The following issues were found
lib/curl_ntlm_core.c
22 issues
Line: 641
Column: 27
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
/* Calculate the timestamp */
#ifdef DEBUGBUILD
char *force_timestamp = getenv("CURL_FORCETIME");
if(force_timestamp)
time2filetime(&tw, (time_t) 0);
else
#endif
time2filetime(&tw, time(NULL));
Reported by FlawFinder.
Line: 161
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void setup_des_key(const unsigned char *key_56,
struct des_ctx *des)
{
char key[8];
/* Expand the 56-bit key to 64-bits */
extend_key_56_to_64(key_56, key);
/* Set the key parity to odd */
Reported by FlawFinder.
Line: 184
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *key_56)
{
const CK_MECHANISM_TYPE mech = CKM_DES_ECB; /* DES cipher in ECB mode */
char key[8]; /* expanded 64 bit key */
SECItem key_item;
PK11SymKey *symkey = NULL;
SECItem *param = NULL;
PK11Context *ctx = NULL;
int out_len; /* not used, required by NSS */
Reported by FlawFinder.
Line: 243
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *key_56)
{
mbedtls_des_context ctx;
char key[8];
/* Expand the 56-bit key to 64-bits */
extend_key_56_to_64(key_56, key);
/* Set the key parity to odd */
Reported by FlawFinder.
Line: 262
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool encrypt_des(const unsigned char *in, unsigned char *out,
const unsigned char *key_56)
{
char key[8];
size_t out_len;
CCCryptorStatus err;
/* Expand the 56-bit key to 64-bits */
extend_key_56_to_64(key_56, key);
Reported by FlawFinder.
Line: 285
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool encrypt_des(const unsigned char *in, unsigned char *out,
const unsigned char *key_56)
{
char key[8];
_CIPHER_Control_T ctl;
/* Setup the cipher control structure */
ctl.Func_ID = ENCRYPT_ONLY;
ctl.Data_Len = sizeof(key);
Reported by FlawFinder.
Line: 314
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
BLOBHEADER hdr;
unsigned int len;
char key[8];
} blob;
DWORD len = 8;
/* Acquire the crypto provider */
if(!CryptAcquireContext(&hprov, NULL, NULL, PROV_RSA_FULL,
Reported by FlawFinder.
Line: 343
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return FALSE;
}
memcpy(out, in, 8);
/* Perform the encryption */
CryptEncrypt(hkey, 0, FALSE, 0, out, &len, len);
CryptDestroyKey(hkey);
Reported by FlawFinder.
Line: 403
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *lmbuffer /* 21 bytes */)
{
CURLcode result;
unsigned char pw[14];
static const unsigned char magic[] = {
0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 /* i.e. KGS!@#$% */
};
size_t len = CURLMIN(strlen(password), 14);
Reported by FlawFinder.
Line: 634
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int len = 0;
unsigned char *ptr = NULL;
unsigned char hmac_output[HMAC_MD5_LENGTH];
struct ms_filetime tw;
CURLcode result = CURLE_OK;
/* Calculate the timestamp */
Reported by FlawFinder.
lib/url.c
22 issues
Line: 2319
Column: 10
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
strcpy(envp, "_proxy");
/* read the protocol proxy: */
prox = curl_getenv(proxy_env);
/*
* We don't try the uppercase version of HTTP_PROXY because of
* security reasons:
*
Reported by FlawFinder.
Line: 2336
Column: 12
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if(!prox && !strcasecompare("http_proxy", proxy_env)) {
/* There was no lowercase variable, try the uppercase version: */
Curl_strntoupper(proxy_env, proxy_env, sizeof(proxy_env));
prox = curl_getenv(proxy_env);
}
envp = proxy_env;
if(prox) {
proxy = prox; /* use this */
Reported by FlawFinder.
Line: 2345
Column: 13
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
}
else {
envp = (char *)"all_proxy";
proxy = curl_getenv(envp); /* default proxy to use */
if(!proxy) {
envp = (char *)"ALL_PROXY";
proxy = curl_getenv(envp);
}
}
Reported by FlawFinder.
Line: 2348
Column: 15
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
proxy = curl_getenv(envp); /* default proxy to use */
if(!proxy) {
envp = (char *)"ALL_PROXY";
proxy = curl_getenv(envp);
}
}
if(proxy)
infof(data, "Uses proxy env variable %s == '%s'", envp, proxy);
Reported by FlawFinder.
Line: 2589
Column: 16
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if(!data->set.str[STRING_NOPROXY]) {
const char *p = "no_proxy";
no_proxy = curl_getenv(p);
if(!no_proxy) {
p = "NO_PROXY";
no_proxy = curl_getenv(p);
}
if(no_proxy) {
Reported by FlawFinder.
Line: 2592
Column: 18
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
no_proxy = curl_getenv(p);
if(!no_proxy) {
p = "NO_PROXY";
no_proxy = curl_getenv(p);
}
if(no_proxy) {
infof(data, "Uses proxy env variable %s == '%s'", p, no_proxy);
}
}
Reported by FlawFinder.
Line: 3228
Column: 7
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
((conn->handler->protocol == CURLPROTO_HTTPS) ||
#ifdef CURLDEBUG
/* allow debug builds to circumvent the HTTPS restriction */
getenv("CURL_ALTSVC_HTTP")
#else
0
#endif
)) {
/* no connect_to match, try alt-svc! */
Reported by FlawFinder.
Line: 1622
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
host->name = host->encalloc;
}
else {
char buffer[STRERROR_LEN];
failf(data, "Failed to convert %s to ACE; %s", host->name,
Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
return CURLE_URL_MALFORMAT;
}
#else
Reported by FlawFinder.
Line: 2303
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* For compatibility, the all-uppercase versions of these variables are
* checked if the lowercase versions don't exist.
*/
char proxy_env[128];
const char *protop = conn->handler->scheme;
char *envp = proxy_env;
char *prox;
#ifdef CURL_DISABLE_VERBOSE_STRINGS
(void)data;
Reported by FlawFinder.
Line: 2316
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*envp++ = (char)tolower((int)*protop++);
/* append _proxy */
strcpy(envp, "_proxy");
/* read the protocol proxy: */
prox = curl_getenv(proxy_env);
/*
Reported by FlawFinder.
lib/mqtt.c
22 issues
Line: 177
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* length of password provided */
pkt[start] = (char)((plen >> 8) & 0xFF);
pkt[start + 1] = (char)(plen & 0xFF);
memcpy(&pkt[start + 2], passwd, plen);
return 0;
}
/* add user to the CONN packet */
static int add_user(const char *username, const size_t ulen,
Reported by FlawFinder.
Line: 195
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* length of username provided */
pkt[start] = (unsigned char)((ulen >> 8) & 0xFF);
pkt[start + 1] = (unsigned char)(ulen & 0xFF);
memcpy(&pkt[start + 2], username, ulen);
return 0;
}
/* add client ID to the CONN packet */
static int add_client_id(const char *client_id, const size_t client_id_len,
Reported by FlawFinder.
Line: 207
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 1;
pkt[start] = 0x00;
pkt[start + 1] = MQTT_CLIENTID_LEN;
memcpy(&pkt[start + 2], client_id, MQTT_CLIENTID_LEN);
return 0;
}
/* Set initial values of CONN packet */
static int init_connpack(char *packet, char *remain, int remain_pos)
Reported by FlawFinder.
Line: 218
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* packet type */
packet[0] = MQTT_MSG_CONNECT;
/* remaining length field */
memcpy(&packet[1], remain, remain_pos);
/* Fixed header ends */
/* Variable header starts */
/* protocol length */
packet[remain_pos + 1] = 0x00;
Reported by FlawFinder.
Line: 248
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rc = 0;
/*remain length*/
int remain_pos = 0;
char remain[4] = {0};
size_t packetlen = 0;
size_t payloadlen = 0;
size_t start_user = 0;
size_t start_pwd = 0;
char client_id[MQTT_CLIENTID_LEN + 1] = "curl";
Reported by FlawFinder.
Line: 253
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t payloadlen = 0;
size_t start_user = 0;
size_t start_pwd = 0;
char client_id[MQTT_CLIENTID_LEN + 1] = "curl";
const size_t clen = strlen("curl");
char *packet = NULL;
/* extracting username from request */
const char *username = data->state.aptr.user ?
Reported by FlawFinder.
Line: 352
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURLcode result;
struct connectdata *conn = data->conn;
curl_socket_t sockfd = conn->sock[FIRSTSOCKET];
unsigned char readbuf[MQTT_CONNACK_LEN];
ssize_t nread;
result = Curl_read(data, sockfd, (char *)readbuf, MQTT_CONNACK_LEN, &nread);
if(result)
goto fail;
Reported by FlawFinder.
Line: 396
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t topiclen;
unsigned char *packet = NULL;
size_t packetlen;
char encodedsize[4];
size_t n;
struct connectdata *conn = data->conn;
result = mqtt_get_topic(data, &topic, &topiclen);
if(result)
Reported by FlawFinder.
Line: 418
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
packet[0] = MQTT_MSG_SUBSCRIBE;
memcpy(&packet[1], encodedsize, n);
packet[1 + n] = (conn->proto.mqtt.packetid >> 8) & 0xff;
packet[2 + n] = conn->proto.mqtt.packetid & 0xff;
packet[3 + n] = (topiclen >> 8) & 0xff;
packet[4 + n ] = topiclen & 0xff;
memcpy(&packet[5 + n], topic, topiclen);
Reported by FlawFinder.
Line: 423
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
packet[2 + n] = conn->proto.mqtt.packetid & 0xff;
packet[3 + n] = (topiclen >> 8) & 0xff;
packet[4 + n ] = topiclen & 0xff;
memcpy(&packet[5 + n], topic, topiclen);
packet[5 + n + topiclen] = 0; /* QoS zero */
result = mqtt_send(data, (char *)packet, packetlen);
fail:
Reported by FlawFinder.
lib/smb.c
22 issues
Line: 134
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/*
 * Append a string to an SMB message.
 *
 * Copies (str) with strcpy() to the write cursor `p`, a variable the
 * expansion site must have in scope, then advances `p` by strlen(str). The
 * terminating NUL that strcpy() writes is not skipped, so the next append
 * overwrites it.
 *
 * NOTE(review): the macro performs no bounds check and evaluates `str` twice
 * (once in strcpy, once in strlen). The caller must have verified that the
 * destination has room for the string plus its NUL, and must pass an
 * argument without side effects.
 */
#define MSGCAT(str) \
do { \
strcpy(p, (str)); \
p += strlen(str); \
} while(0)
/* Append a null-terminated string to an SMB message */
#define MSGCATNULL(str) \
Reported by FlawFinder.
Line: 141
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/*
 * Append a null-terminated string to an SMB message.
 *
 * Copies (str) with strcpy() to the write cursor `p`, a variable the
 * expansion site must have in scope, then advances `p` by strlen(str) + 1,
 * so the terminating NUL stays in the message and the next append starts
 * after it.
 *
 * NOTE(review): the macro performs no bounds check and evaluates `str` twice
 * (once in strcpy, once in strlen). The caller must have verified that the
 * destination has room for the string and its NUL before expanding it, and
 * must pass an argument without side effects.
 */
#define MSGCATNULL(str) \
do { \
strcpy(p, (str)); \
p += strlen(str) + 1; \
} while(0)
/* SMB is mostly little endian */
#if (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || \
Reported by FlawFinder.
Line: 548
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
msg.create_disposition = smb_swap32(SMB_FILE_OPEN);
}
msg.byte_count = smb_swap16((unsigned short) ++byte_count);
strcpy(msg.bytes, req->path);
return smb_send_message(data, SMB_COM_NT_CREATE_ANDX, &msg,
sizeof(msg) - sizeof(msg.bytes) + byte_count);
}
Reported by FlawFinder.
Line: 365
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(h, 0, sizeof(*h));
h->nbt_length = htons((unsigned short) (sizeof(*h) - sizeof(unsigned int) +
len));
memcpy((char *)h->magic, "\xffSMB", 4);
h->command = cmd;
h->flags = SMB_FLAGS_CANONICAL_PATHNAMES | SMB_FLAGS_CASELESS_PATHNAMES;
h->flags2 = smb_swap16(SMB_FLAGS2_IS_LONG_NAME | SMB_FLAGS2_KNOWS_LONG_NAME);
h->uid = smb_swap16(smbc->uid);
h->tid = smb_swap16(req->tid);
Reported by FlawFinder.
Line: 432
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return result;
smb_format_message(data, (struct smb_header *)data->state.ulbuf,
cmd, msg_len);
memcpy(data->state.ulbuf + sizeof(struct smb_header),
msg, msg_len);
return smb_send(data, sizeof(struct smb_header) + msg_len, 0);
}
Reported by FlawFinder.
Line: 451
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct smb_conn *smbc = &conn->proto.smbc;
struct smb_setup msg;
char *p = msg.bytes;
unsigned char lm_hash[21];
unsigned char lm[24];
unsigned char nt_hash[21];
unsigned char nt[24];
size_t byte_count = sizeof(lm) + sizeof(nt);
Reported by FlawFinder.
Line: 452
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct smb_setup msg;
char *p = msg.bytes;
unsigned char lm_hash[21];
unsigned char lm[24];
unsigned char nt_hash[21];
unsigned char nt[24];
size_t byte_count = sizeof(lm) + sizeof(nt);
byte_count += strlen(smbc->user) + strlen(smbc->domain);
Reported by FlawFinder.
Line: 453
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *p = msg.bytes;
unsigned char lm_hash[21];
unsigned char lm[24];
unsigned char nt_hash[21];
unsigned char nt[24];
size_t byte_count = sizeof(lm) + sizeof(nt);
byte_count += strlen(smbc->user) + strlen(smbc->domain);
byte_count += strlen(OS) + strlen(CLIENTNAME) + 4; /* 4 null chars */
Reported by FlawFinder.
Line: 454
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char lm_hash[21];
unsigned char lm[24];
unsigned char nt_hash[21];
unsigned char nt[24];
size_t byte_count = sizeof(lm) + sizeof(nt);
byte_count += strlen(smbc->user) + strlen(smbc->domain);
byte_count += strlen(OS) + strlen(CLIENTNAME) + 4; /* 4 null chars */
if(byte_count > sizeof(msg.bytes))
Reported by FlawFinder.
Line: 481
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg.capabilities = smb_swap32(SMB_CAP_LARGE_FILES);
msg.lengths[0] = smb_swap16(sizeof(lm));
msg.lengths[1] = smb_swap16(sizeof(nt));
memcpy(p, lm, sizeof(lm));
p += sizeof(lm);
memcpy(p, nt, sizeof(nt));
p += sizeof(nt);
MSGCATNULL(smbc->user);
MSGCATNULL(smbc->domain);
Reported by FlawFinder.
tests/server/mqttd.c
22 issues
Line: 147
Column: 14
CWE codes:
362
static void getconfig(void)
{
FILE *fp = fopen(configfile, FOPEN_READTEXT);
resetdefaults();
if(fp) {
char buffer[512];
logmsg("parse config file");
while(fgets(buffer, sizeof(buffer), fp)) {
Reported by FlawFinder.
Line: 150
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
FILE *fp = fopen(configfile, FOPEN_READTEXT);
resetdefaults();
if(fp) {
char buffer[512];
logmsg("parse config file");
while(fgets(buffer, sizeof(buffer), fp)) {
char key[32];
char value[32];
if(2 == sscanf(buffer, "%31s %31s", key, value)) {
Reported by FlawFinder.
Line: 153
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char buffer[512];
logmsg("parse config file");
while(fgets(buffer, sizeof(buffer), fp)) {
char key[32];
char value[32];
if(2 == sscanf(buffer, "%31s %31s", key, value)) {
if(!strcmp(key, "version")) {
config.version = byteval(value);
logmsg("version [%d] set", config.version);
Reported by FlawFinder.
Line: 154
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
logmsg("parse config file");
while(fgets(buffer, sizeof(buffer), fp)) {
char key[32];
char value[32];
if(2 == sscanf(buffer, "%31s %31s", key, value)) {
if(!strcmp(key, "version")) {
config.version = byteval(value);
logmsg("version [%d] set", config.version);
}
Reported by FlawFinder.
Line: 173
Column: 28
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
logmsg("error-CONNACK = %d", config.error_connack);
}
else if(!strcmp(key, "Testnum")) {
config.testnum = atoi(value);
logmsg("testnum = %d", config.testnum);
}
else if(!strcmp(key, "excessive-remaining")) {
logmsg("excessive-remaining set");
config.excessive_remaining = TRUE;
Reported by FlawFinder.
Line: 191
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void loghex(unsigned char *buffer, ssize_t len)
{
char data[12000];
ssize_t i;
unsigned char *ptr = buffer;
char *optr = data;
ssize_t width = 0;
int left = sizeof(data);
Reported by FlawFinder.
Line: 218
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
FILE *output,
unsigned char *buffer, ssize_t len)
{
char data[12000] = "";
ssize_t i;
unsigned char *ptr = buffer;
char *optr = data;
int left = sizeof(data);
Reported by FlawFinder.
Line: 403
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ssize_t packetlen;
ssize_t sendamount;
ssize_t rc;
unsigned char rembuffer[4];
int encodedlen;
if(config.excessive_remaining) {
/* manually set illegal remaining length */
rembuffer[0] = 0xff;
Reported by FlawFinder.
Line: 424
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 1;
packet[0] = MQTT_MSG_PUBLISH; /* TODO: set QoS? */
memcpy(&packet[1], rembuffer, encodedlen);
(void)packetid;
/* packet_id if QoS is set */
packet[1 + encodedlen] = (unsigned char)(topiclen >> 8);
Reported by FlawFinder.
Line: 431
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
packet[1 + encodedlen] = (unsigned char)(topiclen >> 8);
packet[2 + encodedlen] = (unsigned char)(topiclen & 0xff);
memcpy(&packet[3 + encodedlen], topic, topiclen);
payloadindex = 3 + topiclen + encodedlen;
memcpy(&packet[payloadindex], payload, payloadlen);
sendamount = packetlen;
Reported by FlawFinder.
src/tool_getparam.c
21 issues
Line: 1448
Column: 15
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
size = outlen-1;
}
else {
strcpy(n, enc);
size = outlen-2; /* since no '=' was inserted */
}
curl_free(enc);
postdata = n;
}
Reported by FlawFinder.
Line: 845
Column: 27
CWE codes:
362
case 'v': /* --stderr */
if(strcmp(nextarg, "-")) {
FILE *newfile = fopen(nextarg, FOPEN_WRITETEXT);
if(!newfile)
warnf(global, "Failed to open %s!\n", nextarg);
else {
if(global->errors_fopened)
fclose(global->errors);
Reported by FlawFinder.
Line: 1011
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case 's': { /* --local-port */
/* 16bit base 10 is 5 digits, but we allow 6 so that this catches
overflows, not just truncates */
char lrange[7]="";
char *p = nextarg;
while(ISDIGIT(*p))
p++;
if(*p) {
/* if there's anything more than a plain decimal number */
Reported by FlawFinder.
Line: 1401
Column: 20
CWE codes:
362
set_binmode(stdin);
}
else {
file = fopen(p, "rb");
if(!file)
warnf(global,
"Couldn't read data from file \"%s\", this makes "
"an empty POST.\n", nextarg);
}
Reported by FlawFinder.
Line: 1469
Column: 18
CWE codes:
362
set_binmode(stdin);
}
else {
file = fopen(nextarg, "rb");
if(!file)
warnf(global, "Couldn't read data from file \"%s\", this makes "
"an empty POST.\n", nextarg);
}
Reported by FlawFinder.
Line: 1525
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
Curl_safefree(postdata);
return PARAM_NO_MEM;
}
memcpy(config->postfields, oldpost, (size_t)oldlen);
/* use byte value 0x26 for '&' to accommodate non-ASCII platforms */
config->postfields[oldlen] = '\x26';
memcpy(&config->postfields[oldlen + 1], postdata, size);
config->postfields[oldlen + 1 + size] = '\0';
Curl_safefree(oldpost);
Reported by FlawFinder.
Line: 1528
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(config->postfields, oldpost, (size_t)oldlen);
/* use byte value 0x26 for '&' to accommodate non-ASCII platforms */
config->postfields[oldlen] = '\x26';
memcpy(&config->postfields[oldlen + 1], postdata, size);
config->postfields[oldlen + 1 + size] = '\0';
Curl_safefree(oldpost);
Curl_safefree(postdata);
config->postfieldsize += size + 1;
}
Reported by FlawFinder.
Line: 1857
Column: 38
CWE codes:
362
char *string;
size_t len;
bool use_stdin = !strcmp(&nextarg[1], "-");
FILE *file = use_stdin?stdin:fopen(&nextarg[1], FOPEN_READTEXT);
if(!file)
warnf(global, "Failed to open %s!\n", &nextarg[1]);
else {
err = file2memory(&string, &len, file);
if(!err && string) {
Reported by FlawFinder.
Line: 2076
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
claimed that to be a good way, why this code is added to work-around
it. */
if(ISDIGIT(*nextarg) && !strchr(nextarg, '-')) {
char buffer[32];
curl_off_t off;
if(curlx_strtoofft(nextarg, NULL, 10, &off)) {
warnf(global, "unsupported range point\n");
return PARAM_BAD_USE;
}
Reported by FlawFinder.
Line: 2213
Column: 18
CWE codes:
362
}
else {
fname = nextarg;
file = fopen(nextarg, FOPEN_READTEXT);
}
Curl_safefree(config->writeout);
err = file2string(&config->writeout, file);
if(file && (file != stdin))
fclose(file);
Reported by FlawFinder.
lib/vtls/schannel.c
20 issues
Line: 211
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
get_alg_id_by_name(char *name)
{
char tmp[LONGEST_ALG_ID] = { 0 };
char *nameEnd = strchr(name, ':');
size_t n = nameEnd ? min((size_t)(nameEnd - name), LONGEST_ALG_ID - 1) : \
min(strlen(name), LONGEST_ALG_ID - 1);
strncpy(tmp, name, n);
tmp[n] = 0;
Reported by FlawFinder.
Line: 542
Column: 19
CWE codes:
362
&cert_store_path, &cert_thumbprint_str);
if(result && (data->set.ssl.primary.clientcert[0]!='\0'))
fInCert = fopen(data->set.ssl.primary.clientcert, "rb");
if(result && !fInCert) {
failf(data, "schannel: Failed to get certificate location"
" or file for %s",
data->set.ssl.primary.clientcert);
Reported by FlawFinder.
Line: 608
Column: 23
CWE codes:
120
pszPassword = (WCHAR*)malloc(sizeof(WCHAR)*(pwd_len + 1));
if(pszPassword) {
if(pwd_len > 0)
str_w_len = MultiByteToWideChar(CP_UTF8,
MB_ERR_INVALID_CHARS,
data->set.ssl.key_passwd, (int)pwd_len,
pszPassword, (int)(pwd_len + 1));
if((str_w_len >= 0) && (str_w_len <= (int)pwd_len))
Reported by FlawFinder.
Line: 732
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CertFreeCertificateContext(client_certs[0]);
if(sspi_status != SEC_E_OK) {
char buffer[STRERROR_LEN];
failf(data, "schannel: AcquireCredentialsHandle failed: %s",
Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
Curl_safefree(BACKEND->cred);
switch(sspi_status) {
case SEC_E_INSUFFICIENT_MEMORY:
Reported by FlawFinder.
Line: 763
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SecBuffer inbuf;
SecBufferDesc inbuf_desc;
#ifdef HAS_ALPN
unsigned char alpn_buffer[128];
#endif
SECURITY_STATUS sspi_status = SEC_E_OK;
struct Curl_schannel_cred *old_cred = NULL;
struct in_addr addr;
#ifdef ENABLE_IPV6
Reported by FlawFinder.
Line: 894
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#ifdef USE_HTTP2
if(data->state.httpwant >= CURL_HTTP_VERSION_2) {
alpn_buffer[cur++] = ALPN_H2_LENGTH;
memcpy(&alpn_buffer[cur], ALPN_H2, ALPN_H2_LENGTH);
cur += ALPN_H2_LENGTH;
infof(data, "schannel: ALPN, offering %s", ALPN_H2);
}
#endif
Reported by FlawFinder.
Line: 901
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#endif
alpn_buffer[cur++] = ALPN_HTTP_1_1_LENGTH;
memcpy(&alpn_buffer[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
cur += ALPN_HTTP_1_1_LENGTH;
infof(data, "schannel: ALPN, offering %s", ALPN_HTTP_1_1);
*list_len = curlx_uitous(cur - list_start_index);
*extension_len = *list_len + sizeof(unsigned int) + sizeof(unsigned short);
Reported by FlawFinder.
Line: 961
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
curlx_unicodefree(host_name);
if(sspi_status != SEC_I_CONTINUE_NEEDED) {
char buffer[STRERROR_LEN];
Curl_safefree(BACKEND->ctxt);
switch(sspi_status) {
case SEC_E_INSUFFICIENT_MEMORY:
failf(data, "schannel: initial InitializeSecurityContext failed: %s",
Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
Reported by FlawFinder.
Line: 1137
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* copy received handshake data into input buffer */
memcpy(inbuf[0].pvBuffer, BACKEND->encdata_buffer,
BACKEND->encdata_offset);
host_name = curlx_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
Reported by FlawFinder.
Line: 1204
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
}
else {
char buffer[STRERROR_LEN];
switch(sspi_status) {
case SEC_E_INSUFFICIENT_MEMORY:
failf(data, "schannel: next InitializeSecurityContext failed: %s",
Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
return CURLE_OUT_OF_MEMORY;
Reported by FlawFinder.
lib/telnet.c
19 issues
Line: 155
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int himq[256];
int him_preferred[256];
int subnegotiation[256];
char subopt_ttype[32]; /* Set with suboption TTYPE */
char subopt_xdisploc[128]; /* Set with suboption XDISPLOC */
unsigned short subopt_wsx; /* Set with suboption NAWS */
unsigned short subopt_wsy; /* Set with suboption NAWS */
TelnetReceive telrcv_state;
struct curl_slist *telnet_vars; /* Environment variables */
Reported by FlawFinder.
Line: 156
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int him_preferred[256];
int subnegotiation[256];
char subopt_ttype[32]; /* Set with suboption TTYPE */
char subopt_xdisploc[128]; /* Set with suboption XDISPLOC */
unsigned short subopt_wsx; /* Set with suboption NAWS */
unsigned short subopt_wsy; /* Set with suboption NAWS */
TelnetReceive telrcv_state;
struct curl_slist *telnet_vars; /* Environment variables */
Reported by FlawFinder.
Line: 163
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct curl_slist *telnet_vars; /* Environment variables */
/* suboptions */
unsigned char subbuffer[SUBBUFSIZE];
unsigned char *subpointer, *subend; /* buffer for sub-options */
};
/*
Reported by FlawFinder.
Line: 303
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void send_negotiation(struct Curl_easy *data, int cmd, int option)
{
unsigned char buf[3];
ssize_t bytes_written;
struct connectdata *conn = data->conn;
buf[0] = CURL_IAC;
buf[1] = (unsigned char)cmd;
Reported by FlawFinder.
Line: 775
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct curl_slist *head;
struct curl_slist *beg;
char option_keyword[128] = "";
char option_arg[256] = "";
struct TELNET *tn = data->req.p.telnet;
struct connectdata *conn = data->conn;
CURLcode result = CURLE_OK;
int binary_option;
Reported by FlawFinder.
Line: 776
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct curl_slist *head;
struct curl_slist *beg;
char option_keyword[128] = "";
char option_arg[256] = "";
struct TELNET *tn = data->req.p.telnet;
struct connectdata *conn = data->conn;
CURLcode result = CURLE_OK;
int binary_option;
Reported by FlawFinder.
Line: 843
Column: 25
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
/* To take care or not of the 8th bit in data exchange */
if(strcasecompare(option_keyword, "BINARY")) {
binary_option = atoi(option_arg);
if(binary_option != 1) {
tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO;
tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO;
}
continue;
Reported by FlawFinder.
Line: 878
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void suboption(struct Curl_easy *data)
{
struct curl_slist *v;
unsigned char temp[2048];
ssize_t bytes_written;
size_t len;
int err;
char varname[128] = "";
char varval[128] = "";
Reported by FlawFinder.
Line: 882
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ssize_t bytes_written;
size_t len;
int err;
char varname[128] = "";
char varval[128] = "";
struct TELNET *tn = data->req.p.telnet;
struct connectdata *conn = data->conn;
printsub(data, '<', (unsigned char *)tn->subbuffer, CURL_SB_LEN(tn) + 2);
Reported by FlawFinder.
Line: 883
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t len;
int err;
char varname[128] = "";
char varval[128] = "";
struct TELNET *tn = data->req.p.telnet;
struct connectdata *conn = data->conn;
printsub(data, '<', (unsigned char *)tn->subbuffer, CURL_SB_LEN(tn) + 2);
switch(CURL_SB_GET(tn)) {
Reported by FlawFinder.
lib/http_aws_sigv4.c
19 issues
Line: 234
Column: 21
CWE codes:
807
20
Suggestion:
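Check environment variables carefully before using them
Reviewer note: in this excerpt the getenv call sits inside #ifdef DEBUGBUILD, and only the presence of CURL_FORCETIME is tested; its contents are never read. The relevant check is that DEBUGBUILD is not defined in release builds.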
}
#ifdef DEBUGBUILD
force_timestamp = getenv("CURL_FORCETIME");
if(force_timestamp)
clock = 0;
else
time(&clock);
#else
Reported by FlawFinder.
Line: 88
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
time_t clock;
struct tm tm;
char timestamp[17];
char date[9];
const char *content_type = Curl_checkheaders(data, "Content-Type");
char *canonical_headers = NULL;
char *signed_headers = NULL;
Curl_HttpReq httpreq;
Reported by FlawFinder.
Line: 89
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
time_t clock;
struct tm tm;
char timestamp[17];
char date[9];
const char *content_type = Curl_checkheaders(data, "Content-Type");
char *canonical_headers = NULL;
char *signed_headers = NULL;
Curl_HttpReq httpreq;
const char *method;
Reported by FlawFinder.
Line: 96
Column: 12
CWE codes:
119
120
Suggestion:
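Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Reviewer note: the sizes of sha_hash[32] and sha_hex[65] are consistent with a SHA-256 digest and its hex encoding plus a terminator. The calls that write into them are not part of the excerpt and are what needs to be checked.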
Curl_HttpReq httpreq;
const char *method;
const char *post_data = data->set.postfields ? data->set.postfields : "";
unsigned char sha_hash[32];
char sha_hex[65];
char *canonical_request = NULL;
char *request_type = NULL;
char *credential_scope = NULL;
char *str_to_sign = NULL;
Reported by FlawFinder.
Line: 97
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *method;
const char *post_data = data->set.postfields ? data->set.postfields : "";
unsigned char sha_hash[32];
char sha_hex[65];
char *canonical_request = NULL;
char *request_type = NULL;
char *credential_scope = NULL;
char *str_to_sign = NULL;
const char *user = data->state.aptr.user ? data->state.aptr.user : "";
Reported by FlawFinder.
Line: 105
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *user = data->state.aptr.user ? data->state.aptr.user : "";
const char *passwd = data->state.aptr.passwd ? data->state.aptr.passwd : "";
char *secret = NULL;
unsigned char tmp_sign0[32] = {0};
unsigned char tmp_sign1[32] = {0};
char *auth_headers = NULL;
DEBUGASSERT(!proxy);
(void)proxy;
Reported by FlawFinder.
Line: 106
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *passwd = data->state.aptr.passwd ? data->state.aptr.passwd : "";
char *secret = NULL;
unsigned char tmp_sign0[32] = {0};
unsigned char tmp_sign1[32] = {0};
char *auth_headers = NULL;
DEBUGASSERT(!proxy);
(void)proxy;
Reported by FlawFinder.
Line: 127
Column: 40
CWE codes:
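126
Reviewer note: CWE-126 is a buffer over-read; strlen and strchr are only safe on a NUL-terminated argument. Here tmp0 is either the STRING_AWS_SIGV4 option string or the literal "aws:amz". The literal is terminated; termination of the option string depends on how it was stored, which this excerpt does not show.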
tmp0 = data->set.str[STRING_AWS_SIGV4] ?
data->set.str[STRING_AWS_SIGV4] : "aws:amz";
tmp1 = strchr(tmp0, ':');
len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
if(len < 1) {
infof(data, "first provider can't be empty");
ret = CURLE_BAD_FUNCTION_ARGUMENT;
goto fail;
}
Reported by FlawFinder.
Line: 146
Column: 42
CWE codes:
126
if(tmp1) {
tmp0 = tmp1 + 1;
tmp1 = strchr(tmp0, ':');
len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
if(len < 1) {
infof(data, "second provider can't be empty");
ret = CURLE_BAD_FUNCTION_ARGUMENT;
goto fail;
}
Reported by FlawFinder.
Line: 166
Column: 44
CWE codes:
126
if(tmp1) {
tmp0 = tmp1 + 1;
tmp1 = strchr(tmp0, ':');
len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
if(len < 1) {
infof(data, "region can't be empty");
ret = CURLE_BAD_FUNCTION_ARGUMENT;
goto fail;
}
Reported by FlawFinder.
src/tool_doswin.c
19 issues
Line: 314
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SANITIZEcode msdosify(char **const sanitized, const char *file_name,
int flags)
{
char dos_name[PATH_MAX];
static const char illegal_chars_dos[] = ".+, ;=[]" /* illegal in DOS */
"|<>/\\\":?*"; /* illegal in DOS & W95 */
static const char *illegal_chars_w95 = &illegal_chars_dos[8];
int idx, dot_idx;
const char *s = file_name;
Reported by FlawFinder.
Line: 410
Column: 13
CWE codes:
120
Suggestion:
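Make sure destination can always hold the source data
Reviewer note: the excerpt copies four bytes to d without a terminator and then advances d. Whether the destination has room for them depends on bounds checks elsewhere in the loop, which are not shown.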
*d = 'x';
}
else {
memcpy(d, "plus", 4);
d += 3;
}
}
s++;
idx++;
Reported by FlawFinder.
Line: 466
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* retrieve such a file would fail at best and wedge us at worst. We need
* to rename such files. */
char *p, *base;
char fname[PATH_MAX];
#ifdef MSDOS
struct_stat st_buf;
#endif
if(!sanitized)
Reported by FlawFinder.
Line: 631
Column: 5
CWE codes:
119
120
Suggestion:
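Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Reviewer note: buf is declared with PATH_MAX elements and the same constant is passed to SearchPath as the buffer length, so the declaration and the call agree. How res_len is checked afterwards is not shown in the excerpt.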
backend != CURLSSLBACKEND_SCHANNEL) {
DWORD res_len;
TCHAR buf[PATH_MAX];
TCHAR *ptr = NULL;
buf[0] = TEXT('\0');
res_len = SearchPath(NULL, bundle_file, NULL, PATH_MAX, buf, &ptr);
Reported by FlawFinder.
Line: 681
Column: 5
CWE codes:
119
120
Suggestion:
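Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Reviewer note: the call passes sizeof(buffer) as the output size and a failed conversion goes to the error label, so the write is bounded by the declared array.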
#ifdef UNICODE
/* sizeof(mod.szExePath) is the max total bytes of wchars. the max total
bytes of multibyte chars won't be more than twice that. */
char buffer[sizeof(mod.szExePath) * 2];
if(!WideCharToMultiByte(CP_ACP, 0, mod.szExePath, -1,
buffer, sizeof(buffer), NULL, NULL))
goto error;
path = buffer;
#else
Reported by FlawFinder.
Line: 142
Column: 9
CWE codes:
126
does not discount the path information therefore we shouldn't use it. */
max_sanitized_len = (PATH_MAX-1 > 255) ? 255 : PATH_MAX-1;
len = strlen(file_name);
if(len > max_sanitized_len) {
if(!(flags & SANITIZE_ALLOW_TRUNCATE) ||
truncate_dryrun(file_name, max_sanitized_len))
return SANITIZE_ERR_INVALID_PATH;
Reported by FlawFinder.
Line: 155
Column: 3
CWE codes:
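120
Reviewer note: strncpy does not add a terminator when the source is at least len bytes long. The excerpt writes target[len] = '\0' on the next line, so the remaining question is whether target was allocated with at least len + 1 bytes, which is not shown.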
if(!target)
return SANITIZE_ERR_OUT_OF_MEMORY;
strncpy(target, file_name, len);
target[len] = '\0';
#ifndef MSDOS
if((flags & SANITIZE_ALLOW_PATH) && !strncmp(target, "\\\\?\\", 4))
/* Skip the literal path prefix \\?\ */
Reported by FlawFinder.
Line: 209
Column: 9
CWE codes:
126
if(sc)
return sc;
target = p;
len = strlen(target);
if(len > max_sanitized_len) {
free(target);
return SANITIZE_ERR_INVALID_PATH;
}
Reported by FlawFinder.
Line: 223
Column: 11
CWE codes:
126
if(sc)
return sc;
target = p;
len = strlen(target);
if(len > max_sanitized_len) {
free(target);
return SANITIZE_ERR_INVALID_PATH;
}
Reported by FlawFinder.
Line: 268
Column: 9
CWE codes:
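126
Reviewer note: the excerpt rejects a NULL path before calling strlen. The over-read concern is then limited to whether every caller passes a NUL-terminated string.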
if(!path)
return SANITIZE_ERR_BAD_ARGUMENT;
len = strlen(path);
if(truncate_pos > len)
return SANITIZE_ERR_BAD_ARGUMENT;
if(!len || !truncate_pos)
Reported by FlawFinder.