The following issues were found
lib/vtls/bearssl.c
12 issues
Line: 49
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ssl_backend_data {
br_ssl_client_context ctx;
struct x509_context x509;
unsigned char buf[BR_SSL_BUFSIZE_BIDI];
br_x509_trust_anchor *anchors;
size_t anchors_len;
const char *protocols[2];
/* SSL client context is active */
bool active;
Reported by FlawFinder.
Line: 52
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char buf[BR_SSL_BUFSIZE_BIDI];
br_x509_trust_anchor *anchors;
size_t anchors_len;
const char *protocols[2];
/* SSL client context is active */
bool active;
/* size of pending write, yet to be flushed */
size_t pending_write;
};
Reported by FlawFinder.
Line: 67
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
br_x509_trust_anchor *anchors;
size_t anchors_len;
/* buffer for DN data */
unsigned char dn[1024];
size_t dn_len;
};
#define CAFILE_SOURCE_PATH 1
#define CAFILE_SOURCE_BLOB 2
Reported by FlawFinder.
Line: 89
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ca->err = CURLE_FAILED_INIT;
return;
}
memcpy(ca->dn + ca->dn_len, buf, len);
ca->dn_len += len;
}
static void x509_push(void *ctx, const void *buf, size_t len)
{
Reported by FlawFinder.
Line: 113
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t new_anchors_len;
br_x509_pkey *pkey;
FILE *fp = 0;
unsigned char buf[BUFSIZ];
const unsigned char *p;
const char *name;
size_t n, i, pushed;
DEBUGASSERT(source->type == CAFILE_SOURCE_PATH
Reported by FlawFinder.
Line: 122
Column: 10
CWE codes:
362
|| source->type == CAFILE_SOURCE_BLOB);
if(source->type == CAFILE_SOURCE_PATH) {
fp = fopen(source->data, "rb");
if(!fp)
return CURLE_SSL_CACERT_BADFILE;
}
if(source->type == CAFILE_SOURCE_BLOB && source->len > (size_t)INT_MAX)
Reported by FlawFinder.
Line: 218
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ca.err = CURLE_OUT_OF_MEMORY;
goto fail;
}
memcpy(ta->dn.data, ca.dn, ca.dn_len);
ta->dn.len = ca.dn_len;
switch(pkey->key_type) {
case BR_KEYTYPE_RSA:
ta->pkey.key.rsa.n = ta->dn.data + ta->dn.len;
memcpy(ta->pkey.key.rsa.n, pkey->key.rsa.n, pkey->key.rsa.nlen);
Reported by FlawFinder.
Line: 223
Column: 11
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch(pkey->key_type) {
case BR_KEYTYPE_RSA:
ta->pkey.key.rsa.n = ta->dn.data + ta->dn.len;
memcpy(ta->pkey.key.rsa.n, pkey->key.rsa.n, pkey->key.rsa.nlen);
ta->pkey.key.rsa.e = ta->pkey.key.rsa.n + ta->pkey.key.rsa.nlen;
memcpy(ta->pkey.key.rsa.e, pkey->key.rsa.e, pkey->key.rsa.elen);
break;
case BR_KEYTYPE_EC:
ta->pkey.key.ec.q = ta->dn.data + ta->dn.len;
Reported by FlawFinder.
Line: 225
Column: 11
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ta->pkey.key.rsa.n = ta->dn.data + ta->dn.len;
memcpy(ta->pkey.key.rsa.n, pkey->key.rsa.n, pkey->key.rsa.nlen);
ta->pkey.key.rsa.e = ta->pkey.key.rsa.n + ta->pkey.key.rsa.nlen;
memcpy(ta->pkey.key.rsa.e, pkey->key.rsa.e, pkey->key.rsa.elen);
break;
case BR_KEYTYPE_EC:
ta->pkey.key.ec.q = ta->dn.data + ta->dn.len;
memcpy(ta->pkey.key.ec.q, pkey->key.ec.q, pkey->key.ec.qlen);
break;
Reported by FlawFinder.
