The following issues were found

src/os/unix/ngx_freebsd_init.c
3 issues
getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 92 Column: 10 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them 

              #else
    char  *mo;

    mo = getenv("MALLOC_OPTIONS");

    if (mo && ngx_strchr(mo, 'J')) {
        ngx_debug_malloc = 1;
    }
#endif

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 13 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              

/* FreeBSD 3.0 at least */
char    ngx_freebsd_kern_ostype[16];
char    ngx_freebsd_kern_osrelease[128];
int     ngx_freebsd_kern_osreldate;
int     ngx_freebsd_hw_ncpu;
int     ngx_freebsd_kern_ipc_somaxconn;
u_long  ngx_freebsd_net_inet_tcp_sendspace;

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 14 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
/* FreeBSD 3.0 at least */
char    ngx_freebsd_kern_ostype[16];
char    ngx_freebsd_kern_osrelease[128];
int     ngx_freebsd_kern_osreldate;
int     ngx_freebsd_hw_ncpu;
int     ngx_freebsd_kern_ipc_somaxconn;
u_long  ngx_freebsd_net_inet_tcp_sendspace;

Reported by FlawFinder.

src/core/ngx_string.h
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 106 Column: 42 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

               * gcc3 compiles memcpy(d, s, 4) to the inline "mov"es.
 * icc8 compile memcpy(d, s, 4) to the inline "mov"es or XMM moves.
 */
#define ngx_memcpy(dst, src, n)   (void) memcpy(dst, src, n)
#define ngx_cpymem(dst, src, n)   (((u_char *) memcpy(dst, src, n)) + (n))

#endif

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 107 Column: 48 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

               * icc8 compile memcpy(d, s, 4) to the inline "mov"es or XMM moves.
 */
#define ngx_memcpy(dst, src, n)   (void) memcpy(dst, src, n)
#define ngx_cpymem(dst, src, n)   (((u_char *) memcpy(dst, src, n)) + (n))

#endif


#if ( __INTEL_COMPILER >= 800 )

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 61 Column: 29 CWE codes: 126 

              

#define ngx_strstr(s1, s2)  strstr((const char *) s1, (const char *) s2)
#define ngx_strlen(s)       strlen((const char *) s)

size_t ngx_strnlen(u_char *p, size_t n);

#define ngx_strchr(s1, c)   strchr((const char *) s1, (int) c)

Reported by FlawFinder.

src/os/unix/ngx_solaris_init.c
3 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 12 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              #include <ngx_core.h>


char ngx_solaris_sysname[20];
char ngx_solaris_release[10];
char ngx_solaris_version[50];


static ngx_os_io_t ngx_solaris_io = {

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 13 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              

char ngx_solaris_sysname[20];
char ngx_solaris_release[10];
char ngx_solaris_version[50];


static ngx_os_io_t ngx_solaris_io = {
    ngx_unix_recv,

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 14 Column: 1 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
char ngx_solaris_sysname[20];
char ngx_solaris_release[10];
char ngx_solaris_version[50];


static ngx_os_io_t ngx_solaris_io = {
    ngx_unix_recv,
    ngx_readv_chain,

Reported by FlawFinder.

src/os/win32/ngx_files.h
3 issues
access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 72 Column: 73 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly 

              #define NGX_FILE_ERROR              0


ngx_fd_t ngx_open_file(u_char *name, u_long mode, u_long create, u_long access);
#define ngx_open_file_n             "CreateFile()"

#define NGX_FILE_RDONLY             GENERIC_READ
#define NGX_FILE_WRONLY             GENERIC_WRITE
#define NGX_FILE_RDWR               GENERIC_READ|GENERIC_WRITE

Reported by FlawFinder.

access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 89 Column: 45 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly 

              #define NGX_FILE_OWNER_ACCESS       0


#define ngx_open_tempfile(name, persistent, access)                          \
    CreateFile((const char *) name,                                          \
               GENERIC_READ|GENERIC_WRITE,                                   \
               FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,           \
               NULL,                                                         \
               CREATE_NEW,                                                   \

Reported by FlawFinder.

access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 197 Column: 30 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly 

              #define ngx_close_dir_n             "FindClose()"


#define ngx_create_dir(name, access) CreateDirectory((const char *) name, NULL)
#define ngx_create_dir_n            "CreateDirectory()"


#define ngx_delete_dir(name)        RemoveDirectory((const char *) name)
#define ngx_delete_dir_n            "RemoveDirectory()"

Reported by FlawFinder.

src/mail/ngx_mail_auth_http_module.c
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 225 Column: 41 CWE codes: 120 20 

              
    ctx->handler = ngx_mail_auth_http_ignore_status_line;

    ngx_add_timer(ctx->peer.connection->read, ahcf->timeout);
    ngx_add_timer(ctx->peer.connection->write, ahcf->timeout);

    if (rc == NGX_OK) {
        ngx_mail_auth_http_write_handler(ctx->peer.connection->write);
        return;

