The following issues were found
lib/vssh/wolfssh.c
4 issues
Line: 519
Column: 11
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sshc->actualcode = CURLE_OUT_OF_MEMORY;
}
else {
memcpy(sshc->homedir, name->fName, name->fSz);
sshc->homedir[name->fSz] = 0;
infof(data, "wolfssh SFTP realpath succeeded!");
}
wolfSSH_SFTPNAME_list_free(name);
state(data, SSH_STOP);
Reported by FlawFinder.
Line: 356
Column: 49
CWE codes:
126
"PUBLICCKEY"));
if(authtype == WOLFSSH_USERAUTH_PASSWORD) {
authdata->sf.password.password = (byte *)data->conn->passwd;
authdata->sf.password.passwordSz = (word32) strlen(data->conn->passwd);
}
return 0;
}
Reported by FlawFinder.
Line: 559
Column: 27
CWE codes:
126
if(data->set.upload)
state(data, SSH_SFTP_UPLOAD_INIT);
else {
if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')
state(data, SSH_SFTP_READDIR_INIT);
else
state(data, SSH_SFTP_DOWNLOAD_INIT);
}
break;
Reported by FlawFinder.
Line: 872
Column: 44
CWE codes:
126
break;
}
result = Curl_client_write(data, CLIENTWRITE_BODY,
line, strlen(line));
free(line);
if(result) {
sshc->actualcode = result;
break;
}
Reported by FlawFinder.
tests/libtest/lib1915.c
3 issues
Line: 50
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
host = preload_hosts[s->index++];
if(host && (strlen(host) < e->namelen)) {
strcpy(e->name, host);
e->includeSubDomains = FALSE;
strcpy(e->expire, "20370320 01:02:03"); /* curl turns 39 that day
just before 31-bit time_t overflow */
fprintf(stderr, "add '%s'\n", host);
}
Reported by FlawFinder.
Line: 52
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if(host && (strlen(host) < e->namelen)) {
strcpy(e->name, host);
e->includeSubDomains = FALSE;
strcpy(e->expire, "20370320 01:02:03"); /* curl turns 39 that day
just before 31-bit time_t overflow */
fprintf(stderr, "add '%s'\n", host);
}
else
return CURLSTS_DONE;
Reported by FlawFinder.
Line: 49
Column: 15
CWE codes:
126
(void)easy;
host = preload_hosts[s->index++];
if(host && (strlen(host) < e->namelen)) {
strcpy(e->name, host);
e->includeSubDomains = FALSE;
strcpy(e->expire, "20370320 01:02:03"); /* curl turns 39 that day
just before 31-bit time_t overflow */
fprintf(stderr, "add '%s'\n", host);
Reported by FlawFinder.
docs/examples/imap-append.c
3 issues
Line: 76
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t len = strlen(data);
if(room < len)
len = room;
memcpy(ptr, data, len);
upload_ctx->bytes_read += len;
return len;
}
Reported by FlawFinder.
Line: 73
Column: 18
CWE codes:
126
data = &payload_text[upload_ctx->bytes_read];
if(data) {
size_t len = strlen(data);
if(room < len)
len = room;
memcpy(ptr, data, len);
upload_ctx->bytes_read += len;
Reported by FlawFinder.
Line: 111
Column: 18
CWE codes:
126
curl_easy_setopt(curl, CURLOPT_READDATA, &upload_ctx);
curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
infilesize = strlen(payload_text);
curl_easy_setopt(curl, CURLOPT_INFILESIZE, infilesize);
/* Perform the append */
res = curl_easy_perform(curl);
Reported by FlawFinder.
lib/vtls/rustls.c
3 issues
Line: 159
CWE codes:
682
while(plain_bytes_copied < plainlen) {
rresult = rustls_connection_read(rconn,
(uint8_t *)plainbuf + plain_bytes_copied,
plainlen - plain_bytes_copied,
&n);
if(rresult == RUSTLS_RESULT_ALERT_CLOSE_NOTIFY) {
*err = CURLE_OK;
return 0;
Reported by Cppcheck.