Line: 229
Column: 11
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case BR_KEYTYPE_EC:
ta->pkey.key.ec.q = ta->dn.data + ta->dn.len;
memcpy(ta->pkey.key.ec.q, pkey->key.ec.q, pkey->key.ec.qlen);
break;
}
break;
default:
ca.err = CURLE_SSL_CACERT_BADFILE;
Reported by FlawFinder.
docs/examples/synctime.c
12 issues
Line: 158
Column: 22
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
TmpStr1 & 2? */
AutoSyncTime = 0;
else {
int RetVal = sscanf((char *)(ptr), "Date: %25s %hu %s %hu %hu:%hu:%hu",
TmpStr1, &SYSTime.wDay, TmpStr2, &SYSTime.wYear,
&SYSTime.wHour, &SYSTime.wMinute,
&SYSTime.wSecond);
if(RetVal == 7) {
Reported by FlawFinder.
Line: 106
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct
{
char http_proxy[MAX_STRING1];
char proxy_user[MAX_STRING1];
char timeserver[MAX_STRING1];
} conf_t;
const char DefaultTimeServer[3][MAX_STRING1] =
Reported by FlawFinder.
Line: 107
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct
{
char http_proxy[MAX_STRING1];
char proxy_user[MAX_STRING1];
char timeserver[MAX_STRING1];
} conf_t;
const char DefaultTimeServer[3][MAX_STRING1] =
{
Reported by FlawFinder.
Line: 108
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char http_proxy[MAX_STRING1];
char proxy_user[MAX_STRING1];
char timeserver[MAX_STRING1];
} conf_t;
const char DefaultTimeServer[3][MAX_STRING1] =
{
"https://nist.time.gov/",
Reported by FlawFinder.
Line: 111
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char timeserver[MAX_STRING1];
} conf_t;
const char DefaultTimeServer[3][MAX_STRING1] =
{
"https://nist.time.gov/",
"https://www.google.com/"
};
Reported by FlawFinder.
Line: 140
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t SyncTime_CURL_WriteHeader(void *ptr, size_t size, size_t nmemb,
void *stream)
{
char TmpStr1[26], TmpStr2[26];
(void)stream;
if(ShowAllHeader == 1)
fprintf(stderr, "%s", (char *)(ptr));
Reported by FlawFinder.
Line: 215
Column: 15
CWE codes:
362
if(HttpGetBody == HTTP_COMMAND_HEAD)
curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
else {
outfile = fopen(OutFileName, "wb");
curl_easy_setopt(curl, CURLOPT_WRITEDATA, outfile);
}
curl_easy_setopt(curl, CURLOPT_URL, URL_Str);
res = curl_easy_perform(curl);
Reported by FlawFinder.
Line: 309
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
time_t tt_gmt;
double tzonediffFloat;
int tzonediffWord;
char timeBuf[61];
char tzoneBuf[16];
SyncTime_CURL_Init(curl, conf->http_proxy, conf->proxy_user);
/* Calculating time diff between GMT and localtime */
Reported by FlawFinder.
Line: 310
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
double tzonediffFloat;
int tzonediffWord;
char timeBuf[61];
char tzoneBuf[16];
SyncTime_CURL_Init(curl, conf->http_proxy, conf->proxy_user);
/* Calculating time diff between GMT and localtime */
tt = time(0);
Reported by FlawFinder.
Line: 154
Column: 10
CWE codes:
126
if(AutoSyncTime == 1) {
*TmpStr1 = 0;
*TmpStr2 = 0;
if(strlen((char *)(ptr)) > 50) /* Can prevent buffer overflow to
TmpStr1 & 2? */
AutoSyncTime = 0;
else {
int RetVal = sscanf((char *)(ptr), "Date: %25s %hu %s %hu %hu:%hu:%hu",
TmpStr1, &SYSTime.wDay, TmpStr2, &SYSTime.wYear,
Reported by FlawFinder.
lib/curlx.h
12 issues
Line: 94
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
/* If this define is set, we define all "standard" printf() functions to use
the curlx_* version instead. It makes the source code transparent and
easier to understand/patch. Undefine them first. */
# undef printf
# undef fprintf
# undef sprintf
# undef msnprintf
# undef vprintf
# undef vfprintf
Reported by FlawFinder.
Line: 95
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
the curlx_* version instead. It makes the source code transparent and
easier to understand/patch. Undefine them first. */
# undef printf
# undef fprintf
# undef sprintf
# undef msnprintf
# undef vprintf
# undef vfprintf
# undef vsprintf
Reported by FlawFinder.
Line: 96
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
easier to understand/patch. Undefine them first. */
# undef printf
# undef fprintf
# undef sprintf
# undef msnprintf
# undef vprintf
# undef vfprintf
# undef vsprintf
# undef mvsnprintf
Reported by FlawFinder.
