The following issues were found
lib/getinfo.c
4 issues
Line: 186
Column: 19
CWE codes:
807
20
Suggestion:
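Check environment variables carefully before using them. In this excerpt the value of CURL_TIME is parsed with strtol(timestr, NULL, 10) and stored in an unsigned long, so non-numeric, negative or out-of-range input is not detected. The excerpt sits under #ifdef DEBUGBUILD, so it is compiled only when DEBUGBUILD is defined. The three later findings for this file show the same parsing pattern.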
} lptr;
#ifdef DEBUGBUILD
char *timestr = getenv("CURL_TIME");
if(timestr) {
unsigned long val = strtol(timestr, NULL, 10);
switch(info) {
case CURLINFO_LOCAL_PORT:
*param_longp = (long)val;
Reported by FlawFinder.
Line: 198
Column: 13
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
}
}
/* use another variable for this to allow different values */
timestr = getenv("CURL_DEBUG_SIZE");
if(timestr) {
unsigned long val = strtol(timestr, NULL, 10);
switch(info) {
case CURLINFO_HEADER_SIZE:
case CURLINFO_REQUEST_SIZE:
Reported by FlawFinder.
Line: 332
Column: 19
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
curl_off_t *param_offt)
{
#ifdef DEBUGBUILD
char *timestr = getenv("CURL_TIME");
if(timestr) {
unsigned long val = strtol(timestr, NULL, 10);
switch(info) {
case CURLINFO_TOTAL_TIME_T:
case CURLINFO_NAMELOOKUP_TIME_T:
Reported by FlawFinder.
Line: 411
Column: 19
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
double *param_doublep)
{
#ifdef DEBUGBUILD
char *timestr = getenv("CURL_TIME");
if(timestr) {
unsigned long val = strtol(timestr, NULL, 10);
switch(info) {
case CURLINFO_TOTAL_TIME:
case CURLINFO_NAMELOOKUP_TIME:
Reported by FlawFinder.
src/tool_cb_wrt.c
4 issues
Line: 78
Column: 10
CWE codes:
362
}
name = aname;
}
fd = open(name, O_CREAT | O_WRONLY | O_EXCL | O_BINARY, OPENMODE);
if(fd != -1) {
file = fdopen(fd, "wb");
if(!file)
close(fd);
}
Reported by FlawFinder.
Line: 88
Column: 12
CWE codes:
362
}
else
/* open file for writing */
file = fopen(outs->filename, "wb");
if(!file) {
warnf(global, "Failed to create the file %s: %s\n", outs->filename,
strerror(errno));
return FALSE;
Reported by FlawFinder.
Line: 204
Column: 14
CWE codes:
120
DWORD wc_len;
/* calculate buffer size for wide characters */
wc_len = MultiByteToWideChar(CP_UTF8, 0, buffer, in_len, NULL, 0);
wc_buf = (wchar_t*) malloc(wc_len * sizeof(wchar_t));
if(!wc_buf)
return failure;
/* calculate buffer size for multi-byte characters */
Reported by FlawFinder.
Line: 210
Column: 14
CWE codes:
120
return failure;
/* calculate buffer size for multi-byte characters */
wc_len = MultiByteToWideChar(CP_UTF8, 0, buffer, in_len, wc_buf, wc_len);
if(!wc_len) {
free(wc_buf);
return failure;
}
Reported by FlawFinder.
lib/escape.c
4 issues
Line: 105
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
else {
/* encode it */
char encoded[4];
result = Curl_convert_to_network(data, (char *)&in, 1);
if(result) {
/* Curl_convert_to_network calls failf if unsuccessful */
Curl_dyn_free(&d);
return NULL;
Reported by FlawFinder.
Line: 167
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(('%' == in) && (alloc > 2) &&
ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
/* this is two hexadecimal digits following a '%' */
char hexstr[3];
char *ptr;
hexstr[0] = string[1];
hexstr[1] = string[2];
hexstr[2] = 0;
Reported by FlawFinder.
Line: 91
Column: 39
CWE codes:
126
Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH * 3);
length = (inlength?(size_t)inlength:strlen(string));
if(!length)
return strdup("");
while(length--) {
unsigned char in = *string; /* we need to treat the characters unsigned */
Reported by FlawFinder.
Line: 156
Column: 26
CWE codes:
126
DEBUGASSERT(string);
DEBUGASSERT(ctrl >= REJECT_NADA); /* crash on TRUE/FALSE */
alloc = (length?length:strlen(string)) + 1;
ns = malloc(alloc);
if(!ns)
return CURLE_OUT_OF_MEMORY;
Reported by FlawFinder.
docs/examples/hiperfifo.c
4 issues
Line: 97
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURL *easy;
char *url;
GlobalInfo *global;
char error[CURL_ERROR_SIZE];
} ConnInfo;
/* Information associated with a specific socket */
typedef struct _SockInfo
Reported by FlawFinder.
Line: 366
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This gets called whenever data is received from the fifo */
static void fifo_cb(int fd, short event, void *arg)
{
char s[1024];
long int rv = 0;
int n = 0;
GlobalInfo *g = (GlobalInfo *)arg;
(void)fd;
(void)event;
Reported by FlawFinder.
Line: 411
Column: 12
CWE codes:
362
perror("mkfifo");
exit(1);
}
sockfd = open(fifo, O_RDWR | O_NONBLOCK, 0);
if(sockfd == -1) {
perror("open");
exit(1);
}
g->input = fdopen(sockfd, "r");
Reported by FlawFinder.
Line: 375
Column: 10
CWE codes:
120
Suggestion:
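Check that the limit is sufficiently small, or use a different input function. Here the width 1023 fits the char s[1024] buffer, but the following s[n]='\0' indexes with the %n count. That count also includes any whitespace skipped before the token, and n is not updated when the conversion fails, so n should be checked against sizeof(s) before it is used as an index.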
do {
s[0]='\0';
rv = fscanf(g->input, "%1023s%n", s, &n);
s[n]='\0';
if(n && s[0]) {
if(!strcmp(s, "stop")) {
g->stopped = 1;
if(g->still_running == 0)
Reported by FlawFinder.
tests/libtest/lib547.c
4 issues
Line: 57
Column: 5
CWE codes:
120
Suggestion:
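Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In this excerpt the strcpy() runs only after size * nmemb > strlen(UPLOADTHIS) has been checked, so the copy, including its terminator, fits within the size the caller reported.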
if(size * nmemb > strlen(UPLOADTHIS)) {
fprintf(stderr, "READ!\n");
strcpy(ptr, UPLOADTHIS);
return strlen(UPLOADTHIS);
}
fprintf(stderr, "READ NOT FINE!\n");
return 0;
}
Reported by FlawFinder.
Line: 55
Column: 21
CWE codes:
126
}
(*counter)++; /* bump */
if(size * nmemb > strlen(UPLOADTHIS)) {
fprintf(stderr, "READ!\n");
strcpy(ptr, UPLOADTHIS);
return strlen(UPLOADTHIS);
}
fprintf(stderr, "READ NOT FINE!\n");
Reported by FlawFinder.
Line: 58
Column: 12
CWE codes:
126
if(size * nmemb > strlen(UPLOADTHIS)) {
fprintf(stderr, "READ!\n");
strcpy(ptr, UPLOADTHIS);
return strlen(UPLOADTHIS);
}
fprintf(stderr, "READ NOT FINE!\n");
return 0;
}
static curlioerr ioctlcallback(CURL *handle,
Reported by FlawFinder.
Line: 114
Column: 50
CWE codes:
126
test_setopt(curl, CURLOPT_READDATA, &counter);
/* We CANNOT do the POST fine without setting the size (or choose
chunked)! */
test_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(UPLOADTHIS));
#endif
test_setopt(curl, CURLOPT_POST, 1L);
test_setopt(curl, CURLOPT_PROXY, libtest_arg2);
test_setopt(curl, CURLOPT_PROXYUSERPWD, libtest_arg3);
test_setopt(curl, CURLOPT_PROXYAUTH,
Reported by FlawFinder.
src/tool_cb_hdr.c
4 issues
Line: 206
Column: 7
CWE codes:
134
Suggestion:
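Use a constant for the format specification. The format in this excerpt is assembled from the BOLD and BOLDOFF macros and a literal, so it is constant if those macros expand to string literals. Separately, %.*s takes an int precision while namelen is declared as size_t, so the argument should be range-checked and cast to int before it is passed.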
value = memchr(ptr, ':', cb);
if(value) {
size_t namelen = value - ptr;
fprintf(outs->stream, BOLD "%.*s" BOLDOFF ":", namelen, ptr);
fwrite(&value[1], cb - namelen - 1, 1, outs->stream);
}
else
/* not "handled", just show it */
fwrite(ptr, cb, 1, outs->stream);
Reported by FlawFinder.
Line: 230
Column: 3
CWE codes:
120
Suggestion:
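Make sure destination can always hold the source data. In this excerpt copy is allocated as len + 1 bytes immediately before len bytes are copied into it, so the destination holds the source as long as len + 1 does not wrap.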
copy = malloc(len + 1);
if(!copy)
return NULL;
memcpy(copy, ptr, len);
copy[len] = '\0';
p = copy;
if(*p == '\'' || *p == '"') {
/* store the starting quote */
Reported by FlawFinder.
Line: 300
Column: 7
CWE codes:
119
120
Suggestion:
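Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the only write to buffer is msnprintf() with sizeof(buffer) as the limit, so an over-long CURL_TESTDIR/filename pair would be truncated rather than overflow; the truncation itself is not detected.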
{
char *tdir = curlx_getenv("CURL_TESTDIR");
if(tdir) {
char buffer[512]; /* suitably large */
msnprintf(buffer, sizeof(buffer), "%s/%s", tdir, copy);
Curl_safefree(copy);
copy = strdup(buffer); /* clone the buffer, we don't use the libcurl
aprintf() or similar since we want to use the
same memory code as the "real" parse_filename
Reported by FlawFinder.
Line: 279
Column: 22
CWE codes:
126
*q = '\0';
if(copy != p)
memmove(copy, p, strlen(p) + 1);
#if defined(MSDOS) || defined(WIN32)
{
char *sanitized;
SANITIZEcode sc = sanitize_file_name(&sanitized, copy, 0);
Reported by FlawFinder.
tests/libtest/lib555.c
4 issues
Line: 64
Column: 5
CWE codes:
120
Suggestion:
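Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In this excerpt the strcpy() runs only after size * nmemb > strlen(uploadthis) has been checked, so the copy, including its terminator, fits within the size the caller reported.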
if(size * nmemb > strlen(uploadthis)) {
fprintf(stderr, "READ!\n");
strcpy(ptr, uploadthis);
return strlen(uploadthis);
}
fprintf(stderr, "READ NOT FINE!\n");
return 0;
}
Reported by FlawFinder.
Line: 62
Column: 21
CWE codes:
126
}
(*counter)++; /* bump */
if(size * nmemb > strlen(uploadthis)) {
fprintf(stderr, "READ!\n");
strcpy(ptr, uploadthis);
return strlen(uploadthis);
}
fprintf(stderr, "READ NOT FINE!\n");
Reported by FlawFinder.
Line: 65
Column: 12
CWE codes:
126
if(size * nmemb > strlen(uploadthis)) {
fprintf(stderr, "READ!\n");
strcpy(ptr, uploadthis);
return strlen(uploadthis);
}
fprintf(stderr, "READ NOT FINE!\n");
return 0;
}
static curlioerr ioctlcallback(CURL *handle,
Reported by FlawFinder.
Line: 109
Column: 50
CWE codes:
126
easy_setopt(curl, CURLOPT_READDATA, &counter);
/* We CANNOT do the POST fine without setting the size (or choose
chunked)! */
easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(uploadthis));
easy_setopt(curl, CURLOPT_POST, 1L);
easy_setopt(curl, CURLOPT_PROXY, libtest_arg2);
easy_setopt(curl, CURLOPT_PROXYUSERPWD, libtest_arg3);
easy_setopt(curl, CURLOPT_PROXYAUTH,
Reported by FlawFinder.
tests/libtest/lib1591.c
4 issues
Line: 49
Column: 3
CWE codes:
120
Suggestion:
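Make sure destination can always hold the source data. In the excerpts for this file amount starts as nmemb * size, but the clamp assigns strlen(data) rather than strlen(data)-consumed. Once consumed is non-zero, amount can therefore end up larger than the size the caller requested, and memcpy(ptr, data, amount) would then write past ptr. The copy also reads from data, not data + consumed.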
consumed += amount;
(void)stream;
memcpy(ptr, data, amount);
return amount;
}
/*
* carefully not leak memory on OOM
Reported by FlawFinder.
Line: 39
Column: 18
CWE codes:
126
{
size_t amount = nmemb * size; /* Total bytes curl wants */
if(consumed == strlen(data)) {
return 0;
}
if(amount > strlen(data)-consumed) {
amount = strlen(data);
Reported by FlawFinder.
Line: 43
Column: 15
CWE codes:
126
return 0;
}
if(amount > strlen(data)-consumed) {
amount = strlen(data);
}
consumed += amount;
(void)stream;
Reported by FlawFinder.
Line: 44
Column: 14
CWE codes:
126
}
if(amount > strlen(data)-consumed) {
amount = strlen(data);
}
consumed += amount;
(void)stream;
memcpy(ptr, data, amount);
Reported by FlawFinder.
lib/vtls/mesalink.c
4 issues
Line: 310
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return CURLE_OK;
}
else {
char error_buffer[MESALINK_MAX_ERROR_SZ];
failf(data,
"SSL_connect failed with error %d: %s",
detail,
ERR_error_string_n(detail, error_buffer, sizeof(error_buffer)));
ERR_print_errors_fp(stderr);
Reported by FlawFinder.
Line: 390
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
char error_buffer[MESALINK_MAX_ERROR_SZ];
int memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
int rc = SSL_write(BACKEND->handle, mem, memlen);
if(rc < 0) {
int err = SSL_get_error(BACKEND->handle, rc);
Reported by FlawFinder.
Line: 438
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[num];
char error_buffer[MESALINK_MAX_ERROR_SZ];
int buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
int nread = SSL_read(BACKEND->handle, buf, buffsize);
if(nread <= 0) {
int err = SSL_get_error(BACKEND->handle, nread);
Reported by FlawFinder.
Line: 102
Column: 25
CWE codes:
126
struct in6_addr addr6;
#endif
const char * const hostname = SSL_HOST_NAME();
size_t hostname_len = strlen(hostname);
SSL_METHOD *req_method = NULL;
curl_socket_t sockfd = conn->sock[sockindex];
if(connssl->state == ssl_connection_complete)
Reported by FlawFinder.
lib/openldap.c
4 issues
Line: 231
Column: 21
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
#ifdef CURL_OPENLDAP_DEBUG
static int do_trace = 0;
const char *env = getenv("CURL_OPENLDAP_TRACE");
do_trace = (env && strtol(env, NULL, 10) > 0);
if(do_trace) {
ldap_set_option(li->ld, LDAP_OPT_DEBUG_LEVEL, &do_trace);
}
#endif
Reported by FlawFinder.
Line: 217
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct connectdata *conn = data->conn;
struct ldapconninfo *li = conn->proto.ldapc;
int rc, proto = LDAP_VERSION3;
char hosturl[1024];
char *ptr;
(void)done;
strcpy(hosturl, "ldap");
Reported by FlawFinder.
Line: 222
Column: 3
CWE codes:
120
Suggestion:
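Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In this excerpt the source is the four-character literal "ldap" and the destination is char hosturl[1024], so this particular copy cannot overflow. The variable-length host and port are appended with msnprintf(), limited to the space remaining in hosturl.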
(void)done;
strcpy(hosturl, "ldap");
ptr = hosturl + 4;
if(conn->handler->flags & PROTOPT_SSL)
*ptr++ = 's';
msnprintf(ptr, sizeof(hosturl)-(ptr-hosturl), "://%s:%d",
conn->host.name, conn->remote_port);
Reported by FlawFinder.
Line: 302
Column: 23
CWE codes:
126
if(conn->bits.user_passwd) {
binddn = conn->user;
passwd.bv_val = conn->passwd;
passwd.bv_len = strlen(passwd.bv_val);
}
else {
binddn = NULL;
passwd.bv_val = NULL;
passwd.bv_len = 0;
Reported by FlawFinder.