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 731 Column: 46 CWE codes: 120 20 

                                  return;
                }

                ngx_add_timer(s->connection->read, (ngx_msec_t) (timer * 1000));

                s->connection->read->handler = ngx_mail_auth_sleep_handler;

                return;
            }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 748 Column: 46 CWE codes: 120 20 

                                  return;
                }

                ngx_add_timer(s->connection->read, (ngx_msec_t) (timer * 1000));

                s->connection->read->handler = ngx_mail_auth_sleep_handler;

                return;
            }

Reported by FlawFinder.

src/event/ngx_event_accept.c
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 229 Column: 18 CWE codes: 120 20 

                      }
#endif

        rev = c->read;
        wev = c->write;

        wev->ready = 1;

        if (ngx_event_flags & NGX_USE_IOCP_EVENT) {

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 374 Column: 30 CWE codes: 120 20 

                          continue;
        }

        if (ngx_add_event(c->read, NGX_READ_EVENT, 0) == NGX_ERROR) {
            return NGX_ERROR;
        }
    }

    return NGX_OK;

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 412 Column: 30 CWE codes: 120 20 

              
#endif

        if (ngx_del_event(c->read, NGX_READ_EVENT, NGX_DISABLE_EVENT)
            == NGX_ERROR)
        {
            return NGX_ERROR;
        }
    }

Reported by FlawFinder.

src/event/modules/ngx_win32_poll_module.c
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 155 Column: 16 CWE codes: 120 20 

              #endif

    } else {
        e = c->read;
#if (NGX_WRITE_EVENT != POLLOUT)
        event = POLLOUT;
#endif
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 211 Column: 16 CWE codes: 120 20 

              #endif

    } else {
        e = c->read;
#if (NGX_WRITE_EVENT != POLLOUT)
        event = POLLOUT;
#endif
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 381 Column: 21 CWE codes: 120 20 

                      if ((revents & POLLIN) && c->read->active) {
            found = 1;

            ev = c->read;
            ev->ready = 1;
            ev->available = -1;

            queue = ev->accept ? &ngx_posted_accept_events
                               : &ngx_posted_events;

Reported by FlawFinder.

src/event/modules/ngx_poll_module.c
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 136 Column: 16 CWE codes: 120 20 

              #endif

    } else {
        e = c->read;
#if (NGX_WRITE_EVENT != POLLOUT)
        event = POLLOUT;
#endif
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 189 Column: 16 CWE codes: 120 20 

              #endif

    } else {
        e = c->read;
#if (NGX_WRITE_EVENT != POLLOUT)
        event = POLLOUT;
#endif
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 371 Column: 21 CWE codes: 120 20 

                      if ((revents & POLLIN) && c->read->active) {
            found = 1;

            ev = c->read;
            ev->ready = 1;
            ev->available = -1;

            queue = ev->accept ? &ngx_posted_accept_events
                               : &ngx_posted_events;

Reported by FlawFinder.

src/http/modules/ngx_http_limit_req_module.c
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 314 Column: 39 CWE codes: 120 20 

                  r->main->limit_req_status = NGX_HTTP_LIMIT_REQ_DELAYED;

    if (r->connection->read->ready) {
        ngx_post_event(r->connection->read, &ngx_posted_events);

    } else {
        if (ngx_handle_read_event(r->connection->read, 0) != NGX_OK) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 317 Column: 50 CWE codes: 120 20 

                      ngx_post_event(r->connection->read, &ngx_posted_events);

    } else {
        if (ngx_handle_read_event(r->connection->read, 0) != NGX_OK) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }
    }

    r->read_event_handler = ngx_http_test_reading;

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 351 Column: 46 CWE codes: 120 20 

                      return;
    }

    if (ngx_handle_read_event(r->connection->read, 0) != NGX_OK) {
        ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
        return;
    }

    r->read_event_handler = ngx_http_block_reading;

Reported by FlawFinder.

src/event/modules/ngx_eventport_module.c
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 330 Column: 16 CWE codes: 120 20 

              #endif

    } else {
        e = c->read;
        prev = POLLIN;
#if (NGX_WRITE_EVENT != POLLOUT)
        events = POLLOUT;
#endif
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 385 Column: 16 CWE codes: 120 20 

                      event = POLLOUT;

    } else {
        e = c->read;
        event = POLLIN;
    }

    if (e->oneshot) {
        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 554 Column: 22 CWE codes: 120 20 

                          }

            c = ev->data;
            rev = c->read;
            wev = c->write;

            rev->active = 0;
            wev->active = 0;

Reported by FlawFinder.