The following issues were found
tests/dictserver.py
11 issues
Line: 50
Column: 16
VERIFIED_RSP = "WE ROOLZ: {pid}"
def dictserver(options):
"""
Starts up a TCP server with a DICT handler and serves DICT requests
forever.
"""
if options.pidfile:
Reported by Pylint.
Line: 133
Column: 19
return parser.parse_args()
def setup_logging(options):
"""
Set up logging from the command line options
"""
root_logger = logging.getLogger()
add_stdout = False
Reported by Pylint.
Line: 187
Column: 12
# Run main script.
try:
rc = dictserver(options)
except Exception as e:
log.exception(e)
rc = ScriptRC.EXCEPTION
if options.pidfile and os.path.isfile(options.pidfile):
os.unlink(options.pidfile)
Reported by Pylint.
Line: 60
Column: 44
# see tests/server/util.c function write_pidfile
if os.name == "nt":
pid += 65536
with open(options.pidfile, "w") as f:
f.write(str(pid))
local_bind = (options.host, options.port)
log.info("[DICT] Listening on %s", local_bind)
Reported by Pylint.
Line: 112
Column: 1
log.exception("[DICT] IOError hit during request")
def get_options():
parser = argparse.ArgumentParser()
parser.add_argument("--port", action="store", default=9016,
type=int, help="port to listen on")
parser.add_argument("--host", action="store", default=HOST,
Reported by Pylint.
Line: 166
Column: 1
root_logger.addHandler(stdout_handler)
class ScriptRC(object):
"""Enum for script return codes"""
SUCCESS = 0
FAILURE = 1
EXCEPTION = 2
Reported by Pylint.
Line: 166
Column: 1
root_logger.addHandler(stdout_handler)
class ScriptRC(object):
"""Enum for script return codes"""
SUCCESS = 0
FAILURE = 1
EXCEPTION = 2
Reported by Pylint.
Line: 173
Column: 1
EXCEPTION = 2
class ScriptException(Exception):
pass
if __name__ == '__main__':
# Get the options from the user.
Reported by Pylint.
Line: 186
Column: 9
# Run main script.
try:
rc = dictserver(options)
except Exception as e:
log.exception(e)
rc = ScriptRC.EXCEPTION
if options.pidfile and os.path.isfile(options.pidfile):
Reported by Pylint.
Line: 187
Column: 5
# Run main script.
try:
rc = dictserver(options)
except Exception as e:
log.exception(e)
rc = ScriptRC.EXCEPTION
if options.pidfile and os.path.isfile(options.pidfile):
os.unlink(options.pidfile)
Reported by Pylint.
lib/krb5.c
11 issues
Line: 725
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if(buf[decoded_len - 1] == '\n')
buf[decoded_len - 1] = '\0';
strcpy(buffer, buf);
free(buf);
return ret_code;
}
static int sec_set_protection_level(struct Curl_easy *data)
Reported by FlawFinder.
Line: 64
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
ssize_t bytes_written;
#define SBUF_SIZE 1024
char s[SBUF_SIZE];
size_t write_len;
char *sptr = s;
CURLcode result = CURLE_OK;
#ifdef HAVE_GSSAPI
enum protection_level data_sec = conn->data_prot;
Reported by FlawFinder.
Line: 79
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!write_len || write_len > (sizeof(s) -3))
return CURLE_BAD_FUNCTION_ARGUMENT;
memcpy(&s, cmd, write_len);
strcpy(&s[write_len], "\r\n"); /* append a trailing CRLF */
write_len += 2;
bytes_written = 0;
result = Curl_convert_to_network(data, s, write_len);
Reported by FlawFinder.
Line: 80
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return CURLE_BAD_FUNCTION_ARGUMENT;
memcpy(&s, cmd, write_len);
strcpy(&s[write_len], "\r\n"); /* append a trailing CRLF */
write_len += 2;
bytes_written = 0;
result = Curl_convert_to_network(data, s, write_len);
/* Curl_convert_to_network calls failf if unsuccessful */
Reported by FlawFinder.
Line: 151
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
if(maj != GSS_S_COMPLETE) {
if(len >= 4)
strcpy(buf, "599 ");
return -1;
}
memcpy(buf, dec.value, dec.length);
len = curlx_uztosi(dec.length);
Reported by FlawFinder.
