From e90ebf54b52c2053a90a36d19dcc9c740993b3c3 Mon Sep 17 00:00:00 2001 From: David Carlos Date: Thu, 30 Mar 2017 10:52:02 -0300 Subject: [PATCH] Add parser to flawfinder - Add only one cwe in Firehose report - Retrieve flawfinder version from report. - Use enumerate instead of counter. - Add tests - Add comment about multiple cwes. - Fix regex. --- docs/parsers.rst | 4 + firehose/parsers/flawfinder.py | 118 + .../flawfinder/flawfinder-report-1 | 6952 +++++++++++++++++ tests/parsers/test_flawfinder_parser.py | 61 + 4 files changed, 7135 insertions(+) create mode 100644 firehose/parsers/flawfinder.py create mode 100644 tests/parsers/example-output/flawfinder/flawfinder-report-1 create mode 100644 tests/parsers/test_flawfinder_parser.py diff --git a/docs/parsers.rst b/docs/parsers.rst index c61b960..83621d7 100644 --- a/docs/parsers.rst +++ b/docs/parsers.rst @@ -48,3 +48,7 @@ turn them into :py:class:`firehose.model.Analysis` instances. * gcc.py Parser for warnings emitted by `GCC `_. + +* flawfinder.py + + Parser for warnings emitted by `flawfinder `_. diff --git a/firehose/parsers/flawfinder.py b/firehose/parsers/flawfinder.py new file mode 100644 index 0000000..ea43389 --- /dev/null +++ b/firehose/parsers/flawfinder.py @@ -0,0 +1,118 @@ +#!/usr/bin/env python +# +# Copyright 2017 David Carlos +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 +# USA + +import sys +import re +from subprocess import check_output +from firehose.model import Message, Point, \ + File, Location, Generator, Metadata, Analysis, Issue + + +def main(): + """ Main entry to flawfinder parser """ + try: + arg_file = sys.argv[1] + report = open(arg_file, 'r') + except IOError as e: + raise e + except IndexError: + print("Missing input file") + analysis = parse_file(report) + sys.stdout.write(str(analysis.to_xml())) + sys.stdout.write('\n') + + +def parse_file(infile): + """ Parser flawfinder output + + :infile: file-like object + :returns: Firehose Analysis object, representing the final XML. + + Flawfinder can generate multiple cwes for a single issue. + Firehose's models does not supports multiple CWEs. + For now, when multiple CWEs ocurrs, we get only the first one. + + A issue was created to track this bug: + https://github.com/fedora-static-analysis/firehose/issues/35 + """ + + line = infile.readline() + generator = Generator(name='flawfinder', + version=get_flawfinder_version(line)) + metadata = Metadata(generator, None, None, None) + analysis = Analysis(metadata, []) + issue_line_pattern = "(\.?\/?([a-z0-9]+\_?\/?\.?)+)\:([0-9]+)\:" + issue_severity_pattern = "\[([0-9]+)\]" + issue_testid_pattern = "\(([a-z]+)\)" + whitespace = "\s+" + + first_line_pattern = (issue_line_pattern + whitespace + + issue_severity_pattern + whitespace + + issue_testid_pattern) + prog = re.compile(first_line_pattern) + while line: + if prog.search(line) and line != "\n": + issue_path = prog.search(line).group(1) + issue_line = prog.search(line).group(3) + issue_severity = prog.search(line).group(4) + testid = prog.search(line).group(5) + + location = Location(file=File(issue_path, None), + function=None, + point=Point(int(issue_line), 0)) + + message_line = infile.readline() + issue_message = "" + cwes = [] + while not prog.search(message_line) and message_line != "\n": + issue_message += " " + message_line + cwes.extend([int(cwe) for cwe in re.findall("CWE-([0-9]+)", issue_message)]) + message_line = infile.readline() + + line = message_line + if cwes: + first_cwe = int(cwes[0]) + else: + first_cwe = None + + issue = Issue(first_cwe, testid, location, + Message(text=issue_message), notes=None, + trace=None, severity=issue_severity, customfields=None) + + analysis.results.append(issue) + else: + line = infile.readline() + + return analysis + + +def get_flawfinder_version(first_line): + """Retrieve flawfinder version from report. + :first_line: first line of the flawfinder report. + :returns: flawfinder version. + """ + + pattern = "version\s([0-9]?.[0-9]*)" + prog = re.compile(pattern) + try: + return prog.search(first_line).groups()[0] + except IndexError: + return None + +if __name__ == '__main__': + main() diff --git a/tests/parsers/example-output/flawfinder/flawfinder-report-1 b/tests/parsers/example-output/flawfinder/flawfinder-report-1 new file mode 100644 index 0000000..46f03c3 --- /dev/null +++ b/tests/parsers/example-output/flawfinder/flawfinder-report-1 @@ -0,0 +1,6952 @@ +Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler. +Number of rules (primarily dangerous function names) in C/C++ ruleset: 169 +./docs/examples/asiohiper.cpp:78: [4] (shell) system: + This causes a new program to execute and is difficult to use safely + (CWE-78). try using a library call that implements the same functionality + if available. +./docs/examples/asiohiper.cpp:97: [4] (shell) system: + This causes a new program to execute and is difficult to use safely + (CWE-78). try using a library call that implements the same functionality + if available. +./docs/examples/asiohiper.cpp:199: [4] (shell) system: + This causes a new program to execute and is difficult to use safely + (CWE-78). try using a library call that implements the same functionality + if available. +./docs/examples/asiohiper.cpp:359: [4] (shell) system: + This causes a new program to execute and is difficult to use safely + (CWE-78). try using a library call that implements the same functionality + if available. +./docs/examples/cookie_interface.c:92: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./docs/examples/cookie_interface.c:92: [4] (format) _snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./docs/examples/evhiperfifo.c:76: [4] (format) printf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./docs/examples/htmltidy.c:56: [4] (format) printf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./docs/examples/rtsp.c:170: [4] (buffer) sscanf: + The scanf() family's %s operation, without a limit specification, permits + buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a + differen input function. +./docs/examples/synctime.c:155: [4] (buffer) sscanf: + The scanf() family's %s operation, without a limit specification, permits + buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a + different input function. +./lib/curl_ntlm_core.c:717: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/curl_ntlm_wb.c:180: [4] (race) access: + This usually indicates a security flaw. If an attacker can change anything + along the path between the call to access() and the file's actual use + (e.g., by moving files), the attacker can exploit the race condition + (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid()) + and try to open the file directly. +./lib/curl_ntlm_wb.c:225: [4] (shell) execl: + This causes a new program to execute and is difficult to use safely + (CWE-78). try using a library call that implements the same functionality + if available. +./lib/curl_ntlm_wb.c:232: [4] (shell) execl: + This causes a new program to execute and is difficult to use safely + (CWE-78). try using a library call that implements the same functionality + if available. +./lib/curl_printf.h:32: [4] (format) printf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curl_printf.h:33: [4] (format) fprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curl_printf.h:34: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/curl_printf.h:35: [4] (format) vprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curl_printf.h:36: [4] (format) vfprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curl_printf.h:37: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/curl_printf.h:40: [4] (format) printf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curl_printf.h:41: [4] (format) fprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curl_printf.h:42: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/curl_printf.h:43: [4] (format) vprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curl_printf.h:44: [4] (format) vfprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curl_printf.h:45: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/curl_printf.h:51: [4] (buffer) sprintf: + Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or + vsnprintf. +./lib/curl_printf.h:52: [4] (buffer) vsprintf: + Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or + vsnprintf. +./lib/curl_printf.h:53: [4] (buffer) sprintf: + Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or + vsnprintf. +./lib/curl_printf.h:54: [4] (buffer) vsprintf: + Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or + vsnprintf. +./lib/curlx.h:91: [4] (format) printf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curlx.h:92: [4] (format) fprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curlx.h:93: [4] (buffer) sprintf: + Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or + vsnprintf. +./lib/curlx.h:94: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/curlx.h:95: [4] (format) vprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curlx.h:96: [4] (format) vfprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curlx.h:97: [4] (buffer) vsprintf: + Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or + vsnprintf. +./lib/curlx.h:98: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/curlx.h:102: [4] (format) printf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curlx.h:103: [4] (format) fprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curlx.h:104: [4] (buffer) sprintf: + Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or + vsnprintf. +./lib/curlx.h:105: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/curlx.h:106: [4] (format) vprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curlx.h:107: [4] (format) vfprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/curlx.h:108: [4] (buffer) vsprintf: + Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or + vsnprintf. +./lib/curlx.h:109: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/ftp.c:1056: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/ftp.c:1066: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/inet_ntop.c:69: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/inet_ntop.c:166: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/ldap.c:698: [4] (format) vfprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./lib/memdebug.c:476: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/mprintf.c:957: [4] (buffer) sprintf: + Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or + vsnprintf. +./lib/progress.c:43: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/progress.c:71: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/security.c:123: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/security.c:406: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/sendf.c:230: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/sendf.c:247: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/smb.c:121: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/smb.c:126: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/smb.c:527: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/smb.h:167: [4] (race) access: + This usually indicates a security flaw. If an attacker can change anything + along the path between the call to access() and the file's actual use + (e.g., by moving files), the attacker can exploit the race condition + (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid()) + and try to open the file directly. +./lib/socks.c:238: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/socks_gssapi.c:68: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/socks_gssapi.c:89: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/ssh.c:829: [4] (race) access: + This usually indicates a security flaw. If an attacker can change anything + along the path between the call to access() and the file's actual use + (e.g., by moving files), the attacker can exploit the race condition + (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid()) + and try to open the file directly. +./lib/ssh.c:834: [4] (race) access: + This usually indicates a security flaw. If an attacker can change anything + along the path between the call to access() and the file's actual use + (e.g., by moving files), the attacker can exploit the race condition + (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid()) + and try to open the file directly. +./lib/ssh.c:842: [4] (race) access: + This usually indicates a security flaw. If an attacker can change anything + along the path between the call to access() and the file's actual use + (e.g., by moving files), the attacker can exploit the race condition + (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid()) + and try to open the file directly. +./lib/ssh.c:845: [4] (race) access: + This usually indicates a security flaw. If an attacker can change anything + along the path between the call to access() and the file's actual use + (e.g., by moving files), the attacker can exploit the race condition + (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid()) + and try to open the file directly. +./lib/system_win32.c:310: [4] (buffer) _tcscpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using a function version that stops copying at the end of the + buffer. +./lib/system_win32.c:311: [4] (buffer) _tcscpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using a function version that stops copying at the end of the + buffer. +./lib/tftp.c:411: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/tftp.c:502: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/vauth/krb5_sspi.c:411: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/vauth/ntlm.c:402: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/vauth/ntlm.c:674: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./lib/version.c:88: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/vtls/cyassl.c:368: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/vtls/cyassl.c:373: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/vtls/gskit.c:359: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/vtls/gskit.c:409: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./lib/vtls/openssl.c:3238: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./packages/OS400/os400sys.c:1129: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./packages/OS400/os400sys.c:1161: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./packages/OS400/os400sys.c:1193: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./src/tool_cb_prg.c:94: [4] (format) fprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./src/tool_dirhie.c:138: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./src/tool_dirhie.c:142: [4] (race) access: + This usually indicates a security flaw. If an attacker can change anything + along the path between the call to access() and the file's actual use + (e.g., by moving files), the attacker can exploit the race condition + (CWE-362/CWE-367). Set up the correct permissions (e.g., using setuid()) + and try to open the file directly. +./src/tool_getparam.c:1251: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./src/tool_help.c:338: [4] (format) printf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./src/tool_main.c:103: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./src/tool_msgs.c:47: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./src/tool_msgs.c:112: [4] (format) vfprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./src/tool_paramhlp.c:82: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./src/tool_parsecfg.c:351: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./src/tool_setopt.c:553: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./src/tool_writeout.c:315: [4] (format) fprintf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./tests/libtest/first.c:97: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./tests/libtest/lib1900.c:66: [4] (buffer) fscanf: + The scanf() family's %s operation, without a limit specification, permits + buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a + different input function. +./tests/libtest/lib1900.c:73: [4] (buffer) fscanf: + The scanf() family's %s operation, without a limit specification, permits + buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a + different input