libssh2_malloc);
Reported by FlawFinder.
Line: 207
Column: 40
CWE codes:
126
if(num_prompts == 1) {
struct connectdata *conn = data->conn;
responses[0].text = strdup(conn->passwd);
responses[0].length = curlx_uztoui(strlen(conn->passwd));
}
(void)prompts;
} /* kbd_callback */
static CURLcode sftp_libssh2_error_to_CURLE(unsigned long err)
Reported by FlawFinder.
lib/vauth/digest.c
40 issues
Line: 343
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t i;
struct MD5_context *ctxt;
char *response = NULL;
unsigned char digest[MD5_DIGEST_LEN];
char HA1_hex[2 * MD5_DIGEST_LEN + 1];
char HA2_hex[2 * MD5_DIGEST_LEN + 1];
char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
char nonce[64];
char realm[128];
Reported by FlawFinder.
Line: 344
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct MD5_context *ctxt;
char *response = NULL;
unsigned char digest[MD5_DIGEST_LEN];
char HA1_hex[2 * MD5_DIGEST_LEN + 1];
char HA2_hex[2 * MD5_DIGEST_LEN + 1];
char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
char nonce[64];
char realm[128];
char algorithm[64];
Reported by FlawFinder.
Line: 345
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *response = NULL;
unsigned char digest[MD5_DIGEST_LEN];
char HA1_hex[2 * MD5_DIGEST_LEN + 1];
char HA2_hex[2 * MD5_DIGEST_LEN + 1];
char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
char nonce[64];
char realm[128];
char algorithm[64];
char qop_options[64];
Reported by FlawFinder.
Line: 346
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char digest[MD5_DIGEST_LEN];
char HA1_hex[2 * MD5_DIGEST_LEN + 1];
char HA2_hex[2 * MD5_DIGEST_LEN + 1];
char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
char nonce[64];
char realm[128];
char algorithm[64];
char qop_options[64];
int qop_values;
Reported by FlawFinder.
Line: 347
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char HA1_hex[2 * MD5_DIGEST_LEN + 1];
char HA2_hex[2 * MD5_DIGEST_LEN + 1];
char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
char nonce[64];
char realm[128];
char algorithm[64];
char qop_options[64];
int qop_values;
char cnonce[33];
Reported by FlawFinder.
Line: 348
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char HA2_hex[2 * MD5_DIGEST_LEN + 1];
char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
char nonce[64];
char realm[128];
char algorithm[64];
char qop_options[64];
int qop_values;
char cnonce[33];
char nonceCount[] = "00000001";
Reported by FlawFinder.
Line: 349
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char resp_hash_hex[2 * MD5_DIGEST_LEN + 1];
char nonce[64];
char realm[128];
char algorithm[64];
char qop_options[64];
int qop_values;
char cnonce[33];
char nonceCount[] = "00000001";
char method[] = "AUTHENTICATE";
Reported by FlawFinder.
Line: 350
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char nonce[64];
char realm[128];
char algorithm[64];
char qop_options[64];
int qop_values;
char cnonce[33];
char nonceCount[] = "00000001";
char method[] = "AUTHENTICATE";
char qop[] = DIGEST_QOP_VALUE_STRING_AUTH;
Reported by FlawFinder.
Line: 352
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char algorithm[64];
char qop_options[64];
int qop_values;
char cnonce[33];
char nonceCount[] = "00000001";
char method[] = "AUTHENTICATE";
char qop[] = DIGEST_QOP_VALUE_STRING_AUTH;
char *spn = NULL;
Reported by FlawFinder.
Line: 517
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Curl_auth_digest_cleanup(digest);
for(;;) {
char value[DIGEST_MAX_VALUE_LENGTH];
char content[DIGEST_MAX_CONTENT_LENGTH];
/* Pass all additional spaces here */
while(*chlg && ISSPACE(*chlg))
chlg++;
Reported by FlawFinder.
tests/smbserver.py
37 issues
Line: 39
Column: 5
if sys.version_info.major >= 3:
import configparser
else:
import ConfigParser as configparser
# impacket needs to be installed in the Python environment
try:
import impacket
except ImportError:
Reported by Pylint.
Line: 48
Column: 1
sys.stderr.write('Python package impacket needs to be installed!\n')
sys.stderr.write('Use pip or your package manager to install it.\n')
sys.exit(1)
from impacket import smb as imp_smb
from impacket import smbserver as imp_smbserver
from impacket.nt_errors import (STATUS_ACCESS_DENIED, STATUS_NO_SUCH_FILE,
STATUS_SUCCESS)
log = logging.getLogger(__name__)
Reported by Pylint.