Line: 98
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
# undef fprintf
# undef sprintf
# undef msnprintf
# undef vprintf
# undef vfprintf
# undef vsprintf
# undef mvsnprintf
# undef aprintf
# undef vaprintf
Reported by FlawFinder.
Line: 99
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
# undef sprintf
# undef msnprintf
# undef vprintf
# undef vfprintf
# undef vsprintf
# undef mvsnprintf
# undef aprintf
# undef vaprintf
Reported by FlawFinder.
Line: 100
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
# undef msnprintf
# undef vprintf
# undef vfprintf
# undef vsprintf
# undef mvsnprintf
# undef aprintf
# undef vaprintf
# define printf curlx_mprintf
Reported by FlawFinder.
Line: 105
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
# undef aprintf
# undef vaprintf
# define printf curlx_mprintf
# define fprintf curlx_mfprintf
# define sprintf curlx_msprintf
# define msnprintf curlx_msnprintf
# define vprintf curlx_mvprintf
# define vfprintf curlx_mvfprintf
Reported by FlawFinder.
Line: 106
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
# undef vaprintf
# define printf curlx_mprintf
# define fprintf curlx_mfprintf
# define sprintf curlx_msprintf
# define msnprintf curlx_msnprintf
# define vprintf curlx_mvprintf
# define vfprintf curlx_mvfprintf
# define mvsnprintf curlx_mvsnprintf
Reported by FlawFinder.
Line: 107
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
# define printf curlx_mprintf
# define fprintf curlx_mfprintf
# define sprintf curlx_msprintf
# define msnprintf curlx_msnprintf
# define vprintf curlx_mvprintf
# define vfprintf curlx_mvfprintf
# define mvsnprintf curlx_mvsnprintf
# define aprintf curlx_maprintf
Reported by FlawFinder.
Line: 109
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
# define fprintf curlx_mfprintf
# define sprintf curlx_msprintf
# define msnprintf curlx_msnprintf
# define vprintf curlx_mvprintf
# define vfprintf curlx_mvfprintf
# define mvsnprintf curlx_mvsnprintf
# define aprintf curlx_maprintf
# define vaprintf curlx_mvaprintf
#endif /* ENABLE_CURLX_PRINTF */
Reported by FlawFinder.
lib/vtls/wolfssl.c
12 issues
Line: 452
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
#ifdef USE_HTTP2
if(data->state.httpwant >= CURL_HTTP_VERSION_2) {
strcpy(protocols + strlen(protocols), ALPN_H2 ",");
infof(data, "ALPN, offering %s", ALPN_H2);
}
#endif
strcpy(protocols + strlen(protocols), ALPN_HTTP_1_1);
Reported by FlawFinder.
Line: 457
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
#endif
strcpy(protocols + strlen(protocols), ALPN_HTTP_1_1);
infof(data, "ALPN, offering %s", ALPN_HTTP_1_1);
if(wolfSSL_UseALPN(backend->handle, protocols,
(unsigned)strlen(protocols),
WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) != SSL_SUCCESS) {
Reported by FlawFinder.
Line: 109
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int secretSz, void *ctx)
{
const char *label;
unsigned char client_random[SSL3_RANDOM_SIZE];
(void)ctx;
if(!ssl || !Curl_tls_keylog_enabled()) {
return 0;
}
Reported by FlawFinder.
Line: 444
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef HAVE_ALPN
if(conn->bits.tls_enable_alpn) {
char protocols[128];
*protocols = '\0';
/* wolfSSL's ALPN protocol name list format is a comma separated string of
protocols in descending order of preference, eg: "h2,http/1.1" */
Reported by FlawFinder.
Line: 565
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif /* OPENSSL_EXTRA */
if(ret != 1) {
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
int detail = SSL_get_error(backend->handle, ret);
if(SSL_ERROR_WANT_READ == detail) {
connssl->connecting_state = ssl_connect_2_reading;
return CURLE_OK;
Reported by FlawFinder.
Line: 776
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
int memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
int rc = SSL_write(backend->handle, mem, memlen);
if(rc <= 0) {
int err = SSL_get_error(backend->handle, rc);
Reported by FlawFinder.
Line: 809
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
(void) data;
if(backend->handle) {
char buf[32];
/* Maybe the server has already sent a close notify alert.
Read it to avoid an RST on the TCP connection. */
(void)SSL_read(backend->handle, buf, (int)sizeof(buf));
(void)SSL_shutdown(backend->handle);
SSL_free(backend->handle);
Reported by FlawFinder.