function. +./tests/libtest/lib518.c:137: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:145: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:203: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:211: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:238: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:239: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:262: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:290: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:301: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:321: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:349: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:353: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:360: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:361: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:380: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib518.c:437: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:138: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:146: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:198: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:206: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:236: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:279: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:291: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:315: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:343: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:347: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:355: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:367: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:384: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib537.c:441: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/libtest/lib547.c:57: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./tests/libtest/lib555.c:56: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./tests/server/fake_ntlm.c:101: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/server/getpart.c:47: [4] (format) printf: + If format strings can be influenced by an attacker, they can be exploited + (CWE-134). Use a constant for the format specification. +./tests/server/getpart.c:404: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./tests/server/getpart.c:410: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./tests/server/getpart.c:416: [4] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). +./tests/server/util.c:119: [4] (format) vsnprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./tests/server/util.c:189: [4] (format) snprintf: + If format strings can be influenced by an attacker, they can be exploited, + and note that sprintf variations do not always \0-terminate (CWE-134). Use + a constant for the format specification. +./docs/examples/curlx.c:331: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./include/curl/curl.h:2050: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/config-dos.h:152: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/curl_gethostname.c:67: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/curl_ntlm_core.c:699: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/curl_ntlm_wb.c:143: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/curl_ntlm_wb.c:145: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/curl_ntlm_wb.c:147: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/curl_ntlm_wb.c:173: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/curl_setup.h:652: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/curl_threads.h:42: [3] (misc) InitializeCriticalSection: + Exceptions can be thrown in low-memory situations. Use + InitializeCriticalSectionAndSpinCount instead. +./lib/curl_threads.h:46: [3] (misc) EnterCriticalSection: + On some versions of Windows, exceptions can be thrown in low-memory + situations. Use InitializeCriticalSectionAndSpinCount instead. +./lib/curlx.h:75: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/getenv.c:39: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/getenv.c:45: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/getenv.c:51: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/ldap.c:691: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/netrc.c:72: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/rand.c:45: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/setup-vms.h:37: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/setup-vms.h:50: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/setup-vms.h:52: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/ssh.c:818: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/system_win32.c:291: [3] (misc) LoadLibrary: + Ensure that the full path to the library is specified, or current directory + may be used (CWE-829, CWE-20). Use registry entry or GetWindowsDirectory to + find library path, if you aren't already. +./lib/system_win32.c:317: [3] (misc) LoadLibrary: + Ensure that the full path to the library is specified, or current directory + may be used (CWE-829, CWE-20). Use registry entry or GetWindowsDirectory to + find library path, if you aren't already. +./lib/url.c:4819: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/url.c:4821: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/url.c:4837: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/url.c:4854: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/url.c:4860: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/url.c:4862: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./lib/vtls/nss.c:1235: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./src/tool_homedir.c:57: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./src/tool_main.c:264: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./src/tool_vms.c:56: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./tests/libtest/first.c:91: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./tests/libtest/first.c:105: [3] (buffer) curl_getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./tests/libtest/sethostname.c:32: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./tests/server/fake_ntlm.c:165: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./tests/server/fake_ntlm.c:180: [3] (buffer) getenv: + Environment variables are untrustable input if they can be set by an + attacker. They can have any content and length, and the same variable can + be set more than once (CWE-807, CWE-20). Check environment variables + carefully before using them. +./CMake/CurlTests.c:116: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./CMake/CurlTests.c:512: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./CMake/CurlTests.c:526: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/anyauthput.c:137: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/asiohiper.cpp:75: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/asiohiper.cpp:360: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/cookie_interface.c:71: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/curlgtk.c:55: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/curlx.c:157: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/evhiperfifo.c:99: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/evhiperfifo.c:373: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/evhiperfifo.c:410: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/fileupload.c:39: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/fopen.c:121: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/fopen.c:246: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/fopen.c:358: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/fopen.c:406: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/fopen.c:462: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/fopen.c:471: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/fopen.c:495: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/fopen.c:519: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/ftp-wildcard.c:122: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/ftpget.c:41: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/ftpgetresp.c:49: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/ftpgetresp.c:52: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/ftpsget.c:43: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/ftpupload.c:88: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/ftpuploadresume.c:88: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/getinmemory.c:52: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/ghiper.c:82: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/ghiper.c:393: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/hiperfifo.c:95: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/hiperfifo.c:353: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/hiperfifo.c:392: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/href_extractor.c:42: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/href_extractor.c:55: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/htmltidy.c:78: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/htmltitle.cpp:65: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/http2-download.c:150: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/http2-download.c:154: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/http2-download.c:193: [2] (integer) atoi: + Unless checked, the resulting number can exceed the expected range + (CWE-190). If source untrusted, check both minimum and maximum, even if the + input had no minus sign (large numbers can roll over into negative number; + consider saving to an unsigned value if that is intended). +./docs/examples/http2-serverpush.c:130: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/http2-serverpush.c:166: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/http2-serverpush.c:175: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/http2-upload.c:114: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/http2-upload.c:185: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/http2-upload.c:186: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/http2-upload.c:191: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/http2-upload.c:199: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/http2-upload.c:250: [2] (integer) atoi: + Unless checked, the resulting number can exceed the expected range + (CWE-190). If source untrusted, check both minimum and maximum, even if the + input had no minus sign (large numbers can roll over into negative number; + consider saving to an unsigned value if that is intended). +./docs/examples/httpput.c:81: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/imap-append.c:75: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/multi-uv.c:76: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/multi-uv.c:82: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/multithread.c:42: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/postinmemory.c:49: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/rtsp.c:92: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/rtsp.c:150: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./docs/examples/rtsp.c:166: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/sendrecv.c:130: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/sepheaders.c:61: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/sepheaders.c:68: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/sftpget.c:52: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/simplessl.c:74: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/smooth-gtk-thread.c:89: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/smtp-mail.c:76: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/smtp-multi.c:77: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/smtp-ssl.c:77: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/smtp-tls.c:77: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./docs/examples/synctime.c:103: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/synctime.c:104: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/synctime.c:105: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/synctime.c:108: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/synctime.c:139: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/synctime.c:210: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/synctime.c:264: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/synctime.c:265: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/url2file.c:67: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./docs/examples/xmlstream.c:80: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./include/curl/curlrules.h:141: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./include/curl/curlrules.h:151: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./include/curl/curlrules.h:161: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./include/curl/curlrules.h:171: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./include/curl/curlrules.h:181: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/asyn-ares.c:670: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/asyn-thread.c:270: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/asyn-thread.c:600: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/base64.c:177: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/base64.c:178: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/connect.c:270: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/connect.c:394: [2] (integer) atoi: + Unless checked, the resulting number can exceed the expected range + (CWE-190). If source untrusted, check both minimum and maximum, even if the + input had no minus sign (large numbers can roll over into negative number; + consider saving to an unsigned value if that is intended). +./lib/connect.c:602: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/connect.c:603: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/connect.c:701: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/connect.c:828: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/connect.c:995: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/connect.c:1350: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/content_encoding.c:357: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/content_encoding.c:380: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/cookie.c:378: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/cookie.c:636: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/cookie.c:979: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/cookie.c:1347: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/curl_addrinfo.c:173: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_addrinfo.c:338: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_addrinfo.c:347: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_addrinfo.c:374: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_addrinfo.c:421: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_addrinfo.c:427: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_addrinfo.c:515: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_fnmatch.c:74: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_fnmatch.c:316: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_gssapi.c:120: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_multibyte.c:45: [2] (buffer) MultiByteToWideChar: + Requires maximum length in CHARACTERS, not bytes (CWE-120). +./lib/curl_multibyte.c:50: [2] (buffer) MultiByteToWideChar: + Requires maximum length in CHARACTERS, not bytes (CWE-120). +./lib/curl_ntlm_core.c:164: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:184: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:202: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:228: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:286: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:309: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:338: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:367: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_core.c:444: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:569: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_core.c:688: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:723: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_core.c:724: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_core.c:727: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_core.c:736: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_core.c:764: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:765: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/curl_ntlm_core.c:768: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_core.c:769: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_core.c:776: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_core.c:777: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/curl_ntlm_wb.c:124: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/dotdot.c:174: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/escape.c:168: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/file.c:75: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/file.c:77: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/file.c:341: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/formdata.c:768: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/formdata.c:773: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/formdata.c:856: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/formdata.c:978: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/formdata.c:1310: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/formdata.c:1332: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/formdata.c:1419: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/formdata.c:1441: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/formdata.c:1444: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/formdata.c:1521: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/formdata.c:1529: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/ftp.c:985: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/ftp.c:990: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/ftp.c:996: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/ftp.c:1179: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/ftp.c:1892: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/ftp.c:2355: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/ftp.c:3503: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/ftp.c:4037: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/ftp.c:4049: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./lib/getenv.c:38: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/hash.c:109: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/hostip.c:780: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/hostip.c:781: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/hostip4.c:140: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/hostip6.c:137: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/hostip6.c:168: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/hostip6.c:171: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/http.c:267: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http.c:1006: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http.c:1026: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http.c:1121: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http.c:1277: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http.c:1736: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/http.c:2044: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http.c:2046: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http.c:2048: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http.c:2864: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http.c:3269: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/http2.c:543: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http2.c:626: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http2.c:951: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http2.c:1287: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http2.c:1389: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http2.c:1425: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http2.c:1749: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/http2.c:1771: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/http2.c:1784: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/http2.c:1789: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/http2.c:1820: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/http2.c:1831: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/http2.c:2077: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/http_chunks.h:83: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/idn_win32.c:77: [2] (buffer) wchar_t: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/idn_win32.c:97: [2] (buffer) wchar_t: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/if2ip.c:138: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/if2ip.c:139: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/if2ip.c:200: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/if2ip.c:231: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/if2ip.c:243: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/if2ip.h:53: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/imap.c:1057: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/imap.h:77: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/inet_ntop.c:52: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/inet_ntop.c:86: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/inet_pton.c:97: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/inet_pton.c:132: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/inet_pton.c:155: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/inet_pton.c:231: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/krb5.c:91: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./lib/krb5.c:95: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/krb5.c:139: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/md4.c:57: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/md4.c:227: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/md4.c:231: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/md4.c:242: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/md5.c:54: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/md5.c:80: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/md5.c:82: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/md5.c:122: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/md5.c:154: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/md5.c:224: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/md5.c:416: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/md5.c:420: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/md5.c:431: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/memdebug.c:117: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/memdebug.c:235: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/memdebug.c:260: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/memdebug.c:421: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/memdebug.h:146: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/memdebug.h:147: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/mprintf.c:583: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/mprintf.c:586: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/mprintf.c:891: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/multi.c:2444: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/multi.c:2523: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/multi.c:2884: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/netrc.c:79: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/netrc.c:110: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/netrc.c:117: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/non-ascii.c:66: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/openldap.c:193: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/openldap.c:198: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./lib/parsedate.c:97: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/parsedate.c:354: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/parsedate.h:25: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/parsedate.h:26: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/pingpong.c:300: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/pingpong.c:432: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/pop3.c:461: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/pop3.c:462: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/pop3.c:684: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/progress.c:36: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./lib/progress.c:342: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/progress.c:353: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/progress.c:354: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/progress.c:355: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/rand.c:51: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/rand.c:73: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/rtsp.c:623: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/rtsp.c:697: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/rtsp.c:812: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/security.c:120: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/security.c:226: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/sendf.c:190: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/sendf.c:228: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/sendf.c:481: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/sendf.c:533: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/sendf.c:699: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/sendf.c:723: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/sendf.c:737: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/sendf.c:741: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/sendf.c:753: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/sendf.c:809: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.c:351: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/smb.c:413: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/smb.c:431: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.c:432: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.c:433: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.c:434: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.c:461: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/smb.c:463: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/smb.c:681: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/smb.h:37: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.h:98: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.h:104: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.h:128: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.h:148: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.h:157: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smb.h:180: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smtp.c:1538: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/smtp.c:1618: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/smtp.c:1636: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/smtp.c:1648: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/sockaddr.h:37: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/socks.c:117: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/socks.c:176: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/socks.c:216: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks.c:377: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/socks.c:518: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks.c:522: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks.c:585: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks.c:611: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/socks_gssapi.c:55: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/socks_gssapi.c:77: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./lib/socks_gssapi.c:123: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/socks_gssapi.c:142: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:199: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:264: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:323: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:379: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:388: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:404: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:416: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:458: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:499: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_gssapi.c:511: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:86: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/socks_sspi.c:202: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:286: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:380: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:409: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:443: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:445: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:447: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:463: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:476: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:520: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:530: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/socks_sspi.c:574: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/socks_sspi.c:586: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/ssh.c:435: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/ssh.c:437: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/ssh.c:449: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/ssh.c:453: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/ssh.c:463: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/ssh.c:662: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/ssh.c:1140: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/ssh.c:2059: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/ssh.c:3379: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/strdup.c:51: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/strdup.c:74: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/strerror.c:646: [2] (buffer) wchar_t: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/strerror.c:684: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/strerror.c:697: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/strerror.c:735: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/strerror.c:736: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/strerror.c:1018: [2] (buffer) wchar_t: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:160: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:161: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:167: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:346: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:822: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:823: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:890: [2] (integer) atoi: + Unless checked, the resulting number can exceed the expected range + (CWE-190). If source untrusted, check both minimum and maximum, even if the + input had no minus sign (large numbers can roll over into negative number; + consider saving to an unsigned value if that is intended). +./lib/telnet.c:927: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:932: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:933: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/telnet.c:1227: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/tftp.c:453: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/tftp.c:1110: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/transfer.c:164: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/transfer.c:190: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/transfer.c:193: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/transfer.c:330: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/transfer.c:335: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/transfer.c:1463: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/transfer.c:1610: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/url.c:1051: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/url.c:4265: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/url.c:4344: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/url.c:4451: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/url.c:4516: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/url.c:4519: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/url.c:4564: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/url.c:4817: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/url.c:4834: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./lib/url.c:5081: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/url.c:5082: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/url.c:5319: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/url.c:5327: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/url.c:5335: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/url.c:5405: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:297: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:470: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:924: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:953: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:960: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:1083: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:1171: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:1174: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:1306: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:1307: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/urldata.h:1714: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/cleartext.c:92: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/cleartext.c:94: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/cleartext.c:96: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/cram.c:100: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:353: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:354: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:355: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:356: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:357: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:358: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:359: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:360: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:362: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:532: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:533: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:671: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:672: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:674: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:675: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest.c:676: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest_sspi.c:271: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest_sspi.c:272: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/digest_sspi.c:515: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/krb5_gssapi.c:298: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/krb5_gssapi.c:336: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/krb5_gssapi.c:337: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/krb5_sspi.c:231: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/krb5_sspi.c:360: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/krb5_sspi.c:410: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/krb5_sspi.c:461: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/krb5_sspi.c:463: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/krb5_sspi.c:465: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:194: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:309: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:383: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:509: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:511: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:515: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:520: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:557: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:559: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:596: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:597: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:598: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:607: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:613: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:614: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:634: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:636: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vauth/ntlm.c:762: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:774: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:805: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:813: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vauth/ntlm.c:821: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/version.c:80: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/version.c:154: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/version.c:346: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/version.c:349: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/axtls.c:631: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/cyassl.c:136: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/cyassl.c:360: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/cyassl.c:443: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/cyassl.c:642: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/cyassl.c:687: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/darwinssl.c:805: [2] (integer) atoi: + Unless checked, the resulting number can exceed the expected range + (CWE-190). If source untrusted, check both minimum and maximum, even if the + input had no minus sign (large numbers can roll over into negative number; + consider saving to an unsigned value if that is intended). +./lib/vtls/darwinssl.c:806: [2] (integer) atoi: + Unless checked, the resulting number can exceed the expected range + (CWE-190). If source untrusted, check both minimum and maximum, even if the + input had no minus sign (large numbers can roll over into negative number; + consider saving to an unsigned value if that is intended). +./lib/vtls/darwinssl.c:1281: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/darwinssl.c:1661: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/darwinssl.c:1663: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/vtls/darwinssl.c:1694: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/darwinssl.c:1755: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/darwinssl.c:2044: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/darwinssl.c:2325: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/gskit.c:614: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/gskit.c:1232: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/gtls.c:245: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/vtls/gtls.c:872: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/gtls.c:935: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/gtls.c:1132: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/gtls.c:1133: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/gtls.c:1493: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/gtls.c:1657: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/gtls.c:1676: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/mbedtls.c:175: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/mbedtls.c:463: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/mbedtls.c:533: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/nss.c:726: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/nss.c:835: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/nss.c:1258: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/nss.c:1877: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/nss.c:1882: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/nss.c:1888: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/openssl.c:171: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/openssl.c:244: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:444: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/vtls/openssl.c:658: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/openssl.c:841: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:935: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:1229: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/openssl.c:1507: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:1508: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:1979: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:1985: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/openssl.c:1993: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/openssl.c:2234: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:2266: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./lib/vtls/openssl.c:2370: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:2407: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:2409: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:2821: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/vtls/openssl.c:3132: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:3167: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:3193: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/openssl.c:3240: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/polarssl.c:155: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/polarssl.c:364: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/polarssl.c:399: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/polarssl.c:405: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/polarssl.c:469: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/schannel.c:116: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/schannel.c:300: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/schannel.c:307: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/schannel.c:517: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/schannel.c:943: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/schannel.c:1198: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/schannel.c:1323: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/schannel.c:1606: [2] (buffer) TCHAR: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./lib/vtls/vtls.c:672: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/vtls.c:824: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./lib/vtls/vtls.c:861: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./lib/x509asn1.c:300: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./packages/OS400/ccsidcurl.c:58: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./packages/OS400/ccsidcurl.c:84: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./packages/OS400/ccsidcurl.c:85: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./packages/OS400/ccsidcurl.c:133: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./packages/OS400/ccsidcurl.c:470: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./packages/OS400/ccsidcurl.c:476: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./packages/OS400/ccsidcurl.c:728: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./packages/OS400/os400sys.c:769: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./packages/OS400/os400sys.c:789: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./packages/OS400/os400sys.c:1219: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./packages/OS400/os400sys.c:1333: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./packages/vms/curl_crtl_init.c:180: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_cb_dbg.c:53: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_cb_dbg.c:82: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_cb_hdr.c:153: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_cb_hdr.c:226: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_cb_prg.c:47: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_cb_prg.c:48: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_cb_wrt.c:47: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_cb_wrt.c:57: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_doswin.c:338: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_doswin.c:434: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_doswin.c:490: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_easysrc.c:181: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_formparse.c:151: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_formparse.c:153: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_formparse.c:154: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_getparam.c:720: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_getparam.c:1206: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_getparam.c:1272: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_getparam.c:1328: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_getparam.c:1331: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_getparam.c:1774: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_getparam.c:1910: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_getpass.c:230: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_homedir.c:36: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_main.c:100: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:135: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:153: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:171: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:191: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:193: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_metalink.c:210: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:212: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_metalink.c:229: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:231: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_metalink.c:283: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:300: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:317: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:337: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:355: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:373: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:410: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:431: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:452: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:565: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_metalink.c:602: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_metalink.c:623: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_msgs.c:45: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_operate.c:149: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_operate.c:155: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_operate.c:194: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_operate.c:325: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_operate.c:604: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_operate.c:608: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_operate.c:660: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_operate.c:663: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_operate.c:669: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_operhlp.c:178: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_paramhlp.c:61: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_paramhlp.c:418: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_paramhlp.c:419: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_paramhlp.c:454: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_parsecfg.c:51: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_parsecfg.c:72: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_parsecfg.c:118: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./src/tool_parsecfg.c:330: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_setopt.c:225: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./src/tool_setopt.c:229: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./src/tool_setopt.c:233: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./src/tool_setopt.c:237: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./src/tool_setopt.c:241: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./src/tool_setopt.c:302: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_setopt.c:345: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_setopt.c:494: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_strdup.c:42: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_urlglob.c:56: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_urlglob.c:367: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_urlglob.c:456: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_urlglob.c:598: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./src/tool_urlglob.c:685: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./src/tool_writeenv.c:76: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/chkhostname.c:30: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/first.c:94: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/first.c:121: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1502.c:49: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1506.c:39: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1506.c:40: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1510.c:37: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1510.c:38: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1512.c:41: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1512.c:44: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1515.c:121: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1515.c:134: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1517.c:48: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/lib1520.c:63: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/lib1525.c:42: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/lib1526.c:41: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/lib1527.c:41: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/lib1529.c:31: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1900.c:33: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1900.c:35: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1900.c:36: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1900.c:55: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib1900.c:61: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib1900.c:114: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib500.c:97: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib505.c:56: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib510.c:51: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/lib518.c:55: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib518.c:87: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib518.c:108: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib518.c:109: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib518.c:110: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib518.c:134: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./tests/libtest/lib518.c:142: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./tests/libtest/lib518.c:200: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./tests/libtest/lib518.c:208: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./tests/libtest/lib518.c:326: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib525.c:56: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib530.c:39: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib537.c:56: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib537.c:88: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib537.c:110: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib537.c:111: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib537.c:135: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./tests/libtest/lib537.c:143: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./tests/libtest/lib537.c:195: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./tests/libtest/lib537.c:203: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./tests/libtest/lib537.c:320: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib540.c:191: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib541.c:48: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib544.c:70: [2] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant string. +./tests/libtest/lib552.c:124: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib552.c:134: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/lib553.c:36: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib553.c:48: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/lib553.c:56: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib556.c:74: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:61: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:68: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:75: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:82: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:89: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:96: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:103: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:1409: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:1442: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib557.c:1546: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/libtest/lib566.c:54: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib568.c:79: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib568.c:83: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib569.c:44: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib571.c:109: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib572.c:98: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib572.c:102: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib578.c:34: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib579.c:56: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib579.c:80: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/lib582.c:245: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib591.c:51: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/lib599.c:83: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/libtest/libntlmconnect.c:56: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/libtest/testtrace.c:92: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/fake_ntlm.c:113: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/fake_ntlm.c:186: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/fake_ntlm.c:204: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/fake_ntlm.c:224: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/fake_ntlm.c:246: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/getpart.c:183: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/server/getpart.c:218: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/server/getpart.c:253: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/getpart.c:254: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/getpart.c:255: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/getpart.c:256: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/getpart.c:257: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/getpart.c:317: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/server/getpart.c:379: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/server/getpart.c:399: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/server/rtspd.c:95: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/rtspd.c:100: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/rtspd.c:337: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/rtspd.c:338: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/rtspd.c:339: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/rtspd.c:340: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/rtspd.c:424: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/rtspd.c:504: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/server/rtspd.c:515: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/server/rtspd.c:688: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/rtspd.c:744: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/rtspd.c:910: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/rtspd.c:912: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/rtspd.c:942: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/rtspd.c:991: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/rtspd.c:1015: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/rtspd.c:1056: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/rtspd.c:1140: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/rtspd.c:1422: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/rtspd.c:1427: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/rtspd.c:1430: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sockfilt.c:476: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sockfilt.c:930: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sockfilt.c:931: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:95: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:102: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sws.c:362: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sws.c:461: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:462: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:463: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:795: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sws.c:861: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sws.c:1050: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:1078: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:1108: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:1122: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sws.c:1145: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sws.c:1185: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sws.c:1254: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:1416: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:1417: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:1917: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sws.c:1942: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/sws.c:1969: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/sws.c:2314: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/tftp.h:45: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/tftpd.c:128: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/tftpd.c:498: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/server/tftpd.c:571: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/tftpd.c:574: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/tftpd.c:576: [2] (misc) open: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/tftpd.c:638: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/tftpd.c:967: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/tftpd.c:1077: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/tftpd.c:1143: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/tftpd.c:1148: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/tftpd.c:1195: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/tftpd.c:1430: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/server/util.c:68: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/util.c:92: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/util.c:98: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/util.c:122: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/util.c:140: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/util.c:188: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/server/util.c:256: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/server/util.c:274: [2] (misc) fopen: + Check when opening files - can an attacker redirect it (via symlinks), + force the opening of special file type (e.g., device files), move things + around to create a race condition, control its ancestors, or change its + contents? (CWE-362). +./tests/unit/unit1304.c:28: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/unit/unit1304.c:52: [2] (buffer) memcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Make sure destination can always hold the source data. +./tests/unit/unit1307.c:34: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/unit/unit1307.c:35: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/unit/unit1395.c:71: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/unit/unit1398.c:32: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/unit/unit1398.c:35: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/unit/unit1600.c:44: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./tests/unit/unit1601.c:39: [2] (buffer) char: + Statically-sized arrays can be improperly restricted, leading to potential + overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + functions that limit length, or ensure that the size is larger than the + maximum possible length. +./docs/examples/anyauthput.c:110: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./docs/examples/asiohiper.cpp:319: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./docs/examples/cookie_interface.c:95: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/cookie_interface.c:112: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/curlx.c:449: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/curlx.c:451: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/curlx.c:492: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/curlx.c:493: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/curlx.c:493: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/evhiperfifo.c:380: [1] (buffer) fscanf: + It's unclear if the %s limit in the format string is small enough + (CWE-120). Check that the limit is sufficiently small, or use a different + input function. +./docs/examples/fopen.c:486: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/hiperfifo.c:362: [1] (buffer) fscanf: + It's unclear if the %s limit in the format string is small enough + (CWE-120). Check that the limit is sufficiently small, or use a different + input function. +./docs/examples/http2-download.c:152: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/http2-serverpush.c:172: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/http2-upload.c:133: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/http2-upload.c:190: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/http2-upload.c:193: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/imap-append.c:74: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/imap-append.c:114: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/multi-uv.c:80: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/post-callback.c:63: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/postinmemory.c:86: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/rtsp.c:53: [1] (buffer) getchar: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./docs/examples/rtsp.c:154: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/rtsp.c:217: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/rtsp.c:218: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/rtsp.c:219: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/rtsp.c:221: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/rtsp.c:242: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/rtsp.c:242: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/rtsp.c:252: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/rtsp.c:252: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/rtsp.c:256: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/rtsp.c:256: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/sendrecv.c:65: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/simplepost.c:44: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/smtp-mail.c:75: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/smtp-multi.c:76: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/smtp-ssl.c:76: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/smtp-tls.c:76: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/synctime.c:151: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/synctime.c:187: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/synctime.c:190: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./docs/examples/synctime.c:277: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/synctime.c:286: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/synctime.c:289: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/synctime.c:301: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/synctime.c:319: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/synctime.c:321: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/synctime.c:326: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/synctime.c:340: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./docs/examples/synctime.c:356: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/asyn-thread.c:273: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/asyn-thread.c:647: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/base64.c:114: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/base64.c:191: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/base64.c:237: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/base64.c:243: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/base64.c:250: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/base64.c:269: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/conncache.c:156: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/conncache.c:168: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/connect.c:269: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/connect.c:277: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/connect.c:278: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/connect.c:281: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/connect.c:282: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/connect.c:322: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/connect.c:647: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/cookie.c:122: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:123: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:158: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:172: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:188: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:231: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:428: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:429: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:915: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:1034: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:1035: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:1041: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/cookie.c:1042: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/curl_addrinfo.c:502: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/curl_gethostname.c:69: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/curl_gssapi.c:95: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/curl_ntlm_core.c:448: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/curl_ntlm_core.c:537: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/curl_ntlm_wb.c:262: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/curl_sasl.c:385: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/curl_setup_once.h:131: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/curl_sspi.c:179: [1] (buffer) _tcslen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/curl_sspi.c:188: [1] (buffer) _tcsncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/curl_sspi.c:206: [1] (buffer) _tcslen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/dotdot.c:55: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/dotdot.c:173: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/escape.c:94: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/escape.c:128: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/escape.c:153: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/file.c:479: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/file.c:496: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/file.c:569: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/formdata.c:94: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/formdata.c:204: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/formdata.c:204: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/formdata.c:206: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/formdata.c:206: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/formdata.c:655: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/formdata.c:669: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/formdata.c:842: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/formdata.c:1120: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:1016: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:1019: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:1020: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:1022: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:1023: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:1040: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/ftp.c:1062: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/ftp.c:1324: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/ftp.c:1524: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:2110: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/ftp.c:2134: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/ftp.c:2321: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/ftp.c:3244: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:3245: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:4045: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:4207: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:4355: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ftp.c:4356: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/gopher.c:89: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/gopher.c:91: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/gopher.c:102: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/hostcheck.c:74: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/hostcheck.c:77: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/hostip.c:304: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/hostip.c:390: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/hostip.c:804: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/hostip.c:824: [1] (buffer) sscanf: + It's unclear if the %s limit in the format string is small enough + (CWE-120). Check that the limit is sufficiently small, or use a different + input function. +./lib/hostip.c:845: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/hostip4.c:147: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/hostip6.c:214: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/http.c:181: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:205: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:300: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/http.c:303: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:416: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:840: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:1221: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:1305: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:1333: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:1694: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/http.c:1969: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:2035: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:2036: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:2037: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:2081: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:2084: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/http.c:2250: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:2549: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:2761: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:2799: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:3275: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/http.c:3444: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http.c:3675: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http2.c:225: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/http2.c:333: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http2.c:1749: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http2.c:1771: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http2.c:1784: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http2.c:1789: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http2.c:1820: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http_digest.c:63: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http_negotiate.c:78: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http_negotiate.c:82: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http_ntlm.c:73: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/http_proxy.c:522: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/idn_win32.c:96: [1] (buffer) wcslen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/if2ip.c:170: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/if2ip.c:178: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/if2ip.c:222: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/imap.c:252: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/imap.c:293: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/imap.c:403: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/imap.c:1029: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/imap.c:1438: [1] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant character. +./lib/imap.c:1768: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/imap.c:1838: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/inet_ntop.c:58: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/inet_ntop.c:64: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/inet_ntop.c:148: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/inet_ntop.c:151: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/krb5.c:197: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/ldap.c:454: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ldap.c:514: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/md5.c:516: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/memdebug.c:231: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/memdebug.c:255: [1] (buffer) wcslen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/mprintf.c:835: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/mprintf.c:893: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/mprintf.c:959: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/openldap.c:202: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/openldap.c:267: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/parsedate.c:358: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/pingpong.c:191: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/pipeline.c:273: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/pop3.c:303: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/pop3.c:478: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/pop3.c:481: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/pop3.c:488: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/pop3.c:657: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/pop3.c:708: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/progress.c:52: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/progress.c:55: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/progress.c:74: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/progress.c:78: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/progress.c:86: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/progress.c:90: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/progress.c:96: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/progress.c:100: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/progress.c:104: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/progress.c:112: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/rand.c:48: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/rand.c:76: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/rtsp.c:517: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/rtsp.c:790: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/security.c:243: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/sendf.c:232: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/sendf.c:250: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/sendf.c:254: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/sendf.c:283: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/sendf.c:617: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/sendf.c:830: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/sendf.c:832: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:122: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:127: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:437: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:437: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:438: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:438: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:482: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:482: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:483: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:509: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smb.c:515: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smtp.c:291: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smtp.c:715: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/smtp.c:859: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks.c:210: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks.c:227: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks.c:236: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks.c:253: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks.c:387: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks.c:499: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks.c:500: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks_gssapi.c:126: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks_gssapi.c:149: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks_gssapi.c:152: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks_gssapi.c:153: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/socks_sspi.c:89: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks_sspi.c:107: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/socks_sspi.c:110: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/socks_sspi.c:111: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:113: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:234: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:441: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:671: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/ssh.c:678: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:776: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:900: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:936: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:938: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1075: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1248: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1253: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1440: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1511: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1533: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1535: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1556: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1575: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1577: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1600: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1618: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1639: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1675: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1703: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1720: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1741: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1772: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1801: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1906: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1932: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:1972: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:2048: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:2073: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/ssh.c:2106: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:2129: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/ssh.c:2140: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/ssh.c:2186: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:2213: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:3335: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/ssh.c:3344: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/strcase.h:46: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/strdup.c:42: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/strerror.c:612: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/strerror.c:656: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/strerror.c:661: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/strerror.c:675: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/strerror.c:687: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/strerror.c:689: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/strerror.c:699: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/strerror.c:701: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/strerror.c:707: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/strerror.c:709: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/strerror.c:1004: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/strerror.c:1006: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/strerror.c:1013: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/strerror.c:1049: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/strerror.c:1051: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/strerror.c:1064: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/system_win32.c:306: [1] (buffer) _tcslen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/system_win32.c:310: [1] (buffer) _tcslen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/system_win32.c:311: [1] (buffer) _tcslen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/telnet.c:832: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/telnet.c:844: [1] (buffer) sscanf: + It's unclear if the %s limit in the format string is small enough + (CWE-120). Check that the limit is sufficiently small, or use a different + input function. +./lib/telnet.c:849: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/telnet.c:857: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/telnet.c:940: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/telnet.c:941: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/telnet.c:952: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/telnet.c:953: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/telnet.c:964: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/telnet.c:970: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/telnet.c:973: [1] (buffer) sscanf: + It's unclear if the %s limit in the format string is small enough + (CWE-120). Check that the limit is sufficiently small, or use a different + input function. +./lib/telnet.c:974: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/telnet.c:981: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/telnet.c:1627: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/tftp.c:328: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/tftp.c:409: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/tftp.c:412: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/tftp.c:493: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/tftp.c:496: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/tftp.c:496: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/tftp.c:505: [1] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant character. +./lib/tftp.c:513: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/tftp.c:521: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/transfer.c:182: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/transfer.c:195: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/transfer.c:206: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/transfer.c:218: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/transfer.c:1437: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/transfer.c:1599: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:317: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:2767: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:2773: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4002: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4298: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4337: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4406: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4443: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4444: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4460: [1] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant character. +./lib/url.c:4472: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4502: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4504: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4506: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4509: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4509: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4558: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4567: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/url.c:4581: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4584: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4740: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:4745: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:5043: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:5086: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/url.c:5091: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./lib/url.c:5408: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/url.c:5698: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/url.c:6067: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/cleartext.c:73: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/cleartext.c:74: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/cleartext.c:125: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/cram.c:61: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/cram.c:104: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/cram.c:109: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:63: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:144: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vauth/digest.c:195: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:265: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:289: [1] (buffer) strcpy: + Does not check for buffer overflows when copying to destination (CWE-120). + Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily + misused). Risk is low because the source is a constant character. +./lib/vauth/digest.c:396: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vauth/digest.c:405: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:408: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:411: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:421: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:424: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:429: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vauth/digest.c:445: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:448: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:452: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vauth/digest.c:465: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:469: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:472: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:475: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:482: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vauth/digest.c:691: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vauth/digest.c:694: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest.c:870: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest_sspi.c:113: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest_sspi.c:295: [1] (buffer) _tcslen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest_sspi.c:336: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/digest_sspi.c:460: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/krb5_gssapi.c:113: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/krb5_gssapi.c:232: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/krb5_sspi.c:296: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/krb5_sspi.c:395: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/ntlm.c:285: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/ntlm.c:543: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/ntlm.c:552: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/ntlm_sspi.c:199: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/oauth2.c:81: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/spnego_gssapi.c:112: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vauth/vauth.c:136: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/version.c:89: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/version.c:104: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/version.c:110: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/version.c:116: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/version.c:122: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/version.c:127: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/version.c:133: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/version.c:137: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/version.c:143: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/version.c:162: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/version.c:391: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/axtls.c:680: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/cyassl.c:305: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/cyassl.c:368: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/cyassl.c:373: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/cyassl.c:377: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/cyassl.c:724: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/cyassl.c:726: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/cyassl.c:728: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/darwinssl.c:139: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/vtls/darwinssl.c:861: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/darwinssl.c:977: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/darwinssl.c:1262: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/darwinssl.c:1407: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/darwinssl.c:1568: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/darwinssl.c:1674: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/vtls/darwinssl.c:2355: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/vtls/darwinssl.c:2384: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/gskit.c:324: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/gskit.c:360: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/gskit.c:661: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/vtls/gskit.c:1262: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/vtls/gskit.c:1281: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). Risk is low because the source is a constant string. +./lib/vtls/gskit.c:1282: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/gtls.c:224: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/gtls.c:544: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/gtls.c:1600: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/mbedtls.c:728: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/nss.c:404: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/nss.c:2130: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/openssl.c:169: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/openssl.c:1156: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/openssl.c:1237: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/openssl.c:1250: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/openssl.c:1551: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/openssl.c:1573: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/openssl.c:2259: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/openssl.c:2372: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/openssl.c:2433: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/openssl.c:3265: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/polarssl.c:661: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/schannel.c:1514: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/vtls.c:661: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/vtls.c:669: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/vtls/vtls.c:697: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/vtls.c:818: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/vtls/vtls.c:837: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/warnless.c:483: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/warnless.h:78: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/warnless.h:79: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./lib/x509asn1.c:213: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./lib/x509asn1.c:1129: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./lib/x509asn1.c:1183: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:129: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:174: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:246: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:318: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:428: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:434: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:437: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:440: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:443: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:446: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:449: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:452: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:524: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:549: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:574: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/ccsidcurl.c:749: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:249: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:292: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:298: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:324: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:334: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:522: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:933: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:958: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:968: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:1004: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:1015: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:1033: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:1074: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:1117: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:1149: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/OS400/os400sys.c:1181: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/vms/curl_crtl_init.c:103: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/vms/curl_crtl_init.c:132: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/vms/curl_crtl_init.c:137: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/vms/curl_crtl_init.c:141: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/vms/report_openssl_version.c:84: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./packages/vms/report_openssl_version.c:89: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_cb_dbg.c:68: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_cb_hdr.c:205: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_cb_hdr.c:227: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_cb_prg.c:93: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_cb_prg.c:130: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_cb_rea.c:42: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./src/tool_dirhie.c:111: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_dirhie.c:132: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_dirhie.c:134: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_dirhie.c:140: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_doswin.c:166: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:179: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./src/tool_doswin.c:233: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:247: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:292: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:357: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:507: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:511: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./src/tool_doswin.c:516: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:521: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./src/tool_doswin.c:564: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:567: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:591: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_doswin.c:593: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_formparse.c:179: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_formparse.c:217: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_formparse.c:217: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_formparse.c:335: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:313: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:342: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./src/tool_getparam.c:394: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:443: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:591: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:1223: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:1240: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:1247: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_getparam.c:1284: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:1303: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:1309: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:1406: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getparam.c:1780: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_getpass.c:87: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_getpass.c:100: [1] (buffer) getchar: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./src/tool_getpass.c:237: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./src/tool_main.c:101: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_main.c:115: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_metalink.c:624: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./src/tool_metalink.c:675: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_metalink.c:898: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_msgs.c:41: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_operate.c:1728: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_operhlp.c:83: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_operhlp.c:179: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_panykey.c:41: [1] (buffer) getchar: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./src/tool_paramhlp.c:75: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_paramhlp.c:146: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_paramhlp.c:168: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_paramhlp.c:210: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_paramhlp.c:393: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_paramhlp.c:421: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_paramhlp.c:440: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_parsecfg.c:64: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_parsecfg.c:64: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_parsecfg.c:65: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_parsecfg.c:90: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_parsecfg.c:91: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_parsecfg.c:92: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_parsecfg.c:176: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_parsecfg.c:344: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_parsecfg.c:345: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_setopt.c:217: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_setopt.c:245: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_setopt.c:305: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_setopt.c:316: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_setopt.c:316: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_setopt.c:348: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_setopt.c:359: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_setopt.c:359: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_setopt.c:516: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_strdup.c:33: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_urlglob.c:438: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_urlglob.c:448: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_urlglob.c:459: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_urlglob.c:559: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_urlglob.c:561: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_urlglob.c:574: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_urlglob.c:577: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_urlglob.c:609: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_urlglob.c:639: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_urlglob.c:649: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./src/tool_urlglob.c:653: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_xattr.c:66: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_xattr.c:68: