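The following issues were reported by static analysis (FlawFinder and Cppcheck, as noted under each entry). Each entry is a finding to triage against the surrounding code, not a confirmed vulnerability.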
lib/http_aws_sigv4.c
19 issues
Line: 234
Column: 21
CWE codes:
807
20
Suggestion:
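Check environment variables carefully before using them. In the excerpt below, the getenv() call sits inside #ifdef DEBUGBUILD and the value is only tested for presence, so it is compiled only when DEBUGBUILD is defined.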
}
#ifdef DEBUGBUILD
force_timestamp = getenv("CURL_FORCETIME");
if(force_timestamp)
clock = 0;
else
time(&clock);
#else
Reported by FlawFinder.
Line: 88
Column: 3
CWE codes:
119
120
Suggestion:
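Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The lines shown in the excerpt below are declarations of fixed-size arrays; whether any of them can overflow depends on the code that writes to them, which the excerpt does not show.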
#endif
time_t clock;
struct tm tm;
char timestamp[17];
char date[9];
const char *content_type = Curl_checkheaders(data, "Content-Type");
char *canonical_headers = NULL;
char *signed_headers = NULL;
Curl_HttpReq httpreq;
Reported by FlawFinder.
Line: 89
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
time_t clock;
struct tm tm;
char timestamp[17];
char date[9];
const char *content_type = Curl_checkheaders(data, "Content-Type");
char *canonical_headers = NULL;
char *signed_headers = NULL;
Curl_HttpReq httpreq;
const char *method;
Reported by FlawFinder.
Line: 96
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Curl_HttpReq httpreq;
const char *method;
const char *post_data = data->set.postfields ? data->set.postfields : "";
unsigned char sha_hash[32];
char sha_hex[65];
char *canonical_request = NULL;
char *request_type = NULL;
char *credential_scope = NULL;
char *str_to_sign = NULL;
Reported by FlawFinder.
Line: 97
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *method;
const char *post_data = data->set.postfields ? data->set.postfields : "";
unsigned char sha_hash[32];
char sha_hex[65];
char *canonical_request = NULL;
char *request_type = NULL;
char *credential_scope = NULL;
char *str_to_sign = NULL;
const char *user = data->state.aptr.user ? data->state.aptr.user : "";
Reported by FlawFinder.
Line: 105
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *user = data->state.aptr.user ? data->state.aptr.user : "";
const char *passwd = data->state.aptr.passwd ? data->state.aptr.passwd : "";
char *secret = NULL;
unsigned char tmp_sign0[32] = {0};
unsigned char tmp_sign1[32] = {0};
char *auth_headers = NULL;
DEBUGASSERT(!proxy);
(void)proxy;
Reported by FlawFinder.
Line: 106
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *passwd = data->state.aptr.passwd ? data->state.aptr.passwd : "";
char *secret = NULL;
unsigned char tmp_sign0[32] = {0};
unsigned char tmp_sign1[32] = {0};
char *auth_headers = NULL;
DEBUGASSERT(!proxy);
(void)proxy;
Reported by FlawFinder.
Line: 127
Column: 40
CWE codes:
126
tmp0 = data->set.str[STRING_AWS_SIGV4] ?
data->set.str[STRING_AWS_SIGV4] : "aws:amz";
tmp1 = strchr(tmp0, ':');
len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
if(len < 1) {
infof(data, "first provider can't be empty");
ret = CURLE_BAD_FUNCTION_ARGUMENT;
goto fail;
}
Reported by FlawFinder.
Line: 146
Column: 42
CWE codes:
126
if(tmp1) {
tmp0 = tmp1 + 1;
tmp1 = strchr(tmp0, ':');
len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
if(len < 1) {
infof(data, "second provider can't be empty");
ret = CURLE_BAD_FUNCTION_ARGUMENT;
goto fail;
}
Reported by FlawFinder.
Line: 166
Column: 44
CWE codes:
126
if(tmp1) {
tmp0 = tmp1 + 1;
tmp1 = strchr(tmp0, ':');
len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
if(len < 1) {
infof(data, "region can't be empty");
ret = CURLE_BAD_FUNCTION_ARGUMENT;
goto fail;
}
Reported by FlawFinder.
packages/OS400/ccsidcurl.c
19 issues
Line: 207
CWE codes:
672
d = cp;
}
return d;
}
static struct curl_slist *
slist_convert(int dccsid, struct curl_slist *from, int sccsid)
Reported by Cppcheck.
Line: 1242
CWE codes:
628
if(pfsize > SIZE_MAX)
pfsize = SIZE_MAX;
cp = malloc(pfsize);
if(!cp) {
result = CURLE_OUT_OF_MEMORY;
break;
}
Reported by Cppcheck.
Line: 60
Column: 20
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void
makeOS400IconvCode(char buf[ICONV_ID_SIZE], unsigned int ccsid)
{
/**
*** Convert a CCSID to the corresponding IBM iconv_open() character
*** code identifier.
*** This code is specific to the OS400 implementation of the iconv library.
Reported by FlawFinder.
Line: 84
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
iconv_open_CCSID(unsigned int ccsidout, unsigned int ccsidin,
unsigned int cstr)
{
char fromcode[ICONV_ID_SIZE];
char tocode[ICONV_ID_SIZE];
/**
*** Like iconv_open(), but character codes are given as CCSIDs.
*** If `cstr' is non-zero, conversion is set up to stop whenever a
Reported by FlawFinder.
Line: 85
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int cstr)
{
char fromcode[ICONV_ID_SIZE];
char tocode[ICONV_ID_SIZE];
/**
*** Like iconv_open(), but character codes are given as CCSIDs.
*** If `cstr' is non-zero, conversion is set up to stop whenever a
*** null character is encountered.
Reported by FlawFinder.
Line: 132
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i = lslen < dlen? lslen: dlen;
if(s != d && i > 0)
memcpy(d, s, i);
return i;
}
if(slen < 0) {
Reported by FlawFinder.
Line: 470
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy data and convert strings. */
memcpy((char *) id, (char *) p, sizeof(*p));
if(id->protocols) {
int i = nproto * sizeof(id->protocols[0]);
id->protocols = (const char * const *) cp;
Reported by FlawFinder.
Line: 476
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int i = nproto * sizeof(id->protocols[0]);
id->protocols = (const char * const *) cp;
memcpy(cp, (char *) p->protocols, i);
cp += i;
n -= i;
for(i = 0; id->protocols[i]; i++)
if(convert_version_info_string(((const char * *) id->protocols) + i,
Reported by FlawFinder.
Line: 714
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(nargs != skip)
if(Curl_is_formadd_string(forms[nargs].option))
if(forms[nargs].value)
free((char *) forms[nargs].value);
free((char *) forms);
}
Reported by FlawFinder.
Line: 128
Column: 30
CWE codes:
126
dccsid = ASCII_CCSID;
if(sccsid == dccsid) {
lslen = slen >= 0? slen: strlen(s) + 1;
i = lslen < dlen? lslen: dlen;
if(s != d && i > 0)
memcpy(d, s, i);
Reported by FlawFinder.
src/tool_doswin.c
19 issues
Line: 314
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SANITIZEcode msdosify(char **const sanitized, const char *file_name,
int flags)
{
char dos_name[PATH_MAX];
static const char illegal_chars_dos[] = ".+, ;=[]" /* illegal in DOS */
"|<>/\\\":?*"; /* illegal in DOS & W95 */
static const char *illegal_chars_w95 = &illegal_chars_dos[8];
int idx, dot_idx;
const char *s = file_name;
Reported by FlawFinder.
Line: 410
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*d = 'x';
}
else {
memcpy(d, "plus", 4);
d += 3;
}
}
s++;
idx++;
Reported by FlawFinder.
Line: 466
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* retrieve such a file would fail at best and wedge us at worst. We need
* to rename such files. */
char *p, *base;
char fname[PATH_MAX];
#ifdef MSDOS
struct_stat st_buf;
#endif
if(!sanitized)
Reported by FlawFinder.
Line: 631
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
backend != CURLSSLBACKEND_SCHANNEL) {
DWORD res_len;
TCHAR buf[PATH_MAX];
TCHAR *ptr = NULL;
buf[0] = TEXT('\0');
res_len = SearchPath(NULL, bundle_file, NULL, PATH_MAX, buf, &ptr);
Reported by FlawFinder.
Line: 681
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef UNICODE
/* sizeof(mod.szExePath) is the max total bytes of wchars. the max total
bytes of multibyte chars won't be more than twice that. */
char buffer[sizeof(mod.szExePath) * 2];
if(!WideCharToMultiByte(CP_ACP, 0, mod.szExePath, -1,
buffer, sizeof(buffer), NULL, NULL))
goto error;
path = buffer;
#else
Reported by FlawFinder.
Line: 142
Column: 9
CWE codes:
126
does not discount the path information therefore we shouldn't use it. */
max_sanitized_len = (PATH_MAX-1 > 255) ? 255 : PATH_MAX-1;
len = strlen(file_name);
if(len > max_sanitized_len) {
if(!(flags & SANITIZE_ALLOW_TRUNCATE) ||
truncate_dryrun(file_name, max_sanitized_len))
return SANITIZE_ERR_INVALID_PATH;
Reported by FlawFinder.
Line: 155
Column: 3
CWE codes:
120
if(!target)
return SANITIZE_ERR_OUT_OF_MEMORY;
strncpy(target, file_name, len);
target[len] = '\0';
#ifndef MSDOS
if((flags & SANITIZE_ALLOW_PATH) && !strncmp(target, "\\\\?\\", 4))
/* Skip the literal path prefix \\?\ */
Reported by FlawFinder.
Line: 209
Column: 9
CWE codes:
126
if(sc)
return sc;
target = p;
len = strlen(target);
if(len > max_sanitized_len) {
free(target);
return SANITIZE_ERR_INVALID_PATH;
}
Reported by FlawFinder.
Line: 223
Column: 11
CWE codes:
126
if(sc)
return sc;
target = p;
len = strlen(target);
if(len > max_sanitized_len) {
free(target);
return SANITIZE_ERR_INVALID_PATH;
}
Reported by FlawFinder.
Line: 268
Column: 9
CWE codes:
126
if(!path)
return SANITIZE_ERR_BAD_ARGUMENT;
len = strlen(path);
if(truncate_pos > len)
return SANITIZE_ERR_BAD_ARGUMENT;
if(!len || !truncate_pos)
Reported by FlawFinder.
tests/libtest/lib557.c
19 issues
Line: 67
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct unsshort_st {
unsigned short num; /* unsigned short */
const char *expected; /* expected string */
char result[BUFSZ]; /* result string */
};
struct sigshort_st {
short num; /* signed short */
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sigshort_st {
short num; /* signed short */
const char *expected; /* expected string */
char result[BUFSZ]; /* result string */
};
struct unsint_st {
unsigned int num; /* unsigned int */
Reported by FlawFinder.
Line: 81
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct unsint_st {
unsigned int num; /* unsigned int */
const char *expected; /* expected string */
char result[BUFSZ]; /* result string */
};
struct sigint_st {
int num; /* signed int */
Reported by FlawFinder.
Line: 88
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sigint_st {
int num; /* signed int */
const char *expected; /* expected string */
char result[BUFSZ]; /* result string */
};
struct unslong_st {
unsigned long num; /* unsigned long */
Reported by FlawFinder.
Line: 95
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct unslong_st {
unsigned long num; /* unsigned long */
const char *expected; /* expected string */
char result[BUFSZ]; /* result string */
};
struct siglong_st {
long num; /* signed long */
Reported by FlawFinder.
Line: 102
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct siglong_st {
long num; /* signed long */
const char *expected; /* expected string */
char result[BUFSZ]; /* result string */
};
struct curloff_st {
curl_off_t num; /* curl_off_t */
Reported by FlawFinder.
Line: 109
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct curloff_st {
curl_off_t num; /* curl_off_t */
const char *expected; /* expected string */
char result[BUFSZ]; /* result string */
};
static struct unsshort_st us_test[USHORT_TESTS_ARRSZ];
static struct sigshort_st ss_test[SSHORT_TESTS_ARRSZ];
Reported by FlawFinder.
Line: 1415
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int test_string_formatting(void)
{
int errors = 0;
char buf[256];
curl_msnprintf(buf, sizeof(buf), "%0*d%s", 2, 9, "foo");
errors += string_check(buf, "09foo");
curl_msnprintf(buf, sizeof(buf), "%*.*s", 5, 2, "foo");
errors += string_check(buf, " fo");
Reported by FlawFinder.
Line: 1448
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int test_weird_arguments(void)
{
int errors = 0;
char buf[256];
int rc;
/* MAX_PARAMETERS is 128, try exact 128! */
rc = curl_msnprintf(buf, sizeof(buf),
"%d%d%d%d%d%d%d%d%d%d" /* 10 */
Reported by FlawFinder.
Line: 1565
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int test_float_formatting(void)
{
int errors = 0;
char buf[512]; /* larger than max float size */
curl_msnprintf(buf, sizeof(buf), "%f", 9.0);
errors += string_check(buf, "9.000000");
curl_msnprintf(buf, sizeof(buf), "%.1f", 9.1);
errors += string_check(buf, "9.1");
Reported by FlawFinder.
lib/socks_sspi.c
18 issues
Line: 54
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
status != SEC_I_COMPLETE_AND_CONTINUE &&
status != SEC_I_COMPLETE_NEEDED &&
status != SEC_I_CONTINUE_NEEDED) {
char buffer[STRERROR_LEN];
failf(data, "SSPI error: %s failed: %s", function,
Curl_sspi_strerror(status, buffer, sizeof(buffer)));
return 1;
}
return 0;
Reported by FlawFinder.
Line: 87
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *service_name = NULL;
unsigned short us_length;
unsigned long qop;
unsigned char socksreq[4]; /* room for GSS-API exchange header only */
const char *service = data->set.str[STRING_PROXY_SERVICE_NAME] ?
data->set.str[STRING_PROXY_SERVICE_NAME] : "rcmd";
const size_t service_length = strlen(service);
/* GSS-API request looks like
Reported by FlawFinder.
Line: 205
Column: 7
CWE codes:
120
Suggestion:
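Make sure destination can always hold the source data. In the excerpt below the copy is a fixed sizeof(short) bytes at offset 2 of socksreq, which another entry for this file shows declared as unsigned char[4], so it fits when short is two bytes. The (short) cast of sspi_send_token.cbBuffer on the preceding line is worth checking for truncation of larger token sizes.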
socksreq[0] = 1; /* GSS-API subnegotiation version */
socksreq[1] = 1; /* authentication message type */
us_length = htons((short)sspi_send_token.cbBuffer);
memcpy(socksreq + 2, &us_length, sizeof(short));
code = Curl_write_plain(data, sock, (char *)socksreq, 4, &written);
if(code || (4 != written)) {
failf(data, "Failed to send SSPI authentication request.");
free(service_name);
Reported by FlawFinder.
Line: 289
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return CURLE_COULDNT_CONNECT;
}
memcpy(&us_length, socksreq + 2, sizeof(short));
us_length = ntohs(us_length);
sspi_recv_token.cbBuffer = us_length;
sspi_recv_token.pvBuffer = malloc(us_length);
Reported by FlawFinder.
Line: 383
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(data->set.socks5_gssapi_nec) {
us_length = htons((short)1);
memcpy(socksreq + 2, &us_length, sizeof(short));
}
else {
status = s_pSecFn->QueryContextAttributes(&sspi_context,
SECPKG_ATTR_SIZES,
&sspi_sizes);
Reported by FlawFinder.
Line: 412
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return CURLE_OUT_OF_MEMORY;
}
memcpy(sspi_w_token[1].pvBuffer, &gss_enc, 1);
sspi_w_token[2].BufferType = SECBUFFER_PADDING;
sspi_w_token[2].cbBuffer = sspi_sizes.cbBlockSize;
sspi_w_token[2].pvBuffer = malloc(sspi_sizes.cbBlockSize);
if(!sspi_w_token[2].pvBuffer) {
s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
Reported by FlawFinder.
Line: 446
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return CURLE_OUT_OF_MEMORY;
}
memcpy(sspi_send_token.pvBuffer, sspi_w_token[0].pvBuffer,
sspi_w_token[0].cbBuffer);
memcpy((PUCHAR) sspi_send_token.pvBuffer +(int)sspi_w_token[0].cbBuffer,
sspi_w_token[1].pvBuffer, sspi_w_token[1].cbBuffer);
memcpy((PUCHAR) sspi_send_token.pvBuffer
+ sspi_w_token[0].cbBuffer
Reported by FlawFinder.
Line: 448
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(sspi_send_token.pvBuffer, sspi_w_token[0].pvBuffer,
sspi_w_token[0].cbBuffer);
memcpy((PUCHAR) sspi_send_token.pvBuffer +(int)sspi_w_token[0].cbBuffer,
sspi_w_token[1].pvBuffer, sspi_w_token[1].cbBuffer);
memcpy((PUCHAR) sspi_send_token.pvBuffer
+ sspi_w_token[0].cbBuffer
+ sspi_w_token[1].cbBuffer,
sspi_w_token[2].pvBuffer, sspi_w_token[2].cbBuffer);
Reported by FlawFinder.
Line: 450
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sspi_w_token[0].cbBuffer);
memcpy((PUCHAR) sspi_send_token.pvBuffer +(int)sspi_w_token[0].cbBuffer,
sspi_w_token[1].pvBuffer, sspi_w_token[1].cbBuffer);
memcpy((PUCHAR) sspi_send_token.pvBuffer
+ sspi_w_token[0].cbBuffer
+ sspi_w_token[1].cbBuffer,
sspi_w_token[2].pvBuffer, sspi_w_token[2].cbBuffer);
s_pSecFn->FreeContextBuffer(sspi_w_token[0].pvBuffer);
Reported by FlawFinder.
Line: 466
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sspi_w_token[2].cbBuffer = 0;
us_length = htons((short)sspi_send_token.cbBuffer);
memcpy(socksreq + 2, &us_length, sizeof(short));
}
code = Curl_write_plain(data, sock, (char *)socksreq, 4, &written);
if(code || (4 != written)) {
failf(data, "Failed to send SSPI encryption request.");
Reported by FlawFinder.
tests/server/getpart.c
17 issues
Line: 47
Column: 17
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define EAT_WORD(p) while(*(p) && !ISSPACE(*(p)) && ('>' != *(p))) (p)++
#ifdef DEBUG_GETPART
#define show(x) printf x
#else
#define show(x) Curl_nop_stmt
#endif
#if defined(_MSC_VER) && defined(_DLL)
Reported by FlawFinder.
Line: 433
Column: 9
CWE codes:
120
Suggestion:
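Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Elsewhere in this report couter, cmain, csub and ptag are all shown declared as char[MAX_TAG_LEN + 1], so the copy fits as long as ptag is NUL-terminated within its own buffer; how ptag is filled is not shown here.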
if(STATE_OUTSIDE == state) {
/* outermost element (<testcase>) */
strcpy(couter, ptag);
state = STATE_OUTER;
continue;
}
else if(STATE_OUTER == state) {
/* start of a main section */
Reported by FlawFinder.
Line: 439
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
else if(STATE_OUTER == state) {
/* start of a main section */
strcpy(cmain, ptag);
state = STATE_INMAIN;
continue;
}
else if(STATE_INMAIN == state) {
/* start of a sub section */
Reported by FlawFinder.
Line: 445
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
else if(STATE_INMAIN == state) {
/* start of a sub section */
strcpy(csub, ptag);
state = STATE_INSUB;
if(!strcmp(cmain, main) && !strcmp(csub, sub)) {
/* start of wanted part */
in_wanted_part = 1;
if(strstr(patt, "base64="))
Reported by FlawFinder.
Line: 93
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!convbuf)
return CURLE_OUT_OF_MEMORY;
memcpy(convbuf, indata, insize);
*outbuf = convbuf;
return CURLE_OK;
}
/*
Reported by FlawFinder.
Line: 212
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* memcpy to support binary blobs */
memcpy(*dst_buf + *dst_len, src_buf, src_len);
*dst_len += src_len;
*(*dst_buf + *dst_len) = '\0';
return GPE_OK;
}
Reported by FlawFinder.
Line: 247
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* memcpy to support binary blobs */
memcpy(*buf, buf64, src_len);
*len = src_len;
*(*buf + src_len) = '\0';
free(buf64);
Reported by FlawFinder.
Line: 282
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *main, const char *sub, FILE *stream)
{
# define MAX_TAG_LEN 200
char couter[MAX_TAG_LEN + 1]; /* current outermost section */
char cmain[MAX_TAG_LEN + 1]; /* current main section */
char csub[MAX_TAG_LEN + 1]; /* current sub section */
char ptag[MAX_TAG_LEN + 1]; /* potential tag */
char patt[MAX_TAG_LEN + 1]; /* potential attributes */
char *buffer = NULL;
Reported by FlawFinder.
Line: 283
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
# define MAX_TAG_LEN 200
char couter[MAX_TAG_LEN + 1]; /* current outermost section */
char cmain[MAX_TAG_LEN + 1]; /* current main section */
char csub[MAX_TAG_LEN + 1]; /* current sub section */
char ptag[MAX_TAG_LEN + 1]; /* potential tag */
char patt[MAX_TAG_LEN + 1]; /* potential attributes */
char *buffer = NULL;
char *ptr;
Reported by FlawFinder.
Line: 284
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
# define MAX_TAG_LEN 200
char couter[MAX_TAG_LEN + 1]; /* current outermost section */
char cmain[MAX_TAG_LEN + 1]; /* current main section */
char csub[MAX_TAG_LEN + 1]; /* current sub section */
char ptag[MAX_TAG_LEN + 1]; /* potential tag */
char patt[MAX_TAG_LEN + 1]; /* potential attributes */
char *buffer = NULL;
char *ptr;
char *end;
Reported by FlawFinder.
lib/vquic/quiche.c
16 issues
Line: 223
Column: 17
CWE codes:
807
20
Suggestion:
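Check environment variables carefully before using them. In the excerpt below the value is only tested for presence and gates quiche_config_log_keys(), so the review question is who controls the process environment and where the resulting key log is written.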
if(result)
return result;
keylog_file = getenv("SSLKEYLOGFILE");
if(keylog_file)
quiche_config_log_keys(qs->cfg);
qs->conn = quiche_connect(conn->host.name, (const uint8_t *) qs->scid,
Reported by FlawFinder.
Line: 183
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURLcode result;
struct quicsocket *qs = &conn->hequic[sockindex];
char *keylog_file = NULL;
char ipbuf[40];
int port;
#ifdef DEBUG_QUICHE
/* initialize debug log callback only once */
static int debug_log_init = 0;
Reported by FlawFinder.
Line: 255
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* extract the used address as a string */
if(!Curl_addr2string((struct sockaddr*)addr, addrlen, ipbuf, &port)) {
char buffer[STRERROR_LEN];
failf(data, "ssrem inet_ntop() failed with errno %d: %s",
SOCKERRNO, Curl_strerror(SOCKERRNO, buffer, sizeof(buffer)));
return CURLE_BAD_FUNCTION_ARGUMENT;
}
Reported by FlawFinder.
Line: 672
Column: 29
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(!end || end == hdbuf)
goto fail;
nva[0].name = (unsigned char *)":method";
nva[0].name_len = strlen((char *)nva[0].name);
nva[0].value = (unsigned char *)hdbuf;
nva[0].value_len = (size_t)(end - hdbuf);
hdbuf = end + 1;
Reported by FlawFinder.
Line: 689
Column: 29
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(!end || end == hdbuf)
goto fail;
nva[1].name = (unsigned char *)":path";
nva[1].name_len = strlen((char *)nva[1].name);
nva[1].value = (unsigned char *)hdbuf;
nva[1].value_len = (size_t)(end - hdbuf);
nva[2].name = (unsigned char *)":scheme";
nva[2].name_len = strlen((char *)nva[2].name);
Reported by FlawFinder.
Line: 694
Column: 29
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
nva[1].value_len = (size_t)(end - hdbuf);
nva[2].name = (unsigned char *)":scheme";
nva[2].name_len = strlen((char *)nva[2].name);
if(conn->handler->flags & PROTOPT_SSL)
nva[2].value = (unsigned char *)"https";
else
nva[2].value = (unsigned char *)"http";
nva[2].value_len = strlen((char *)nva[2].value);
Reported by FlawFinder.
Line: 699
Column: 30
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
nva[2].value = (unsigned char *)"https";
else
nva[2].value = (unsigned char *)"http";
nva[2].value_len = strlen((char *)nva[2].value);
authority_idx = 0;
i = 3;
while(i < nheader) {
Reported by FlawFinder.
Line: 728
Column: 33
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(hlen == 4 && strncasecompare("host", hdbuf, 4)) {
authority_idx = i;
nva[i].name = (unsigned char *)":authority";
nva[i].name_len = strlen((char *)nva[i].name);
}
else {
nva[i].name_len = (size_t)(end - hdbuf);
/* Lower case the header name for HTTP/3 */
Curl_strntolower((char *)hdbuf, hdbuf, nva[i].name_len);
Reported by FlawFinder.
Line: 733
Column: 25
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
else {
nva[i].name_len = (size_t)(end - hdbuf);
/* Lower case the header name for HTTP/3 */
Curl_strntolower((char *)hdbuf, hdbuf, nva[i].name_len);
nva[i].name = (unsigned char *)hdbuf;
}
hdbuf = end + 1;
while(*hdbuf == ' ' || *hdbuf == '\t')
++hdbuf;
Reported by FlawFinder.
Line: 742
Column: 34
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
end = line_end;
#if 0 /* This should probably go in more or less like this */
switch(inspect_header((const char *)nva[i].name, nva[i].namelen, hdbuf,
end - hdbuf)) {
case HEADERINST_IGNORE:
/* skip header fields prohibited by HTTP/2 specification. */
--nheader;
continue;
Reported by FlawFinder.
lib/vtls/sectransp.c
16 issues
Line: 979
Column: 12
CWE codes:
190
Suggestion:
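If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). In the excerpt below the arguments come straight from strtok_r(), which returns NULL when a token is missing, so the results should also be checked for NULL before conversion; strtol() with an end-pointer and range check would cover both concerns.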
/* Parse the version: */
os_version_major = strtok_r(os_version, ".", &tok_buf);
os_version_minor = strtok_r(NULL, ".", &tok_buf);
*major = atoi(os_version_major);
*minor = atoi(os_version_minor);
free(os_version);
}
#endif /* CURL_BUILD_MAC */
Reported by FlawFinder.
Line: 980
Column: 12
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
os_version_major = strtok_r(os_version, ".", &tok_buf);
os_version_minor = strtok_r(NULL, ".", &tok_buf);
*major = atoi(os_version_major);
*minor = atoi(os_version_minor);
free(os_version);
}
#endif /* CURL_BUILD_MAC */
/* Apple provides a myriad of ways of getting information about a certificate
Reported by FlawFinder.
Line: 2194
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int fd;
ssize_t n, len = 0, cap = 512;
unsigned char buf[512], *data;
fd = open(file, 0);
if(fd < 0)
return -1;
Reported by FlawFinder.
Line: 2196
Column: 8
CWE codes:
362
ssize_t n, len = 0, cap = 512;
unsigned char buf[512], *data;
fd = open(file, 0);
if(fd < 0)
return -1;
data = malloc(cap);
if(!data) {
Reported by FlawFinder.
Line: 2227
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(data + len, buf, n);
len += n;
}
data[len] = '\0';
*out = data;
Reported by FlawFinder.
Line: 2405
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return CURLE_OUT_OF_MEMORY;
}
buflen = ca_info_blob->len;
memcpy(certbuf, ca_info_blob->data, ca_info_blob->len);
certbuf[ca_info_blob->len]='\0';
}
else if(cafile) {
if(read_cert(cafile, &certbuf, &buflen) < 0) {
failf(data, "SSL: failed to read or invalid CA certificate");
Reported by FlawFinder.
Line: 2514
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!realpubkey)
break;
memcpy(realpubkey, spkiHeader, spkiHeaderLength);
memcpy(realpubkey + spkiHeaderLength, pubkey, pubkeylen);
result = Curl_pin_peer_pubkey(data, pinnedpubkey, realpubkey,
realpubkeylen);
Reported by FlawFinder.
Line: 2515
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
memcpy(realpubkey, spkiHeader, spkiHeaderLength);
memcpy(realpubkey + spkiHeaderLength, pubkey, pubkeylen);
result = Curl_pin_peer_pubkey(data, pinnedpubkey, realpubkey,
realpubkeylen);
} while(0);
Reported by FlawFinder.
Line: 3189
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ssize_t nread;
int what;
int rc;
char buf[120];
int loop = 10; /* avoid getting stuck */
if(!backend->ssl_ctx)
return 0;
Reported by FlawFinder.
Line: 849
Column: 12
CWE codes:
120
20
for(;;) {
bytesRead = 0;
rrtn = read(sock, currData, bytesToGo);
if(rrtn <= 0) {
/* this is guesswork... */
theErr = errno;
if(rrtn == 0) { /* EOF = server hung up */
/* the framework will turn this into errSSLClosedNoNotify */
Reported by FlawFinder.
lib/tftp.c
16 issues
Line: 388
Column: 3
CWE codes:
120
Suggestion:
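Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In the excerpt below the copy follows a check that strlen(option) + *csize + 1 does not exceed state->blksize; whether that bound matches the space actually left in buf is not visible here and is the thing to confirm.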
{
if(( strlen(option) + *csize + 1) > (size_t)state->blksize)
return CURLE_TFTP_ILLEGAL;
strcpy(buf, option);
*csize += strlen(option) + 1;
return CURLE_OK;
}
static CURLcode tftp_connect_for_tx(struct tftp_state_data *state,
Reported by FlawFinder.
Line: 484
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* optional addition of TFTP options */
if(!data->set.tftp_no_options) {
char buf[64];
/* add tsize option */
if(data->set.upload && (data->state.infilesize != -1))
msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
data->state.infilesize);
else
Reported by FlawFinder.
Line: 533
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
data->conn->ip_addr->ai_addr,
data->conn->ip_addr->ai_addrlen);
if(senddata != (ssize_t)sbytes) {
char buffer[STRERROR_LEN];
failf(data, "%s", Curl_strerror(SOCKERRNO, buffer, sizeof(buffer)));
}
free(filename);
break;
Reported by FlawFinder.
Line: 585
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ssize_t sbytes;
int rblock;
struct Curl_easy *data = state->data;
char buffer[STRERROR_LEN];
switch(event) {
case TFTP_EVENT_DATA:
/* Is this the block we expect? */
Reported by FlawFinder.
Line: 709
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURLcode result = CURLE_OK;
struct SingleRequest *k = &data->req;
size_t cb; /* Bytes currently read */
char buffer[STRERROR_LEN];
switch(event) {
case TFTP_EVENT_ACK:
case TFTP_EVENT_OACK:
Reported by FlawFinder.
Line: 1036
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rc = bind(state->sockfd, (struct sockaddr *)&state->local_addr,
conn->ip_addr->ai_addrlen);
if(rc) {
char buffer[STRERROR_LEN];
failf(data, "bind() failed; %s",
Curl_strerror(SOCKERRNO, buffer, sizeof(buffer)));
return CURLE_COULDNT_CONNECT;
}
conn->bits.bound = TRUE;
Reported by FlawFinder.
Line: 1118
Column: 5
CWE codes:
120
Suggestion:
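Make sure destination can always hold the source data. (Triage note: the copy length is fromlen, which the call just above receives by address; the declared sizes of fromaddr and state->remote_addr are not shown in this excerpt, so confirm that fromlen can never exceed sizeof(state->remote_addr).)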
(struct sockaddr *)&fromaddr,
&fromlen);
if(state->remote_addrlen == 0) {
memcpy(&state->remote_addr, &fromaddr, fromlen);
state->remote_addrlen = fromlen;
}
/* Sanity check packet length */
if(state->rbytes < 4) {
Reported by FlawFinder.
Line: 1256
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(rc == -1) {
/* bail out */
int error = SOCKERRNO;
char buffer[STRERROR_LEN];
failf(data, "%s", Curl_strerror(error, buffer, sizeof(buffer)));
state->event = TFTP_EVENT_ERROR;
}
else if(rc) {
result = tftp_receive_packet(data);
Reported by FlawFinder.
Line: 305
Column: 17
CWE codes:
126
if(loc > len)
return NULL;
*value = &buf[strlen(*option) + 1];
return &buf[loc];
}
static CURLcode tftp_parse_option_ack(struct tftp_state_data *state,
Reported by FlawFinder.
Line: 386
Column: 8
CWE codes:
126
/*
 * Copy the NUL-terminated string 'option' into 'buf' and add its length,
 * terminator included, to the running total '*csize'.
 *
 * Returns CURLE_TFTP_ILLEGAL, copying nothing, when the new total would
 * exceed state->blksize; returns CURLE_OK otherwise.
 *
 * NOTE(review): the guard compares against state->blksize, not against the
 * actual size of the destination. The strcpy() below stays in bounds only if
 * 'buf' has at least blksize - *csize bytes left; presumably callers pass the
 * packet buffer advanced by *csize. Confirm this at the call sites and
 * against the buffer's allocation size.
 */
static CURLcode tftp_option_add(struct tftp_state_data *state, size_t *csize,
char *buf, const char *option)
{
/* strlen() reads up to the first NUL, so 'option' must be terminated (the
   CWE-126 finding); the +1 is the terminator that strcpy() also writes */
if(( strlen(option) + *csize + 1) > (size_t)state->blksize)
return CURLE_TFTP_ILLEGAL;
/* length was checked just above, under the buffer assumption in the header */
strcpy(buf, option);
*csize += strlen(option) + 1;
return CURLE_OK;
}
Reported by FlawFinder.
lib/socks.c
14 issues
Line: 352
Column: 11
CWE codes:
120
Suggestion:
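Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). (Triage note: the visible check limits hostnamelen to 255 bytes but does not relate it to the space left in socksreq after packetsize bytes; confirm that the buffer is large enough for the user name and the host name together.)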
/* append hostname */
hostnamelen = strlen(hostname) + 1; /* length including NUL */
if(hostnamelen <= 255)
strcpy((char *)socksreq + packetsize, hostname);
else {
failf(data, "SOCKS4: too long host name");
return CURLPX_LONG_HOSTNAME;
}
packetsize += hostnamelen;
Reported by FlawFinder.
Line: 295
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(hp) {
struct sockaddr_in *saddr_in;
char buf[64];
Curl_printable_address(hp, buf, sizeof(buf));
saddr_in = (struct sockaddr_in *)(void *)hp->ai_addr;
socksreq[4] = ((unsigned char *)&saddr_in->sin_addr.s_addr)[0];
socksreq[5] = ((unsigned char *)&saddr_in->sin_addr.s_addr)[1];
Reported by FlawFinder.
Line: 332
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return CURLPX_LONG_USER;
}
/* copy the proxy name WITH trailing zero */
memcpy(socksreq + 8, proxy_user, plen + 1);
}
/*
* Make connection
*/
Reported by FlawFinder.
Line: 512
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct connectdata *conn = data->conn;
unsigned char *socksreq = (unsigned char *)data->state.buffer;
char dest[256] = "unknown"; /* printable hostname:port */
int idx;
ssize_t actualread;
ssize_t written;
CURLcode result;
curl_socket_t sockfd = conn->sock[sockindex];
Reported by FlawFinder.
Line: 693
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
failf(data, "Excessive user name length for proxy auth");
return CURLPX_LONG_USER;
}
memcpy(socksreq + len, proxy_user, proxy_user_len);
}
len += proxy_user_len;
socksreq[len++] = (unsigned char) proxy_password_len;
if(proxy_password && proxy_password_len) {
/* the length must fit in a single byte */
Reported by FlawFinder.
Line: 703
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
failf(data, "Excessive password length for proxy auth");
return CURLPX_LONG_PASSWD;
}
memcpy(socksreq + len, proxy_password, proxy_password_len);
}
len += proxy_password_len;
sxstate(data, CONNECT_AUTH_SEND);
sx->outstanding = len;
sx->outp = socksreq;
Reported by FlawFinder.
Line: 861
Column: 7
CWE codes:
120
Suggestion:
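Make sure destination can always hold the source data. (Triage note: hostname_len is also stored in a single length byte here, so the copy is bounded and consistent with that byte only if hostname_len has been limited to 255 on every path that reaches this code; the excerpt does not show that check.)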
if(!socks5_resolve_local) {
socksreq[len++] = 3; /* ATYP: domain name = 3 */
socksreq[len++] = (char) hostname_len; /* one byte address length */
memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
len += hostname_len;
infof(data, "SOCKS5 connect to %s:%d (remotely resolved)",
hostname, remote_port);
}
/* FALLTHROUGH */
Reported by FlawFinder.
Line: 326
Column: 21
CWE codes:
126
*/
socksreq[8] = 0; /* ensure empty userid is NUL-terminated */
if(proxy_user) {
size_t plen = strlen(proxy_user);
if(plen >= (size_t)data->set.buffer_size - 8) {
failf(data, "Too long SOCKS proxy user name, can't use!");
return CURLPX_LONG_USER;
}
/* copy the proxy name WITH trailing zero */
Reported by FlawFinder.
Line: 340
Column: 9
CWE codes:
126
*/
{
size_t packetsize = 9 +
strlen((char *)socksreq + 8); /* size including NUL */
/* If SOCKS4a, set special invalid IP address 0.0.0.x */
if(protocol4a) {
size_t hostnamelen = 0;
socksreq[4] = 0;
Reported by FlawFinder.
Line: 350
Column: 23
CWE codes:
126
socksreq[6] = 0;
socksreq[7] = 1;
/* append hostname */
hostnamelen = strlen(hostname) + 1; /* length including NUL */
if(hostnamelen <= 255)
strcpy((char *)socksreq + packetsize, hostname);
else {
failf(data, "SOCKS4: too long host name");
return CURLPX_LONG_HOSTNAME;
Reported by FlawFinder.