Line: 155
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
}
memcpy(buf, dec.value, dec.length);
len = curlx_uztosi(dec.length);
gss_release_buffer(&min, &dec);
return len;
}
Reported by FlawFinder.
Line: 189
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*to = malloc(enc.length);
if(!*to)
return -1;
memcpy(*to, enc.value, enc.length);
len = curlx_uztosi(enc.length);
gss_release_buffer(&min, &enc);
return len;
}
Reported by FlawFinder.
Line: 440
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ftp_code;
ssize_t nread = 0;
va_list args;
char print_buffer[50];
va_start(args, message);
mvsnprintf(print_buffer, sizeof(print_buffer), message, args);
va_end(args);
Reported by FlawFinder.
Line: 542
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if(buf->size - buf->index < len)
len = buf->size - buf->index;
memcpy(data, (char *)buf->data + buf->index, len);
buf->index += len;
return len;
}
/* Matches Curl_recv signature */
Reported by FlawFinder.
Line: 75
Column: 15
CWE codes:
126
if(!cmd)
return CURLE_BAD_FUNCTION_ARGUMENT;
write_len = strlen(cmd);
if(!write_len || write_len > (sizeof(s) -3))
return CURLE_BAD_FUNCTION_ARGUMENT;
memcpy(&s, cmd, write_len);
strcpy(&s[write_len], "\r\n"); /* append a trailing CRLF */
Reported by FlawFinder.
tests/server/util.c
11 issues
Line: 78
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
char *data_to_hex(char *data, size_t len)
{
static char buf[256*3];
size_t i;
char *optr = buf;
char *iptr = data;
if(len > 255)
Reported by FlawFinder.
Line: 102
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void logmsg(const char *msg, ...)
{
va_list ap;
char buffer[2048 + 1];
FILE *logfp;
struct timeval tv;
time_t sec;
struct tm *now;
char timebuf[20];
Reported by FlawFinder.
Line: 107
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct timeval tv;
time_t sec;
struct tm *now;
char timebuf[20];
static time_t epoch_offset;
static int known_offset;
if(!serverlogfile) {
fprintf(stderr, "Error: serverlogfile not set\n");
Reported by FlawFinder.
Line: 133
Column: 11
CWE codes:
362
mvsnprintf(buffer, sizeof(buffer), msg, ap);
va_end(ap);
logfp = fopen(serverlogfile, "ab");
if(logfp) {
fprintf(logfp, "%s %s\n", timebuf, buffer);
fclose(logfp);
}
else {
Reported by FlawFinder.
Line: 151
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* use instead of perror() on generic windows */
void win32_perror(const char *msg)
{
char buf[512];
DWORD err = SOCKERRNO;
if(!FormatMessageA((FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS), NULL, err,
LANG_NEUTRAL, buf, sizeof(buf), NULL))
Reported by FlawFinder.
Line: 201
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
FILE *test2fopen(long testno)
{
FILE *stream;
char filename[256];
/* first try the alternative, preprocessed, file */
msnprintf(filename, sizeof(filename), ALTTEST_DATA_PATH, ".", testno);
stream = fopen(filename, "rb");
if(stream)
return stream;
Reported by FlawFinder.
Line: 204
Column: 12
CWE codes:
362
char filename[256];
/* first try the alternative, preprocessed, file */
msnprintf(filename, sizeof(filename), ALTTEST_DATA_PATH, ".", testno);
stream = fopen(filename, "rb");
if(stream)
return stream;
/* then try the source version */
msnprintf(filename, sizeof(filename), TEST_DATA_PATH, path, testno);
Reported by FlawFinder.
Line: 210
Column: 12
CWE codes:
362
/* then try the source version */
msnprintf(filename, sizeof(filename), TEST_DATA_PATH, path, testno);
stream = fopen(filename, "rb");
return stream;
}
/*
Reported by FlawFinder.
Line: 295
Column: 13
CWE codes:
362
curl_off_t pid;
pid = our_getpid();
pidfile = fopen(filename, "wb");
if(!pidfile) {
logmsg("Couldn't write pid file: %s %s", filename, strerror(errno));
return 0; /* fail */
}
fprintf(pidfile, "%" CURL_FORMAT_CURL_OFF_T "\n", pid);
Reported by FlawFinder.
