The following issues were found
lib/version.c
29 issues
Line: 167
Column: 30
CWE codes:
807
20
Suggestion:
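Check environment variables carefully before using them. In the excerpt below the copy into out is limited to sizeof(out)-1 bytes and the last byte is set to '\0', and the branch is compiled only when DEBUGBUILD is defined, so what remains to review is who can set CURL_VERSION in a debug build, not the buffer size.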
#ifdef DEBUGBUILD
/* Override version string when environment variable CURL_VERSION is set */
const char *debugversion = getenv("CURL_VERSION");
if(debugversion) {
strncpy(out, debugversion, sizeof(out)-1);
out[sizeof(out)-1] = '\0';
return out;
}
Reported by FlawFinder.
Line: 113
Column: 10
CWE codes:
119
120
Suggestion:
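Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. This finding points at the declaration of a fixed-size array (static char out[300]), not at a write into it; whether it is a defect depends on the code that fills the buffer, which the excerpt does not show.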
char *curl_version(void)
{
static char out[300];
char *outp;
size_t outlen;
const char *src[VERSION_PARTS];
#ifdef USE_SSL
char ssl_version[200];
Reported by FlawFinder.
Line: 116
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char out[300];
char *outp;
size_t outlen;
const char *src[VERSION_PARTS];
#ifdef USE_SSL
char ssl_version[200];
#endif
#ifdef HAVE_LIBZ
char z_version[40];
Reported by FlawFinder.
Line: 118
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t outlen;
const char *src[VERSION_PARTS];
#ifdef USE_SSL
char ssl_version[200];
#endif
#ifdef HAVE_LIBZ
char z_version[40];
#endif
#ifdef HAVE_BROTLI
Reported by FlawFinder.
Line: 121
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char ssl_version[200];
#endif
#ifdef HAVE_LIBZ
char z_version[40];
#endif
#ifdef HAVE_BROTLI
char br_version[40] = "brotli/";
#endif
#ifdef HAVE_ZSTD
Reported by FlawFinder.
Line: 124
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char z_version[40];
#endif
#ifdef HAVE_BROTLI
char br_version[40] = "brotli/";
#endif
#ifdef HAVE_ZSTD
char zst_version[40] = "zstd/";
#endif
#ifdef USE_ARES
Reported by FlawFinder.
Line: 127
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char br_version[40] = "brotli/";
#endif
#ifdef HAVE_ZSTD
char zst_version[40] = "zstd/";
#endif
#ifdef USE_ARES
char cares_version[40];
#endif
#if defined(USE_LIBIDN2)
Reported by FlawFinder.
Line: 130
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char zst_version[40] = "zstd/";
#endif
#ifdef USE_ARES
char cares_version[40];
#endif
#if defined(USE_LIBIDN2)
char idn_version[40];
#endif
#ifdef USE_LIBPSL
Reported by FlawFinder.
Line: 133
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char cares_version[40];
#endif
#if defined(USE_LIBIDN2)
char idn_version[40];
#endif
#ifdef USE_LIBPSL
char psl_version[40];
#endif
#if defined(HAVE_ICONV) && defined(CURL_DOES_CONVERSIONS)
Reported by FlawFinder.
Line: 136
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char idn_version[40];
#endif
#ifdef USE_LIBPSL
char psl_version[40];
#endif
#if defined(HAVE_ICONV) && defined(CURL_DOES_CONVERSIONS)
char iconv_version[40]="iconv";
#endif
#ifdef USE_SSH
Reported by FlawFinder.
lib/ftp.c
26 issues
Line: 998
Column: 13
CWE codes:
120
Suggestion:
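Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The excerpt does not show how addr is allocated; the strcpy is bounded only if that allocation holds at least strlen(string_ftpport) + 1 bytes, so review the allocation together with the copy.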
if(Curl_inet_pton(AF_INET6, string_ftpport, sa6) == 1) {
/* ipv6 */
port_min = port_max = 0;
strcpy(addr, string_ftpport);
ip_end = NULL; /* this got no port ! */
}
else
#endif
/* (ipv4|domain|interface):port(-range) */
Reported by FlawFinder.
Line: 1008
Column: 11
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
else
/* ipv4|interface */
strcpy(addr, string_ftpport);
}
/* parse the port */
if(ip_end != NULL) {
port_start = strchr(ip_end, ':');
Reported by FlawFinder.
Line: 928
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct connectdata *conn = data->conn;
struct ftp_conn *ftpc = &conn->proto.ftpc;
curl_socket_t portsock = CURL_SOCKET_BAD;
char myhost[MAX_IPADR_LEN + 1] = "";
struct Curl_sockaddr_storage ss;
struct Curl_addrinfo *res, *ai;
curl_socklen_t sslen;
char hbuf[NI_MAXHOST];
Reported by FlawFinder.
Line: 933
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct Curl_sockaddr_storage ss;
struct Curl_addrinfo *res, *ai;
curl_socklen_t sslen;
char hbuf[NI_MAXHOST];
struct sockaddr *sa = (struct sockaddr *)&ss;
struct sockaddr_in * const sa4 = (void *)sa;
#ifdef ENABLE_IPV6
struct sockaddr_in6 * const sa6 = (void *)sa;
#endif
Reported by FlawFinder.
Line: 949
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short port_max = 0;
unsigned short port;
bool possibly_non_local = TRUE;
char buffer[STRERROR_LEN];
char *addr = NULL;
/* Step 1, figure out what is requested,
* accepted format :
* (ipv4|ipv6|domain|interface)?(:port(-range)?)?
Reported by FlawFinder.
Line: 1124
Column: 3
CWE codes:
120
Suggestion:
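Make sure destination can always hold the source data. The destination sa points at ss, a struct Curl_sockaddr_storage (see the Line 933 finding above), and no comparison of ai->ai_addrlen against sizeof(ss) is visible in this excerpt; confirm that one precedes the copy.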
/* step 3, bind to a suitable local address */
memcpy(sa, ai->ai_addr, ai->ai_addrlen);
sslen = ai->ai_addrlen;
for(port = port_min; port <= port_max;) {
if(sa->sa_family == AF_INET)
sa4->sin_port = htons(port);
Reported by FlawFinder.
Line: 1257
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
if(PORT == fcmd) {
/* large enough for [IP address],[num],[num] */
char target[sizeof(myhost) + 20];
char *source = myhost;
char *dest = target;
/* translate x.x.x.x to x,x,x,x */
while(source && *source) {
Reported by FlawFinder.
Line: 1853
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *ptr = strchr(str, '(');
if(ptr) {
unsigned int num;
char separator[4];
ptr++;
if(5 == sscanf(ptr, "%c%c%c%u%c",
&separator[0],
&separator[1],
&separator[2],
Reported by FlawFinder.
Line: 2086
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(6 == sscanf(&data->state.buffer[4], "%04d%02d%02d%02d%02d%02d",
&year, &month, &day, &hour, &minute, &second)) {
/* we have a time, reformat it */
char timebuf[24];
msnprintf(timebuf, sizeof(timebuf),
"%04d%02d%02d %02d:%02d:%02d GMT",
year, month, day, hour, minute, second);
/* now, convert this into a time() value: */
data->info.filetime = Curl_getdate_capped(timebuf);
Reported by FlawFinder.
Line: 2102
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ftpc->file &&
data->set.get_filetime &&
(data->info.filetime >= 0) ) {
char headerbuf[128];
int headerbuflen;
time_t filetime = data->info.filetime;
struct tm buffer;
const struct tm *tm = &buffer;
Reported by FlawFinder.
tests/server/socksd.c
25 issues
Line: 158
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
config.reqcmd = CONFIG_REQCMD;
config.connectrep = CONFIG_CONNECTREP;
config.port = CONFIG_PORT;
strcpy(config.addr, CONFIG_ADDR);
strcpy(config.user, "user");
strcpy(config.password, "password");
}
static unsigned char byteval(char *value)
Reported by FlawFinder.
Line: 199
Column: 11
CWE codes:
120
Suggestion:
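Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source here appears to be a value parsed from the config file, and the destination config.addr is declared as char addr[32] (see the Line 121 finding for this file), so the copy is safe only if the parser caps the value below 32 bytes; the excerpt does not show such a cap.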
logmsg("nmethods_max [%d] set", config.nmethods_max);
}
else if(!strcmp(key, "backend")) {
strcpy(config.addr, value);
logmsg("backend [%s] set", config.addr);
}
else if(!strcmp(key, "backendport")) {
config.port = shortval(value);
logmsg("backendport [%d] set", config.port);
Reported by FlawFinder.
Line: 207
Column: 11
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
logmsg("backendport [%d] set", config.port);
}
else if(!strcmp(key, "user")) {
strcpy(config.user, value);
logmsg("user [%s] set", config.user);
}
else if(!strcmp(key, "password")) {
strcpy(config.password, value);
logmsg("password [%s] set", config.password);
Reported by FlawFinder.
Line: 211
Column: 11
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
logmsg("user [%s] set", config.user);
}
else if(!strcmp(key, "password")) {
strcpy(config.password, value);
logmsg("password [%s] set", config.password);
}
/* Methods:
o X'00' NO AUTHENTICATION REQUIRED
o X'01' GSSAPI
Reported by FlawFinder.
Line: 121
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char reqcmd;
unsigned char connectrep;
unsigned short port; /* backend port */
char addr[32]; /* backend IPv4 numerical */
char user[256];
char password[256];
};
#define CONFIG_VERSION 5
Reported by FlawFinder.
Line: 122
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char connectrep;
unsigned short port; /* backend port */
char addr[32]; /* backend IPv4 numerical */
char user[256];
char password[256];
};
#define CONFIG_VERSION 5
#define CONFIG_NMETHODS_MIN 1 /* unauth, gssapi, auth */
Reported by FlawFinder.
Line: 123
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short port; /* backend port */
char addr[32]; /* backend IPv4 numerical */
char user[256];
char password[256];
};
#define CONFIG_VERSION 5
#define CONFIG_NMETHODS_MIN 1 /* unauth, gssapi, auth */
#define CONFIG_NMETHODS_MAX 3
Reported by FlawFinder.
Line: 159
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
config.connectrep = CONFIG_CONNECTREP;
config.port = CONFIG_PORT;
strcpy(config.addr, CONFIG_ADDR);
strcpy(config.user, "user");
strcpy(config.password, "password");
}
static unsigned char byteval(char *value)
{
Reported by FlawFinder.
Line: 160
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
config.port = CONFIG_PORT;
strcpy(config.addr, CONFIG_ADDR);
strcpy(config.user, "user");
strcpy(config.password, "password");
}
static unsigned char byteval(char *value)
{
unsigned long num = strtoul(value, NULL, 10);
Reported by FlawFinder.
Line: 177
Column: 14
CWE codes:
362
static void getconfig(void)
{
FILE *fp = fopen(configfile, FOPEN_READTEXT);
resetdefaults();
if(fp) {
char buffer[512];
logmsg("parse config file");
while(fgets(buffer, sizeof(buffer), fp)) {
Reported by FlawFinder.
lib/vauth/ntlm.c
25 issues
Line: 194
Column: 7
CWE codes:
120
Suggestion:
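Make sure destination can always hold the source data. The source side matters as much here: target_info_offset and target_info_len presumably come from the received type-2 message, so both need to be checked against the message length before the copy, and that check is not visible in the excerpt.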
if(!ntlm->target_info)
return CURLE_OUT_OF_MEMORY;
memcpy(ntlm->target_info, &type2[target_info_offset], target_info_len);
}
}
ntlm->target_info_len = target_info_len;
Reported by FlawFinder.
Line: 294
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ntlm->flags = Curl_read32_le(&type2[20]);
memcpy(ntlm->nonce, &type2[24], 8);
if(ntlm->flags & NTLMFLAG_NEGOTIATE_TARGET_INFO) {
result = ntlm_decode_type2_target(data, type2ref, ntlm);
if(result) {
infof(data, "NTLM handshake failure (bad type-2 message)");
Reported by FlawFinder.
Line: 498
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURLcode result = CURLE_OK;
size_t size;
unsigned char ntlmbuf[NTLM_BUFSIZE];
int lmrespoff;
unsigned char lmresp[24]; /* fixed-size */
#ifdef USE_NTRESPONSES
int ntrespoff;
unsigned int ntresplen = 24;
Reported by FlawFinder.
Line: 500
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t size;
unsigned char ntlmbuf[NTLM_BUFSIZE];
int lmrespoff;
unsigned char lmresp[24]; /* fixed-size */
#ifdef USE_NTRESPONSES
int ntrespoff;
unsigned int ntresplen = 24;
unsigned char ntresp[24]; /* fixed-size */
unsigned char *ptr_ntresp = &ntresp[0];
Reported by FlawFinder.
Line: 504
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef USE_NTRESPONSES
int ntrespoff;
unsigned int ntresplen = 24;
unsigned char ntresp[24]; /* fixed-size */
unsigned char *ptr_ntresp = &ntresp[0];
unsigned char *ntlmv2resp = NULL;
#endif
bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE) ? TRUE : FALSE;
char host[HOSTNAME_MAX + 1] = "";
Reported by FlawFinder.
Line: 509
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *ntlmv2resp = NULL;
#endif
bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE) ? TRUE : FALSE;
char host[HOSTNAME_MAX + 1] = "";
const char *user;
const char *domain = "";
size_t hostoff = 0;
size_t useroff = 0;
size_t domoff = 0;
Reported by FlawFinder.
Line: 549
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
USE_NTRESPONSES */
if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) {
# if defined(USE_NTLM_V2)
unsigned char ntbuffer[0x18];
unsigned char entropy[8];
unsigned char ntlmv2hash[0x18];
/* Full NTLM version 2
Although this cannot be negotiated, it is used here if available, as
Reported by FlawFinder.
Line: 550
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) {
# if defined(USE_NTLM_V2)
unsigned char ntbuffer[0x18];
unsigned char entropy[8];
unsigned char ntlmv2hash[0x18];
/* Full NTLM version 2
Although this cannot be negotiated, it is used here if available, as
servers featuring extended security are likely supporting also
Reported by FlawFinder.
Line: 551
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
# if defined(USE_NTLM_V2)
unsigned char ntbuffer[0x18];
unsigned char entropy[8];
unsigned char ntlmv2hash[0x18];
/* Full NTLM version 2
Although this cannot be negotiated, it is used here if available, as
servers featuring extended security are likely supporting also
NTLMv2. */
Reported by FlawFinder.
Line: 584
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ptr_ntresp = ntlmv2resp;
# else /* defined(USE_NTLM_V2) */
unsigned char ntbuffer[0x18];
unsigned char tmp[0x18];
unsigned char md5sum[MD5_DIGEST_LEN];
unsigned char entropy[8];
/* NTLM version 1 with extended security. */
Reported by FlawFinder.
lib/vquic/ngtcp2.c
25 issues
Line: 117
Column: 3
CWE codes:
134
Suggestion:
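Use a constant for the format specification. In this excerpt fmt is a parameter forwarded to vfprintf, so the check moves to the callers: each one has to pass a literal format string. The function signature and its callers are not shown.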
va_list ap;
(void)user_data; /* TODO, use this to do infof() instead long-term */
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
fprintf(stderr, "\n");
}
#endif
Reported by FlawFinder.
Line: 175
Column: 18
CWE codes:
327
Suggestion:
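Use a more secure technique for acquiring random values. In this excerpt srandom is a local gnutls_datum_t variable passed to gnutls_session_get_random, not a call to the srandom() library function, so this finding and the Line 177 finding that follows appear to be matches on the identifier name only.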
const gnutls_datum_t *secret)
{
gnutls_datum_t crandom;
gnutls_datum_t srandom;
gnutls_session_get_random(session, &crandom, &srandom);
if(crandom.size != 32) {
return -1;
}
Reported by FlawFinder.
Line: 177
Column: 49
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
gnutls_datum_t crandom;
gnutls_datum_t srandom;
gnutls_session_get_random(session, &crandom, &srandom);
if(crandom.size != 32) {
return -1;
}
Curl_tls_keylog_write(label, crandom.data, secret->data, secret->size);
Reported by FlawFinder.
Line: 208
Column: 3
CWE codes:
120
Suggestion:
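Make sure destination can always hold the source data. The only bound visible in the excerpt is an assert(), which is compiled out when NDEBUG is defined, so a release build would depend entirely on the caller keeping crypto_data->len + len within alloclen.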
now */
assert(crypto_data->len + len <= crypto_data->alloclen);
memcpy(&crypto_data->buf[crypto_data->len], data, len);
crypto_data->len += len;
rv = ngtcp2_conn_submit_crypto_data(
qs->qconn, level, (uint8_t *)(&crypto_data->buf[crypto_data->len] - len),
len);
Reported by FlawFinder.
Line: 288
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SSL_CTX_set_default_verify_paths(ssl_ctx);
if(SSL_CTX_set_ciphersuites(ssl_ctx, QUIC_CIPHERS) != 1) {
char error_buffer[256];
ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer));
failf(data, "SSL_CTX_set_ciphersuites: %s", error_buffer);
return NULL;
}
Reported by FlawFinder.
Line: 739
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURLcode result;
ngtcp2_path path; /* TODO: this must be initialized properly */
struct quicsocket *qs = &conn->hequic[sockindex];
char ipbuf[40];
int port;
int qfd;
if(qs->conn)
Curl_quic_disconnect(data, conn, sockindex);
Reported by FlawFinder.
Line: 749
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* extract the used address as a string */
if(!Curl_addr2string((struct sockaddr*)addr, addrlen, ipbuf, &port)) {
char buffer[STRERROR_LEN];
failf(data, "ssrem inet_ntop() failed with errno %d: %s",
SOCKERRNO, Curl_strerror(SOCKERRNO, buffer, sizeof(buffer)));
return CURLE_BAD_FUNCTION_ARGUMENT;
}
Reported by FlawFinder.
Line: 950
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy as much as possible to the receive buffer */
if(stream->len) {
size_t len = CURLMIN(ncopy, stream->len);
memcpy(stream->mem, buf, len);
stream->len -= len;
stream->memlen += len;
stream->mem += len;
buf += len;
ncopy -= len;
Reported by FlawFinder.
Line: 1061
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(h3name.len == sizeof(":status") - 1 &&
!memcmp(":status", h3name.base, h3name.len)) {
char line[14]; /* status line is always 13 characters long */
size_t ncopy;
int status = decode_status_code(h3val.base, h3val.len);
DEBUGASSERT(status != -1);
ncopy = msnprintf(line, sizeof(line), "HTTP/3 %03d \r\n", status);
result = write_data(stream, line, ncopy);
Reported by FlawFinder.
Line: 1192
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t overlen = Curl_dyn_len(&stream->overflow);
size_t ncopy = CURLMIN(overlen, stream->len);
if(ncopy > 0) {
memcpy(stream->mem, Curl_dyn_ptr(&stream->overflow), ncopy);
stream->len -= ncopy;
stream->mem += ncopy;
stream->memlen += ncopy;
if(ncopy != overlen)
/* make the buffer only keep the tail */
Reported by FlawFinder.
lib/hostip.c
24 issues
Line: 520
CWE codes:
401
sa.sin_family = AF_INET;
sa.sin_port = htons(port16);
if(Curl_inet_pton(AF_INET, "127.0.0.1", (char *)&ipv4) < 1)
return NULL;
memcpy(&sa.sin_addr, &ipv4, sizeof(ipv4));
ca->ai_flags = 0;
ca->ai_family = AF_INET;
ca->ai_socktype = SOCK_STREAM;
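Reported by Cppcheck. CWE-401 is a missing release of memory: the `return NULL` after a failed Curl_inet_pton exits without freeing ca, assuming ca was allocated earlier in the function as in the IPv6 variant shown under the Line 472 finding.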
Line: 267
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct Curl_dns_entry *dns = NULL;
size_t entry_len;
char entry_id[MAX_HOSTCACHE_LEN];
/* Create an entry id, based upon the hostname and port */
create_hostcache_id(hostname, port, entry_id, sizeof(entry_id));
entry_len = strlen(entry_id);
Reported by FlawFinder.
Line: 421
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *hostname,
int port)
{
char entry_id[MAX_HOSTCACHE_LEN];
size_t entry_len;
struct Curl_dns_entry *dns;
struct Curl_dns_entry *dns2;
#ifndef CURL_DISABLE_SHUFFLE_DNS
Reported by FlawFinder.
Line: 472
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const size_t ss_size = sizeof(struct sockaddr_in6);
const size_t hostlen = strlen("localhost");
struct sockaddr_in6 sa6;
unsigned char ipv6[16];
unsigned short port16 = (unsigned short)(port & 0xffff);
ca = calloc(sizeof(struct Curl_addrinfo) + ss_size + hostlen + 1, 1);
if(!ca)
return NULL;
Reported by FlawFinder.
Line: 484
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sa6.sin6_scope_id = 0;
if(Curl_inet_pton(AF_INET6, "::1", ipv6) < 1)
return NULL;
memcpy(&sa6.sin6_addr, ipv6, sizeof(ipv6));
ca->ai_flags = 0;
ca->ai_family = AF_INET6;
ca->ai_socktype = SOCK_STREAM;
ca->ai_protocol = IPPROTO_TCP;
Reported by FlawFinder.
Line: 493
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ca->ai_addrlen = (curl_socklen_t)ss_size;
ca->ai_next = NULL;
ca->ai_addr = (void *)((char *)ca + sizeof(struct Curl_addrinfo));
memcpy(ca->ai_addr, &sa6, ss_size);
ca->ai_canonname = (char *)ca->ai_addr + ss_size;
strcpy(ca->ai_canonname, "localhost");
return ca;
}
#else
Reported by FlawFinder.
Line: 495
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ca->ai_addr = (void *)((char *)ca + sizeof(struct Curl_addrinfo));
memcpy(ca->ai_addr, &sa6, ss_size);
ca->ai_canonname = (char *)ca->ai_addr + ss_size;
strcpy(ca->ai_canonname, "localhost");
return ca;
}
#else
#define get_localhost6(x) NULL
#endif
Reported by FlawFinder.
Line: 521
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sa.sin_port = htons(port16);
if(Curl_inet_pton(AF_INET, "127.0.0.1", (char *)&ipv4) < 1)
return NULL;
memcpy(&sa.sin_addr, &ipv4, sizeof(ipv4));
ca->ai_flags = 0;
ca->ai_family = AF_INET;
ca->ai_socktype = SOCK_STREAM;
ca->ai_protocol = IPPROTO_TCP;
Reported by FlawFinder.
Line: 529
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ca->ai_protocol = IPPROTO_TCP;
ca->ai_addrlen = (curl_socklen_t)ss_size;
ca->ai_addr = (void *)((char *)ca + sizeof(struct Curl_addrinfo));
memcpy(ca->ai_addr, &sa, ss_size);
ca->ai_canonname = (char *)ca->ai_addr + ss_size;
strcpy(ca->ai_canonname, "localhost");
ca->ai_next = get_localhost6(port);
return ca;
}
Reported by FlawFinder.
Line: 531
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ca->ai_addr = (void *)((char *)ca + sizeof(struct Curl_addrinfo));
memcpy(ca->ai_addr, &sa, ss_size);
ca->ai_canonname = (char *)ca->ai_addr + ss_size;
strcpy(ca->ai_canonname, "localhost");
ca->ai_next = get_localhost6(port);
return ca;
}
#ifdef ENABLE_IPV6
Reported by FlawFinder.
lib/mime.c
24 issues
Line: 1449
Column: 33
CWE codes:
362/367!
Suggestion:
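Set up the correct permissions (e.g., using setuid()) and try to open the file directly. stat() and access() test a path name, and the file behind that name can be replaced before it is opened later, so the result of this check should not be treated as an access decision; the open itself has to handle failure.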
char *base;
struct_stat sbuf;
if(stat(filename, &sbuf) || access(filename, R_OK))
result = CURLE_READ_ERROR;
part->data = strdup(filename);
if(!part->data)
result = CURLE_OUT_OF_MEMORY;
Reported by FlawFinder.
Line: 131
Column: 20
CWE codes:
362
#ifndef __VMS
#define filesize(name, stat_data) (stat_data.st_size)
#define fopen_read fopen
#else
#include <fabdef.h>
/*
Reported by FlawFinder.
Line: 149
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
curl_off_t VmsRealFileSize(const char *name,
const struct_stat *stat_buf)
{
char buffer[8192];
curl_off_t count;
int ret_stat;
FILE * file;
file = fopen(name, FOPEN_READTEXT); /* VMS */
Reported by FlawFinder.
Line: 154
Column: 10
CWE codes:
362
int ret_stat;
FILE * file;
file = fopen(name, FOPEN_READTEXT); /* VMS */
if(!file)
return 0;
count = 0;
ret_stat = 1;
Reported by FlawFinder.
Line: 210
Column: 12
CWE codes:
362
case FAB$C_VAR:
case FAB$C_VFC:
case FAB$C_STMCR:
return fopen(file, FOPEN_READTEXT); /* VMS */
break;
default:
return fopen(file, FOPEN_READTEXT, "rfm=stmlf", "ctx=stm");
}
}
Reported by FlawFinder.
Line: 213
Column: 12
CWE codes:
362
return fopen(file, FOPEN_READTEXT); /* VMS */
break;
default:
return fopen(file, FOPEN_READTEXT, "rfm=stmlf", "ctx=stm");
}
}
#define fopen_read vmsfopenread
#endif
Reported by FlawFinder.
Line: 370
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size = insize;
if(size)
memcpy(buffer, st->buf + st->bufbeg, size);
st->bufbeg += size;
return size;
}
Reported by FlawFinder.
Line: 537
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *ptr = buffer;
size_t cursize = 0;
int softlinebreak;
char buf[4];
/* On all platforms, input is supposed to be ASCII compatible: for this
reason, we use hexadecimal ASCII codes in this function rather than
character constants that can be interpreted as non-ascii on some
platforms. Preserve ASCII encoding on output too. */
Reported by FlawFinder.
Line: 604
Column: 9
CWE codes:
120
Suggestion:
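Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source here is a three-byte string literal plus its terminator, and buf is declared as char buf[4] (see the Line 537 finding), so this copy fits exactly.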
}
}
if(softlinebreak) {
strcpy(buf, "\x3D\x0D\x0A"); /* "=\r\n" */
len = 3;
consumed = 0;
}
}
Reported by FlawFinder.
Line: 618
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Append to output buffer. */
memcpy(ptr, buf, len);
cursize += len;
ptr += len;
size -= len;
st->pos += len;
if(buf[len - 1] == '\x0A') /* '\n' */
Reported by FlawFinder.
packages/OS400/os400sys.c
23 issues
Line: 1090
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ldap_memfree() and ldap_memalloc() does not exist. The solution is to
overwrite the EBCDIC buffer with ASCII to return it. */
strcpy(cp, cp2);
free(cp2);
return cp;
}
char *
Reported by FlawFinder.
Line: 1121
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ldap_memfree() and ldap_memalloc() does not exist. The solution is to
overwrite the EBCDIC buffer with ASCII to return it. */
strcpy(cp, cp2);
free(cp2);
return cp;
}
char *
Reported by FlawFinder.
Line: 1152
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ldap_memfree() and ldap_memalloc() does not exist. The solution is to
overwrite the EBCDIC buffer with ASCII to return it. */
strcpy(cp, cp2);
free(cp2);
return cp;
}
#endif /* CURL_DISABLE_LDAP */
Reported by FlawFinder.
Line: 734
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
QadrtConvertE2A(t, buf->value, i, i);
memcpy(buf->value, t, i);
free(t);
}
return 0;
}
Reported by FlawFinder.
Line: 753
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!in_name || !in_name->value || !in_name->length)
return gss_import_name(minor_status, in_name, in_name_type, out_name);
memcpy((char *) &in, (char *) in_name, sizeof(in));
i = in.length;
in.value = malloc(i + 1);
if(!in.value) {
if(minor_status)
Reported by FlawFinder.
Line: 1176
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
}
memcpy((char *) dstaddr, (char *) srcaddr, srclen);
switch(srcaddr->sa_family) {
case AF_UNIX:
srcu = (const struct sockaddr_un *) srcaddr;
Reported by FlawFinder.
Line: 1213
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
}
memcpy((char *) dstaddr, (char *) srcaddr, srclen);
if(srclen >= offsetof(struct sockaddr_storage, ss_family) +
sizeof(srcaddr->ss_family)) {
switch(srcaddr->ss_family) {
Reported by FlawFinder.
Line: 243
Column: 7
CWE codes:
126
if(!s)
return (char *) NULL;
i = strlen(s) + 1;
cp = Curl_thread_buffer(key, MAX_CONV_EXPANSION * i + 1);
if(cp) {
i = QadrtConvertE2A(cp, s, MAX_CONV_EXPANSION * i, i);
cp[i] = '\0';
Reported by FlawFinder.
Line: 286
Column: 44
CWE codes:
126
int i;
if(enodename) {
i = QadrtConvertE2A(nodename, enodename,
nodenamelen - 1, strlen(enodename));
nodename[i] = '\0';
}
if(eservname) {
i = QadrtConvertE2A(servname, eservname,
Reported by FlawFinder.
Line: 292
Column: 44
CWE codes:
126
if(eservname) {
i = QadrtConvertE2A(servname, eservname,
servnamelen - 1, strlen(eservname));
servname[i] = '\0';
}
}
free(enodename);
Reported by FlawFinder.
lib/cookie.c
23 issues
Line: 479
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(httpheader) {
/* This line was read off a HTTP-header */
char name[MAX_NAME];
char what[MAX_NAME];
const char *ptr;
const char *semiptr;
size_t linelength = strlen(lineptr);
Reported by FlawFinder.
Line: 480
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(httpheader) {
/* This line was read off a HTTP-header */
char name[MAX_NAME];
char what[MAX_NAME];
const char *ptr;
const char *semiptr;
size_t linelength = strlen(lineptr);
if(linelength > MAX_COOKIE_LINE) {
Reported by FlawFinder.
Line: 792
Column: 11
CWE codes:
120
Suggestion:
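Make sure destination can always hold the source data. In this excerpt the destination is allocated as pathlen + 1 bytes immediately before pathlen bytes are copied into it, so the destination size is tied to the copy length.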
size_t pathlen = (endslash-path + 1); /* include end slash */
co->path = malloc(pathlen + 1); /* one extra for the zero byte */
if(co->path) {
memcpy(co->path, path, pathlen);
co->path[pathlen] = 0; /* null-terminate */
co->spath = sanitize_cookie_path(co->path);
if(!co->spath)
badcookie = TRUE; /* out of memory bad */
}
Reported by FlawFinder.
Line: 1196
Column: 15
CWE codes:
362
fp = NULL;
}
else
fp = file?fopen(file, FOPEN_READTEXT):NULL;
c->newsession = newsession; /* new session? */
if(fp) {
char *lineptr;
Reported by FlawFinder.
Line: 1605
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
use_stdout = TRUE;
}
else {
unsigned char randsuffix[9];
if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
return 2;
tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
Reported by FlawFinder.
Line: 1614
Column: 11
CWE codes:
362
if(!tempstore)
return CURLE_OUT_OF_MEMORY;
out = fopen(tempstore, FOPEN_WRITETEXT);
if(!out) {
error = CURLE_WRITE_ERROR;
goto error;
}
}
Reported by FlawFinder.
Line: 124
Column: 30
CWE codes:
126
static bool tailmatch(const char *cooke_domain, const char *hostname)
{
size_t cookie_domain_len = strlen(cooke_domain);
size_t hostname_len = strlen(hostname);
if(hostname_len < cookie_domain_len)
return FALSE;
Reported by FlawFinder.
Line: 125
Column: 25
CWE codes:
126
static bool tailmatch(const char *cooke_domain, const char *hostname)
{
size_t cookie_domain_len = strlen(cooke_domain);
size_t hostname_len = strlen(hostname);
if(hostname_len < cookie_domain_len)
return FALSE;
if(!strcasecompare(cooke_domain, hostname + hostname_len-cookie_domain_len))
Reported by FlawFinder.
Line: 161
Column: 21
CWE codes:
126
bool ret = FALSE;
/* cookie_path must not have last '/' separator. ex: /sample */
cookie_path_len = strlen(cookie_path);
if(1 == cookie_path_len) {
/* cookie_path must be '/' */
return TRUE;
}
Reported by FlawFinder.
Line: 175
Column: 11
CWE codes:
126
*pos = 0x0;
/* #-fragments are already cut off! */
if(0 == strlen(uri_path) || uri_path[0] != '/') {
strstore(&uri_path, "/");
if(!uri_path)
return FALSE;
}
Reported by FlawFinder.
lib/connect.c
23 issues
Line: 271
Column: 5
CWE codes:
119
120
Suggestion:
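Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In the excerpt below, myhost[256] is declared inside a branch that is entered only when strlen(dev) is below 255; the writes into myhost are not shown here.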
memset(&sa, 0, sizeof(struct Curl_sockaddr_storage));
if(dev && (strlen(dev)<255) ) {
char myhost[256] = "";
int done = 0; /* -1 for error, 1 for address found */
bool is_interface = FALSE;
bool is_host = FALSE;
static const char *if_prefix = "if!";
static const char *host_prefix = "host!";
Reported by FlawFinder.
Line: 404
Column: 34
CWE codes:
190
Suggestion:
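If the source is untrusted, check both the minimum and the maximum, even if the input had no minus sign (large numbers can roll over into a negative number; consider saving to an unsigned value if that is intended). The comment in the excerpt below states that the scope ID is known to be numeric at this point; atoi itself gives no indication of a failed or out-of-range conversion.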
Curl_printable_address. The latter returns only numeric scope
IDs and the former returns none at all. So the scope ID, if
present, is known to be numeric */
si6->sin6_scope_id = atoi(scope_ptr);
#endif
}
sizeof_sa = sizeof(struct sockaddr_in6);
}
else
Reported by FlawFinder.
Line: 455
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In the excerpt below, buffer is handed to Curl_strerror together with sizeof(buffer).
curl_socklen_t size = sizeof(add);
memset(&add, 0, sizeof(struct Curl_sockaddr_storage));
if(getsockname(sockfd, (struct sockaddr *) &add, &size) < 0) {
char buffer[STRERROR_LEN];
data->state.os_errno = error = SOCKERRNO;
failf(data, "getsockname() failed with errno %d: %s",
error, Curl_strerror(error, buffer, sizeof(buffer)));
return CURLE_INTERFACE_FAILED;
}
Reported by FlawFinder.
Line: 481
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
break;
}
{
char buffer[STRERROR_LEN];
data->state.os_errno = error = SOCKERRNO;
failf(data, "bind failed with errno %d: %s",
error, Curl_strerror(error, buffer, sizeof(buffer)));
}
Reported by FlawFinder.
Line: 612
Column: 3
CWE codes:
120
Suggestion:
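Make sure destination can always hold the source data. The copy length here is the constant MAX_IPADR_LEN, so both data->info.conn_primary_ip and conn->primary_ip need to be at least that large; their declarations are not shown in this excerpt.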
void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
char *local_ip, int local_port)
{
memcpy(data->info.conn_primary_ip, conn->primary_ip, MAX_IPADR_LEN);
if(local_ip && local_ip[0])
memcpy(data->info.conn_local_ip, local_ip, MAX_IPADR_LEN);
else
data->info.conn_local_ip[0] = 0;
data->info.conn_scheme = conn->handler->scheme;
Reported by FlawFinder.
Line: 614
Column: 5
CWE codes:
120
Suggestion:
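Make sure destination can always hold the source data. The copy length here is the constant MAX_IPADR_LEN and local_ip arrives as a plain char * parameter, so the copy is in bounds only if every caller passes a buffer of at least MAX_IPADR_LEN bytes; this excerpt does not show the callers.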
{
memcpy(data->info.conn_primary_ip, conn->primary_ip, MAX_IPADR_LEN);
if(local_ip && local_ip[0])
memcpy(data->info.conn_local_ip, local_ip, MAX_IPADR_LEN);
else
data->info.conn_local_ip[0] = 0;
data->info.conn_scheme = conn->handler->scheme;
data->info.conn_protocol = conn->handler->protocol;
data->info.conn_primary_port = conn->port;
Reported by FlawFinder.
Line: 686
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct connectdata *conn, curl_socket_t sockfd)
{
#ifdef HAVE_GETPEERNAME
char buffer[STRERROR_LEN];
struct Curl_sockaddr_storage ssrem;
curl_socklen_t plen;
int port;
plen = sizeof(struct Curl_sockaddr_storage);
memset(&ssrem, 0, sizeof(ssrem));
Reported by FlawFinder.
Line: 717
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *local_ip, int *local_port)
{
#ifdef HAVE_GETSOCKNAME
char buffer[STRERROR_LEN];
struct Curl_sockaddr_storage ssloc;
curl_socklen_t slen;
slen = sizeof(struct Curl_sockaddr_storage);
memset(&ssloc, 0, sizeof(ssloc));
if(getsockname(sockfd, (struct sockaddr*) &ssloc, &slen)) {
Reported by FlawFinder.
Line: 750
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 'local_ip' and 'local_port' get filled with local's numerical
ip address and port number whenever an outgoing connection is
**established** from the primary socket to a remote address. */
char local_ip[MAX_IPADR_LEN] = "";
int local_port = -1;
if(conn->transport == TRNSPRT_TCP) {
if(!conn->bits.reuse && !conn->bits.tcp_fastopen) {
Curl_conninfo_remote(data, conn, sockfd);
Reported by FlawFinder.
Line: 977
Column: 9
CWE codes:
119
120
Suggestion:
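Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In the excerpt below, ipaddress is passed to Curl_printable_address together with sizeof(ipaddress).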
if(conn->tempaddr[i]) {
CURLcode status;
#ifndef CURL_DISABLE_VERBOSE_STRINGS
char ipaddress[MAX_IPADR_LEN];
char buffer[STRERROR_LEN];
Curl_printable_address(conn->tempaddr[i], ipaddress,
sizeof(ipaddress));
infof(data, "connect to %s port %u failed: %s",
ipaddress, conn->port,
Reported by FlawFinder.