Scanning the attached C file, flawfinder misreports line numbers for some possible problems. Example:

main.c:923: [1] (buffer) strlen: Does not handle strings that are not \0-terminated (it could cause a crash if unprotected). i = strlen(p) + 1;

Line 923 of main.c is actually just:

{
Created attachment 52119: source code from sendmail
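A way to catch this class of misreport before trusting a flawfinder run, added here as an example that is not part of the bug report and not flawfinder's own code: parse each hit of the form shown above (file:line: [level] (category) function: message), look up the reported line in the source, and flag hits whose line does not actually call the named function, listing the lines that do. It assumes each hit is already on a single line (as in the report above; flawfinder's multi-line default output would need joining first); the C snippet and report text below are constructed for illustration.

```python
import re
from typing import Dict, List

# One flawfinder hit per line, as it appears in the report above:
#   file:line: [level] (category) function: message
# Assumption: hits are already on one line each (not the wrapped default output).
HIT_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):\s+\[(?P<level>\d)\]\s+"
    r"\((?P<category>\w+)\)\s+(?P<func>\w+):\s*(?P<msg>.*)$"
)


def parse_hits(report: str) -> List[dict]:
    """Parse flawfinder text output into dicts; lines that are not hits are skipped."""
    hits = []
    for raw in report.splitlines():
        m = HIT_RE.match(raw.strip())
        if m:
            hit = m.groupdict()
            hit["line"] = int(hit["line"])
            hit["level"] = int(hit["level"])
            hits.append(hit)
    return hits


def _calls(func: str, text: str) -> bool:
    # True if `text` contains a call of exactly `func` (not a longer identifier containing it).
    return re.search(r"(?<![A-Za-z0-9_])" + re.escape(func) + r"\s*\(", text) is not None


def check_hits(hits: List[dict], sources: Dict[str, str]) -> List[dict]:
    """Return one record per hit whose reported line does not call the named function.

    Each record carries the hit, the text actually found at that line (None if the
    number is out of range), and the lines of the same file that do call the
    function, i.e. where the hit most likely belongs."""
    mismatches = []
    for hit in hits:
        lines = sources.get(hit["file"], "").splitlines()
        idx = hit["line"] - 1
        actual = lines[idx] if 0 <= idx < len(lines) else None
        if actual is not None and _calls(hit["func"], actual):
            continue
        candidates = [n for n, t in enumerate(lines, start=1) if _calls(hit["func"], t)]
        mismatches.append({"hit": hit, "actual": actual, "candidates": candidates})
    return mismatches


# Constructed sample: a tiny C file and a flawfinder report whose first strlen hit
# points at line 3 ("{") although the strlen call is on line 5.
SAMPLE_SOURCE = {
    "main.c": "\n".join([
        "#include <string.h>",
        "int f(const char *p)",
        "{",
        "    int i;",
        "    i = strlen(p) + 1;",
        "    return i;",
        "}",
    ]) + "\n",
}

SAMPLE_REPORT = """\
main.c:3: [1] (buffer) strlen: Does not handle strings that are not \\0-terminated (it could cause a crash if unprotected).
main.c:5: [1] (buffer) strlen: Does not handle strings that are not \\0-terminated (it could cause a crash if unprotected).
"""


def main() -> None:
    for m in check_hits(parse_hits(SAMPLE_REPORT), SAMPLE_SOURCE):
        h = m["hit"]
        print(f"{h['file']}:{h['line']}: {h['func']} is not called on this line "
              f"({m['actual']!r}); lines that do call it: {m['candidates']}")


if __name__ == "__main__":
    main()
```

Running it prints the mismatch for line 3 and points at line 5; the hit that is correctly placed on line 5 is silently accepted. Against a real tree, read the sources from disk into the same file-name-to-text mapping and feed flawfinder's output to parse_hits.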
This is a bug, not a vulnerability. Reassigning to maintainer... oops... no metadata.xml... so reassigning to bug-wranglers :)
Re-assign.
Added a patch, flawfinder-1.26-r1 shows the correct line numbers now. Also e-mailed the author about this.