Line: 49
Column: 1
sys.stderr.write('Use pip or your package manager to install it.\n')
sys.exit(1)
from impacket import smb as imp_smb
from impacket import smbserver as imp_smbserver
from impacket.nt_errors import (STATUS_ACCESS_DENIED, STATUS_NO_SUCH_FILE,
STATUS_SUCCESS)
log = logging.getLogger(__name__)
SERVER_MAGIC = "SERVER_MAGIC"
Reported by Pylint.
Line: 50
Column: 1
sys.exit(1)
from impacket import smb as imp_smb
from impacket import smbserver as imp_smbserver
from impacket.nt_errors import (STATUS_ACCESS_DENIED, STATUS_NO_SUCH_FILE,
STATUS_SUCCESS)
log = logging.getLogger(__name__)
SERVER_MAGIC = "SERVER_MAGIC"
TESTS_MAGIC = "TESTS_MAGIC"
Reported by Pylint.
Line: 43
Column: 5
# impacket needs to be installed in the Python environment
try:
import impacket
except ImportError:
sys.stderr.write('Python package impacket needs to be installed!\n')
sys.stderr.write('Use pip or your package manager to install it.\n')
sys.exit(1)
from impacket import smb as imp_smb
Reported by Pylint.
Line: 60
Column: 15
VERIFIED_RSP = "WE ROOLZ: {pid}\n"
def smbserver(options):
"""Start up a TCP SMB server that serves forever
"""
if options.pidfile:
pid = os.getpid()
Reported by Pylint.
Line: 248
Column: 17
if root_fid > 0:
# If we have a rootFid, the path is relative to that fid
path = conn_data["OpenedFiles"][root_fid]["FileName"]
log.debug("RootFid present %s!" % path)
else:
if "path" in conn_shares[tid]:
path = conn_shares[tid]["path"]
else:
raise SmbException(STATUS_ACCESS_DENIED,
Reported by Pylint.
Line: 306
Column: 13
except Exception:
log.exception("Failed to make test file")
raise SmbException(STATUS_NO_SUCH_FILE, "Failed to make test file")
class SmbException(Exception):
def __init__(self, error_code, error_message):
super(SmbException, self).__init__(error_message)
Reported by Pylint.
Line: 347
Column: 19
return parser.parse_args()
def setup_logging(options):
"""
Set up logging from the command line options
"""
root_logger = logging.getLogger()
add_stdout = False
Reported by Pylint.
Line: 390
Column: 12
# Run main script.
try:
rc = smbserver(options)
except Exception as e:
log.exception(e)
rc = ScriptRC.EXCEPTION
if options.pidfile and os.path.isfile(options.pidfile):
os.unlink(options.pidfile)
Reported by Pylint.
tests/server/rtspd.c
36 issues
Line: 98
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
((p)[3] = (unsigned char)((l) & 0xFF)))
struct httprequest {
char reqbuf[REQBUFSIZ]; /* buffer area for the incoming request */
size_t checkindex; /* where to start checking of the request */
size_t offset; /* size of the incoming request */
long testno; /* test number found in the request */
long partno; /* part number found in the request */
bool open; /* keep connection open info, as found in the request */
Reported by FlawFinder.
Line: 103
Column: 8
CWE codes:
362
size_t offset; /* size of the incoming request */
long testno; /* test number found in the request */
long partno; /* part number found in the request */
bool open; /* keep connection open info, as found in the request */
bool auth_req; /* authentication required, don't wait for body unless
there's an Authorization header */
bool auth; /* Authorization header present in the incoming request */
size_t cl; /* Content-Length of the incoming request */
bool digest; /* Authorization digest header found */
Reported by FlawFinder.
Line: 208
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char *line = &req->reqbuf[req->checkindex];
bool chunked = FALSE;
static char request[REQUEST_KEYWORD_SIZE];
static char doc[MAXDOCNAMELEN];
static char prot_str[5];
int prot_major, prot_minor;
char *end = strstr(line, END_OF_HEADERS);
Reported by FlawFinder.
