The following issues were found
src/tool_operate.c
14 issues
Line: 162
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static curl_off_t vms_realfilesize(const char *name,
const struct_stat *stat_buf)
{
char buffer[8192];
curl_off_t count;
int ret_stat;
FILE * file;
/* !checksrc! disable FOPENMODE 1 */
Reported by FlawFinder.
Line: 168
Column: 10
CWE codes:
362
FILE * file;
/* !checksrc! disable FOPENMODE 1 */
file = fopen(name, "r"); /* VMS */
if(!file) {
return 0;
}
count = 0;
ret_stat = 1;
Reported by FlawFinder.
Line: 297
Column: 21
CWE codes:
362
case FAB$C_VAR:
case FAB$C_VFC:
case FAB$C_STMCR:
per->infd = open(per->uploadfile, O_RDONLY | O_BINARY);
break;
default:
per->infd = open(per->uploadfile, O_RDONLY | O_BINARY,
"rfm=stmlf", "ctx=stm");
}
Reported by FlawFinder.
Line: 300
Column: 21
CWE codes:
362
per->infd = open(per->uploadfile, O_RDONLY | O_BINARY);
break;
default:
per->infd = open(per->uploadfile, O_RDONLY | O_BINARY,
"rfm=stmlf", "ctx=stm");
}
}
if(per->infd == -1)
#else
Reported by FlawFinder.
Line: 306
Column: 19
CWE codes:
362
}
if(per->infd == -1)
#else
/* Triage note for the CWE-362 finding: fstat() is applied to the descriptor
   that open() just returned, not to the path, so the metadata in fileinfo
   describes the file that was actually opened. A non-zero fstat() result is
   handled on the same branch as a failed open(). */
per->infd = open(per->uploadfile, O_RDONLY | O_BINARY);
if((per->infd == -1) || fstat(per->infd, &fileinfo))
#endif
{
helpf(global->errors, "Can't open '%s'!\n", per->uploadfile);
if(per->infd != -1) {
Reported by FlawFinder.
Line: 816
Column: 23
CWE codes:
362
/* open file for output: */
if(strcmp(config->headerfile, "-")) {
FILE *newfile;
newfile = fopen(config->headerfile, per->prev == NULL?"wb":"ab");
if(!newfile) {
warnf(global, "Failed to open %s\n", config->headerfile);
result = CURLE_WRITE_ERROR;
break;
}
Reported by FlawFinder.
Line: 853
Column: 24
CWE codes:
362
char *header = NULL;
/* open file for reading: */
FILE *file = fopen(config->etag_compare_file, FOPEN_READTEXT);
if(!file && !config->etag_save_file) {
errorf(global,
"Failed to open %s\n", config->etag_compare_file);
result = CURLE_READ_ERROR;
break;
Reported by FlawFinder.
Line: 895
Column: 29
CWE codes:
362
if(config->etag_save_file) {
/* open file for output: */
if(strcmp(config->etag_save_file, "-")) {
FILE *newfile = fopen(config->etag_save_file, "wb");
if(!newfile) {
warnf(
global,
"Failed to open %s\n", config->etag_save_file);
Reported by FlawFinder.
Line: 1015
Column: 26
CWE codes:
362
#ifdef __VMS
/* open file for output, forcing VMS output format into stream
mode which is needed for stat() call above to always work. */
FILE *file = fopen(outfile, "ab",
"ctx=stm", "rfm=stmlf", "rat=cr", "mrs=0");
#else
/* open file for output: */
FILE *file = fopen(per->outfile, "ab");
#endif
Reported by FlawFinder.
Line: 1019
Column: 26
CWE codes:
362
"ctx=stm", "rfm=stmlf", "rat=cr", "mrs=0");
#else
/* open file for output: */
FILE *file = fopen(per->outfile, "ab");
#endif
if(!file) {
errorf(global, "Can't open '%s'!\n", per->outfile);
result = CURLE_WRITE_ERROR;
break;
Reported by FlawFinder.
lib/curl_addrinfo.c
14 issues
Line: 559
CWE codes:
908
/* Triage note for the CWE-908 finding: *result is read only on the
   res == 0 branch; the failure branch logs without touching it.
   Whether *result is always set when res is 0 depends on the call that
   produced res, which is outside this excerpt - confirm there. */
if(0 == res)
/* success */
curl_dbg_log("ADDR %s:%d getaddrinfo() = %p\n",
source, line, (void *)*result);
else
curl_dbg_log("ADDR %s:%d getaddrinfo() failed\n",
source, line);
return res;
}
Reported by Cppcheck.
Line: 170
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ca->ai_next = NULL;
ca->ai_addr = (void *)((char *)ca + sizeof(struct Curl_addrinfo));
memcpy(ca->ai_addr, ai->ai_addr, ss_size);
if(namelen) {
ca->ai_canonname = (void *)((char *)ca->ai_addr + ss_size);
memcpy(ca->ai_canonname, ai->ai_canonname, namelen);
}
Reported by FlawFinder.
Line: 174
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(namelen) {
ca->ai_canonname = (void *)((char *)ca->ai_addr + ss_size);
memcpy(ca->ai_canonname, ai->ai_canonname, namelen);
}
/* if the return list is empty, this becomes the first element */
if(!cafirst)
cafirst = ca;
Reported by FlawFinder.
Line: 298
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ai->ai_addr = (void *)((char *)ai + sizeof(struct Curl_addrinfo));
/* then put the name after the address */
ai->ai_canonname = (char *)ai->ai_addr + ss_size;
memcpy(ai->ai_canonname, he->h_name, namelen);
if(!firstai)
/* store the pointer we want to return from this function */
firstai = ai;
Reported by FlawFinder.
Line: 322
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case AF_INET:
addr = (void *)ai->ai_addr; /* storage area for this info */
memcpy(&addr->sin_addr, curr, sizeof(struct in_addr));
addr->sin_family = (CURL_SA_FAMILY_T)(he->h_addrtype);
addr->sin_port = htons((unsigned short)port);
break;
#ifdef ENABLE_IPV6
Reported by FlawFinder.
Line: 331
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case AF_INET6:
addr6 = (void *)ai->ai_addr; /* storage area for this info */
memcpy(&addr6->sin6_addr, curr, sizeof(struct in6_addr));
addr6->sin6_family = (CURL_SA_FAMILY_T)(he->h_addrtype);
addr6->sin6_port = htons((unsigned short)port);
break;
#endif
}
Reported by FlawFinder.
Line: 358
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct in6_addr ina6;
#endif
} addrentry;
char *h_addr_list[2];
};
/*
* Curl_ip2addr()
Reported by FlawFinder.
Line: 405
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case AF_INET:
addrsize = sizeof(struct in_addr);
addrentry = (void *)&buf->addrentry.ina4;
memcpy(addrentry, inaddr, sizeof(struct in_addr));
break;
#ifdef ENABLE_IPV6
case AF_INET6:
addrsize = sizeof(struct in6_addr);
addrentry = (void *)&buf->addrentry.ina6;
Reported by FlawFinder.
Line: 411
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case AF_INET6:
addrsize = sizeof(struct in6_addr);
addrentry = (void *)&buf->addrentry.ina6;
memcpy(addrentry, inaddr, sizeof(struct in6_addr));
break;
#endif
default:
free(hoststr);
free(buf);
Reported by FlawFinder.
Line: 502
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* An abstract Unix domain socket has a NUL prefix instead of a NUL suffix */
/* NOTE(review): neither copy is bounded against sizeof(sa_un->sun_path) in
   these lines, so the check on path_len has to happen earlier in the
   function - not shown in this excerpt, confirm. The abstract branch also
   computes path_len - 1, which requires path_len to be non-zero whenever
   that branch is taken. */
if(abstract)
memcpy(sa_un->sun_path + 1, path, path_len - 1);
else
memcpy(sa_un->sun_path, path, path_len); /* copy NUL byte */
return ai;
}
Reported by FlawFinder.
lib/socks.c
14 issues
Line: 352
Column: 11
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* append hostname */
/* NOTE(review): the 255 limit below bounds the host name on its own. The
   copy lands at socksreq + packetsize, so what matters for memory safety is
   that packetsize + hostnamelen stays within the socksreq buffer; these
   lines do not establish that. Confirm it against the buffer's size and
   the limit applied to the user name that precedes the host name. */
hostnamelen = strlen(hostname) + 1; /* length including NUL */
if(hostnamelen <= 255)
strcpy((char *)socksreq + packetsize, hostname);
else {
failf(data, "SOCKS4: too long host name");
return CURLPX_LONG_HOSTNAME;
}
packetsize += hostnamelen;
Reported by FlawFinder.
Line: 295
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(hp) {
struct sockaddr_in *saddr_in;
char buf[64];
Curl_printable_address(hp, buf, sizeof(buf));
saddr_in = (struct sockaddr_in *)(void *)hp->ai_addr;
socksreq[4] = ((unsigned char *)&saddr_in->sin_addr.s_addr)[0];
socksreq[5] = ((unsigned char *)&saddr_in->sin_addr.s_addr)[1];
Reported by FlawFinder.
Line: 332
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return CURLPX_LONG_USER;
}
/* copy the proxy name WITH trailing zero */
memcpy(socksreq + 8, proxy_user, plen + 1);
}
/*
* Make connection
*/
Reported by FlawFinder.
Line: 512
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct connectdata *conn = data->conn;
unsigned char *socksreq = (unsigned char *)data->state.buffer;
char dest[256] = "unknown"; /* printable hostname:port */
int idx;
ssize_t actualread;
ssize_t written;
CURLcode result;
curl_socket_t sockfd = conn->sock[sockindex];
Reported by FlawFinder.
Line: 693
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
failf(data, "Excessive user name length for proxy auth");
return CURLPX_LONG_USER;
}
memcpy(socksreq + len, proxy_user, proxy_user_len);
}
len += proxy_user_len;
socksreq[len++] = (unsigned char) proxy_password_len;
if(proxy_password && proxy_password_len) {
/* the length must fit in a single byte */
Reported by FlawFinder.
Line: 703
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
failf(data, "Excessive password length for proxy auth");
return CURLPX_LONG_PASSWD;
}
memcpy(socksreq + len, proxy_password, proxy_password_len);
}
len += proxy_password_len;
sxstate(data, CONNECT_AUTH_SEND);
sx->outstanding = len;
sx->outp = socksreq;
Reported by FlawFinder.
Line: 861
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!socks5_resolve_local) {
/* NOTE(review): the length byte written below is hostname_len narrowed to
   a single char, while memcpy() copies the full hostname_len. The two agree
   only if hostname_len <= 255 on every path that reaches this point. That
   guard, and the room left in socksreq after len, are not visible in this
   excerpt - confirm both, including for re-entry of the state machine. */
socksreq[len++] = 3; /* ATYP: domain name = 3 */
socksreq[len++] = (char) hostname_len; /* one byte address length */
memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
len += hostname_len;
infof(data, "SOCKS5 connect to %s:%d (remotely resolved)",
hostname, remote_port);
}
/* FALLTHROUGH */
Reported by FlawFinder.
Line: 326
Column: 21
CWE codes:
126
*/
socksreq[8] = 0; /* ensure empty userid is NUL-terminated */
if(proxy_user) {
size_t plen = strlen(proxy_user);
/* Rejects a user name that, together with its NUL, would not fit behind
   the 8 bytes that precede the user id in socksreq. The bound is the whole
   buffer_size: it reserves no space for anything appended after the user
   name, so later appends need their own check against the remaining
   room. */
if(plen >= (size_t)data->set.buffer_size - 8) {
failf(data, "Too long SOCKS proxy user name, can't use!");
return CURLPX_LONG_USER;
}
/* copy the proxy name WITH trailing zero */
Reported by FlawFinder.
Line: 340
Column: 9
CWE codes:
126
*/
{
size_t packetsize = 9 +
strlen((char *)socksreq + 8); /* size including NUL */
/* If SOCKS4a, set special invalid IP address 0.0.0.x */
if(protocol4a) {
size_t hostnamelen = 0;
socksreq[4] = 0;
Reported by FlawFinder.
Line: 350
Column: 23
CWE codes:
126
socksreq[6] = 0;
socksreq[7] = 1;
/* append hostname */
hostnamelen = strlen(hostname) + 1; /* length including NUL */
if(hostnamelen <= 255)
strcpy((char *)socksreq + packetsize, hostname);
else {
failf(data, "SOCKS4: too long host name");
return CURLPX_LONG_HOSTNAME;
Reported by FlawFinder.
lib/vssh/libssh.c
14 issues
Line: 357
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) {
int i;
/* 33 bytes = 32 hex digits for a 16-byte digest plus the terminating NUL.
   The hlen != 16 test below rejects any other digest length before the
   buffer is filled (the conversion loop itself is not in this excerpt). */
char md5buffer[33];
const char *pubkey_md5 = data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5];
/* NOTE(review): this pins the host key by its MD5 fingerprint. MD5 is not
   collision resistant, so treat this check as a legacy option. */
rc = ssh_get_publickey_hash(pubkey, SSH_PUBLICKEY_HASH_MD5,
&hash, &hlen);
if(rc != SSH_OK || hlen != 16) {
Reported by FlawFinder.
Line: 1469
Column: 11
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(sshc->readdir_line, sshc->readdir_longentry,
sshc->readdir_currLen);
if((sshc->readdir_attrs->flags & SSH_FILEXFER_ATTR_PERMISSIONS) &&
((sshc->readdir_attrs->permissions & S_IFMT) ==
S_IFLNK)) {
sshc->readdir_linkPath = aprintf("%s%s", protop->path,
Reported by FlawFinder.
Line: 404
Column: 22
CWE codes:
126
goto cleanup;
}
knownkey.key = known_base64;
knownkey.len = strlen(known_base64);
switch(ssh_key_type(knownhostsentry->publickey)) {
case SSH_KEYTYPE_RSA:
knownkey.keytype = CURLKHTYPE_RSA;
break;
Reported by FlawFinder.
Line: 474
Column: 20
CWE codes:
126
goto cleanup;
foundkey.key = found_base64;
foundkey.len = strlen(found_base64);
switch(ssh_key_type(pubkey)) {
case SSH_KEYTYPE_RSA:
foundkey.keytype = CURLKHTYPE_RSA;
break;
Reported by FlawFinder.
Line: 1166
Column: 67
CWE codes:
126
break;
}
result = Curl_client_write(data, CLIENTWRITE_HEADER, tmp, strlen(tmp));
free(tmp);
if(result) {
state(data, SSH_SFTP_CLOSE);
sshc->nextstate = SSH_NO_STATE;
sshc->actualcode = result;
Reported by FlawFinder.
Line: 1205
Column: 25
CWE codes:
126
/* Uploads go to the upload state; otherwise a trailing '/' on the path
   selects a directory listing and anything else a download. */
if(data->set.upload)
state(data, SSH_SFTP_UPLOAD_INIT);
else {
/* NOTE(review): strlen(protop->path)-1 wraps if path is the empty string,
   which would index far outside the buffer. These lines do not show a
   guarantee that path is non-empty here - confirm at the point where
   protop->path is built. */
if(protop->path[strlen(protop->path)-1] == '/')
state(data, SSH_SFTP_READDIR_INIT);
else
state(data, SSH_SFTP_DOWNLOAD_INIT);
}
break;
Reported by FlawFinder.
Line: 1259
Column: 15
CWE codes:
126
if(((err == SSH_FX_NO_SUCH_FILE || err == SSH_FX_FAILURE ||
err == SSH_FX_NO_SUCH_PATH)) &&
(data->set.ftp_create_missing_dirs &&
(strlen(protop->path) > 1))) {
/* try to create the path remotely */
rc = 0;
sshc->secondCreateDirs = 1;
state(data, SSH_SFTP_CREATE_DIRS_INIT);
break;
Reported by FlawFinder.
Line: 1356
Column: 10
CWE codes:
126
}
case SSH_SFTP_CREATE_DIRS_INIT:
if(strlen(protop->path) > 1) {
sshc->slash_pos = protop->path + 1; /* ignore the leading '/' */
state(data, SSH_SFTP_CREATE_DIRS);
}
else {
state(data, SSH_SFTP_UPLOAD_INIT);
Reported by FlawFinder.
Line: 1432
Column: 29
CWE codes:
126
if(sshc->readdir_attrs) {
sshc->readdir_filename = sshc->readdir_attrs->name;
sshc->readdir_longentry = sshc->readdir_attrs->longname;
sshc->readdir_len = strlen(sshc->readdir_filename);
if(data->set.list_only) {
char *tmpLine;
tmpLine = aprintf("%s\n", sshc->readdir_filename);
Reported by FlawFinder.
Line: 1460
Column: 35
CWE codes:
126
sshc->readdir_len);
}
else {
/* The line buffer is allocated 80 bytes larger than the long entry and
   zero-filled by calloc(), so copying readdir_currLen bytes into it fits
   and leaves the result NUL-terminated.
   NOTE(review): readdir_longentry comes from the server's directory reply
   (assigned from readdir_attrs->longname elsewhere on this page); the
   80 + length addition is unchecked, so any upper bound on that length has
   to come from the SFTP layer - confirm. */
sshc->readdir_currLen = strlen(sshc->readdir_longentry);
sshc->readdir_totalLen = 80 + sshc->readdir_currLen;
sshc->readdir_line = calloc(sshc->readdir_totalLen, 1);
if(!sshc->readdir_line) {
state(data, SSH_SFTP_CLOSE);
sshc->actualcode = CURLE_OUT_OF_MEMORY;
Reported by FlawFinder.
lib/altsvc.c
14 issues
Line: 423
Column: 19
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
return */
static time_t debugtime(void *unused)
{
/* When CURL_TIME is set in the environment, its decimal value is returned
   as the time. */
char *timestr = getenv("CURL_TIME");
(void)unused;
if(timestr) {
/* NOTE(review): strtol() returns a signed long that is stored in an
   unsigned long, and neither an end pointer nor errno is checked, so a
   negative, out-of-range or non-numeric value is accepted silently. The
   function name suggests a debug/test hook; confirm it is not compiled
   into release builds, since it lets the environment override the clock
   used by the caller. */
unsigned long val = strtol(timestr, NULL, 10);
return (time_t)val;
}
Reported by FlawFinder.
Line: 145
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Example line:
h2 example.com 443 h3 shiny.example.com 8443 "20191231 10:00:00" 1
*/
char srchost[MAX_ALTSVC_HOSTLEN + 1];
char dsthost[MAX_ALTSVC_HOSTLEN + 1];
char srcalpn[MAX_ALTSVC_ALPNLEN + 1];
char dstalpn[MAX_ALTSVC_ALPNLEN + 1];
char date[MAX_ALTSVC_DATELEN + 1];
unsigned int srcport;
Reported by FlawFinder.
Line: 146
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
h2 example.com 443 h3 shiny.example.com 8443 "20191231 10:00:00" 1
*/
char srchost[MAX_ALTSVC_HOSTLEN + 1];
char dsthost[MAX_ALTSVC_HOSTLEN + 1];
char srcalpn[MAX_ALTSVC_ALPNLEN + 1];
char dstalpn[MAX_ALTSVC_ALPNLEN + 1];
char date[MAX_ALTSVC_DATELEN + 1];
unsigned int srcport;
unsigned int dstport;
Reported by FlawFinder.
Line: 147
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
char srchost[MAX_ALTSVC_HOSTLEN + 1];
char dsthost[MAX_ALTSVC_HOSTLEN + 1];
char srcalpn[MAX_ALTSVC_ALPNLEN + 1];
char dstalpn[MAX_ALTSVC_ALPNLEN + 1];
char date[MAX_ALTSVC_DATELEN + 1];
unsigned int srcport;
unsigned int dstport;
unsigned int prio;
Reported by FlawFinder.
Line: 148
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char srchost[MAX_ALTSVC_HOSTLEN + 1];
char dsthost[MAX_ALTSVC_HOSTLEN + 1];
char srcalpn[MAX_ALTSVC_ALPNLEN + 1];
char dstalpn[MAX_ALTSVC_ALPNLEN + 1];
char date[MAX_ALTSVC_DATELEN + 1];
unsigned int srcport;
unsigned int dstport;
unsigned int prio;
unsigned int persist;
Reported by FlawFinder.
Line: 149
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char dsthost[MAX_ALTSVC_HOSTLEN + 1];
char srcalpn[MAX_ALTSVC_ALPNLEN + 1];
char dstalpn[MAX_ALTSVC_ALPNLEN + 1];
char date[MAX_ALTSVC_DATELEN + 1];
unsigned int srcport;
unsigned int dstport;
unsigned int prio;
unsigned int persist;
int rc;
Reported by FlawFinder.
Line: 200
Column: 8
CWE codes:
362
if(!asi->filename)
return CURLE_OUT_OF_MEMORY;
fp = fopen(file, FOPEN_READTEXT);
if(fp) {
line = malloc(MAX_ALTSVC_LINE);
if(!line)
goto fail;
while(Curl_get_line(line, MAX_ALTSVC_LINE, fp)) {
Reported by FlawFinder.
Line: 333
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURLcode result = CURLE_OK;
FILE *out;
char *tempstore;
unsigned char randsuffix[9];
if(!altsvc)
/* no cache activated */
return CURLE_OK;
Reported by FlawFinder.
Line: 354
Column: 9
CWE codes:
362
if(!tempstore)
return CURLE_OUT_OF_MEMORY;
/* NOTE(review), CWE-362: fopen() does not create the file exclusively and
   follows an existing symlink at that name. The safety of this write rests
   on tempstore being unpredictable and on the permissions of the directory
   it lives in; how tempstore is built is not shown in this excerpt -
   confirm. The mode behind FOPEN_WRITETEXT is defined elsewhere. */
out = fopen(tempstore, FOPEN_WRITETEXT);
if(!out)
result = CURLE_WRITE_ERROR;
else {
fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n"
"# This file was generated by libcurl! Edit at your own risk.\n",
Reported by FlawFinder.
Line: 394
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Triage note for the CWE-120 finding: len is accepted only when
   0 < len < buflen, so both the copy of len bytes and the terminator written
   at index len stay inside alpnbuf - provided buflen is the real capacity of
   alpnbuf, which is up to the caller (not shown). */
if(!len || (len >= buflen))
return CURLE_BAD_FUNCTION_ARGUMENT;
memcpy(alpnbuf, protop, len);
alpnbuf[len] = 0;
return CURLE_OK;
}
/* altsvc_flush() removes all alternatives for this source origin from the
Reported by FlawFinder.
lib/vtls/schannel_verify.c
14 issues
Line: 156
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
NULL,
NULL,
(const void **)&cert_context)) {
/* Triage note for the CWE-119/120 finding: the finding is raised on the
   fixed-size declaration alone. The buffer is handed to
   Curl_winapi_strerror() together with sizeof(buffer), so the callee
   receives the true capacity; whether it honours that size is decided in
   its own implementation, not here. */
char buffer[STRERROR_LEN];
failf(data,
"schannel: failed to extract certificate from CA file "
"'%s': %s",
ca_file_text,
Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
Reported by FlawFinder.
Line: 185
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
NULL);
CertFreeCertificateContext(cert_context);
if(!add_cert_result) {
char buffer[STRERROR_LEN];
failf(data,
"schannel: failed to add certificate from CA file '%s' "
"to certificate store: %s",
ca_file_text,
Curl_winapi_strerror(GetLastError(), buffer,
Reported by FlawFinder.
Line: 233
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ca_file_tstr = curlx_convert_UTF8_to_tchar((char *)ca_file);
if(!ca_file_tstr) {
char buffer[STRERROR_LEN];
failf(data,
"schannel: invalid path name for CA file '%s': %s",
ca_file,
Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
Reported by FlawFinder.
Line: 255
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
FILE_ATTRIBUTE_NORMAL,
NULL);
if(ca_file_handle == INVALID_HANDLE_VALUE) {
char buffer[STRERROR_LEN];
failf(data,
"schannel: failed to open CA file '%s': %s",
ca_file,
Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
Reported by FlawFinder.
Line: 265
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
if(!GetFileSizeEx(ca_file_handle, &file_size)) {
char buffer[STRERROR_LEN];
failf(data,
"schannel: failed to determine size of CA file '%s': %s",
ca_file,
Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
Reported by FlawFinder.
Line: 296
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
bytes_to_read, &bytes_read, NULL)) {
char buffer[STRERROR_LEN];
failf(data,
"schannel: failed to read from CA file '%s': %s",
ca_file,
Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
Reported by FlawFinder.
Line: 586
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
&pCertContextServer);
if((sspi_status != SEC_E_OK) || !pCertContextServer) {
char buffer[STRERROR_LEN];
failf(data, "schannel: Failed to read remote certificate context: %s",
Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
result = CURLE_PEER_FAILED_VERIFICATION;
}
Reported by FlawFinder.
Line: 613
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CERT_STORE_CREATE_NEW_FLAG,
NULL);
if(!trust_store) {
char buffer[STRERROR_LEN];
failf(data, "schannel: failed to create certificate store: %s",
Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
}
else {
Reported by FlawFinder.
Line: 652
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CertCreateCertificateChainEngine(
(CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
if(!create_engine_result) {
char buffer[STRERROR_LEN];
failf(data,
"schannel: failed to create certificate chain engine: %s",
Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
}
Reported by FlawFinder.
Line: 676
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CERT_CHAIN_REVOCATION_CHECK_CHAIN),
NULL,
&pChainContext)) {
char buffer[STRERROR_LEN];
failf(data, "schannel: CertGetCertificateChain failed: %s",
Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
pChainContext = NULL;
result = CURLE_PEER_FAILED_VERIFICATION;
}
Reported by FlawFinder.
lib/strerror.c
13 issues
Line: 661
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
get_winapi_error(int err, char *buf, size_t buflen)
{
char *p;
wchar_t wbuf[256];
if(!buflen)
return NULL;
*buf = '\0';
Reported by FlawFinder.
Line: 768
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* so we must copy that string unconditionally (if non-NULL).
*/
{
char buffer[256];
char *msg = strerror_r(err, buffer, sizeof(buffer));
if(msg)
strncpy(buf, msg, max);
else
msnprintf(buf, max, "Unknown error %d", err);
Reported by FlawFinder.
Line: 781
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* The buffer size should be at least NAME_MAX (256)
*/
{
char buffer[256];
if(OK == strerror_r(err, buffer))
strncpy(buf, buffer, max);
else
msnprintf(buf, max, "Unknown error %d", err);
}
Reported by FlawFinder.
Line: 978
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
err);
}
else {
char txtbuf[80];
char msgbuf[256];
msnprintf(txtbuf, sizeof(txtbuf), "%s (0x%08X)", txt, err);
if(get_winapi_error(err, msgbuf, sizeof(msgbuf)))
Reported by FlawFinder.
Line: 979
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
else {
char txtbuf[80];
char msgbuf[256];
msnprintf(txtbuf, sizeof(txtbuf), "%s (0x%08X)", txt, err);
if(get_winapi_error(err, msgbuf, sizeof(msgbuf)))
msnprintf(buf, buflen, "%s - %s", txtbuf, msgbuf);
Reported by FlawFinder.
Line: 645
Column: 3
CWE codes:
120
default:
return NULL;
}
/* strncpy() leaves buf unterminated when p holds len or more characters;
   the next line forces the terminator into the last byte.
   NOTE(review): buf[len-1] is only valid for len > 0 - confirm the
   zero-length guard earlier in this function (not shown here). */
strncpy(buf, p, len);
buf [len-1] = '\0';
return buf;
#endif
}
#endif /* USE_WINSOCK */
Reported by FlawFinder.
Line: 738
Column: 5
CWE codes:
120
#if defined(WIN32)
/* 'sys_nerr' is the maximum errno number, it is not widely portable */
if(err >= 0 && err < sys_nerr)
strncpy(buf, strerror(err), max);
else
#endif
{
if(
#ifdef USE_WINSOCK
Reported by FlawFinder.
Line: 771
Column: 7
CWE codes:
120
char buffer[256];
char *msg = strerror_r(err, buffer, sizeof(buffer));
if(msg)
strncpy(buf, msg, max);
else
msnprintf(buf, max, "Unknown error %d", err);
}
#elif defined(HAVE_STRERROR_R) && defined(HAVE_VXWORKS_STRERROR_R)
/*
Reported by FlawFinder.
Line: 783
Column: 7
CWE codes:
120
{
char buffer[256];
if(OK == strerror_r(err, buffer))
strncpy(buf, buffer, max);
else
msnprintf(buf, max, "Unknown error %d", err);
}
#else
{
Reported by FlawFinder.
Line: 791
Column: 7
CWE codes:
120
{
/* Fallback path: plain strerror(), with a formatted placeholder when it
   returns NULL. */
const char *msg = strerror(err);
if(msg)
/* NOTE(review): strncpy() writes no terminator when msg has max or more
   characters. Nothing in this block terminates buf, so that must be done
   by the surrounding code (e.g. max being one less than the buffer size
   and a final buf[max] = '\0') - not shown, confirm. */
strncpy(buf, msg, max);
else
msnprintf(buf, max, "Unknown error %d", err);
}
#endif
Reported by FlawFinder.
src/tool_setopt.c
13 issues
Line: 258
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Triage note for the CWE-120 findings in this loop: every strcpy() source
   is a two-character literal, so each call writes exactly three bytes (two
   characters plus NUL) and e then advances by two, leaving the NUL to be
   overwritten by the next write. The writes are fixed-size; what has to
   hold is that the buffer behind e was sized for the worst-case expansion
   of len input bytes - that allocation is not shown in this excerpt,
   confirm it there. */
for(s = str; len; s++, len--) {
c = *s;
if(c == '\n') {
strcpy(e, "\\n");
e += 2;
}
else if(c == '\r') {
strcpy(e, "\\r");
e += 2;
Reported by FlawFinder.
Line: 262
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
e += 2;
}
else if(c == '\r') {
strcpy(e, "\\r");
e += 2;
}
else if(c == '\t') {
strcpy(e, "\\t");
e += 2;
Reported by FlawFinder.
Line: 266
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
e += 2;
}
else if(c == '\t') {
strcpy(e, "\\t");
e += 2;
}
else if(c == '\\') {
strcpy(e, "\\\\");
e += 2;
Reported by FlawFinder.
Line: 270
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
e += 2;
}
else if(c == '\\') {
strcpy(e, "\\\\");
e += 2;
}
else if(c == '"') {
strcpy(e, "\\\"");
e += 2;
Reported by FlawFinder.
Line: 274
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
e += 2;
}
else if(c == '"') {
strcpy(e, "\\\"");
e += 2;
}
else if(!isprint(c)) {
msnprintf(e, 5, "\\x%02x", (unsigned)c);
e += 4;
Reported by FlawFinder.
Line: 342
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(config->libcurl && !skip && !ret) {
/* we only use this for real if --libcurl was used */
char preamble[80]; /* should accommodate any symbol name */
long rest = lval; /* bits not handled yet */
const struct NameValue *nv = NULL;
msnprintf(preamble, sizeof(preamble),
"curl_easy_setopt(hnd, %s, ", name);
for(nv = nvlist; nv->name; nv++) {
Reported by FlawFinder.
Line: 385
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(config->libcurl && !skip && !ret) {
/* we only use this for real if --libcurl was used */
char preamble[80];
unsigned long rest = (unsigned long)lval;
const struct NameValueUnsigned *nv = NULL;
msnprintf(preamble, sizeof(preamble),
"curl_easy_setopt(hnd, %s, ", name);
for(nv = nvlist; nv->name; nv++) {
Reported by FlawFinder.
Line: 489
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Triage note for the CWE-120 finding: the allocation and the copy both use
   size + 1, so the write cannot exceed the destination.
   NOTE(review): the read side assumes part->data has size + 1 readable
   bytes (presumably a trailing NUL), and size + 1 would wrap if size were
   the maximum value of its type - confirm both against where part->data
   and size are set. */
char *cp = malloc(size + 1);
NULL_CHECK(cp);
memcpy(cp, part->data, size + 1);
ret = convert_to_network(cp, size);
data = cp;
}
#else
data = part->data;
Reported by FlawFinder.
Line: 652
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *name, CURLoption tag, ...)
{
va_list arg;
char buf[256];
const char *value = NULL;
bool remark = FALSE;
bool skip = FALSE;
bool escape = FALSE;
char *escaped = NULL;
Reported by FlawFinder.
Line: 241
Column: 11
CWE codes:
126
unsigned int cutoff = 0;
if(len == ZERO_TERMINATED)
len = strlen(str);
if(len > MAX_STRING_LENGTH_OUTPUT) {
/* cap ridiculously long strings */
len = MAX_STRING_LENGTH_OUTPUT;
cutoff = 3;
Reported by FlawFinder.
lib/vtls/wolfssl.c
12 issues
Line: 452
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Triage note for the CWE-120 findings: ALPN_H2 is concatenated with a
   string literal, so it is itself a literal, and ALPN_HTTP_1_1 is
   presumably one as well. The total written into protocols is therefore
   fixed at build time and not influenced by the peer. Check that total
   against the declared size of protocols (declaration not in this
   excerpt). */
#ifdef USE_HTTP2
if(data->state.httpwant >= CURL_HTTP_VERSION_2) {
strcpy(protocols + strlen(protocols), ALPN_H2 ",");
infof(data, "ALPN, offering %s", ALPN_H2);
}
#endif
strcpy(protocols + strlen(protocols), ALPN_HTTP_1_1);
Reported by FlawFinder.
Line: 457
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
#endif
strcpy(protocols + strlen(protocols), ALPN_HTTP_1_1);
infof(data, "ALPN, offering %s", ALPN_HTTP_1_1);
if(wolfSSL_UseALPN(backend->handle, protocols,
(unsigned)strlen(protocols),
WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) != SSL_SUCCESS) {
Reported by FlawFinder.
Line: 109
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int secretSz, void *ctx)
{
const char *label;
unsigned char client_random[SSL3_RANDOM_SIZE];
(void)ctx;
if(!ssl || !Curl_tls_keylog_enabled()) {
return 0;
}
Reported by FlawFinder.
Line: 444
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef HAVE_ALPN
if(conn->bits.tls_enable_alpn) {
char protocols[128];
*protocols = '\0';
/* wolfSSL's ALPN protocol name list format is a comma separated string of
protocols in descending order of preference, eg: "h2,http/1.1" */
Reported by FlawFinder.
Line: 565
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif /* OPENSSL_EXTRA */
if(ret != 1) {
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
int detail = SSL_get_error(backend->handle, ret);
if(SSL_ERROR_WANT_READ == detail) {
connssl->connecting_state = ssl_connect_2_reading;
return CURLE_OK;
Reported by FlawFinder.
Line: 776
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
int memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
int rc = SSL_write(backend->handle, mem, memlen);
if(rc <= 0) {
int err = SSL_get_error(backend->handle, rc);
Reported by FlawFinder.
Line: 809
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
(void) data;
if(backend->handle) {
char buf[32];
/* Maybe the server has already sent a close notify alert.
Read it to avoid an RST on the TCP connection. */
(void)SSL_read(backend->handle, buf, (int)sizeof(buf));
(void)SSL_shutdown(backend->handle);
SSL_free(backend->handle);
Reported by FlawFinder.
Line: 832
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[num];
struct ssl_backend_data *backend = connssl->backend;
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
int buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
int nread = SSL_read(backend->handle, buf, buffsize);
if(nread < 0) {
int err = SSL_get_error(backend->handle, nread);
Reported by FlawFinder.
Line: 400
Column: 27
CWE codes:
126
struct in6_addr addr6;
#endif
const char * const hostname = SSL_HOST_NAME();
size_t hostname_len = strlen(hostname);
if((hostname_len < USHRT_MAX) &&
(0 == Curl_inet_pton(AF_INET, hostname, &addr4)) &&
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, hostname, &addr6)) &&
#endif
Reported by FlawFinder.
Line: 452
Column: 26
CWE codes:
126
#ifdef USE_HTTP2
if(data->state.httpwant >= CURL_HTTP_VERSION_2) {
strcpy(protocols + strlen(protocols), ALPN_H2 ",");
infof(data, "ALPN, offering %s", ALPN_H2);
}
#endif
strcpy(protocols + strlen(protocols), ALPN_HTTP_1_1);
Reported by FlawFinder.
lib/vtls/gtls.c
12 issues
Line: 594
Column: 5
CWE codes:
120
Suggestion:
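Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In the excerpt below the destination is allocated as len + sizeof(GNUTLS_SRP) + 1 bytes immediately before the two strcpy calls, which is exactly the space needed for prioritylist followed by ":" GNUTLS_SRP and the terminating NUL, provided len is the length of prioritylist. The excerpt does not show where len is computed, so that is the point to confirm when triaging this finding and the one reported for the next line.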
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
if(!prioritysrp)
return CURLE_OUT_OF_MEMORY;
strcpy(prioritysrp, prioritylist);
strcpy(prioritysrp + len, ":" GNUTLS_SRP);
rc = gnutls_priority_set_direct(session, prioritysrp, &err);
free(prioritysrp);
if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
Reported by FlawFinder.
Line: 595
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if(!prioritysrp)
return CURLE_OUT_OF_MEMORY;
strcpy(prioritysrp, prioritylist);
strcpy(prioritysrp + len, ":" GNUTLS_SRP);
rc = gnutls_priority_set_direct(session, prioritysrp, &err);
free(prioritysrp);
if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
infof(data, "This GnuTLS does not support SRP");
Reported by FlawFinder.
Line: 143
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tm buffer;
const struct tm *tm = &buffer;
char str[96];
CURLcode result = Curl_gmtime(stamp, &buffer);
if(result)
return;
msnprintf(str,
Reported by FlawFinder.
Line: 170
Column: 7
CWE codes:
362
long filelen;
void *ptr;
f = fopen(file, "rb");
if(!f)
return loaded_file;
if(fseek(f, 0, SEEK_END) != 0
|| (filelen = ftell(f)) < 0
|| fseek(f, 0, SEEK_SET) != 0
Reported by FlawFinder.
Line: 823
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
gnutls_x509_crt_t x509_cert, x509_issuer;
gnutls_datum_t issuerp;
gnutls_datum_t certfields;
char certname[65] = ""; /* limited to 64 chars by ASN.1 */
size_t size;
time_t certclock;
const char *ptr;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
Reported by FlawFinder.
Line: 888
Column: 32
CWE codes:
119
120
Suggestion:
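Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. No fixed-size array is declared in the excerpt below; the flagged position most likely corresponds to the char in the cast (const char *) chainp[i].data followed by array indexing, which would make this a pattern-match false positive. What matters for review is that Curl_extract_certinfo stays within the beg..end range derived from chainp[i].size, and the excerpt does not show that function.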
return result;
for(i = 0; i < cert_list_size; i++) {
const char *beg = (const char *) chainp[i].data;
const char *end = beg + chainp[i].size;
result = Curl_extract_certinfo(data, i, beg, end);
if(result)
return result;
Reported by FlawFinder.
Line: 1086
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#else
#define use_addr in_addr
#endif
unsigned char addrbuf[sizeof(struct use_addr)];
size_t addrlen = 0;
if(Curl_inet_pton(AF_INET, hostname, addrbuf) > 0)
addrlen = 4;
#ifdef ENABLE_IPV6
Reported by FlawFinder.
Line: 1097
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
if(addrlen) {
unsigned char certaddr[sizeof(struct use_addr)];
int i;
for(i = 0; ; i++) {
size_t certaddrlen = sizeof(certaddr);
int ret = gnutls_x509_crt_get_subject_alt_name(x509_cert, i, certaddr,
Reported by FlawFinder.
Line: 1436
Column: 5
CWE codes:
119
120
Suggestion:
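Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In the excerpt below the only visible use of buf is the gnutls_record_recv call, which is given sizeof(buf) as the length, so that receive is limited to the 32-byte array.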
{
struct ssl_backend_data *backend = connssl->backend;
if(backend->session) {
char buf[32];
/* Maybe the server has already sent a close notify alert.
Read it to avoid an RST on the TCP connection. */
(void)gnutls_record_recv(backend->session, buf, sizeof(buf));
gnutls_bye(backend->session, GNUTLS_SHUT_WR);
gnutls_deinit(backend->session);
Reported by FlawFinder.
Line: 1490
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(backend->session) {
ssize_t result;
bool done = FALSE;
char buf[120];
while(!done) {
int what = SOCKET_READABLE(conn->sock[sockindex],
SSL_SHUTDOWN_TIMEOUT);
if(what > 0) {
Reported by FlawFinder.