Line: 309
Column: 20
CWE codes:
362
/* store the used port number in a file */
int write_portfile(const char *filename, int port)
{
FILE *portfile = fopen(filename, "wb");
if(!portfile) {
logmsg("Couldn't write port file: %s %s", filename, strerror(errno));
return 0; /* fail */
}
fprintf(portfile, "%d\n", port);
Reported by FlawFinder.
lib/curl_ntlm_wb.c
11 issues
Line: 186
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#endif
ntlm_auth = NTLM_WB_FILE;
if(access(ntlm_auth, X_OK) != 0) {
failf(data, "Could not access ntlm_auth: %s errno %d: %s",
ntlm_auth, errno, Curl_strerror(errno, buffer, sizeof(buffer)));
goto done;
}
Reported by FlawFinder.
Line: 226
Column: 7
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
}
if(domain)
execl(ntlm_auth, ntlm_auth,
"--helper-protocol", "ntlmssp-client-1",
"--use-cached-creds",
"--username", username,
"--domain", domain,
NULL);
Reported by FlawFinder.
Line: 233
Column: 7
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
"--domain", domain,
NULL);
else
execl(ntlm_auth, ntlm_auth,
"--helper-protocol", "ntlmssp-client-1",
"--use-cached-creds",
"--username", username,
NULL);
Reported by FlawFinder.
Line: 149
Column: 16
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
empty one anyway. Perhaps they have an implementation of the
ntlm_auth helper which *doesn't* need it so we might as well try */
if(!username || !username[0]) {
username = getenv("NTLMUSER");
if(!username || !username[0])
username = getenv("LOGNAME");
if(!username || !username[0])
username = getenv("USER");
#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
Reported by FlawFinder.
Line: 151
Column: 18
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if(!username || !username[0]) {
username = getenv("NTLMUSER");
if(!username || !username[0])
username = getenv("LOGNAME");
if(!username || !username[0])
username = getenv("USER");
#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
if((!username || !username[0]) &&
!getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) &&
Reported by FlawFinder.
Line: 153
Column: 18
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if(!username || !username[0])
username = getenv("LOGNAME");
if(!username || !username[0])
username = getenv("USER");
#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
if((!username || !username[0]) &&
!getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) &&
pw_res) {
username = pw.pw_name;
Reported by FlawFinder.
Line: 179
Column: 21
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
NTLM challenge/response which only accepts commands and output
strings pre-written in test case definitions */
#ifdef DEBUGBUILD
ntlm_auth_alloc = curl_getenv("CURL_NTLM_WB_FILE");
if(ntlm_auth_alloc)
ntlm_auth = ntlm_auth_alloc;
else
#endif
ntlm_auth = NTLM_WB_FILE;
Reported by FlawFinder.
Line: 126
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *ntlm_auth_alloc = NULL;
#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
struct passwd pw, *pw_res;
char pwbuf[1024];
#endif
char buffer[STRERROR_LEN];
#if defined(CURL_DISABLE_VERBOSE_STRINGS)
(void) data;
Reported by FlawFinder.
Line: 128
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct passwd pw, *pw_res;
char pwbuf[1024];
#endif
char buffer[STRERROR_LEN];
#if defined(CURL_DISABLE_VERBOSE_STRINGS)
(void) data;
#endif
Reported by FlawFinder.
Line: 264
Column: 19
CWE codes:
126
static CURLcode ntlm_wb_response(struct Curl_easy *data, struct ntlmdata *ntlm,
const char *input, curlntlm state)
{
size_t len_in = strlen(input), len_out = 0;
struct dynbuf b;
char *ptr = NULL;
unsigned char *buf = (unsigned char *)data->state.buffer;
Curl_dyn_init(&b, MAX_NTLM_WB_RESPONSE);
Reported by FlawFinder.
lib/hsts.c
10 issues
Line: 59
Column: 19
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
time_t deltatime; /* allow for "adjustments" for unit test purposes */
static time_t debugtime(void *unused)
{
char *timestr = getenv("CURL_TIME");
(void)unused;
if(timestr) {
curl_off_t val;
(void)curlx_strtoofft(timestr, NULL, 10, &val);
Reported by FlawFinder.