Line: 832
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[num];
struct ssl_backend_data *backend = connssl->backend;
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
int buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
int nread = SSL_read(backend->handle, buf, buffsize);
if(nread < 0) {
int err = SSL_get_error(backend->handle, nread);
Reported by FlawFinder.
Line: 400
Column: 27
CWE codes:
126
struct in6_addr addr6;
#endif
const char * const hostname = SSL_HOST_NAME();
size_t hostname_len = strlen(hostname);
if((hostname_len < USHRT_MAX) &&
(0 == Curl_inet_pton(AF_INET, hostname, &addr4)) &&
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, hostname, &addr6)) &&
#endif
Reported by FlawFinder.
Line: 452
Column: 26
CWE codes:
126
#ifdef USE_HTTP2
if(data->state.httpwant >= CURL_HTTP_VERSION_2) {
strcpy(protocols + strlen(protocols), ALPN_H2 ",");
infof(data, "ALPN, offering %s", ALPN_H2);
}
#endif
strcpy(protocols + strlen(protocols), ALPN_HTTP_1_1);
Reported by FlawFinder.
lib/vtls/gtls.c
12 issues
Line: 594
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
if(!prioritysrp)
return CURLE_OUT_OF_MEMORY;
strcpy(prioritysrp, prioritylist);
strcpy(prioritysrp + len, ":" GNUTLS_SRP);
rc = gnutls_priority_set_direct(session, prioritysrp, &err);
free(prioritysrp);
if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
Reported by FlawFinder.
Line: 595
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if(!prioritysrp)
return CURLE_OUT_OF_MEMORY;
strcpy(prioritysrp, prioritylist);
strcpy(prioritysrp + len, ":" GNUTLS_SRP);
rc = gnutls_priority_set_direct(session, prioritysrp, &err);
free(prioritysrp);
if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
infof(data, "This GnuTLS does not support SRP");
Reported by FlawFinder.
Line: 143
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tm buffer;
const struct tm *tm = &buffer;
char str[96];
CURLcode result = Curl_gmtime(stamp, &buffer);
if(result)
return;
msnprintf(str,
Reported by FlawFinder.
Line: 170
Column: 7
CWE codes:
362
long filelen;
void *ptr;
f = fopen(file, "rb");
if(!f)
return loaded_file;
if(fseek(f, 0, SEEK_END) != 0
|| (filelen = ftell(f)) < 0
|| fseek(f, 0, SEEK_SET) != 0
Reported by FlawFinder.
Line: 823
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
gnutls_x509_crt_t x509_cert, x509_issuer;
gnutls_datum_t issuerp;
gnutls_datum_t certfields;
char certname[65] = ""; /* limited to 64 chars by ASN.1 */
size_t size;
time_t certclock;
const char *ptr;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
Reported by FlawFinder.
Line: 888
Column: 32
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return result;
for(i = 0; i < cert_list_size; i++) {
const char *beg = (const char *) chainp[i].data;
const char *end = beg + chainp[i].size;
result = Curl_extract_certinfo(data, i, beg, end);
if(result)
return result;
Reported by FlawFinder.
Line: 1086
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#else
#define use_addr in_addr
#endif
unsigned char addrbuf[sizeof(struct use_addr)];
size_t addrlen = 0;
if(Curl_inet_pton(AF_INET, hostname, addrbuf) > 0)
addrlen = 4;
#ifdef ENABLE_IPV6
Reported by FlawFinder.
Line: 1097
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
if(addrlen) {
unsigned char certaddr[sizeof(struct use_addr)];
int i;
for(i = 0; ; i++) {
size_t certaddrlen = sizeof(certaddr);
int ret = gnutls_x509_crt_get_subject_alt_name(x509_cert, i, certaddr,
Reported by FlawFinder.
Line: 1436
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct ssl_backend_data *backend = connssl->backend;
if(backend->session) {
char buf[32];
/* Maybe the server has already sent a close notify alert.
Read it to avoid an RST on the TCP connection. */
(void)gnutls_record_recv(backend->session, buf, sizeof(buf));
gnutls_bye(backend->session, GNUTLS_SHUT_WR);
gnutls_deinit(backend->session);
Reported by FlawFinder.