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./src/tool_xattr.c:71: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/first.c:95: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/first.c:109: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/first.c:127: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1502.c:54: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1506.c:49: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1506.c:73: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1510.c:47: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1510.c:77: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1512.c:52: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1512.c:62: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1515.c:125: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1515.c:135: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1517.c:62: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1520.c:62: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1525.c:38: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1525.c:39: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1525.c:42: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1525.c:43: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1525.c:85: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1526.c:37: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1526.c:38: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1526.c:41: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1526.c:42: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1526.c:88: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1527.c:37: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1527.c:38: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1527.c:41: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1527.c:42: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1527.c:86: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib1529.c:32: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib1900.c:116: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib508.c:58: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib510.c:50: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib518.c:60: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:62: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:240: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:291: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:328: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:350: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:354: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:362: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:400: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:415: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:438: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib518.c:442: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib530.c:56: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:61: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:63: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:280: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:322: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:344: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:348: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:356: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:404: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:419: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:442: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib537.c:445: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib540.c:203: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib547.c:55: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib547.c:58: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib547.c:114: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib553.c:78: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/lib554.c:79: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib554.c:109: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib555.c:54: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib555.c:57: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib555.c:101: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib556.c:76: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib557.c:206: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib557.c:376: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib557.c:526: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib557.c:754: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib557.c:903: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib557.c:1131: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib557.c:1360: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib557.c:1390: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib579.c:79: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/lib582.c:41: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/libtest/lib582.c:114: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/libtest/lib582.c:120: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/libtest/lib582.c:310: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/libtest/lib582.c:326: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/libtest/lib582.c:355: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/libtest/libauthretry.c:34: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/libauthretry.c:41: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/libntlmconnect.c:106: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/libtest/libntlmconnect.c:149: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/libntlmconnect.c:153: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/libtest/sethostname.c:34: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./tests/libtest/testtrace.c:109: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/fake_ntlm.c:65: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/fake_ntlm.c:79: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/fake_ntlm.c:169: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/fake_ntlm.c:245: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/getpart.c:106: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/getpart.c:156: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:352: [1] (buffer) sscanf: + It's unclear if the %s limit in the format string is small enough + (CWE-120). Check that the limit is sufficiently small, or use a different + input function. +./tests/server/rtspd.c:383: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:383: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:384: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/rtspd.c:387: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/rtspd.c:418: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/rtspd.c:457: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:461: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:466: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:542: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/rtspd.c:582: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:626: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:691: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:692: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:693: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:696: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:708: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:720: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:922: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:952: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/rtspd.c:954: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:955: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/rtspd.c:983: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/rtspd.c:989: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/rtspd.c:1145: [1] (buffer) sscanf: + It's unclear if the %s limit in the format string is small enough + (CWE-120). Check that the limit is sufficiently small, or use a different + input function. +./tests/server/rtspd.c:1242: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sockfilt.c:293: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/server/sockfilt.c:309: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/server/sockfilt.c:310: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/server/sockfilt.c:362: [1] (buffer) read: + Check buffer boundaries if used in a loop including recursive loops + (CWE-120, CWE-20). +./tests/server/sockfilt.c:486: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sockfilt.c:492: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sockfilt.c:498: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sockfilt.c:1067: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sockfilt.c:1068: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sockfilt.c:1069: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sockfilt.c:1162: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sockfilt.c:1398: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sockfilt.c:1415: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:392: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:396: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:401: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:406: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:410: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:499: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:499: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:500: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:503: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:536: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:557: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:628: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:679: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:689: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:733: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:798: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:800: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:801: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:804: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:816: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:836: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:1058: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:1088: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:1089: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:1091: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:1093: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:1105: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:1116: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:1118: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:1259: [1] (buffer) sscanf: + It's unclear if the %s limit in the format string is small enough + (CWE-120). Check that the limit is sufficiently small, or use a different + input function. +./tests/server/sws.c:2023: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:2040: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/sws.c:2085: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/sws.c:2144: [1] (buffer) strncpy: + Easily used incorrectly; doesn't always \0-terminate or check for invalid + pointers (CWE-120). +./tests/server/sws.c:2311: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/tftpd.c:572: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/tftpd.c:724: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/tftpd.c:1149: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/tftpd.c:1192: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/tftpd.c:1426: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/server/util.c:80: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/util.c:115: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/server/util.c:145: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/unit/unit1304.c:52: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1305.c:133: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1396.c:101: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:63: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:64: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:65: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:66: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:70: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:72: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:75: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:77: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:80: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:82: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:86: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:88: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:92: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:94: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:96: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:98: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:102: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:104: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:106: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:110: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:112: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:116: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:118: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:120: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:124: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:126: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:128: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:132: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:136: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:138: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:142: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1603.c:144: [1] (buffer) strlen: + Does not handle strings that are not \0-terminated; if given one it may + perform an over-read (it could cause a crash if unprotected) (CWE-126). +./tests/unit/unit1604.c:49: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. +./tests/unit/unit1604.c:61: [1] (port) snprintf: + On some very old systems, snprintf is incorrectly implemented and permits + buffer overflows; there are also incompatible standard definitions of it. + Check it during installation, or use something else. + +ANALYSIS SUMMARY: + +Hits = 1804 +Lines analyzed = 188366 in approximately 3.01 seconds (62585 lines/second) +Physical Source Lines of Code (SLOC) = 122850 +Hits@level = [0] 0 [1] 833 [2] 791 [3] 40 [4] 140 [5] 0 +Hits@level+ = [0+] 1804 [1+] 1804 [2+] 971 [3+] 180 [4+] 140 [5+] 0 +Hits/KSLOC@level+ = [0+] 14.6846 [1+] 14.6846 [2+] 7.90395 [3+] 1.4652 [4+] 1.1396 [5+] 0 +Dot directories skipped = 1 (--followdotdir overrides) +Minimum risk level = 1 +Not every hit is necessarily a security vulnerability. +There may be other security vulnerabilities; review your code! +See 'Secure Programming for Linux and Unix HOWTO' +(http://www.dwheeler.com/secure-programs) for more information. diff --git a/tests/parsers/test_flawfinder_parser.py b/tests/parsers/test_flawfinder_parser.py new file mode 100644 index 0000000..457ea09 --- /dev/null +++ b/tests/parsers/test_flawfinder_parser.py @@ -0,0 +1,61 @@ +#!/usr/bin/env python +# +# Copyright 2017 David Carlos +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 +# USA + +import os +import unittest + +from firehose.parsers.flawfinder import parse_file +from firehose.model import Analysis, Issue, Sut, Trace + +class TestParseXml(unittest.TestCase): + def parse_example(self, filename): + try: + path = os.path.join(os.path.dirname(__file__), + 'example-output', + 'flawfinder', + filename) + with open(path) as infile: + return parse_file(infile) + except IOError: + print("Example input not found") + + def test_flawfinder_report(self): + a = self.parse_example('flawfinder-report-1') + self.assertEqual(a.metadata.generator.name, 'flawfinder') + self.assertEqual(a.metadata.generator.version, '1.31') + self.assertEqual(a.metadata.sut, None) + self.assertEqual(a.metadata.file_, None) + self.assertEqual(a.metadata.stats, None) + self.assertEqual(a.metadata.stats, None) + w0 = a.results[0] + self.assertEqual(w0.cwe, 78) + expected_message = 'This causes a new program to execute ' \ + 'and is difficult to use safely\n (CWE-78). ' \ + 'try using a library call that implements ' \ + 'the same functionality\n if available.' + self.assertEqual(w0.message.text.strip(), expected_message) + self.assertEqual(w0.testid, 'shell') + self.assertEqual(len(a.results), 1804) + w3 = a.results[4] + self.assertEqual(w3.location.file.givenpath , "./docs/examples/cookie_interface.c") + self.assertEqual(w3.testid, 'format') + some_w = a.results[1801] + self.assertEqual(some_w.cwe, 126) + self.assertEqual(some_w.testid, 'buffer') + other_w = a.results[1802] + self.assertEqual(other_w.cwe, None)