The following issues were found
lib/smb.h
8 issues
Line: 169
Column: 16
CWE codes:
362/367!
Suggestion:
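Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Triage note: the reported position (line 169, column 16) falls on the struct member `unsigned int access;` in the excerpt below, not on a call to access(). The excerpt contains only member declarations and no check-then-open sequence, so this hit looks like a match on the identifier name and should be triaged as a likely false positive.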
unsigned short name_length;
unsigned int flags;
unsigned int root_fid;
unsigned int access;
curl_off_t allocation_size;
unsigned int ext_file_attributes;
unsigned int share_access;
unsigned int create_disposition;
unsigned int create_options;
Reported by FlawFinder.
Line: 39
Column: 12
CWE codes:
119
120
Suggestion:
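Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Triage note: this rule fires on the declaration of a fixed-size char array (here `unsigned char challenge[8]`). A declaration cannot overflow by itself; the review target is every site that writes into the array, which must copy at most 8 bytes.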
char *user;
char *domain;
char *share;
unsigned char challenge[8];
unsigned int session_key;
unsigned short uid;
char *recv_buf;
size_t upload_size;
size_t send_size;
Reported by FlawFinder.
Line: 100
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char nbt_type;
unsigned char nbt_flags;
unsigned short nbt_length;
unsigned char magic[4];
unsigned char command;
unsigned int status;
unsigned char flags;
unsigned short flags2;
unsigned short pid_high;
Reported by FlawFinder.
Line: 106
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char flags;
unsigned short flags2;
unsigned short pid_high;
unsigned char signature[8];
unsigned short pad;
unsigned short tid;
unsigned short pid;
unsigned short uid;
unsigned short mid;
Reported by FlawFinder.
Line: 130
Column: 3
CWE codes:
119
120
Suggestion:
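Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Triage note: `char bytes[1]` as the last member of a packed struct looks like the pre-C99 trailing-array idiom, so indexing past element 0 is presumably intended. The check that matters is that every reader bounds its accesses by byte_count and by the number of bytes actually received; neither is visible in this excerpt.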
unsigned short server_time_zone;
unsigned char encryption_key_length;
unsigned short byte_count;
char bytes[1];
} PACK;
struct andx {
unsigned char command;
unsigned char pad;
Reported by FlawFinder.
Line: 150
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int pad;
unsigned int capabilities;
unsigned short byte_count;
char bytes[1024];
} PACK;
struct smb_tree_connect {
unsigned char word_count;
struct andx andx;
Reported by FlawFinder.
Line: 159
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short flags;
unsigned short pw_len;
unsigned short byte_count;
char bytes[1024];
} PACK;
struct smb_nt_create {
unsigned char word_count;
struct andx andx;
Reported by FlawFinder.
Line: 178
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int impersonation_level;
unsigned char security_flags;
unsigned short byte_count;
char bytes[1024];
} PACK;
struct smb_nt_create_response {
struct smb_header h;
unsigned char word_count;
Reported by FlawFinder.
lib/vtls/gskit.c
8 issues
Line: 369
Column: 11
CWE codes:
120
Suggestion:
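Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
Triage note: the sizing assumption is stated in the excerpt for line 334 of this file: each buffer is strlen(cipherlist) + 1 bytes, and GSKit tokens are said to be always shorter than their cipher names. The strcpy stays in bounds only while that holds for every entry of the cipher table; it is a property of the table data, not something the code checks at the copy.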
CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK));
for(i = 0; i < CURL_GSKPROTO_LAST; i++) {
if(ctp->versions & (1 << i)) {
strcpy(ciphers[i].ptr, ctp->gsktoken);
ciphers[i].ptr += strlen(ctp->gsktoken);
}
}
}
Reported by FlawFinder.
Line: 419
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ciphers[CURL_GSKPROTO_TLSV10].buf, TRUE);
if(result == CURLE_UNSUPPORTED_PROTOCOL) {
result = CURLE_OK;
strcpy(ciphers[CURL_GSKPROTO_SSLV3].ptr,
ciphers[CURL_GSKPROTO_TLSV10].ptr);
}
}
/* Set-up other ciphers. */
Reported by FlawFinder.
Line: 530
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int m;
int i;
int ret = 0;
char buf[CURL_MAX_WRITE_SIZE];
if(!connssl->use || !connproxyssl->use)
return 0; /* No SSL over SSL: OK. */
FD_ZERO(&fds_read);
Reported by FlawFinder.
Line: 1194
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
int what;
int rc;
char buf[120];
int loop = 10; /* don't get stuck */
if(!BACKEND->handle)
return 0;
Reported by FlawFinder.
Line: 334
Column: 7
CWE codes:
126
/* We allocate GSKit buffers of the same size as the input string: since
GSKit tokens are always shorter than their cipher names, allocated buffers
will always be large enough to accommodate the result. */
l = strlen(cipherlist) + 1;
memset((char *) ciphers, 0, sizeof(ciphers));
for(i = 0; i < CURL_GSKPROTO_LAST; i++) {
ciphers[i].buf = malloc(l);
if(!ciphers[i].buf) {
while(i--)
Reported by FlawFinder.
Line: 370
Column: 29
CWE codes:
126
for(i = 0; i < CURL_GSKPROTO_LAST; i++) {
if(ctp->versions & (1 << i)) {
strcpy(ciphers[i].ptr, ctp->gsktoken);
ciphers[i].ptr += strlen(ctp->gsktoken);
}
}
}
/* Advance to next cipher name or end of string. */
Reported by FlawFinder.
Line: 578
Column: 9
CWE codes:
120
20
if(FD_ISSET(BACKEND->remotefd, &fds_read) &&
FD_ISSET(conn->sock[sockindex], &fds_write)) {
/* Pipe data to HTTPS proxy. */
n = read(BACKEND->remotefd, buf, sizeof(buf));
if(n < 0)
return -1;
if(n) {
i = gsk_secure_soc_write(connproxyssl->backend->handle, buf, n, &m);
if(i != GSK_OK || n != m)
Reported by FlawFinder.
Line: 1229
Column: 13
CWE codes:
120
20
notify alert from the server. No way to gsk_secure_soc_read() now, so
use read(). */
nread = read(conn->sock[sockindex], buf, sizeof(buf));
if(nread < 0) {
failf(data, "read: %s", strerror(errno));
rc = -1;
}
Reported by FlawFinder.
lib/sendf.c
8 issues
Line: 272
Column: 7
CWE codes:
120
Suggestion:
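Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
Triage note: the source string is bounded by the `mvsnprintf(error, CURL_ERROR_SIZE, fmt, ap)` call in the excerpt, so what remains to verify is the destination. data->set.errorbuffer is not allocated in the excerpt; libcurl's documented contract for CURLOPT_ERRORBUFFER requires the application to supply at least CURL_ERROR_SIZE bytes, so an undersized application buffer is the case that would make this copy overflow.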
len = mvsnprintf(error, CURL_ERROR_SIZE, fmt, ap);
if(data->set.errorbuffer && !data->state.errorbuf) {
strcpy(data->set.errorbuffer, error);
data->state.errorbuf = TRUE; /* wrote error string */
}
error[len++] = '\n';
error[len] = '\0';
Curl_debug(data, CURLINFO_TEXT, error, len);
Reported by FlawFinder.
Line: 308
Column: 15
CWE codes:
807
20
Suggestion:
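Check environment variables carefully before using them
Triage note: in the excerpt the value of CURL_SMALLSENDS is parsed with strtoul and used only as an upper bound through CURLMIN, so it can shrink len but never grow it, and a zero or unparsable value is ignored. The comment describes the block as a debug-build override; confirm the preprocessor guard, which is outside the excerpt.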
{
/* Allow debug builds to override this logic to force short sends
*/
char *p = getenv("CURL_SMALLSENDS");
if(p) {
size_t altsize = (size_t)strtoul(p, NULL, 10);
if(altsize)
len = CURLMIN(len, altsize);
}
Reported by FlawFinder.
Line: 207
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(psnd->recv_size > psnd->recv_processed) {
DEBUGASSERT(psnd->bindsock == conn->sock[num]);
copysize = CURLMIN(len, psnd->recv_size - psnd->recv_processed);
memcpy(buf, psnd->buffer + psnd->recv_processed, copysize);
psnd->recv_processed += copysize;
}
else
copysize = 0; /* buffer was allocated, but nothing was received */
Reported by FlawFinder.
Line: 247
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(data && data->set.verbose) {
va_list ap;
size_t len;
char buffer[MAXINFO + 2];
va_start(ap, fmt);
len = mvsnprintf(buffer, MAXINFO, fmt, ap);
va_end(ap);
buffer[len++] = '\n';
buffer[len] = '\0';
Reported by FlawFinder.
Line: 267
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(data->set.verbose || data->set.errorbuffer) {
va_list ap;
size_t len;
char error[CURL_ERROR_SIZE + 2];
va_start(ap, fmt);
len = mvsnprintf(error, CURL_ERROR_SIZE, fmt, ap);
if(data->set.errorbuffer && !data->state.errorbuf) {
strcpy(data->set.errorbuffer, error);
Reported by FlawFinder.
Line: 391
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*code = CURLE_AGAIN;
}
else {
char buffer[STRERROR_LEN];
failf(data, "Send failure: %s",
Curl_strerror(err, buffer, sizeof(buffer)));
data->state.os_errno = err;
*code = CURLE_SEND_ERROR;
}
Reported by FlawFinder.
Line: 462
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*code = CURLE_AGAIN;
}
else {
char buffer[STRERROR_LEN];
failf(data, "Recv failure: %s",
Curl_strerror(err, buffer, sizeof(buffer)));
data->state.os_errno = err;
*code = CURLE_RECV_ERROR;
}
Reported by FlawFinder.
Line: 715
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int rc = 0;
if(data->set.verbose) {
static const char s_infotype[CURLINFO_END][3] = {
"* ", "< ", "> ", "{ ", "} ", "{ ", "} " };
#ifdef CURL_DOES_CONVERSIONS
char *buf = NULL;
size_t conv_size = 0;
Reported by FlawFinder.
lib/setopt.c
8 issues
Line: 104
Column: 7
CWE codes:
120
Suggestion:
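Make sure destination can always hold the source data
Triage note: the destination is the memory directly after the struct curl_blob header inside nblob, so the allocation (outside the excerpt) has to be sizeof(struct curl_blob) + blob->len bytes, with that addition checked for overflow or blob->len capped beforehand.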
if(blob->flags & CURL_BLOB_COPY) {
/* put the data after the blob struct in memory */
nblob->data = (char *)nblob + sizeof(struct curl_blob);
memcpy(nblob->data, blob->data, blob->len);
}
*blobp = nblob;
return CURLE_OK;
}
Reported by FlawFinder.
Line: 482
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
result = CURLE_OUT_OF_MEMORY;
else {
if(data->set.postfieldsize)
memcpy(p, argptr, (size_t)data->set.postfieldsize);
data->set.str[STRING_COPYPOSTFIELDS] = p;
}
}
}
Reported by FlawFinder.
Line: 68
Column: 20
CWE codes:
126
char *str = strdup(s);
if(str) {
size_t len = strlen(str);
if(len > CURL_MAX_INPUT_LENGTH) {
free(str);
return CURLE_BAD_FUNCTION_ARGUMENT;
}
}
Reported by FlawFinder.
Line: 123
Column: 47
CWE codes:
126
/* Parse the login details if specified. It not then we treat NULL as a hint
to clear the existing data */
if(option) {
result = Curl_parse_login_details(option, strlen(option),
(userp ? &user : NULL),
(passwdp ? &passwd : NULL),
NULL);
}
Reported by FlawFinder.
Line: 745
Column: 10
CWE codes:
126
if(argptr) {
struct curl_slist *cl;
/* general protection against mistakes and abuse */
if(strlen(argptr) > CURL_MAX_INPUT_LENGTH)
return CURLE_BAD_FUNCTION_ARGUMENT;
/* append the cookie file name to the list of file names, and deal with
them later */
cl = curl_slist_append(data->state.cookielist, argptr);
if(!cl) {
Reported by FlawFinder.
Line: 846
Column: 10
CWE codes:
126
data->cookies = Curl_cookie_init(data, NULL, NULL, TRUE);
/* general protection against mistakes and abuse */
if(strlen(argptr) > CURL_MAX_INPUT_LENGTH)
return CURLE_BAD_FUNCTION_ARGUMENT;
argptr = strdup(argptr);
if(!argptr || !data->cookies) {
result = CURLE_OUT_OF_MEMORY;
free(argptr);
Reported by FlawFinder.
Line: 2777
Column: 39
CWE codes:
126
case CURLOPT_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
if(!argptr ||
strncasecompare(argptr, "SRP", strlen("SRP")))
data->set.ssl.authtype = CURL_TLSAUTH_SRP;
else
data->set.ssl.authtype = CURL_TLSAUTH_NONE;
break;
#ifndef CURL_DISABLE_PROXY
Reported by FlawFinder.
Line: 2786
Column: 39
CWE codes:
126
case CURLOPT_PROXY_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
if(!argptr ||
strncasecompare(argptr, "SRP", strlen("SRP")))
data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
else
data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
break;
#endif
Reported by FlawFinder.
src/tool_paramhlp.c
8 issues
Line: 70
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct curlx_dynbuf dyn;
curlx_dyn_init(&dyn, MAX_FILE2STRING);
if(file) {
char buffer[256];
while(fgets(buffer, sizeof(buffer), file)) {
char *ptr = strchr(buffer, '\r');
if(ptr)
*ptr = '\0';
Reported by FlawFinder.
Line: 96
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct curlx_dynbuf dyn;
curlx_dyn_init(&dyn, MAX_FILE2MEMORY);
do {
char buffer[4096];
nread = fread(buffer, 1, sizeof(buffer), file);
if(nread)
if(curlx_dyn_addn(&dyn, buffer, nread))
return PARAM_NO_MEM;
} while(nread);
Reported by FlawFinder.
Line: 456
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(!psep && **userpwd != ';') {
/* no password present, prompt for one */
char passwd[2048] = "";
char prompt[256];
struct curlx_dynbuf dyn;
curlx_dyn_init(&dyn, MAX_USERPWDLENGTH);
if(osep)
Reported by FlawFinder.
Line: 457
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(!psep && **userpwd != ';') {
/* no password present, prompt for one */
char passwd[2048] = "";
char prompt[256];
struct curlx_dynbuf dyn;
curlx_dyn_init(&dyn, MAX_USERPWDLENGTH);
if(osep)
*osep = '\0';
Reported by FlawFinder.
Line: 119
Column: 18
CWE codes:
126
* argument out so that the username:password isn't displayed in the
* system process list */
if(str) {
size_t len = strlen(str);
memset(str, ' ', len);
}
#else
(void)str;
#endif
Reported by FlawFinder.
Line: 144
Column: 44
CWE codes:
126
num = strtol(str, &endptr, base);
if(errno == ERANGE)
return PARAM_NUMBER_TOO_LARGE;
if((endptr != str) && (endptr == str + strlen(str))) {
*val = num;
return PARAM_OK; /* Ok */
}
}
return PARAM_BAD_NUMERIC; /* badness */
Reported by FlawFinder.
Line: 237
Column: 44
CWE codes:
126
/* too large */
return PARAM_NUMBER_TOO_LARGE;
}
if((endptr != str) && (endptr == str + strlen(str))) {
*val = num;
return PARAM_OK; /* Ok */
}
}
return PARAM_BAD_NUMERIC; /* badness */
Reported by FlawFinder.
Line: 430
Column: 42
CWE codes:
126
if((*val == LONG_MIN || *val == LONG_MAX) && errno == ERANGE)
return PARAM_NUMBER_TOO_LARGE;
#endif
if((endptr != str) && (endptr == str + strlen(str)))
return PARAM_OK;
return PARAM_BAD_NUMERIC;
}
Reported by FlawFinder.
lib/pop3.c
8 issues
Line: 432
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pop3_conn *pop3c = &conn->proto.pop3c;
size_t i;
struct MD5_context *ctxt;
unsigned char digest[MD5_DIGEST_LEN];
char secret[2 * MD5_DIGEST_LEN + 1];
/* Check we have a username and password to authenticate with and end the
connect phase if we don't */
if(!conn->bits.user_passwd) {
Reported by FlawFinder.
Line: 433
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t i;
struct MD5_context *ctxt;
unsigned char digest[MD5_DIGEST_LEN];
char secret[2 * MD5_DIGEST_LEN + 1];
/* Check we have a username and password to authenticate with and end the
connect phase if we don't */
if(!conn->bits.user_passwd) {
state(data, POP3_STOP);
Reported by FlawFinder.
Line: 658
Column: 11
CWE codes:
120
Suggestion:
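Make sure destination can always hold the source data
Triage note: the excerpt writes timestamplen bytes and then a terminator at index timestamplen, so apoptimestamp needs timestamplen + 1 bytes. The source is `line + i`, and the excerpt for line 630 of this file shows line pointing at data->state.buffer, so the length comes from the server's response. Verify the allocation size and that i + timestamplen does not exceed the length of line; neither is visible here.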
break;
/* Copy the timestamp */
memcpy(pop3c->apoptimestamp, line + i, timestamplen);
pop3c->apoptimestamp[timestamplen] = '\0';
/* If the timestamp does not contain '@' it is not (as required by
RFC-1939) conformant to the RFC-822 message id syntax, and we
therefore do not use APOP authentication. */
Reported by FlawFinder.
Line: 256
Column: 16
CWE codes:
126
*/
static void pop3_get_message(char *buffer, char **outptr)
{
size_t len = strlen(buffer);
char *message = NULL;
if(len > 2) {
/* Find the start of the message */
len -= 2;
Reported by FlawFinder.
Line: 449
Column: 32
CWE codes:
126
return CURLE_OUT_OF_MEMORY;
Curl_MD5_update(ctxt, (const unsigned char *) pop3c->apoptimestamp,
curlx_uztoui(strlen(pop3c->apoptimestamp)));
Curl_MD5_update(ctxt, (const unsigned char *) conn->passwd,
curlx_uztoui(strlen(conn->passwd)));
/* Finalise the digest */
Reported by FlawFinder.
Line: 452
Column: 32
CWE codes:
126
curlx_uztoui(strlen(pop3c->apoptimestamp)));
Curl_MD5_update(ctxt, (const unsigned char *) conn->passwd,
curlx_uztoui(strlen(conn->passwd)));
/* Finalise the digest */
Curl_MD5_final(ctxt, digest);
/* Convert the calculated 16 octet digest into a 32 byte hex string */
Reported by FlawFinder.
Line: 630
Column: 16
CWE codes:
126
struct connectdata *conn = data->conn;
struct pop3_conn *pop3c = &conn->proto.pop3c;
const char *line = data->state.buffer;
size_t len = strlen(line);
(void)instate; /* no use for this yet */
if(pop3code != '+') {
failf(data, "Got unexpected pop3-server response");
Reported by FlawFinder.
Line: 689
Column: 16
CWE codes:
126
struct connectdata *conn = data->conn;
struct pop3_conn *pop3c = &conn->proto.pop3c;
const char *line = data->state.buffer;
size_t len = strlen(line);
(void)instate; /* no use for this yet */
/* Do we have a untagged continuation response? */
if(pop3code == '*') {
Reported by FlawFinder.
src/tool_parsecfg.c
8 issues
Line: 50
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef WIN32
static FILE *execpath(const char *filename)
{
char filebuffer[512];
/* Get the filename of our executable. GetModuleFileName is already declared
* via inclusions done in setup header file. We assume that we are using
* the ASCII version here.
*/
unsigned long len = GetModuleFileNameA(0, filebuffer, sizeof(filebuffer));
Reported by FlawFinder.
Line: 66
Column: 16
CWE codes:
362
remaining = sizeof(filebuffer) - strlen(filebuffer);
if(strlen(filename) < remaining - 1) {
msnprintf(lastdirchar, remaining, "%s%s", DIR_CHAR, filename);
return fopen(filebuffer, FOPEN_READTEXT);
}
}
}
return NULL;
Reported by FlawFinder.
Line: 113
Column: 16
CWE codes:
362
}
/* Check if the file exists - if not, try _curlrc */
file = fopen(pathalloc, FOPEN_READTEXT);
if(file) {
filename = pathalloc;
break;
}
prefix = '_';
Reported by FlawFinder.
Line: 134
Column: 14
CWE codes:
362
if(!file && filename) { /* no need to fopen() again */
if(strcmp(filename, "-"))
file = fopen(filename, FOPEN_READTEXT);
else
file = stdin;
}
if(file) {
Reported by FlawFinder.
Line: 353
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool my_get_line(FILE *fp, struct curlx_dynbuf *db,
bool *error)
{
char buf[4096];
*error = FALSE;
do {
/* fgets() returns s on success, and NULL on error or when end of file
occurs while no characters have been read. */
if(!fgets(buf, sizeof(buf), fp))
Reported by FlawFinder.
Line: 63
Column: 40
CWE codes:
126
size_t remaining;
*lastdirchar = 0;
/* If we have enough space, build the RC filename */
remaining = sizeof(filebuffer) - strlen(filebuffer);
if(strlen(filename) < remaining - 1) {
msnprintf(lastdirchar, remaining, "%s%s", DIR_CHAR, filename);
return fopen(filebuffer, FOPEN_READTEXT);
}
}
Reported by FlawFinder.
Line: 64
Column: 10
CWE codes:
126
*lastdirchar = 0;
/* If we have enough space, build the RC filename */
remaining = sizeof(filebuffer) - strlen(filebuffer);
if(strlen(filename) < remaining - 1) {
msnprintf(lastdirchar, remaining, "%s%s", DIR_CHAR, filename);
return fopen(filebuffer, FOPEN_READTEXT);
}
}
}
Reported by FlawFinder.
Line: 199
Column: 24
CWE codes:
126
if(*line == '\"') {
/* quoted parameter, do the quote dance */
line++;
param = malloc(strlen(line) + 1); /* parameter */
if(!param) {
/* out of memory */
rc = 1;
break;
}
Reported by FlawFinder.
lib/urldata.h
7 issues
Line: 407
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
TCHAR *spn;
#else
unsigned int flags;
unsigned char nonce[8];
unsigned int target_info_len;
void *target_info; /* TargetInfo received in the ntlm type-2 message */
#if defined(NTLM_WB_ENABLED)
/* used for communication with Samba's winbind daemon helper ntlm_auth */
Reported by FlawFinder.
Line: 611
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* State for one probe: an easy handle, a DNS type code, a fixed 512-byte
   buffer with a separate length field, and a dynbuf. The scanner hit on
   this struct is the fixed-size array declaration; the declaration itself
   cannot overflow, the sites that write into it can. */
struct dnsprobe {
CURL *easy;
int dnstype;
/* Fixed capacity: every writer must bound its length by sizeof(dohbuffer).
   NOTE(review): presumably holds the encoded DoH request - confirm at the
   site that fills it. */
unsigned char dohbuffer[512];
/* NOTE(review): presumably the number of valid bytes in dohbuffer; if so
   it must never exceed sizeof(dohbuffer) - TODO confirm. */
size_t dohlen;
/* NOTE(review): looks like the buffer for data received from the DoH
   server - confirm against the code that appends to it. */
struct dynbuf serverdoh;
};
struct dohdata {
Reported by FlawFinder.
Line: 975
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for the last attempt. When the connection is actually established
these are updated with data which comes directly from the socket. */
char primary_ip[MAX_IPADR_LEN];
unsigned char ip_version; /* copied from the Curl_easy at creation time */
char *user; /* user name string, allocated */
char *passwd; /* password string, allocated */
char *options; /* options string, allocated */
Reported by FlawFinder.
Line: 1156
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
without disturbing information which is still alive, and that might be
reused, in the connection cache. */
char conn_primary_ip[MAX_IPADR_LEN];
int conn_primary_port;
char conn_local_ip[MAX_IPADR_LEN];
int conn_local_port;
const char *conn_scheme;
unsigned int conn_protocol;
Reported by FlawFinder.
Line: 1158
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char conn_primary_ip[MAX_IPADR_LEN];
int conn_primary_port;
char conn_local_ip[MAX_IPADR_LEN];
int conn_local_port;
const char *conn_scheme;
unsigned int conn_protocol;
struct curl_certinfo certs; /* info about the certs, only populated in
OpenSSL, GnuTLS, Schannel, NSS and GSKit
Reported by FlawFinder.
Line: 1741
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long new_file_perms; /* Permissions to use when creating remote files */
long new_directory_perms; /* Permissions to use when creating remote dirs */
long ssh_auth_types; /* allowed SSH auth types */
char *str[STRING_LAST]; /* array of strings, pointing to allocated memory */
struct curl_blob *blobs[BLOB_LAST];
unsigned int scope_id; /* Scope id for IPv6 */
long allowed_protocols;
long redir_protocols;
struct curl_slist *mail_rcpt; /* linked list of mail recipients */
Reported by FlawFinder.
Line: 1905
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
the state etc are also kept. This array is mostly used to detect when a
socket is to be removed from the hash. See singlesocket(). */
curl_socket_t sockets[MAX_SOCKSPEREASYHANDLE];
unsigned char actions[MAX_SOCKSPEREASYHANDLE]; /* action for each socket in
sockets[] */
int numsocks;
struct Names dns;
struct Curl_multi *multi; /* if non-NULL, points to the multi handle
Reported by FlawFinder.
lib/mprintf.c
7 issues
Line: 960
Column: 10
CWE codes:
120
Suggestion:
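Use sprintf_s, snprintf, or vsnprintf
Triage note: the DEBUGASSERT in the excerpt runs after the write, so it can report an overrun of work but cannot prevent one, and its `<=` comparison also accepts strlen(work) == sizeof(work), a state in which the terminating NUL is already outside the array. The real bound has to come from the width and precision limits applied while formatbuf is built, which this excerpt does not show.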
/* NOTE NOTE NOTE!! Not all sprintf implementations return number of
output characters */
(sprintf)(work, formatbuf, p->data.dnum);
DEBUGASSERT(strlen(work) <= sizeof(work));
for(fptr = work; *fptr; fptr++)
OUTCHAR(*fptr);
}
break;
Reported by FlawFinder.
Line: 584
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long param_num = 0; /* parameter counter */
struct va_stack vto[MAX_PARAMETERS];
char *endpos[MAX_PARAMETERS];
char **end;
char work[BUFFSIZE];
struct va_stack *p;
/* 'workend' points to the final buffer byte position, but with an extra
Reported by FlawFinder.
Line: 586
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct va_stack vto[MAX_PARAMETERS];
char *endpos[MAX_PARAMETERS];
char **end;
char work[BUFFSIZE];
struct va_stack *p;
/* 'workend' points to the final buffer byte position, but with an extra
byte as margin to avoid the (false?) warning Coverity gives us
otherwise */
Reported by FlawFinder.
Line: 890
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case FORMAT_DOUBLE:
{
char formatbuf[32]="%";
char *fptr = &formatbuf[1];
size_t left = sizeof(formatbuf)-strlen(formatbuf);
int len;
width = -1;
Reported by FlawFinder.
Line: 834
Column: 17
CWE codes:
126
else if(prec != -1)
len = (size_t)prec;
else
len = strlen(str);
width -= (len > LONG_MAX) ? LONG_MAX : (long)len;
if(p->flags & FLAGS_ALT)
OUTCHAR('"');
Reported by FlawFinder.
Line: 892
Column: 41
CWE codes:
126
{
char formatbuf[32]="%";
char *fptr = &formatbuf[1];
size_t left = sizeof(formatbuf)-strlen(formatbuf);
int len;
width = -1;
if(p->flags & FLAGS_WIDTH)
width = p->width;
Reported by FlawFinder.
Line: 961
Column: 21
CWE codes:
126
/* NOTE NOTE NOTE!! Not all sprintf implementations return number of
output characters */
(sprintf)(work, formatbuf, p->data.dnum);
DEBUGASSERT(strlen(work) <= sizeof(work));
for(fptr = work; *fptr; fptr++)
OUTCHAR(*fptr);
}
break;
Reported by FlawFinder.
lib/vauth/cleartext.c
7 issues
Line: 87
Column: 5
CWE codes:
120
Suggestion:
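Make sure destination can always hold the source data
Triage note: the three copies write zlen, clen and plen bytes plus two separators, and the final store is to plainauth[plainlen], so the buffer needs plainlen + 1 bytes. The excerpt for line 71 of this file shows the guard against overflow when the lengths are added; the allocation of plainauth is outside the excerpts and is the remaining thing to confirm.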
/* Calculate the reply */
if(zlen)
memcpy(plainauth, authzid, zlen);
plainauth[zlen] = '\0';
memcpy(plainauth + zlen + 1, authcid, clen);
plainauth[zlen + clen + 1] = '\0';
memcpy(plainauth + zlen + clen + 2, passwd, plen);
plainauth[plainlen] = '\0';
Reported by FlawFinder.
Line: 89
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(zlen)
memcpy(plainauth, authzid, zlen);
plainauth[zlen] = '\0';
memcpy(plainauth + zlen + 1, authcid, clen);
plainauth[zlen + clen + 1] = '\0';
memcpy(plainauth + zlen + clen + 2, passwd, plen);
plainauth[plainlen] = '\0';
Curl_bufref_set(out, plainauth, plainlen, curl_free);
return CURLE_OK;
Reported by FlawFinder.
Line: 91
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
plainauth[zlen] = '\0';
memcpy(plainauth + zlen + 1, authcid, clen);
plainauth[zlen + clen + 1] = '\0';
memcpy(plainauth + zlen + clen + 2, passwd, plen);
plainauth[plainlen] = '\0';
Curl_bufref_set(out, plainauth, plainlen, curl_free);
return CURLE_OK;
}
Reported by FlawFinder.
Line: 71
Column: 33
CWE codes:
126
size_t clen;
size_t plen;
zlen = (authzid == NULL ? 0 : strlen(authzid));
clen = strlen(authcid);
plen = strlen(passwd);
/* Compute binary message length. Check for overflows. */
if((zlen > SIZE_T_MAX/4) || (clen > SIZE_T_MAX/4) ||
Reported by FlawFinder.
Line: 72
Column: 10
CWE codes:
126
size_t plen;
zlen = (authzid == NULL ? 0 : strlen(authzid));
clen = strlen(authcid);
plen = strlen(passwd);
/* Compute binary message length. Check for overflows. */
if((zlen > SIZE_T_MAX/4) || (clen > SIZE_T_MAX/4) ||
(plen > (SIZE_T_MAX/2 - 2)))
Reported by FlawFinder.
Line: 73
Column: 10
CWE codes:
126
zlen = (authzid == NULL ? 0 : strlen(authzid));
clen = strlen(authcid);
plen = strlen(passwd);
/* Compute binary message length. Check for overflows. */
if((zlen > SIZE_T_MAX/4) || (clen > SIZE_T_MAX/4) ||
(plen > (SIZE_T_MAX/2 - 2)))
return CURLE_OUT_OF_MEMORY;
Reported by FlawFinder.
Line: 112
Column: 32
CWE codes:
126
*/
CURLcode Curl_auth_create_login_message(const char *valuep, struct bufref *out)
{
/* Sets 'out' to refer to valuep with length strlen(valuep). valuep must be
   a non-NULL, NUL-terminated string: strlen() is applied to it with no
   check in this function, which is what the CWE-126 hit points at.
   NOTE(review): the NULL last argument is presumably "no destructor",
   meaning 'out' borrows valuep rather than owning a copy, so valuep must
   outlive 'out' - confirm against Curl_bufref_set(). */
Curl_bufref_set(out, valuep, strlen(valuep), NULL);
/* No failure path here: the function always reports success. */
return CURLE_OK;
}
/*
* Curl_auth_create_external_message()
Reported by FlawFinder.