Line: 1490
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(backend->session) {
ssize_t result;
bool done = FALSE;
char buf[120];
while(!done) {
int what = SOCKET_READABLE(conn->sock[sockindex],
SSL_SHUTDOWN_TIMEOUT);
if(what > 0) {
Reported by FlawFinder.
lib/vauth/digest_sspi.c
12 issues
Line: 201
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
s_pSecFn->CompleteAuthToken(&credentials, &resp_desc);
else if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) {
#if !defined(CURL_DISABLE_VERBOSE_STRINGS)
char buffer[STRERROR_LEN];
#endif
s_pSecFn->FreeCredentialsHandle(&credentials);
Curl_sspi_free_identity(p_identity);
free(spn);
Reported by FlawFinder.
Line: 256
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* If domain is blank or unset, check challenge message for realm */
if(!identity->Domain || !identity->DomainLength) {
for(;;) {
char value[DIGEST_MAX_VALUE_LENGTH];
char content[DIGEST_MAX_CONTENT_LENGTH];
/* Pass all additional spaces here */
while(*chlg && ISSPACE(*chlg))
chlg++;
Reported by FlawFinder.
Line: 257
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(!identity->Domain || !identity->DomainLength) {
for(;;) {
char value[DIGEST_MAX_VALUE_LENGTH];
char content[DIGEST_MAX_CONTENT_LENGTH];
/* Pass all additional spaces here */
while(*chlg && ISSPACE(*chlg))
chlg++;
Reported by FlawFinder.
Line: 331
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Check for the 'stale' directive */
for(;;) {
char value[DIGEST_MAX_VALUE_LENGTH];
char content[DIGEST_MAX_CONTENT_LENGTH];
while(*p && ISSPACE(*p))
p++;
Reported by FlawFinder.
Line: 332
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Check for the 'stale' directive */
for(;;) {
char value[DIGEST_MAX_VALUE_LENGTH];
char content[DIGEST_MAX_CONTENT_LENGTH];
while(*p && ISSPACE(*p))
p++;
if(!Curl_auth_digest_get_pair(p, value, content, &p))
Reported by FlawFinder.
Line: 591
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
s_pSecFn->CompleteAuthToken(&credentials, &resp_desc);
else if(status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) {
#if !defined(CURL_DISABLE_VERBOSE_STRINGS)
char buffer[STRERROR_LEN];
#endif
s_pSecFn->FreeCredentialsHandle(&credentials);
Curl_sspi_free_identity(p_identity);
Reported by FlawFinder.
Line: 624
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy the generated response */
memcpy(resp, output_token, output_token_len);
resp[output_token_len] = 0;
/* Return the response */
*outptr = resp;
*outlen = output_token_len;
Reported by FlawFinder.
Line: 280
Column: 49
CWE codes:
126
free(identity->Domain);
identity->Domain = dup_domain.tbyte_ptr;
identity->DomainLength = curlx_uztoul(_tcslen(dup_domain.tchar_ptr));
dup_domain.tchar_ptr = NULL;
curlx_unicodefree(domain.tchar_ptr);
}
else {
Reported by FlawFinder.
Line: 321
Column: 20
CWE codes:
126
CURLcode Curl_auth_decode_digest_http_message(const char *chlg,
struct digestdata *digest)
{
size_t chlglen = strlen(chlg);
/* We had an input token before so if there's another one now that means we
provided bad credentials in the previous request or it's stale. */
if(digest->input_token) {
bool stale = false;
Reported by FlawFinder.
Line: 451
Column: 43
CWE codes:
126
chlg_buf[0].cbBuffer = 0;
chlg_buf[1].BufferType = SECBUFFER_PKG_PARAMS;
chlg_buf[1].pvBuffer = (void *) request;
chlg_buf[1].cbBuffer = curlx_uztoul(strlen((const char *) request));
chlg_buf[2].BufferType = SECBUFFER_PKG_PARAMS;
chlg_buf[2].pvBuffer = (void *) uripath;
chlg_buf[2].cbBuffer = curlx_uztoul(strlen((const char *) uripath));
chlg_buf[3].BufferType = SECBUFFER_PKG_PARAMS;
chlg_buf[3].pvBuffer = NULL;
Reported by FlawFinder.
lib/curl_path.c
12 issues
Line: 180
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
relativePath = (cp[0] == '/' && cp[1] == '~' && cp[2] == '/');
/* Handling for relative path - prepend home directory */
if(relativePath) {
strcpy(*path, homedir);
pathLength = strlen(homedir);
(*path)[pathLength++] = '/';
(*path)[pathLength] = '\0';
cp += 3;
}
Reported by FlawFinder.