Line: 329
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURLcode result = CURLE_OK;
FILE *out;
char *tempstore;
unsigned char randsuffix[9];
if(!h)
/* no cache activated */
return CURLE_OK;
Reported by FlawFinder.
Line: 350
Column: 9
CWE codes:
362
if(!tempstore)
return CURLE_OUT_OF_MEMORY;
out = fopen(tempstore, FOPEN_WRITETEXT);
if(!out)
result = CURLE_WRITE_ERROR;
else {
fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n"
"# This file was generated by libcurl! Edit at your own risk.\n",
Reported by FlawFinder.
Line: 398
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
example.com "20191231 10:00:00"
.example.net "20191231 10:00:00"
*/
char host[MAX_HSTS_HOSTLEN + 1];
char date[MAX_HSTS_DATELEN + 1];
int rc;
rc = sscanf(line,
"%" MAX_HSTS_HOSTLENSTR "s \"%" MAX_HSTS_DATELENSTR "[^\"]\"",
Reported by FlawFinder.
Line: 399
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.example.net "20191231 10:00:00"
*/
char host[MAX_HSTS_HOSTLEN + 1];
char date[MAX_HSTS_DATELEN + 1];
int rc;
rc = sscanf(line,
"%" MAX_HSTS_HOSTLENSTR "s \"%" MAX_HSTS_DATELENSTR "[^\"]\"",
host, date);
Reported by FlawFinder.
Line: 433
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CURLSTScode sc;
DEBUGASSERT(h);
do {
char buffer[257];
struct curl_hstsentry e;
e.name = buffer;
e.namelen = sizeof(buffer)-1;
e.includeSubDomains = FALSE; /* default */
e.expire[0] = 0;
Reported by FlawFinder.
Line: 487
Column: 8
CWE codes:
362
if(!h->filename)
return CURLE_OUT_OF_MEMORY;
fp = fopen(file, FOPEN_READTEXT);
if(fp) {
line = malloc(MAX_HSTS_LINE);
if(!line)
goto fail;
while(Curl_get_line(line, MAX_HSTS_LINE, fp)) {
Reported by FlawFinder.
Line: 241
Column: 19
CWE codes:
126
{
if(h) {
time_t now = time(NULL);
size_t hlen = strlen(hostname);
struct Curl_llist_element *e;
struct Curl_llist_element *n;
for(e = h->list.head; e; e = n) {
struct stsentry *sts = e->ptr;
n = e->next;
Reported by FlawFinder.
Line: 254
Column: 24
CWE codes:
126
continue;
}
if(subdomain && sts->includeSubDomains) {
size_t ntail = strlen(sts->host);
if(ntail < hlen) {
size_t offs = hlen - ntail;
if((hostname[offs-1] == '.') &&
Curl_strncasecompare(&hostname[offs], sts->host, ntail))
return sts;
Reported by FlawFinder.
Line: 283
Column: 15
CWE codes:
126
CURLcode result;
e.name = (char *)sts->host;
e.namelen = strlen(sts->host);
e.includeSubDomains = sts->includeSubDomains;
result = Curl_gmtime((time_t)sts->expires, &stamp);
if(result)
return result;
Reported by FlawFinder.
src/tool_formparse.c
10 issues
Line: 200
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(nitems) {
if(sip->data) {
/* Return data from memory. */
memcpy(buffer, sip->data + curlx_sotouz(sip->curpos), nitems);
}
else {
/* Read from stdin. */
nitems = fread(buffer, 1, nitems, stdin);
if(ferror(stdin)) {
Reported by FlawFinder.
Line: 280
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(!cp)
ret = CURLE_OUT_OF_MEMORY;
else {
memcpy(cp, m->data, size + 1);
ret = convert_to_network(cp, size);
if(!ret)
ret = curl_mime_data(part, cp, CURL_ZERO_TERMINATED);
free(cp);
}
Reported by FlawFinder.