Line: 126
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t tls_bytes_read = 0;
size_t plain_bytes_copied = 0;
rustls_result rresult = 0;
char errorbuf[255];
rustls_io_result io_error;
io_error = rustls_connection_read_tls(rconn, read_cb,
&conn->sock[sockindex], &tls_bytes_read);
if(io_error == EAGAIN || io_error == EWOULDBLOCK) {
Reported by FlawFinder.
Line: 297
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char *hostname = conn->host.name;
char errorbuf[256];
size_t errorlen;
int result;
rustls_slice_bytes alpn[2] = {
{ (const uint8_t *)ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH },
{ (const uint8_t *)ALPN_H2, ALPN_H2_LENGTH },
Reported by FlawFinder.
lib/asyn-thread.c
3 issues
Line: 235
CWE codes:
476
tsd->done = 1;
#ifdef HAVE_GETADDRINFO
DEBUGASSERT(hints);
tsd->hints = *hints;
#else
(void) hints;
#endif
tsd->mtx = malloc(sizeof(curl_mutex_t));
Reported by Cppcheck.
Line: 298
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct thread_sync_data *tsd = (struct thread_sync_data *)arg;
struct thread_data *td = tsd->td;
char service[12];
int rc;
#ifndef CURL_DISABLE_SOCKETPAIR
char buf[1];
#endif
Reported by FlawFinder.
Line: 301
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char service[12];
int rc;
#ifndef CURL_DISABLE_SOCKETPAIR
char buf[1];
#endif
msnprintf(service, sizeof(service), "%d", tsd->port);
rc = Curl_getaddrinfo_ex(tsd->hostname, service, &tsd->hints, &tsd->res);
Reported by FlawFinder.
lib/asyn-ares.c
3 issues
Line: 701
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ca->ai_next = NULL;
ca->ai_addr = (void *)((char *)ca + sizeof(struct Curl_addrinfo));
memcpy(ca->ai_addr, ai->ai_addr, ss_size);
/* if the return list is empty, this becomes the first element */
if(!cafirst)
cafirst = ca;
Reported by FlawFinder.
Line: 776
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef HAVE_CARES_GETADDRINFO
{
struct ares_addrinfo_hints hints;
char service[12];
int pf = PF_INET;
memset(&hints, 0, sizeof(hints));
#ifdef CURLRES_IPV6
if(Curl_ipv6works(data))
/* The stack seems to be IPv6-enabled */
Reported by FlawFinder.
Line: 911
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *local_ip6)
{
#if defined(HAVE_CARES_SET_LOCAL) && defined(ENABLE_IPV6)
unsigned char a6[INET6_ADDRSTRLEN];
if((!local_ip6) || (local_ip6[0] == 0)) {
/* disabled: do not bind to a specific address */
memset(a6, 0, sizeof(a6));
}
Reported by FlawFinder.
lib/idn_win32.c
3 issues
Line: 77
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
wchar_t *in_w = curlx_convert_UTF8_to_wchar(in);
if(in_w) {
wchar_t punycode[IDN_MAX_LENGTH];
int chars = IdnToAscii(0, in_w, -1, punycode, IDN_MAX_LENGTH);
free(in_w);
if(chars) {
*out = curlx_convert_wchar_to_UTF8(punycode);
if(*out)
Reported by FlawFinder.
Line: 97
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
wchar_t *in_w = curlx_convert_UTF8_to_wchar(in);
if(in_w) {
size_t in_len = wcslen(in_w) + 1;
wchar_t unicode[IDN_MAX_LENGTH];
int chars = IdnToUnicode(0, in_w, curlx_uztosi(in_len),
unicode, IDN_MAX_LENGTH);
free(in_w);
if(chars) {
*out = curlx_convert_wchar_to_UTF8(unicode);
Reported by FlawFinder.