Line: 209
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *line = &req->reqbuf[req->checkindex];
bool chunked = FALSE;
static char request[REQUEST_KEYWORD_SIZE];
static char doc[MAXDOCNAMELEN];
static char prot_str[5];
int prot_major, prot_minor;
char *end = strstr(line, END_OF_HEADERS);
logmsg("ProcessRequest() called with testno %ld and line [%s]",
Reported by FlawFinder.
Line: 210
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool chunked = FALSE;
static char request[REQUEST_KEYWORD_SIZE];
static char doc[MAXDOCNAMELEN];
static char prot_str[5];
int prot_major, prot_minor;
char *end = strstr(line, END_OF_HEADERS);
logmsg("ProcessRequest() called with testno %ld and line [%s]",
req->testno, line);
Reported by FlawFinder.
Line: 228
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
&prot_major,
&prot_minor) == 5) {
char *ptr;
char logbuf[256];
if(!strcmp(prot_str, "HTTP")) {
req->protocol = RPROT_HTTP;
}
else if(!strcmp(prot_str, "RTSP")) {
Reported by FlawFinder.
Line: 369
Column: 19
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fill it with junk data */
for(i = 0; i < rtp_size; i += RTP_DATA_SIZE) {
memcpy(rtp_scratch + 4 + i, RTP_DATA, RTP_DATA_SIZE);
}
if(!req->rtp_buffer) {
req->rtp_buffer = rtp_scratch;
req->rtp_buffersize = rtp_size + 4;
Reported by FlawFinder.
Line: 380
Column: 19
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->rtp_buffer = realloc(req->rtp_buffer,
req->rtp_buffersize +
rtp_size + 4);
memcpy(req->rtp_buffer + req->rtp_buffersize, rtp_scratch,
rtp_size + 4);
req->rtp_buffersize += rtp_size + 4;
free(rtp_scratch);
}
logmsg("rtp_buffersize is %zu, rtp_size is %d.",
Reported by FlawFinder.
Line: 553
Column: 11
CWE codes:
362
req->open = FALSE; /* close connection after this request */
if(!req->pipe &&
req->open &&
req->prot_version >= 11 &&
req->reqbuf + req->offset > end + strlen(END_OF_HEADERS) &&
(!strncmp(req->reqbuf, "GET", strlen("GET")) ||
!strncmp(req->reqbuf, "HEAD", strlen("HEAD")))) {
/* If we have a persistent connection, HTTP version >= 1.1
Reported by FlawFinder.
Line: 608
Column: 12
CWE codes:
362
return;
do {
dump = fopen(REQUEST_DUMP, "ab");
} while(!dump && ((error = errno) == EINTR));
if(!dump) {
logmsg("Error opening file %s error: %d %s",
REQUEST_DUMP, error, strerror(error));
logmsg("Failed to write request input to " REQUEST_DUMP);
Reported by FlawFinder.
tests/unit/unit1603.c
32 issues
Line: 63
Column: 26
CWE codes:
126
/* Ensure the key hashes are as expected in order to test both hash
collisions and a full table. Unfortunately, the hashes can vary
between architectures. */
if(Curl_hash_str(key1, strlen(key1), slots) != 1 ||
Curl_hash_str(key2, strlen(key2), slots) != 0 ||
Curl_hash_str(key3, strlen(key3), slots) != 2 ||
Curl_hash_str(key4, strlen(key4), slots) != 1)
fprintf(stderr, "Warning: hashes are not computed as expected on this "
"architecture; test coverage will be less comprehensive\n");
Reported by FlawFinder.
Line: 64
Column: 26
CWE codes:
126
collisions and a full table. Unfortunately, the hashes can vary
between architectures. */
if(Curl_hash_str(key1, strlen(key1), slots) != 1 ||
Curl_hash_str(key2, strlen(key2), slots) != 0 ||
Curl_hash_str(key3, strlen(key3), slots) != 2 ||
Curl_hash_str(key4, strlen(key4), slots) != 1)
fprintf(stderr, "Warning: hashes are not computed as expected on this "
"architecture; test coverage will be less comprehensive\n");
Reported by FlawFinder.
Line: 65
Column: 26
CWE codes:
126
between architectures. */
if(Curl_hash_str(key1, strlen(key1), slots) != 1 ||
Curl_hash_str(key2, strlen(key2), slots) != 0 ||
Curl_hash_str(key3, strlen(key3), slots) != 2 ||
Curl_hash_str(key4, strlen(key4), slots) != 1)
fprintf(stderr, "Warning: hashes are not computed as expected on this "
"architecture; test coverage will be less comprehensive\n");
nodep = Curl_hash_add(&hash_static, &key1, strlen(key1), &key1);
Reported by FlawFinder.