Line: 57
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
/* It is referenced to the home directory, so strip the leading '/~/' */
memcpy(real_path, working_path + 3, working_path_len - 2);
else
memcpy(real_path, working_path, 1 + working_path_len);
}
else if(data->conn->handler->protocol & CURLPROTO_SFTP) {
if((working_path_len > 1) && (working_path[1] == '~')) {
Reported by FlawFinder.
Line: 59
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* It is referenced to the home directory, so strip the leading '/~/' */
memcpy(real_path, working_path + 3, working_path_len - 2);
else
memcpy(real_path, working_path, 1 + working_path_len);
}
else if(data->conn->handler->protocol & CURLPROTO_SFTP) {
if((working_path_len > 1) && (working_path[1] == '~')) {
size_t homelen = strlen(homedir);
real_path = malloc(homelen + working_path_len + 1);
Reported by FlawFinder.
Line: 71
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* It is referenced to the home directory, so strip the
leading '/' */
memcpy(real_path, homedir, homelen);
real_path[homelen] = '/';
real_path[homelen + 1] = '\0';
if(working_path_len > 3) {
memcpy(real_path + homelen + 1, working_path + 3,
1 + working_path_len -3);
Reported by FlawFinder.
Line: 75
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
real_path[homelen] = '/';
real_path[homelen + 1] = '\0';
if(working_path_len > 3) {
memcpy(real_path + homelen + 1, working_path + 3,
1 + working_path_len -3);
}
}
else {
real_path = malloc(working_path_len + 1);
Reported by FlawFinder.
Line: 85
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
free(working_path);
return CURLE_OUT_OF_MEMORY;
}
memcpy(real_path, working_path, 1 + working_path_len);
}
}
free(working_path);
Reported by FlawFinder.
Line: 187
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cp += 3;
}
/* Copy path name up until first "whitespace" */
memcpy(&(*path)[pathLength], cp, (int)(end - cp));
pathLength += (int)(end - cp);
(*path)[pathLength] = '\0';
}
return CURLE_OK;
Reported by FlawFinder.
Line: 63
Column: 24
CWE codes:
126
}
else if(data->conn->handler->protocol & CURLPROTO_SFTP) {
if((working_path_len > 1) && (working_path[1] == '~')) {
size_t homelen = strlen(homedir);
real_path = malloc(homelen + working_path_len + 1);
if(!real_path) {
free(working_path);
return CURLE_OUT_OF_MEMORY;
}
Reported by FlawFinder.
Line: 131
Column: 20
CWE codes:
126
/* Ignore leading whitespace */
cp += strspn(cp, WHITESPACE);
/* Allocate enough space for home directory and filename + separator */
fullPathLength = strlen(cp) + strlen(homedir) + 2;
*path = malloc(fullPathLength);
if(!*path)
return CURLE_OUT_OF_MEMORY;
/* Check for quoted filenames */
Reported by FlawFinder.
Line: 131
Column: 33
CWE codes:
126
/* Ignore leading whitespace */
cp += strspn(cp, WHITESPACE);
/* Allocate enough space for home directory and filename + separator */
fullPathLength = strlen(cp) + strlen(homedir) + 2;
*path = malloc(fullPathLength);
if(!*path)
return CURLE_OUT_OF_MEMORY;
/* Check for quoted filenames */
Reported by FlawFinder.
docs/examples/rtsp.c
12 issues
Line: 95
Column: 18
CWE codes:
362
const char *sdp_filename)
{
CURLcode res = CURLE_OK;
FILE *sdp_fp = fopen(sdp_filename, "wb");
printf("\nRTSP: DESCRIBE %s\n", uri);
if(!sdp_fp) {
fprintf(stderr, "Could not open '%s' for writing\n", sdp_filename);
sdp_fp = stdout;
}
Reported by FlawFinder.
Line: 156
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
size_t namelen)
{
const char *s = strrchr(url, '/');
strcpy(sdp_filename, "video.sdp");
if(s != NULL) {
s++;
if(s[0] != '\0') {
snprintf(sdp_filename, namelen, "%s.sdp", s);
}
Reported by FlawFinder.
Line: 172
Column: 18
CWE codes:
362
{
int max_len = 256;
char *s = malloc(max_len);
FILE *sdp_fp = fopen(sdp_filename, "rb");
control[0] = '\0';
if(sdp_fp != NULL) {
while(fgets(s, max_len - 2, sdp_fp) != NULL) {
sscanf(s, " a = control: %32s", control);
}
Reported by FlawFinder.