Line: 96
Column: 21
CWE codes:
126
wchar_t *in_w = curlx_convert_UTF8_to_wchar(in);
if(in_w) {
size_t in_len = wcslen(in_w) + 1;
wchar_t unicode[IDN_MAX_LENGTH];
int chars = IdnToUnicode(0, in_w, curlx_uztosi(in_len),
unicode, IDN_MAX_LENGTH);
free(in_w);
if(chars) {
Reported by FlawFinder.
lib/http_proxy.c
3 issues
Line: 591
Column: 35
CWE codes:
126
}
else {
(void)curlx_strtoofft(linep +
strlen("Content-Length:"), NULL, 10, &s->cl);
}
}
else if(Curl_compareheader(linep, "Connection:", "close"))
s->close_connection = TRUE;
else if(checkprefix("Transfer-Encoding:", linep)) {
Reported by FlawFinder.
Line: 800
Column: 35
CWE codes:
126
goto error;
}
if(hyper_request_set_method(req, (uint8_t *)"CONNECT",
strlen("CONNECT"))) {
failf(data, "error setting method");
goto error;
}
result = CONNECT_host(data, conn, hostname, remote_port,
Reported by FlawFinder.
Line: 811
Column: 32
CWE codes:
126
goto error;
if(hyper_request_set_uri(req, (uint8_t *)hostheader,
strlen(hostheader))) {
failf(data, "error setting path");
result = CURLE_OUT_OF_MEMORY;
}
/* Setup the proxy-authorization header, if any */
result = Curl_http_output_auth(data, conn, "CONNECT", HTTPREQ_GET,
Reported by FlawFinder.
docs/examples/cookie_interface.c
3 issues
Line: 93
Column: 18
CWE codes:
134
Suggestion:
Use a constant for the format specification
printf("-----------------------------------------------\n"
"Setting a cookie \"PREF\" via cookie interface:\n");
#ifdef WIN32
#define snprintf _snprintf
#endif
/* Netscape format cookie */
snprintf(nline, sizeof(nline), "%s\t%s\t%s\t%s\t%.0f\t%s\t%s",
".example.com", "TRUE", "/", "FALSE",
difftime(time(NULL) + 31337, (time_t)0),
Reported by FlawFinder.
Line: 93
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
printf("-----------------------------------------------\n"
"Setting a cookie \"PREF\" via cookie interface:\n");
#ifdef WIN32
#define snprintf _snprintf
#endif
/* Netscape format cookie */
snprintf(nline, sizeof(nline), "%s\t%s\t%s\t%s\t%.0f\t%s\t%s",
".example.com", "TRUE", "/", "FALSE",
difftime(time(NULL) + 31337, (time_t)0),
Reported by FlawFinder.
Line: 72
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
curl_global_init(CURL_GLOBAL_ALL);
curl = curl_easy_init();
if(curl) {
char nline[512];
curl_easy_setopt(curl, CURLOPT_URL, "https://www.example.com/");
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
curl_easy_setopt(curl, CURLOPT_COOKIEFILE, ""); /* start cookie engine */
res = curl_easy_perform(curl);
Reported by FlawFinder.
docs/examples/http2-serverpush.c
3 issues
Line: 133
Column: 15
CWE codes:
362
static int setup(CURL *hnd)
{
FILE *out = fopen(OUTPUTFILE, "wb");
if(!out)
/* failed */
return 1;
/* write to this file */
Reported by FlawFinder.
Line: 172
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *headp;
size_t i;
int *transfers = (int *)userp;
char filename[128];
FILE *out;
static unsigned int count = 0;
(void)parent; /* we have no use for this */
Reported by FlawFinder.
Line: 181
Column: 9
CWE codes:
362
snprintf(filename, 128, "push%u", count++);
/* here's a new stream, save it in a new file for each new push */
out = fopen(filename, "wb");
if(!out) {
/* if we can't save it, deny it */
fprintf(stderr, "Failed to create output file for push\n");
return CURL_PUSH_DENY;
}
Reported by FlawFinder.