Line: 66
Column: 26
CWE codes:
126
if(Curl_hash_str(key1, strlen(key1), slots) != 1 ||
Curl_hash_str(key2, strlen(key2), slots) != 0 ||
Curl_hash_str(key3, strlen(key3), slots) != 2 ||
Curl_hash_str(key4, strlen(key4), slots) != 1)
fprintf(stderr, "Warning: hashes are not computed as expected on this "
"architecture; test coverage will be less comprehensive\n");
nodep = Curl_hash_add(&hash_static, &key1, strlen(key1), &key1);
fail_unless(nodep, "insertion into hash failed");
Reported by FlawFinder.
Line: 70
Column: 46
CWE codes:
126
fprintf(stderr, "Warning: hashes are not computed as expected on this "
"architecture; test coverage will be less comprehensive\n");
nodep = Curl_hash_add(&hash_static, &key1, strlen(key1), &key1);
fail_unless(nodep, "insertion into hash failed");
nodep = Curl_hash_pick(&hash_static, &key1, strlen(key1));
fail_unless(nodep == key1, "hash retrieval failed");
nodep = Curl_hash_add(&hash_static, &key2, strlen(key2), &key2);
Reported by FlawFinder.
Line: 72
Column: 47
CWE codes:
126
nodep = Curl_hash_add(&hash_static, &key1, strlen(key1), &key1);
fail_unless(nodep, "insertion into hash failed");
nodep = Curl_hash_pick(&hash_static, &key1, strlen(key1));
fail_unless(nodep == key1, "hash retrieval failed");
nodep = Curl_hash_add(&hash_static, &key2, strlen(key2), &key2);
fail_unless(nodep, "insertion into hash failed");
nodep = Curl_hash_pick(&hash_static, &key2, strlen(key2));
Reported by FlawFinder.
Line: 75
Column: 46
CWE codes:
126
nodep = Curl_hash_pick(&hash_static, &key1, strlen(key1));
fail_unless(nodep == key1, "hash retrieval failed");
nodep = Curl_hash_add(&hash_static, &key2, strlen(key2), &key2);
fail_unless(nodep, "insertion into hash failed");
nodep = Curl_hash_pick(&hash_static, &key2, strlen(key2));
fail_unless(nodep == key2, "hash retrieval failed");
nodep = Curl_hash_add(&hash_static, &key3, strlen(key3), &key3);
Reported by FlawFinder.
Line: 77
Column: 47
CWE codes:
126
nodep = Curl_hash_add(&hash_static, &key2, strlen(key2), &key2);
fail_unless(nodep, "insertion into hash failed");
nodep = Curl_hash_pick(&hash_static, &key2, strlen(key2));
fail_unless(nodep == key2, "hash retrieval failed");
nodep = Curl_hash_add(&hash_static, &key3, strlen(key3), &key3);
fail_unless(nodep, "insertion into hash failed");
nodep = Curl_hash_pick(&hash_static, &key3, strlen(key3));
Reported by FlawFinder.
Line: 80
Column: 46
CWE codes:
126
nodep = Curl_hash_pick(&hash_static, &key2, strlen(key2));
fail_unless(nodep == key2, "hash retrieval failed");
nodep = Curl_hash_add(&hash_static, &key3, strlen(key3), &key3);
fail_unless(nodep, "insertion into hash failed");
nodep = Curl_hash_pick(&hash_static, &key3, strlen(key3));
fail_unless(nodep == key3, "hash retrieval failed");
/* The fourth element exceeds the number of slots & collides */
Reported by FlawFinder.
Line: 82
Column: 47
CWE codes:
126
nodep = Curl_hash_add(&hash_static, &key3, strlen(key3), &key3);
fail_unless(nodep, "insertion into hash failed");
nodep = Curl_hash_pick(&hash_static, &key3, strlen(key3));
fail_unless(nodep == key3, "hash retrieval failed");
/* The fourth element exceeds the number of slots & collides */
nodep = Curl_hash_add(&hash_static, &key4, strlen(key4), &key4);
fail_unless(nodep, "insertion into hash failed");
Reported by FlawFinder.
lib/http.c
31 issues
Line: 1309
Column: 15
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
/* Allow debug builds to override this logic to force short initial
sends
*/
char *p = getenv("CURL_SMALLREQSEND");
if(p) {
size_t altsize = (size_t)strtoul(p, NULL, 10);
if(altsize)
sendsize = CURLMIN(size, altsize);
else
Reported by FlawFinder.
