The following issues were found
docs/examples/cookie_interface.c
3 issues
Line: 93
Column: 18
CWE codes:
134
Suggestion:
Use a constant for the format specification
printf("-----------------------------------------------\n"
"Setting a cookie \"PREF\" via cookie interface:\n");
#ifdef WIN32
#define snprintf _snprintf
#endif
/* Netscape format cookie */
snprintf(nline, sizeof(nline), "%s\t%s\t%s\t%s\t%.0f\t%s\t%s",
".example.com", "TRUE", "/", "FALSE",
difftime(time(NULL) + 31337, (time_t)0),
Reported by FlawFinder.
Line: 93
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
printf("-----------------------------------------------\n"
"Setting a cookie \"PREF\" via cookie interface:\n");
#ifdef WIN32
#define snprintf _snprintf
#endif
/* Netscape format cookie */
snprintf(nline, sizeof(nline), "%s\t%s\t%s\t%s\t%.0f\t%s\t%s",
".example.com", "TRUE", "/", "FALSE",
difftime(time(NULL) + 31337, (time_t)0),
Reported by FlawFinder.
Line: 72
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
curl_global_init(CURL_GLOBAL_ALL);
curl = curl_easy_init();
if(curl) {
char nline[512];
curl_easy_setopt(curl, CURLOPT_URL, "https://www.example.com/");
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
curl_easy_setopt(curl, CURLOPT_COOKIEFILE, ""); /* start cookie engine */
res = curl_easy_perform(curl);
Reported by FlawFinder.
docs/examples/http2-serverpush.c
3 issues
Line: 133
Column: 15
CWE codes:
362
static int setup(CURL *hnd)
{
FILE *out = fopen(OUTPUTFILE, "wb");
if(!out)
/* failed */
return 1;
/* write to this file */
Reported by FlawFinder.
Line: 172
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *headp;
size_t i;
int *transfers = (int *)userp;
char filename[128];
FILE *out;
static unsigned int count = 0;
(void)parent; /* we have no use for this */
Reported by FlawFinder.
Line: 181
Column: 9
CWE codes:
362
snprintf(filename, 128, "push%u", count++);
/* here's a new stream, save it in a new file for each new push */
out = fopen(filename, "wb");
if(!out) {
/* if we can't save it, deny it */
fprintf(stderr, "Failed to create output file for push\n");
return CURL_PUSH_DENY;
}
Reported by FlawFinder.
tests/libtest/lib553.c
3 issues
Line: 36
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static size_t myreadfunc(char *ptr, size_t size, size_t nmemb, void *stream)
{
static size_t total = POSTLEN;
static char buf[1024];
(void)stream;
memset(buf, 'A', sizeof(buf));
size *= nmemb;
Reported by FlawFinder.
Line: 48
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(size > sizeof(buf))
size = sizeof(buf);
memcpy(ptr, buf, size);
total -= size;
return size;
}
#define NUM_HEADERS 8
Reported by FlawFinder.
Line: 56
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NUM_HEADERS 8
#define SIZE_HEADERS 5000
static char buf[SIZE_HEADERS + 100];
int test(char *URL)
{
CURL *curl;
CURLcode res = CURLE_FAILED_INIT;
Reported by FlawFinder.
docs/examples/http2-download.c
3 issues
Line: 146
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void setup(struct transfer *t, int num)
{
char filename[128];
CURL *hnd;
hnd = t->easy = curl_easy_init();
curl_msnprintf(filename, 128, "dl-%d", num);
Reported by FlawFinder.
Line: 153
Column: 12
CWE codes:
362
curl_msnprintf(filename, 128, "dl-%d", num);
t->out = fopen(filename, "wb");
if(!t->out) {
fprintf(stderr, "error: could not open file %s for writing: %s\n",
filename, strerror(errno));
exit(1);
}
Reported by FlawFinder.
Line: 196
Column: 21
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
int num_transfers;
if(argc > 1) {
/* if given a number, do that many transfers */
num_transfers = atoi(argv[1]);
if((num_transfers < 1) || (num_transfers > NUM_HANDLES))
num_transfers = 3; /* a suitable low default */
}
else
num_transfers = 3; /* suitable default */
Reported by FlawFinder.
lib/hostip6.c
3 issues
Line: 82
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
printf("dump_addrinfo:\n");
for(; ai; ai = ai->ai_next) {
char buf[INET6_ADDRSTRLEN];
printf(" fam %2d, CNAME %s, ",
ai->ai_family, ai->ai_canonname ? ai->ai_canonname : "<none>");
Curl_printable_address(ai, buf, sizeof(buf));
printf("%s\n", buf);
}
Reported by FlawFinder.
Line: 110
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct addrinfo hints;
struct Curl_addrinfo *res;
int error;
char sbuf[12];
char *sbufptr = NULL;
#ifndef USE_RESOLVE_ON_IPS
char addrbuf[128];
#endif
int pf = PF_INET;
Reported by FlawFinder.
Line: 113
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char sbuf[12];
char *sbufptr = NULL;
#ifndef USE_RESOLVE_ON_IPS
char addrbuf[128];
#endif
int pf = PF_INET;
*waitp = 0; /* synchronous response only */
Reported by FlawFinder.
lib/gopher.c
3 issues
Line: 155
Column: 6
CWE codes:
126
return CURLE_OUT_OF_MEMORY;
/* Create selector. Degenerate cases: / and /1 => convert to "" */
if(strlen(gopherpath) <= 2) {
sel = (char *)"";
len = strlen(sel);
free(gopherpath);
}
else {
Reported by FlawFinder.