Line: 53
Column: 8
CWE codes:
120
20
newt = oldt;
newt.c_lflag &= ~( ICANON | ECHO);
tcsetattr(STDIN_FILENO, TCSANOW, &newt);
ch = getchar();
tcsetattr(STDIN_FILENO, TCSANOW, &oldt);
return ch;
}
#endif
Reported by FlawFinder.
Line: 176
Column: 7
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
control[0] = '\0';
if(sdp_fp != NULL) {
while(fgets(s, max_len - 2, sdp_fp) != NULL) {
sscanf(s, " a = control: %32s", control);
}
fclose(sdp_fp);
}
free(s);
}
Reported by FlawFinder.
Line: 224
Column: 24
CWE codes:
126
}
else {
const char *url = argv[1];
char *uri = malloc(strlen(url) + 32);
char *sdp_filename = malloc(strlen(url) + 32);
char *control = malloc(strlen(url) + 32);
CURLcode res;
get_sdp_filename(url, sdp_filename, strlen(url) + 32);
if(argc == 3) {
Reported by FlawFinder.
Line: 225
Column: 33
CWE codes:
126
else {
const char *url = argv[1];
char *uri = malloc(strlen(url) + 32);
char *sdp_filename = malloc(strlen(url) + 32);
char *control = malloc(strlen(url) + 32);
CURLcode res;
get_sdp_filename(url, sdp_filename, strlen(url) + 32);
if(argc == 3) {
transport = argv[2];
Reported by FlawFinder.
Line: 226
Column: 28
CWE codes:
126
const char *url = argv[1];
char *uri = malloc(strlen(url) + 32);
char *sdp_filename = malloc(strlen(url) + 32);
char *control = malloc(strlen(url) + 32);
CURLcode res;
get_sdp_filename(url, sdp_filename, strlen(url) + 32);
if(argc == 3) {
transport = argv[2];
}
Reported by FlawFinder.
Line: 228
Column: 41
CWE codes:
126
char *sdp_filename = malloc(strlen(url) + 32);
char *control = malloc(strlen(url) + 32);
CURLcode res;
get_sdp_filename(url, sdp_filename, strlen(url) + 32);
if(argc == 3) {
transport = argv[2];
}
/* initialize curl */
Reported by FlawFinder.
Line: 249
Column: 23
CWE codes:
126
my_curl_easy_setopt(curl, CURLOPT_URL, url);
/* request server options */
snprintf(uri, strlen(url) + 32, "%s", url);
rtsp_options(curl, uri);
/* request session description and write response to sdp file */
rtsp_describe(curl, uri, sdp_filename);
Reported by FlawFinder.
tests/dictserver.py
11 issues
Line: 50
Column: 16
VERIFIED_RSP = "WE ROOLZ: {pid}"
def dictserver(options):
"""
Starts up a TCP server with a DICT handler and serves DICT requests
forever.
"""
if options.pidfile:
Reported by Pylint.
Line: 133
Column: 19
return parser.parse_args()
def setup_logging(options):
"""
Set up logging from the command line options
"""
root_logger = logging.getLogger()
add_stdout = False
Reported by Pylint.
Line: 187
Column: 12
# Run main script.
try:
rc = dictserver(options)
except Exception as e:
log.exception(e)
rc = ScriptRC.EXCEPTION
if options.pidfile and os.path.isfile(options.pidfile):
os.unlink(options.pidfile)
Reported by Pylint.
Line: 60
Column: 44
# see tests/server/util.c function write_pidfile
if os.name == "nt":
pid += 65536
with open(options.pidfile, "w") as f:
f.write(str(pid))
local_bind = (options.host, options.port)
log.info("[DICT] Listening on %s", local_bind)
Reported by Pylint.
Line: 112
Column: 1
log.exception("[DICT] IOError hit during request")
def get_options():
parser = argparse.ArgumentParser()
parser.add_argument("--port", action="store", default=9016,
type=int, help="port to listen on")
parser.add_argument("--host", action="store", default=HOST,
Reported by Pylint.
Line: 166
Column: 1
root_logger.addHandler(stdout_handler)
class ScriptRC(object):
"""Enum for script return codes"""
SUCCESS = 0
FAILURE = 1
EXCEPTION = 2
Reported by Pylint.
Line: 166
Column: 1
root_logger.addHandler(stdout_handler)
class ScriptRC(object):
"""Enum for script return codes"""
SUCCESS = 0
FAILURE = 1
EXCEPTION = 2
Reported by Pylint.