Line: 3677
Column: 12
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
((conn->handler->flags & PROTOPT_SSL) ||
#ifdef CURLDEBUG
/* allow debug builds to circumvent the HTTPS restriction */
getenv("CURL_ALTSVC_HTTP")
#else
0
#endif
)) {
/* the ALPN of the current request */
Reported by FlawFinder.
Line: 286
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!value)
return NULL;
memcpy(value, start, len);
value[len] = 0; /* null-terminate */
return value;
}
Reported by FlawFinder.
Line: 1188
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fullsize = (size_t)data->set.max_send_speed;
else if(http->postsize <= (curl_off_t)fullsize) {
memcpy(buffer, http->postdata, (size_t)http->postsize);
fullsize = (size_t)http->postsize;
if(http->backup.postsize) {
/* move backup data into focus and continue on that */
http->postdata = http->backup.postdata;
Reported by FlawFinder.
Line: 1208
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return fullsize;
}
memcpy(buffer, http->postdata, fullsize);
http->postdata += fullsize;
http->postsize -= fullsize;
return fullsize;
}
Reported by FlawFinder.
Line: 1301
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(sendsize > (size_t)data->set.upload_buffer_size)
sendsize = (size_t)data->set.upload_buffer_size;
memcpy(data->state.ulbuf, ptr, sendsize);
ptr = data->state.ulbuf;
}
else {
#ifdef CURLDEBUG
/* Allow debug builds to override this logic to force short initial
Reported by FlawFinder.
Line: 1953
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct tm *tm;
struct tm keeptime;
CURLcode result;
char datestr[80];
const char *condp;
if(data->set.timecondition == CURL_TIMECOND_NONE)
/* no condition was asked for */
return CURLE_OK;
Reported by FlawFinder.
Line: 2600
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
else {
if(http->postsize) {
char chunk[16];
/* Append the POST data chunky-style */
msnprintf(chunk, sizeof(chunk), "%x\r\n", (int)http->postsize);
result = Curl_dyn_add(r, chunk);
if(!result) {
included_body = http->postsize + strlen(chunk);
Reported by FlawFinder.
Line: 4196
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define HEADER1 scratch
#define SCRATCHSIZE 21
CURLcode res;
char scratch[SCRATCHSIZE + 1]; /* "HTTP/major.minor 123" */
/* We can't really convert this yet because we don't know if it's the
1st header line or the body. So we do a partial conversion into a
scratch area, leaving the data at 'headp' as-is.
*/
strncpy(&scratch[0], headp, SCRATCHSIZE);
Reported by FlawFinder.
Line: 4222
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* guarantees on future behaviors since it isn't within the protocol.
*/
char separator;
char twoorthree[2];
int httpversion = 0;
nc = sscanf(HEADER1,
" HTTP/%1d.%1d%c%3d",
&httpversion_major,
&httpversion,
Reported by FlawFinder.
lib/urlapi.c
31 issues
Line: 800
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* handle the file: scheme */
if(url_has_scheme && strcasecompare(schemebuf, "file")) {
/* path has been allocated large enough to hold this */
strcpy(path, &url[5]);
hostname = NULL; /* no host for file: URLs */
u->scheme = strdup("file");
if(!u->scheme)
return CURLUE_OUT_OF_MEMORY;
Reported by FlawFinder.
Line: 1545
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
free((char *)newp);
return CURLUE_OUT_OF_MEMORY;
}
strcpy(p, u->query); /* original query */
if(addamperand)
p[querylen] = '&'; /* ampersand */
strcpy(&p[querylen + addamperand], newp); /* new suffix */
free((char *)newp);
free(*storep);
Reported by FlawFinder.
Line: 1548
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(p, u->query); /* original query */
if(addamperand)
p[querylen] = '&'; /* ampersand */
strcpy(&p[querylen + addamperand], newp); /* new suffix */
free((char *)newp);
free(*storep);
*storep = p;
return CURLUE_OK;
}
Reported by FlawFinder.
Line: 407
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* copy over the root url part */
memcpy(newest, url_clone, urllen);
/* check if we need to append a slash */
if(('/' == useurl[0]) || (protsep && !*protsep) || ('?' == useurl[0]))
;
else
Reported by FlawFinder.