Line: 430
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t pos = 0;
bool incomment = FALSE;
int lineno = 1;
char hdrbuf[999]; /* Max. header length + 1. */
for(;;) {
int c = getc(fp);
if(c == EOF || (!pos && !ISSPACE(c))) {
/* Strip and flush the current header. */
Reported by FlawFinder.
Line: 496
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *endpos;
char *tp;
char sep;
char type_major[128] = "";
char type_minor[128] = "";
char *endct = NULL;
struct curl_slist *headers = NULL;
if(ptype)
Reported by FlawFinder.
Line: 497
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *tp;
char sep;
char type_major[128] = "";
char type_minor[128] = "";
char *endct = NULL;
struct curl_slist *headers = NULL;
if(ptype)
*ptype = NULL;
Reported by FlawFinder.
Line: 581
Column: 14
CWE codes:
362
endpos--;
sep = *p;
*endpos = '\0';
fp = fopen(hdrfile, FOPEN_READTEXT);
if(!fp)
warnf(config->global, "Cannot read from %s: %s\n", hdrfile,
strerror(errno));
else {
int i = read_field_headers(config, hdrfile, fp, &headers);
Reported by FlawFinder.
Line: 274
Column: 25
CWE codes:
126
#ifdef CURL_DOES_CONVERSIONS
/* Our data is always textual: convert it to ASCII. */
{
size_t size = strlen(m->data);
char *cp = malloc(size + 1);
if(!cp)
ret = CURLE_OUT_OF_MEMORY;
else {
Reported by FlawFinder.
Line: 433
Column: 13
CWE codes:
120
20
char hdrbuf[999]; /* Max. header length + 1. */
for(;;) {
int c = getc(fp);
if(c == EOF || (!pos && !ISSPACE(c))) {
/* Strip and flush the current header. */
while(hdrlen && ISSPACE(hdrbuf[hdrlen - 1]))
hdrlen--;
if(hdrlen) {
Reported by FlawFinder.
Line: 537
Column: 39
CWE codes:
126
}
/* now point beyond the content-type specifier */
p = type + strlen(type_major) + strlen(type_minor) + 1;
for(endct = p; *p && *p != ';' && *p != endchar; p++)
if(!ISSPACE(*p))
endct = p + 1;
sep = *p;
}
Reported by FlawFinder.
Line: 537
Column: 18
CWE codes:
126
}
/* now point beyond the content-type specifier */
p = type + strlen(type_major) + strlen(type_minor) + 1;
for(endct = p; *p && *p != ';' && *p != endchar; p++)
if(!ISSPACE(*p))
endct = p + 1;
sep = *p;
}
Reported by FlawFinder.
tests/libtest/lib518.c
10 issues
Line: 53
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int *fd = NULL;
static struct rlimit num_open;
static char msgbuff[256];
static void store_errmsg(const char *msg, int err)
{
if(!err)
msnprintf(msgbuff, sizeof(msgbuff), "%s", msg);
Reported by FlawFinder.
Line: 85
Column: 14
CWE codes:
362
fpa[i] = NULL;
}
for(i = 0; i < 3; i++) {
fpa[i] = fopen(DEV_NULL, FOPEN_READTEXT);
if(!fpa[i]) {
store_errmsg("fopen failed", errno);
fprintf(stderr, "%s\n", msgbuff);
ret = 0;
break;
Reported by FlawFinder.
Line: 106
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int *memchunk = NULL;
char *fmt;
struct rlimit rl;
char strbuff[256];
char strbuff1[81];
char strbuff2[81];
char fmt_u[] = "%u";
char fmt_lu[] = "%lu";
#ifdef HAVE_LONGLONG
Reported by FlawFinder.
Line: 107
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *fmt;
struct rlimit rl;
char strbuff[256];
char strbuff1[81];
char strbuff2[81];
char fmt_u[] = "%u";
char fmt_lu[] = "%lu";
#ifdef HAVE_LONGLONG
char fmt_llu[] = "%llu";
Reported by FlawFinder.
Line: 108
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rlimit rl;
char strbuff[256];
char strbuff1[81];
char strbuff2[81];
char fmt_u[] = "%u";
char fmt_lu[] = "%lu";
#ifdef HAVE_LONGLONG
char fmt_llu[] = "%llu";
Reported by FlawFinder.