Line: 157
Column: 11
CWE codes:
126
/* Create selector. Degenerate cases: / and /1 => convert to "" */
if(strlen(gopherpath) <= 2) {
sel = (char *)"";
len = strlen(sel);
free(gopherpath);
}
else {
char *newp;
Reported by FlawFinder.
Line: 180
Column: 8
CWE codes:
126
for(;;) {
/* Break out of the loop if the selector is empty because OpenSSL and/or
LibreSSL fail with errno 0 if this is the case. */
if(strlen(sel) < 1)
break;
result = Curl_write(data, sockfd, sel, k, &amount);
if(!result) { /* Which may not have written it all! */
result = Curl_client_write(data, CLIENTWRITE_HEADER, sel, amount);
Reported by FlawFinder.
tests/libtest/lib1537.c
3 issues
Line: 56
Column: 44
CWE codes:
126
}
printf("%s\n", ptr);
raw = curl_easy_unescape(NULL, ptr, (int)strlen(ptr), &outlen);
printf("outlen == %d\n", outlen);
printf("unescape == original? %s\n",
memcmp(raw, a, outlen) ? "no" : "YES");
curl_free(raw);
Reported by FlawFinder.
Line: 63
Column: 33
CWE codes:
126
curl_free(raw);
/* deprecated API */
raw = curl_unescape(ptr, (int)strlen(ptr));
if(!raw) {
res = TEST_ERR_MAJOR_BAD;
goto test_cleanup;
}
outlen = (int)strlen(raw);
Reported by FlawFinder.
Line: 68
Column: 17
CWE codes:
126
res = TEST_ERR_MAJOR_BAD;
goto test_cleanup;
}
outlen = (int)strlen(raw);
printf("[old] outlen == %d\n", outlen);
printf("[old] unescape == original? %s\n",
memcmp(raw, a, outlen) ? "no" : "YES");
curl_free(raw);
curl_free(ptr);
Reported by FlawFinder.
CMake/CurlTests.c
3 issues
Line: 102
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
defined(HAVE_GETHOSTBYNAME_R_5_REENTRANT) || \
defined(HAVE_GETHOSTBYNAME_R_6) || \
defined(HAVE_GETHOSTBYNAME_R_6_REENTRANT)
char buffer[8192];
int h_errnop;
struct hostent *hp;
#endif
#if defined(HAVE_GETHOSTBYNAME_R_3) || \
Reported by FlawFinder.
Line: 438
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int
main () {
char buffer[1024];
/* This will not compile if strerror_r does not return a char* */
check(strerror_r(EACCES, buffer, sizeof(buffer))[0]);
return 0;
}
#endif
Reported by FlawFinder.
Line: 453
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int
main () {
char buffer[1024];
/* This will not compile if strerror_r does not return an int */
check(strerror_r(EACCES, buffer, sizeof(buffer)));
return 0;
}
#endif
Reported by FlawFinder.
tests/libtest/lib1915.c
3 issues
Line: 50
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
host = preload_hosts[s->index++];
if(host && (strlen(host) < e->namelen)) {
strcpy(e->name, host);
e->includeSubDomains = FALSE;
strcpy(e->expire, "20370320 01:02:03"); /* curl turns 39 that day
just before 31-bit time_t overflow */
fprintf(stderr, "add '%s'\n", host);
}
Reported by FlawFinder.
Line: 52
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if(host && (strlen(host) < e->namelen)) {
strcpy(e->name, host);
e->includeSubDomains = FALSE;
strcpy(e->expire, "20370320 01:02:03"); /* curl turns 39 that day
just before 31-bit time_t overflow */
fprintf(stderr, "add '%s'\n", host);
}
else
return CURLSTS_DONE;
Reported by FlawFinder.
Line: 49
Column: 15
CWE codes:
126
(void)easy;
host = preload_hosts[s->index++];
if(host && (strlen(host) < e->namelen)) {
strcpy(e->name, host);
e->includeSubDomains = FALSE;
strcpy(e->expire, "20370320 01:02:03"); /* curl turns 39 that day
just before 31-bit time_t overflow */
fprintf(stderr, "add '%s'\n", host);
Reported by FlawFinder.
lib/dynbuf.c
3 issues
Line: 109
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if(len)
memcpy(&s->bufr[indx], mem, len);
s->leng = indx + len;
s->bufr[s->leng] = 0;
return CURLE_OK;
}
Reported by FlawFinder.
Line: 172
Column: 14
CWE codes:
126
*/
CURLcode Curl_dyn_add(struct dynbuf *s, const char *str)
{
size_t n = strlen(str);
DEBUGASSERT(s);
DEBUGASSERT(s->init == DYNINIT);
DEBUGASSERT(!s->leng || s->bufr);
return dyn_nappend(s, (unsigned char *)str, n);
}
Reported by FlawFinder.
Line: 198
Column: 60
CWE codes:
126
str = vaprintf(fmt, ap); /* this allocs a new string to append */
if(str) {
CURLcode result = dyn_nappend(s, (unsigned char *)str, strlen(str));
free(str);
return result;
}
/* If we failed, we cleanup the whole buffer and return error */
Curl_dyn_free(s);
Reported by FlawFinder.