Line: 542
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(portptr) {
char *rest;
long port;
char portbuf[7];
/* Browser behavior adaptation. If there's a colon with no digits after,
just cut off the name there which makes us ignore the colon and just
use the default port. Firefox, Chrome and Safari all do that.
Reported by FlawFinder.
Line: 612
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(hostname[0] == '[') {
#ifdef ENABLE_IPV6
char dest[16]; /* fits a binary IPv6 address */
#endif
const char *l = "0123456789abcdefABCDEF:.";
if(hlen < 4) /* '[::]' is the shortest possible valid string */
return CURLUE_MALFORMED_INPUT;
hostname++;
Reported by FlawFinder.
Line: 629
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
hlen = len;
if(hostname[len] == '%') {
/* this could now be '%[zone id]' */
char zoneid[16];
int i = 0;
char *h = &hostname[len + 1];
/* pass '25' if present and is a url encoded percent sign */
if(!strncmp(h, "25", 2) && h[2] && (h[2] != ']'))
h += 2;
Reported by FlawFinder.
Line: 768
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *fragment = NULL;
CURLUcode result;
bool url_has_scheme = FALSE;
char schemebuf[MAX_SCHEME_LEN + 1];
const char *schemep = NULL;
size_t schemelen = 0;
size_t urllen;
if(!url)
Reported by FlawFinder.
Line: 911
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = p - hostp;
if(len) {
memcpy(hostname, hostp, len);
hostname[len] = 0;
}
else {
if(!(flags & CURLU_NO_AUTHORITY))
return CURLUE_MALFORMED_INPUT;
Reported by FlawFinder.
Line: 920
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
len = strlen(p);
memcpy(path, p, len);
path[len] = 0;
if(schemep) {
u->scheme = strdup(schemep);
if(!u->scheme)
Reported by FlawFinder.
tests/negtelnetserver.py
31 issues
Line: 37
Column: 5
if sys.version_info.major >= 3:
import socketserver
else:
import SocketServer as socketserver
log = logging.getLogger(__name__)
HOST = "localhost"
IDENT = "NTEL"
Reported by Pylint.
Line: 49
Column: 18
VERIFIED_RSP = "WE ROOLZ: {pid}"
def telnetserver(options):
"""
Starts up a TCP server with a telnet handler and serves DICT requests
forever.
"""
if options.pidfile:
Reported by Pylint.
Line: 126
Column: 20
self.tcp = tcp
self.state = self.NO_NEG
def recv(self, bytes):
"""
Read bytes from TCP, handling negotiation sequences
:param bytes: Number of bytes to read
:return: a buffer of bytes
Reported by Pylint.
Line: 307
Column: 19
return parser.parse_args()
def setup_logging(options):
"""
Set up logging from the command line options
"""
root_logger = logging.getLogger()
add_stdout = False
Reported by Pylint.
Line: 363
Column: 12
# Run main script.
try:
rc = telnetserver(options)
except Exception as e:
log.exception(e)
rc = ScriptRC.EXCEPTION
if options.pidfile and os.path.isfile(options.pidfile):
os.unlink(options.pidfile)
Reported by Pylint.
Line: 59
Column: 44
# see tests/server/util.c function write_pidfile
if os.name == "nt":
pid += 65536
with open(options.pidfile, "w") as f:
f.write(str(pid))
local_bind = (HOST, options.port)
log.info("Listening on %s", local_bind)
Reported by Pylint.
Line: 114
Column: 1
log.exception("IOError hit during request")
class Negotiator(object):
NO_NEG = 0
START_NEG = 1
WILL = 2
WONT = 3
DO = 4
Reported by Pylint.
Line: 114
Column: 1
log.exception("IOError hit during request")
class Negotiator(object):
NO_NEG = 0
START_NEG = 1
WILL = 2
WONT = 3
DO = 4
Reported by Pylint.
Line: 160
Column: 5
return buffer
def no_neg(self, byte_int, buffer):
# Not negotiating anything thus far. Check to see if we
# should.
if byte_int == NegTokens.IAC:
# Start negotiation
log.debug("Starting negotiation (IAC)")
Reported by Pylint.
Line: 171
Column: 5
# Just append the incoming byte to the buffer
buffer.append(byte_int)
def start_neg(self, byte_int):
# In a negotiation.
log.debug("In negotiation (%s)",
NegTokens.from_val(byte_int))
if byte_int == NegTokens.WILL:
Reported by Pylint.