Line: 132
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
#ifdef RLIM_INFINITY
if(rl.rlim_cur == RLIM_INFINITY)
strcpy(strbuff, "INFINITY");
else
#endif
msnprintf(strbuff, sizeof(strbuff), fmt, rl.rlim_cur);
fprintf(stderr, "initial soft limit: %s\n", strbuff);
Reported by FlawFinder.
Line: 140
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
#ifdef RLIM_INFINITY
if(rl.rlim_max == RLIM_INFINITY)
strcpy(strbuff, "INFINITY");
else
#endif
msnprintf(strbuff, sizeof(strbuff), fmt, rl.rlim_max);
fprintf(stderr, "initial hard limit: %s\n", strbuff);
Reported by FlawFinder.
Line: 198
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
#ifdef RLIM_INFINITY
if(rl.rlim_cur == RLIM_INFINITY)
strcpy(strbuff, "INFINITY");
else
#endif
msnprintf(strbuff, sizeof(strbuff), fmt, rl.rlim_cur);
fprintf(stderr, "current soft limit: %s\n", strbuff);
Reported by FlawFinder.
Line: 206
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
#ifdef RLIM_INFINITY
if(rl.rlim_max == RLIM_INFINITY)
strcpy(strbuff, "INFINITY");
else
#endif
msnprintf(strbuff, sizeof(strbuff), fmt, rl.rlim_max);
fprintf(stderr, "current hard limit: %s\n", strbuff);
Reported by FlawFinder.
Line: 324
Column: 11
CWE codes:
362
/* open a dummy descriptor */
fd[0] = open(DEV_NULL, O_RDONLY);
if(fd[0] < 0) {
msnprintf(strbuff, sizeof(strbuff), "opening of %s failed", DEV_NULL);
store_errmsg(strbuff, errno);
fprintf(stderr, "%s\n", msgbuff);
free(fd);
Reported by FlawFinder.
lib/vtls/keylog.c
10 issues
Line: 51
Column: 24
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
char *keylog_file_name;
if(!keylog_file_fp) {
keylog_file_name = curl_getenv("SSLKEYLOGFILE");
if(keylog_file_name) {
keylog_file_fp = fopen(keylog_file_name, FOPEN_APPENDTEXT);
if(keylog_file_fp) {
#ifdef WIN32
if(setvbuf(keylog_file_fp, NULL, _IONBF, 0))
Reported by FlawFinder.
Line: 53
Column: 24
CWE codes:
362
if(!keylog_file_fp) {
keylog_file_name = curl_getenv("SSLKEYLOGFILE");
if(keylog_file_name) {
keylog_file_fp = fopen(keylog_file_name, FOPEN_APPENDTEXT);
if(keylog_file_fp) {
#ifdef WIN32
if(setvbuf(keylog_file_fp, NULL, _IONBF, 0))
#else
if(setvbuf(keylog_file_fp, NULL, _IOLBF, 4096))
Reported by FlawFinder.
Line: 90
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
/* The current maximum valid keylog line length LF and NUL is 195. */
size_t linelen;
char buf[256];
if(!keylog_file_fp || !line) {
return false;
}
Reported by FlawFinder.
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return false;
}
memcpy(buf, line, linelen);
if(line[linelen - 1] != '\n') {
buf[linelen++] = '\n';
}
buf[linelen] = '\0';
Reported by FlawFinder.
Line: 115
Column: 29
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
bool
Curl_tls_keylog_write(const char *label,
const unsigned char client_random[CLIENT_RANDOM_SIZE],
const unsigned char *secret, size_t secretlen)
{
const char *hex = "0123456789ABCDEF";
size_t pos, i;
Reported by FlawFinder.
Line: 116
Column: 38
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool
Curl_tls_keylog_write(const char *label,
const unsigned char client_random[CLIENT_RANDOM_SIZE],
const unsigned char *secret, size_t secretlen)
{
const char *hex = "0123456789ABCDEF";
size_t pos, i;
char line[KEYLOG_LABEL_MAXLEN + 1 + 2 * CLIENT_RANDOM_SIZE + 1 +
Reported by FlawFinder.
