The following issues were found
lib/vauth/krb5_gssapi.c
3 issues
Line: 266
Column: 5
CWE codes:
120
Suggestion:
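Make sure destination can always hold the source data. In the line-251 excerpt of this file, message is allocated with messagelen = 4 + strlen(authzid) bytes, so the messagelen - 4 bytes copied to message + 4 fit the allocation, provided authzid is unchanged between the two points.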
/* If given, append the authorization identity. */
if(authzid && *authzid)
memcpy(message + 4, authzid, messagelen - 4);
/* Setup the "authentication data" security buffer */
input_token.value = message;
input_token.length = messagelen;
Reported by FlawFinder.
Line: 107
Column: 24
CWE codes:
126
/* Populate the SPN structure */
spn_token.value = spn;
spn_token.length = strlen(spn);
/* Import the SPN */
major_status = gss_import_name(&minor_status, &spn_token,
GSS_C_NT_HOSTBASED_SERVICE, &krb5->spn);
if(GSS_ERROR(major_status)) {
Reported by FlawFinder.
Line: 251
Column: 19
CWE codes:
126
/* Allocate our message */
messagelen = 4;
if(authzid)
messagelen += strlen(authzid);
message = malloc(messagelen);
if(!message)
return CURLE_OUT_OF_MEMORY;
/* Populate the message with the security layer and client supported receive
Reported by FlawFinder.
lib/vquic/vquic.c
3 issues
Line: 54
Column: 26
CWE codes:
807
20
Suggestion:
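Check environment variables carefully before using them. QLOGDIR is set by whoever controls the process environment; the later excerpts show a file name built in fname and passed to open(), so if qlog_dir forms its directory part (not visible in the excerpt) it decides where the qlog file is created.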
size_t scidlen,
int *qlogfdp)
{
const char *qlog_dir = getenv("QLOGDIR");
*qlogfdp = -1;
if(qlog_dir) {
struct dynbuf fname;
CURLcode result;
unsigned int i;
Reported by FlawFinder.
Line: 65
Column: 7
CWE codes:
119
120
Suggestion:
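Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the flagged buffer is char hex[3], and the only write shown goes through msnprintf with an explicit size of 3.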
if(!result)
result = Curl_dyn_add(&fname, "/");
for(i = 0; (i < scidlen) && !result; i++) {
char hex[3];
msnprintf(hex, 3, "%02x", scid[i]);
result = Curl_dyn_add(&fname, hex);
}
if(!result)
result = Curl_dyn_add(&fname, ".qlog");
Reported by FlawFinder.
Line: 73
Column: 20
CWE codes:
362
result = Curl_dyn_add(&fname, ".qlog");
if(!result) {
int qlogfd = open(Curl_dyn_ptr(&fname), QLOGMODE,
data->set.new_file_perms);
if(qlogfd != -1)
*qlogfdp = qlogfd;
}
Curl_dyn_free(&fname);
Reported by FlawFinder.
lib/vtls/rustls.c
3 issues
Line: 159
CWE codes:
682
while(plain_bytes_copied < plainlen) {
rresult = rustls_connection_read(rconn,
(uint8_t *)plainbuf + plain_bytes_copied,
plainlen - plain_bytes_copied,
&n);
if(rresult == RUSTLS_RESULT_ALERT_CLOSE_NOTIFY) {
*err = CURLE_OK;
return 0;
Reported by Cppcheck.
Line: 126
Column: 3
CWE codes:
119
120
Suggestion:
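Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declaration is char errorbuf[255]; the excerpt does not show the call that fills it, so confirm that the write is bounded by the buffer size.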
size_t tls_bytes_read = 0;
size_t plain_bytes_copied = 0;
rustls_result rresult = 0;
char errorbuf[255];
rustls_io_result io_error;
io_error = rustls_connection_read_tls(rconn, read_cb,
&conn->sock[sockindex], &tls_bytes_read);
if(io_error == EAGAIN || io_error == EWOULDBLOCK) {
Reported by FlawFinder.
Line: 297
Column: 3
CWE codes:
119
120
Suggestion:
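Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declaration is char errorbuf[256], declared next to errorlen; the call that fills it is outside the excerpt, so confirm that the write is bounded by the buffer size.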
const char *const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char *hostname = conn->host.name;
char errorbuf[256];
size_t errorlen;
int result;
rustls_slice_bytes alpn[2] = {
{ (const uint8_t *)ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH },
{ (const uint8_t *)ALPN_H2, ALPN_H2_LENGTH },
Reported by FlawFinder.
lib/x509asn1.c
3 issues
Line: 303
Column: 7
CWE codes:
120
Suggestion:
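Make sure destination can always hold the source data. The allocation of buf is outside this excerpt; the copy is safe only if buf was sized for at least inlength bytes.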
/* Just copy. */
outlength = inlength;
if(outlength)
memcpy(buf, from, outlength);
}
else {
for(outlength = 0; from < end;) {
int charsize;
unsigned int wc;
Reported by FlawFinder.
Line: 1206
Column: 40
CWE codes:
126
case 2: /* DNS name. */
len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING,
name.beg, name.end);
if(len > 0 && (size_t)len == strlen(dnsname))
matched = Curl_cert_hostcheck(dnsname, hostname);
else
matched = 0;
free(dnsname);
break;
Reported by FlawFinder.
Line: 1264
Column: 8
CWE codes:
126
free(dnsname);
return CURLE_OUT_OF_MEMORY;
}
if(strlen(dnsname) != (size_t) len) /* Nul byte in string ? */
failf(data, "SSL: illegal cert name field");
else if(Curl_cert_hostcheck((const char *) dnsname, hostname)) {
infof(data, " common name: %s (matched)", dnsname);
free(dnsname);
return CURLE_OK;
Reported by FlawFinder.
src/tool_dirhie.c
3 issues
Line: 150
Column: 11
CWE codes:
120
Suggestion:
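Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In the line-111 excerpt dirbuildup is allocated with strlen(outfile) + 1 bytes, so this strcpy fits only as long as tempdir is never longer than outfile; tempdir appears to be a token of outdup, the copy of outfile, but its assignment is outside the excerpts.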
skip = true;
#endif
/* the output string doesn't start with a separator */
strcpy(dirbuildup, tempdir);
}
else
msnprintf(dirbuildup, outlen, "%s%s", DIR_CHAR, tempdir);
}
/* Create directory. Ignore access denied error to allow traversal. */
Reported by FlawFinder.
Line: 111
Column: 12
CWE codes:
126
CURLcode result = CURLE_OK;
size_t outlen;
outlen = strlen(outfile);
outdup = strdup(outfile);
if(!outdup)
return CURLE_OUT_OF_MEMORY;
dirbuildup = malloc(outlen + 1);
Reported by FlawFinder.
Line: 133
Column: 21
CWE codes:
126
/* since strtok returns a token for the last word even
if not ending with DIR_CHAR, we need to prune it */
if(tempdir2 != NULL) {
size_t dlen = strlen(dirbuildup);
if(dlen)
msnprintf(&dirbuildup[dlen], outlen - dlen, "%s%s", DIR_CHAR, tempdir);
else {
if(outdup == tempdir) {
#if defined(MSDOS) || defined(WIN32)
Reported by FlawFinder.
src/tool_getpass.c
3 issues
Line: 226
Column: 12
CWE codes:
362
{
ssize_t nread;
bool disabled;
int fd = open("/dev/tty", O_RDONLY);
if(-1 == fd)
fd = STDIN_FILENO; /* use stdin if the tty couldn't be used */
disabled = ttyecho(FALSE, fd); /* disable terminal echo */
Reported by FlawFinder.
Line: 91
Column: 28
CWE codes:
126
sts = sys$qiow(0, chan,
IO$_READPROMPT | IO$M_NOECHO,
&iosb, 0, 0, buffer, buflen, 0, 0,
prompt, strlen(prompt));
if((sts & 1) && (iosb.iosb$w_status & 1))
buffer[iosb.iosb$w_bcnt] = '\0';
sys$dassgn(chan);
Reported by FlawFinder.
Line: 233
Column: 11
CWE codes:
120
20
disabled = ttyecho(FALSE, fd); /* disable terminal echo */
fputs(prompt, stderr);
nread = read(fd, password, buflen);
if(nread > 0)
password[--nread] = '\0'; /* null-terminate where enter is stored */
else
password[0] = '\0'; /* got nothing */
Reported by FlawFinder.
src/tool_help.c
3 issues
Line: 969
Column: 3
CWE codes:
134
Suggestion:
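Use a constant for the format specification. The flagged call concatenates the CURL_ID macro with a string literal, so the format is fixed at compile time; what remains to check is that the definition of CURL_ID contains no unescaped % conversion.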
{
const char *const *proto;
printf(CURL_ID "%s\n", curl_version());
#ifdef CURL_PATCHSTAMP
printf("Release-Date: %s, security patched: %s\n",
LIBCURL_TIMESTAMP, CURL_PATCHSTAMP);
#else
printf("Release-Date: %s\n", LIBCURL_TIMESTAMP);
Reported by FlawFinder.
Line: 984
Column: 5
CWE codes:
119
120
Suggestion:
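Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt featp has sizeof(feats)/sizeof(feats[0]) + 1 slots and the loop that fills it runs at most sizeof(feats)/sizeof(feats[0]) times, so numfeat stays inside the array.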
puts(""); /* newline */
}
if(curlinfo->features) {
char *featp[ sizeof(feats) / sizeof(feats[0]) + 1];
size_t numfeat = 0;
unsigned int i;
printf("Features:");
for(i = 0; i < sizeof(feats)/sizeof(feats[0]); i++) {
if(curlinfo->features & feats[i].bitmask)
Reported by FlawFinder.
Line: 990
Column: 29
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
printf("Features:");
for(i = 0; i < sizeof(feats)/sizeof(feats[0]); i++) {
if(curlinfo->features & feats[i].bitmask)
featp[numfeat++] = (char *)feats[i].name;
}
qsort(&featp[0], numfeat, sizeof(char *), featcomp);
for(i = 0; i< numfeat; i++)
printf(" %s", featp[i]);
puts(""); /* newline */
Reported by FlawFinder.
src/tool_msgs.c
3 issues
Line: 117
Column: 5
CWE codes:
134
Suggestion:
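Use a constant for the format specification. Here fmt is the caller-supplied format of a variadic helper (it is the argument named in va_start), so the check moves to the call sites: each must pass a literal format string and hand any external text over as an argument to %s.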
va_list ap;
va_start(ap, fmt);
fputs("curl: ", errors); /* prefix it */
vfprintf(errors, fmt, ap);
va_end(ap);
}
fprintf(errors, "curl: try 'curl --help' "
#ifdef USE_MANUAL
"or 'curl --manual' "
Reported by FlawFinder.
Line: 42
Column: 24
CWE codes:
126
const char *fmt,
va_list ap)
{
size_t width = (79 - strlen(prefix));
if(!config->mute) {
size_t len;
char *ptr;
char *print_buffer;
Reported by FlawFinder.
Line: 51
Column: 11
CWE codes:
126
print_buffer = curlx_mvaprintf(fmt, ap);
if(!print_buffer)
return;
len = strlen(print_buffer);
ptr = print_buffer;
while(len > 0) {
fputs(prefix, config->errors);
Reported by FlawFinder.
src/tool_xattr.c
3 issues
Line: 111
Column: 54
CWE codes:
126
freeptr = stripcredentials(&value);
if(value) {
#ifdef HAVE_FSETXATTR_6
err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0);
#elif defined(HAVE_FSETXATTR_5)
err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0);
#elif defined(__FreeBSD_version)
{
ssize_t rc = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER,
Reported by FlawFinder.
Line: 113
Column: 54
CWE codes:
126
#ifdef HAVE_FSETXATTR_6
err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0);
#elif defined(HAVE_FSETXATTR_5)
err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0);
#elif defined(__FreeBSD_version)
{
ssize_t rc = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER,
mappings[i].attr, value, strlen(value));
/* FreeBSD's extattr_set_fd returns the length of the extended
Reported by FlawFinder.
Line: 117
Column: 64
CWE codes:
126
#elif defined(__FreeBSD_version)
{
ssize_t rc = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER,
mappings[i].attr, value, strlen(value));
/* FreeBSD's extattr_set_fd returns the length of the extended
attribute */
err = (rc < 0 ? -1 : 0);
}
#endif
Reported by FlawFinder.
tests/libtest/lib1537.c
3 issues
Line: 56
Column: 44
CWE codes:
126
}
printf("%s\n", ptr);
raw = curl_easy_unescape(NULL, ptr, (int)strlen(ptr), &outlen);
printf("outlen == %d\n", outlen);
printf("unescape == original? %s\n",
memcmp(raw, a, outlen) ? "no" : "YES");
curl_free(raw);
Reported by FlawFinder.
Line: 63
Column: 33
CWE codes:
126
curl_free(raw);
/* deprecated API */
raw = curl_unescape(ptr, (int)strlen(ptr));
if(!raw) {
res = TEST_ERR_MAJOR_BAD;
goto test_cleanup;
}
outlen = (int)strlen(raw);
Reported by FlawFinder.
Line: 68
Column: 17
CWE codes:
126
res = TEST_ERR_MAJOR_BAD;
goto test_cleanup;
}
outlen = (int)strlen(raw);
printf("[old] outlen == %d\n", outlen);
printf("[old] unescape == original? %s\n",
memcmp(raw, a, outlen) ? "no" : "YES");
curl_free(raw);
curl_free(ptr);
Reported by FlawFinder.