Description of problem:

1, /src/modules/rlm_perl/rlm_perl.c:415

    embed = rad_malloc(4*(sizeof(char *)));
    memset(embed, 0, sizeof(4*(sizeof(char *))));

The expression sizeof(4*(sizeof(char *))) returns the size of an integer, and I suppose there should be only 4*sizeof(char *).

2, /src/main/conffile.c:1558

I am not sure about the necessity of breaking the case statement, so please check it.

3, /src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c:535,536

    if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
        memcpy(buf, (char*) asn_time->data, asn_time->length);
        buf[asn_time->length] = '\0';
    ...

The variable asn_time->length is checked against the range 0-256, but the length of the array buf is only 64. This can cause a static array overrun on lines 535 and 536.

4, /src/lib/radius.c:862

The function returns without freeing the variable tlv.

5, /src/main/realms.c:1759

The same as the above-mentioned case, with the variable rc.

6, /src/modules/rlm_perl/rlm_perl.c:428,457

Leaking memory allocated into the variable embed.

Version-Release number of selected component (if applicable):
freeradius2-2.1.12-1.el5

Additional info:
All of the mentioned issues were found by Coverity difference analysis done between versions 2.1.7-7.el5 and 2.1.12-1.el5.
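
The corrected patterns for items 1, 3 and 6, as an added example that is not part of the original report and is not FreeRADIUS code. The names alloc_embed, copy_time, struct time_blob and BUF_LEN are hypothetical, plain malloc stands in for rad_malloc, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 64  /* size of buf as stated in the report */

/* Hypothetical stand-in for the asn_time object (data pointer + length). */
struct time_blob {
    const unsigned char *data;
    int length;
};

/* Item 1: zero the whole array. sizeof applied to the expression
 * 4*(sizeof(char *)) gives the size of that expression's type, not its
 * value, so the byte count has to be passed directly. */
char **alloc_embed(size_t n)
{
    char **embed = malloc(n * sizeof(*embed));
    if (embed != NULL)
        memset(embed, 0, n * sizeof(*embed));
    return embed;
}

/* Item 3: bound the copy by the destination size, leaving room for the
 * terminator. Returns 0 on success, -1 if the input is missing or too long. */
int copy_time(char *buf, size_t buflen, const struct time_blob *t)
{
    if (t == NULL || t->data == NULL || t->length < 0 || buflen == 0)
        return -1;
    if ((size_t)t->length >= buflen)
        return -1;
    memcpy(buf, t->data, (size_t)t->length);
    buf[t->length] = '\0';
    return 0;
}

int main(void)
{
    unsigned char big[200];              /* constructed oversized input */
    char buf[BUF_LEN];
    struct time_blob ok = { (const unsigned char *)"120101000000Z", 13 };
    struct time_blob bad = { big, (int)sizeof(big) };
    char **embed = alloc_embed(4);

    memset(big, 'A', sizeof(big));
    printf("short input: %d\n", copy_time(buf, sizeof(buf), &ok));
    printf("200-byte input: %d\n", copy_time(buf, sizeof(buf), &bad));
    free(embed);                         /* item 6: release on every path */
    return 0;
}
```
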