Line: 121
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const char *hex = "0123456789ABCDEF";
size_t pos, i;
char line[KEYLOG_LABEL_MAXLEN + 1 + 2 * CLIENT_RANDOM_SIZE + 1 +
2 * SECRET_MAXLEN + 1 + 1];
if(!keylog_file_fp) {
return false;
}
Reported by FlawFinder.
Line: 134
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return false;
}
memcpy(line, label, pos);
line[pos++] = ' ';
/* Client Random */
for(i = 0; i < CLIENT_RANDOM_SIZE; i++) {
line[pos++] = hex[client_random[i] >> 4];
Reported by FlawFinder.
Line: 96
Column: 13
CWE codes:
126
return false;
}
linelen = strlen(line);
if(linelen == 0 || linelen > sizeof(buf) - 2) {
/* Empty line or too big to fit in a LF and NUL. */
return false;
}
Reported by FlawFinder.
Line: 128
Column: 9
CWE codes:
126
return false;
}
pos = strlen(label);
if(pos > KEYLOG_LABEL_MAXLEN || !secretlen || secretlen > SECRET_MAXLEN) {
/* Should never happen - sanity check anyway. */
return false;
}
Reported by FlawFinder.
lib/smtp.c
10 issues
Line: 225
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Section 4. Examples of RFC-4954 but some e-mail servers ignore this and
only send the response code instead as per Section 4.2. */
if(line[3] == ' ' || len == 5) {
char tmpline[6];
result = TRUE;
memset(tmpline, '\0', sizeof(tmpline));
memcpy(tmpline, line, (len == 5 ? 5 : 3));
*resp = curlx_sltosi(strtol(tmpline, NULL, 10));
Reported by FlawFinder.
Line: 229
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
result = TRUE;
memset(tmpline, '\0', sizeof(tmpline));
memcpy(tmpline, line, (len == 5 ? 5 : 3));
*resp = curlx_sltosi(strtol(tmpline, NULL, 10));
/* Make sure real server never sends internal value */
if(*resp == 1)
*resp = 0;
Reported by FlawFinder.
Line: 1694
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct connectdata *conn = data->conn;
struct smtp_conn *smtpc = &conn->proto.smtpc;
const char *path = &data->state.up.path[1]; /* skip leading path */
char localhost[HOSTNAME_MAX + 1];
/* Calculate the path if necessary */
if(!*path) {
if(!Curl_gethostname(localhost, sizeof(localhost)))
path = localhost;
Reported by FlawFinder.
Line: 1846
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
else if(smtp->eob) {
/* A previous substring matched so output that first */
memcpy(&scratch[si], &SMTP_EOB[eob_sent], smtp->eob - eob_sent);
si += smtp->eob - eob_sent;
/* Then compare the first byte */
if(SMTP_EOB[0] == data->req.upload_fromhere[i])
smtp->eob = 1;
Reported by FlawFinder.
Line: 1864
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Do we have a match for CRLF. as per RFC-5321, sect. 4.5.2 */
if(SMTP_EOB_FIND_LEN == smtp->eob) {
/* Copy the replacement data to the target buffer */
memcpy(&scratch[si], &SMTP_EOB_REPL[eob_sent],
SMTP_EOB_REPL_LEN - eob_sent);
si += SMTP_EOB_REPL_LEN - eob_sent;
smtp->eob = 0;
eob_sent = 0;
}
Reported by FlawFinder.
Line: 1876
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(smtp->eob - eob_sent) {
/* A substring matched before processing ended so output that now */
memcpy(&scratch[si], &SMTP_EOB[eob_sent], smtp->eob - eob_sent);
si += smtp->eob - eob_sent;
}
/* Only use the new buffer if we replaced something */
if(si != nread) {
Reported by FlawFinder.
Line: 254
Column: 16
CWE codes:
126
*/
static void smtp_get_message(char *buffer, char **outptr)
{
size_t len = strlen(buffer);
char *message = NULL;
if(len > 4) {
/* Find the start of the message */
len -= 4;
Reported by FlawFinder.