Line: 173
Column: 1
EXCEPTION = 2
class ScriptException(Exception):
pass
if __name__ == '__main__':
# Get the options from the user.
Reported by Pylint.
Line: 186
Column: 9
# Run main script.
try:
rc = dictserver(options)
except Exception as e:
log.exception(e)
rc = ScriptRC.EXCEPTION
if options.pidfile and os.path.isfile(options.pidfile):
Reported by Pylint.
Line: 187
Column: 5
# Run main script.
try:
rc = dictserver(options)
except Exception as e:
log.exception(e)
rc = ScriptRC.EXCEPTION
if options.pidfile and os.path.isfile(options.pidfile):
os.unlink(options.pidfile)
Reported by Pylint.
lib/doh.c
11 issues
Line: 152
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* label is non-empty, process it */
*dnsp++ = (unsigned char)labellen;
memcpy(dnsp, hostp, labellen);
dnsp += labellen;
hostp += labellen;
/* advance past dot, but only if there is one */
if(dot)
hostp++;
Reported by FlawFinder.
Line: 499
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(d->numaddr < DOH_MAX_ADDR) {
struct dohaddr *a = &d->addr[d->numaddr];
a->type = DNS_TYPE_A;
memcpy(&a->ip.v4, &doh[index], 4);
d->numaddr++;
}
return DOH_OK;
}
Reported by FlawFinder.
Line: 513
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(d->numaddr < DOH_MAX_ADDR) {
struct dohaddr *a = &d->addr[d->numaddr];
a->type = DNS_TYPE_AAAA;
memcpy(&a->ip.v6, &doh[index], 16);
d->numaddr++;
}
return DOH_OK;
}
Reported by FlawFinder.
Line: 777
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
else if(a->type == DNS_TYPE_AAAA) {
int j;
char buffer[128];
char *ptr;
size_t len;
msnprintf(buffer, 128, "DoH AAAA: ");
ptr = &buffer[10];
len = 118;
Reported by FlawFinder.
Line: 857
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ai->ai_addr = (void *)((char *)ai + sizeof(struct Curl_addrinfo));
ai->ai_canonname = (void *)((char *)ai->ai_addr + ss_size);
memcpy(ai->ai_canonname, hostname, hostlen);
if(!firstai)
/* store the pointer we want to return from this function */
firstai = ai;
Reported by FlawFinder.
Line: 881
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case AF_INET:
addr = (void *)ai->ai_addr; /* storage area for this info */
DEBUGASSERT(sizeof(struct in_addr) == sizeof(de->addr[i].ip.v4));
memcpy(&addr->sin_addr, &de->addr[i].ip.v4, sizeof(struct in_addr));
addr->sin_family = addrtype;
addr->sin_port = htons((unsigned short)port);
break;
#ifdef ENABLE_IPV6
Reported by FlawFinder.
Line: 890
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case AF_INET6:
addr6 = (void *)ai->ai_addr; /* storage area for this info */
DEBUGASSERT(sizeof(struct in6_addr) == sizeof(de->addr[i].ip.v6));
memcpy(&addr6->sin6_addr, &de->addr[i].ip.v6, sizeof(struct in6_addr));
addr6->sin6_family = addrtype;
addr6->sin6_port = htons((unsigned short)port);
break;
#endif
}
Reported by FlawFinder.
Line: 86
Column: 26
CWE codes:
126
size_t len, /* buffer size */
size_t *olen) /* output length */
{
const size_t hostlen = strlen(host);
unsigned char *orig = dnsp;
const char *hostp = host;
/* The expected output length is 16 bytes more than the length of
* the QNAME-encoding of the host name.
Reported by FlawFinder.
Line: 144
Column: 18
CWE codes:
126
if(dot)
labellen = dot - hostp;
else
labellen = strlen(hostp);
if((labellen > 63) || (!labellen)) {
/* label is too long or too short, error out */
*olen = 0;
return DOH_DNS_BAD_LABEL;
}
Reported by FlawFinder.
Line: 787
Column: 13
CWE codes:
126
size_t l;
msnprintf(ptr, len, "%s%02x%02x", j?":":"", d->addr[i].ip.v6[j],
d->addr[i].ip.v6[j + 1]);
l = strlen(ptr);
len -= l;
ptr += l;
}
infof(data, "%s", buffer);
}
Reported by FlawFinder.