Line: 860
Column: 16
CWE codes:
126
CURLcode result = CURLE_OK;
struct smtp_conn *smtpc = &conn->proto.smtpc;
const char *line = data->state.buffer;
size_t len = strlen(line);
(void)instate; /* no use for this yet */
if(smtpcode/100 != 2 && smtpcode != 1) {
if(data->set.use_ssl <= CURLUSESSL_TRY || conn->ssl[FIRSTSOCKET].use)
Reported by FlawFinder.
Line: 1009
Column: 16
CWE codes:
126
CURLcode result = CURLE_OK;
struct SMTP *smtp = data->req.p.smtp;
char *line = data->state.buffer;
size_t len = strlen(line);
(void)instate; /* no use for this yet */
if((smtp->rcpt && smtpcode/100 != 2 && smtpcode != 553 && smtpcode != 1) ||
(!smtp->rcpt && smtpcode/100 != 2 && smtpcode != 1)) {
Reported by FlawFinder.
Line: 1774
Column: 12
CWE codes:
126
if(!dup)
return CURLE_OUT_OF_MEMORY;
length = strlen(dup);
if(length) {
if(dup[length - 1] == '>')
dup[length - 1] = '\0';
}
Reported by FlawFinder.
tests/server/sockfilt.c
9 issues
Line: 347
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void lograw(unsigned char *buffer, ssize_t len)
{
char data[120];
ssize_t i;
unsigned char *ptr = buffer;
char *optr = data;
ssize_t width = 0;
int left = sizeof(data);
Reported by FlawFinder.
Line: 923
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 'buffer' is this excessively large only to be able to support things like
test 1003 which tests exceedingly large server response lines */
unsigned char buffer[17010];
char data[16];
if(got_exit_signal) {
logmsg("signalled to die, exiting...");
return FALSE;
Reported by FlawFinder.
Line: 924
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 'buffer' is this excessively large only to be able to support things like
test 1003 which tests exceedingly large server response lines */
unsigned char buffer[17010];
char data[16];
if(got_exit_signal) {
logmsg("signalled to die, exiting...");
return FALSE;
}
Reported by FlawFinder.
Line: 164
Column: 12
CWE codes:
120
20
handle = GetStdHandle(STD_INPUT_HANDLE);
}
else {
return read(fd, buf, count);
}
if(GetConsoleMode(handle, &mode)) {
success = ReadConsole(handle, buf, curlx_uztoul(count), &rcount, NULL);
}
Reported by FlawFinder.
Line: 180
Column: 9
CWE codes:
120
20
errno = GetLastError();
return -1;
}
#undef read
#define read(a,b,c) read_wincon(a,b,c)
/*
* write-wrapper to support writing to stdout and stderr on Windows.
*/
Reported by FlawFinder.
Line: 181
Column: 9
CWE codes:
120
20
return -1;
}
#undef read
#define read(a,b,c) read_wincon(a,b,c)
/*
* write-wrapper to support writing to stdout and stderr on Windows.
*/
static ssize_t write_wincon(int fd, const void *buf, size_t count)
Reported by FlawFinder.
Line: 232
Column: 18
CWE codes:
120
20
ssize_t nread = 0;
do {
ssize_t rc = read(filedes,
(unsigned char *)buffer + nread, nbytes - nread);
if(got_exit_signal) {
logmsg("signalled to die");
return -1;
Reported by FlawFinder.
Line: 1056
Column: 29
CWE codes:
126
/* Question asking us what PORT number we are listening to.
Replies to PORT with "IPv[num]/[port]" */
msnprintf((char *)buffer, sizeof(buffer), "%s/%hu\n", ipv_inuse, port);
buffer_len = (ssize_t)strlen((char *)buffer);
msnprintf(data, sizeof(data), "PORT\n%04zx\n", buffer_len);
if(!write_stdout(data, 10))
return FALSE;
if(!write_stdout(buffer, buffer_len))
return FALSE;
Reported by FlawFinder.
Line: 1398
Column: 35
CWE codes:
126
if(argc>arg) {
char *endptr;
unsigned long ulnum = strtoul(argv[arg], &endptr, 10);
if((endptr != argv[arg] + strlen(argv[arg])) ||
(ulnum < 1025UL) || (ulnum > 65535UL)) {
fprintf(stderr, "sockfilt: invalid --connect argument (%s)\n",
argv[arg]);
return 0;
}
Reported by FlawFinder.