Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libpam-radius-auth-1.4.0/src/md5.c
Examining data/libpam-radius-auth-1.4.0/src/md5.h
Examining data/libpam-radius-auth-1.4.0/src/pam_radius_auth.h
Examining data/libpam-radius-auth-1.4.0/src/radius.h
Examining data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c

FINAL RESULTS:

data/libpam-radius-auth-1.4.0/src/md5.h:24:45:  [4] (shell) system:
  This causes a new program to execute and is difficult to use safely
  (CWE-78). try using a library call that implements the same functionality
  if available.
  # error Failed determining endianness of system

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:85:2:  [4] (format) vsprintf:
  Potential format string problem (CWE-134). Make format string constant.
  vsprintf(buffer, format, args);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:98:2:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(conf_file, CONF_FILE);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:121:4:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination [MS-banned]
  (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
  easily misused).
  strcpy(conf_file,*argv+5);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:635:7:  [4] (buffer) sscanf:
  The scanf() family's %s operation, without a limit specification, permits
  buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
  different input function.
  if (sscanf(p, "%s %s %d", hostname, secret, &timeout) < 2) {

data/libpam-radius-auth-1.4.0/src/md5.c:107:4:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
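Triage of the five level-4 hits above, plus an added example that is not code from libpam-radius-auth. The md5.h:24 hit is the word "system" inside a `#error` message, not a call. The strcpy at :98 copies the compile-time constant CONF_FILE, and the strcpy at :121 is guarded by the `strlen(*argv+5) >= sizeof(conf_file)` check reported further down at :116. The sscanf at :635 is the one worth a closer look: `%s` with no width into hostname[BUFFER_SIZE] and secret[BUFFER_SIZE] (:598-:599), fed from the module's configuration file, so the exposure is limited to whoever can write that file. The example shows the width-limited form Flawfinder recommends and why it is not sufficient on its own (an over-long field is silently cut and its remainder becomes the next field), then a parser that fails closed and range-checks the timeout with strtol instead of atoi (the CWE-190 hits). BUFFER_SIZE = 256, the default timeout of 3 and the 1..60 range are assumptions; the input lines are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions for this example: the report shows hostname[BUFFER_SIZE] and
 * secret[BUFFER_SIZE] but not BUFFER_SIZE itself, nor the default timeout. */
#define BUFFER_SIZE     256
#define DEFAULT_TIMEOUT 3

struct server_entry {
    char hostname[BUFFER_SIZE];
    char secret[BUFFER_SIZE];
    int  timeout;
};

/* Flawfinder's suggested fix: a width on every %s (size - 1; the NUL is
 * extra). The overflow is gone, but an over-long field is silently cut and
 * its remainder is consumed as the *next* field. */
int parse_with_widths(const char *line, struct server_entry *e)
{
    e->timeout = DEFAULT_TIMEOUT;
    return sscanf(line, "%255s %255s %d", e->hostname, e->secret, &e->timeout) >= 2;
}

/* Copy the next whitespace-delimited token into dst, failing closed when it
 * would not fit instead of truncating. */
static int next_token(const char **p, char *dst, size_t dstsz)
{
    const char *s = *p + strspn(*p, " \t\r\n");
    size_t len = strcspn(s, " \t\r\n");
    if (len == 0 || len >= dstsz)
        return 0;
    memcpy(dst, s, len);
    dst[len] = '\0';
    *p = s + len;
    return 1;
}

/* Hardened parser: bounded copies, the timeout range-checked with strtol
 * (atoi cannot report errors), trailing junk rejected.
 * Returns 1 on success, 0 on any problem. */
int parse_server_line(const char *line, struct server_entry *e)
{
    const char *p = line;
    char num[16];
    if (!next_token(&p, e->hostname, sizeof e->hostname)) return 0;
    if (!next_token(&p, e->secret, sizeof e->secret))     return 0;
    e->timeout = DEFAULT_TIMEOUT;
    if (next_token(&p, num, sizeof num)) {
        char *end;
        long t = strtol(num, &end, 10);
        if (*end != '\0' || t < 1 || t > 60)   /* 1..60 s: assumed sane range */
            return 0;
        e->timeout = (int)t;
    }
    p += strspn(p, " \t\r\n");
    return *p == '\0';
}

/* Constructed input: a 300-character host name, longer than BUFFER_SIZE. */
static const char *overlong_line(void)
{
    static char line[400];
    memset(line, 'a', 300);
    memcpy(line + 300, " s3cr3t 5", sizeof " s3cr3t 5");
    return line;
}

/* Width-limited sscanf "succeeds": hostname holds 255 a's and the secret is
 * the other 45, while "s3cr3t" is never looked at. Returns strlen(secret). */
int demo_widths_split_secret(void)
{
    struct server_entry e;
    if (!parse_with_widths(overlong_line(), &e)) return -1;
    return (int)strlen(e.secret);
}

/* The hardened parser rejects the same line outright (returns 0). */
int demo_hardened_rejects(void)
{
    struct server_entry e;
    return parse_server_line(overlong_line(), &e);
}

/* Timeout parsed from a line, or -1 if the line is rejected. */
int demo_hardened_timeout(const char *line)
{
    struct server_entry e;
    return parse_server_line(line, &e) ? e.timeout : -1;
}

int main(void)
{
    printf("width-limited: secret length %d\n", demo_widths_split_secret());
    printf("hardened: overlong line accepted? %d\n", demo_hardened_rejects());
    printf("hardened: timeout %d\n",
           demo_hardened_timeout("radius.example.net s3cr3t 5"));
    return 0;
}
```

The split-field behaviour is the reason a width alone is a weak fix for a secret: with `%255s %255s`, a 300-character first field leaves 45 characters that sscanf happily stores as the shared secret, and the line still parses "successfully".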
  memcpy(p, buf, len);

data/libpam-radius-auth-1.4.0/src/md5.c:110:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p, buf, t);

data/libpam-radius-auth-1.4.0/src/md5.c:119:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(ctx->in, buf, 64);

data/libpam-radius-auth-1.4.0/src/md5.c:128:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(ctx->in, buf, len);

data/libpam-radius-auth-1.4.0/src/md5.c:135:24:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  void MD5Final(unsigned char digest[16], struct MD5Context *ctx)

data/libpam-radius-auth-1.4.0/src/md5.c:172:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(digest, ctx->buf, 16);

data/libpam-radius-auth-1.4.0/src/md5.h:46:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char in[64];

data/libpam-radius-auth-1.4.0/src/md5.h:51:24:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  void MD5Final(unsigned char digest[16], struct MD5Context *);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:68:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  static char conf_file[BUFFER_SIZE]; /* configuration file */

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:82:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[BUFFER_SIZE];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:133:20:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  conf->retries = atoi(*argv+6);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:172:26:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  conf->max_challenge = atoi(*argv+14);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:197:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
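The :82 and :85 hits (`char buffer[BUFFER_SIZE]` followed by `vsprintf(buffer, format, args)`) belong to a variadic logging helper. The CWE-134 note only matters if some caller passes untrusted text as `format`, which the report cannot show; the more direct concern is CWE-120, because vsprintf does not know the size of `buffer`, so a long user name or host name supplied as an argument writes past it. Added example, not the project's code: the flagged shape reconstructed from those two lines beside a bounded version that reports truncation instead of hiding it. BUFFER_SIZE = 256 and the function body around the two reported lines are assumptions; the inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256   /* assumed; the report does not show the real value */

/* The flagged shape, reconstructed from the two reported lines (:82, :85);
 * everything else in this function is assumed. vsprintf does not know how
 * large `buffer` is, so one long argument writes past it. Shown for
 * comparison only; nothing below calls it. */
void log_unbounded(const char *format, ...)
{
    char buffer[BUFFER_SIZE];
    va_list args;
    va_start(args, format);
    vsprintf(buffer, format, args);
    va_end(args);
    fputs(buffer, stderr);
}

/* Bounded replacement. vsnprintf never writes more than outsz bytes and
 * returns the length the whole message would have had, so truncation is
 * detectable; the tail is overwritten with a marker so whoever reads the
 * log sees that something was cut. Returns 1 if truncated, 0 otherwise;
 * `out` is always NUL-terminated. */
int format_bounded(char *out, size_t outsz, const char *format, va_list args)
{
    static const char mark[] = "...[truncated]";
    int n = vsnprintf(out, outsz, format, args);
    if (n < 0) {                  /* encoding error: log nothing rather than garbage */
        out[0] = '\0';
        return 0;
    }
    if ((size_t)n < outsz)
        return 0;
    if (outsz > sizeof mark)
        memcpy(out + outsz - sizeof mark, mark, sizeof mark);
    return 1;
}

int log_bounded(char *out, size_t outsz, const char *format, ...)
{
    va_list args;
    va_start(args, format);
    int truncated = format_bounded(out, outsz, format, args);
    va_end(args);
    return truncated;
}

/* Constructed input: an ordinary line. Returns its length (24). */
int demo_short_line_len(void)
{
    char buf[BUFFER_SIZE];
    log_bounded(buf, sizeof buf, "user %s from %s", "alice", "10.0.0.1");
    return (int)strlen(buf);
}

/* Constructed input: a 600-character user name, which log_unbounded would
 * write straight over the stack. Returns 1 if the bounded version reported
 * truncation and left a full, terminated, marked buffer; negative otherwise. */
int demo_long_line_truncated(void)
{
    char buf[BUFFER_SIZE], name[601];
    memset(name, 'A', 600);
    name[600] = '\0';
    int truncated = log_bounded(buf, sizeof buf, "user %s from %s", name, "10.0.0.1");
    if (strlen(buf) != BUFFER_SIZE - 1) return -1;
    if (strcmp(buf + strlen(buf) - 14, "...[truncated]") != 0) return -2;
    return truncated;
}

int main(void)
{
    char buf[BUFFER_SIZE];
    log_bounded(buf, sizeof buf, "user %s from %s", "alice", "10.0.0.1");
    printf("%s\n", buf);
    printf("long name truncated: %d\n", demo_long_line_truncated());
    return 0;
}
```

When reviewing the real function, the check to make is whether every caller passes a string literal as `format`; if one forwards a user-supplied message, the CWE-134 finding stops being theoretical regardless of how the buffer is sized.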
  char buf[6];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:224:14:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  cur_byte = atoi(buf);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:302:21:  [2] (integer) atoi:
  Unless checked, the resulting number can exceed the expected range
  (CWE-190). If source untrusted, check both minimum and maximum, even if the
  input had no minus sign (large numbers can roll over into negative number;
  consider saving to an unsigned value if that is intended).
  unsigned int i = atoi(p) & 0xffff;

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:363:11:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around
  to create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  int fd = open("/dev/urandom",O_RDONLY); /* Linux: get *real* random numbers */

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:415:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(((char *)request) + len, server->secret, secretlen);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:427:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char calculated[AUTH_VECTOR_LEN];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:428:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char reply[AUTH_VECTOR_LEN];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:434:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(reply, response->vector, AUTH_VECTOR_LEN); /* save the reply */

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:435:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(response->vector, request->vector, AUTH_VECTOR_LEN); /* sent vector */

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:494:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(p->data, data, length);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:520:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char misc[AUTH_VECTOR_LEN];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:523:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char hashed[256 + AUTH_PASS_LEN]; /* can't be longer than this */

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:531:2:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(hashed, password, length);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:574:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(attr->data, hashed, length); /* overwrite the packet */

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:598:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char hostname[BUFFER_SIZE];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:599:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char secret[BUFFER_SIZE];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:601:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char buffer[BUFFER_SIZE];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:610:17:  [2] (misc) fopen:
  Check when opening files - can an attacker redirect it (via symlinks), force
  the opening of special file type (e.g., device files), move things around
  to create a race condition, control its ancestors, or change its contents?
  (CWE-362).
  if ((fserver = fopen (conf_file, "r")) == (FILE*)NULL) {

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:703:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char hostname[256];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1072:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char recv_buffer[4096];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1073:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char send_buffer[4096];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1193:3:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char challenge[BUFFER_SIZE];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1213:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(challenge, a_reply->data, a_reply->length - 2);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1303:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120).
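The :1193/:1213 pair copies `a_reply->length - 2` bytes of a reply attribute into challenge[BUFFER_SIZE]. That length field is packet data, i.e. it came off the network, and whether the attribute walker validated it against the bytes actually received is not visible in this report. RFC 2865 caps an attribute at 255 octets including its 2-byte header, so a well-formed value is at most 253 bytes and fits a 256-byte buffer; the copy is only as safe as the check that enforced that cap. Added example, not the project's code: an attribute walker over a constructed Access-Challenge that rejects a length byte claiming more than the packet holds, a packet shorter than its own header says, and the 0/1 lengths that would make the loop spin, followed by the bounded copy. BUFFER_SIZE = 256 is an assumption; the attribute type numbers are those from RFC 2865.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE      256   /* assumed; matches challenge[BUFFER_SIZE] in the report */
#define RADIUS_HDR_LEN   20    /* code, id, length, authenticator (RFC 2865) */
#define PW_REPLY_MESSAGE 18    /* RFC 2865 attribute types */
#define PW_STATE         24

struct radius_attr {
    uint8_t        type;
    uint8_t        length;   /* on-the-wire length, 2-byte header included */
    const uint8_t *data;     /* length - 2 value bytes */
};

/* Walk the attribute list of a packet received from the network. Every
 * length is wire data, so it is checked against what is actually left in
 * the buffer before anything is read through it.
 * Returns 1 if `type` was found, 0 if absent, -1 if the packet is malformed. */
int find_attribute(const uint8_t *pkt, size_t pktlen, uint8_t type,
                   struct radius_attr *out)
{
    if (pktlen < RADIUS_HDR_LEN)
        return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pktlen)
        return -1;                        /* header claims more than we received */
    size_t off = RADIUS_HDR_LEN;
    while (off < declared) {
        if (declared - off < 2)
            return -1;                    /* truncated attribute header */
        uint8_t t = pkt[off], l = pkt[off + 1];
        if (l < 2 || l > declared - off)
            return -1;                    /* 0/1 never advances; too long over-reads */
        if (t == type) {
            out->type = t;
            out->length = l;
            out->data = pkt + off + 2;
            return 1;
        }
        off += l;
    }
    return 0;
}

/* Bounded form of the copy at :1213: the value length comes from a
 * validated attribute and is checked against the destination first. */
int copy_attr_string(const struct radius_attr *a, char *dst, size_t dstsz)
{
    size_t n = (size_t)a->length - 2;
    if (n >= dstsz)
        return 0;
    memcpy(dst, a->data, n);
    dst[n] = '\0';
    return 1;
}

/* Constructed Access-Challenge: Reply-Message followed by a 4-byte State.
 * With bad_len set, the Reply-Message length byte claims 255 bytes that are
 * not in the packet. Returns the packet length, 0 if it would not fit. */
static size_t build_challenge(uint8_t *buf, size_t bufsz, const char *msg, int bad_len)
{
    size_t mlen = strlen(msg);
    size_t total = RADIUS_HDR_LEN + 2 + mlen + 2 + 4;
    if (mlen > 253 || total > bufsz)
        return 0;
    memset(buf, 0, RADIUS_HDR_LEN);         /* authenticator zeroed: not verified here */
    buf[0] = 11;                             /* Access-Challenge */
    buf[1] = 0x2a;                           /* identifier */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    size_t off = RADIUS_HDR_LEN;
    buf[off] = PW_REPLY_MESSAGE;
    buf[off + 1] = bad_len ? 0xff : (uint8_t)(2 + mlen);
    memcpy(buf + off + 2, msg, mlen);
    off += 2 + mlen;
    buf[off] = PW_STATE;
    buf[off + 1] = 6;
    memcpy(buf + off + 2, "\x01\x02\x03\x04", 4);
    return total;
}

/* Well-formed packet: returns the length of the copied challenge text (11). */
int demo_challenge_len(void)
{
    uint8_t pkt[128];
    char challenge[BUFFER_SIZE];
    struct radius_attr a;
    size_t n = build_challenge(pkt, sizeof pkt, "Enter token", 0);
    if (find_attribute(pkt, n, PW_REPLY_MESSAGE, &a) != 1) return -1;
    if (!copy_attr_string(&a, challenge, sizeof challenge)) return -2;
    return (int)strlen(challenge);
}

/* Bogus length byte: the walker stops with -1 before it reaches State. */
int demo_bad_length_rejected(void)
{
    uint8_t pkt[128];
    struct radius_attr a;
    size_t n = build_challenge(pkt, sizeof pkt, "Enter token", 1);
    return find_attribute(pkt, n, PW_STATE, &a);
}

/* Packet shorter than its own length field says: -1. */
int demo_truncated_rejected(void)
{
    uint8_t pkt[128];
    struct radius_attr a;
    size_t n = build_challenge(pkt, sizeof pkt, "Enter token", 0);
    return find_attribute(pkt, n - 3, PW_REPLY_MESSAGE, &a);
}

int main(void)
{
    printf("challenge length %d, bad length -> %d, truncated -> %d\n",
           demo_challenge_len(), demo_bad_length_rejected(), demo_truncated_rejected());
    return 0;
}
```

Two things the walker deliberately does not do: it does not verify the Response Authenticator (the :427-:435 hits look like that step, but the report does not show enough to say), and it does not trust the UDP datagram length in place of the RADIUS length field; both are checked against each other instead.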
  Perform bounds checking, use functions that limit length, or ensure that
  the size is larger than the maximum possible length.
  char recv_buffer[4096];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1304:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char send_buffer[4096];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1349:2:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
  sprintf(recv_buffer, "%08d", (int) getpid());

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1403:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char recv_buffer[4096];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1404:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char send_buffer[4096];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.h:54:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  unsigned char data[1];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.h:77:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char prompt[MAXPROMPT];

data/libpam-radius-auth-1.4.0/src/radius.h:190:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char name[32];

data/libpam-radius-auth-1.4.0/src/radius.h:197:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char attrname[32];

data/libpam-radius-auth-1.4.0/src/radius.h:198:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char name[32];

data/libpam-radius-auth-1.4.0/src/radius.h:204:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
  char name[32];

data/libpam-radius-auth-1.4.0/src/radius.h:208:2:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120).
  Perform bounds checking, use functions that limit length, or ensure that
  the size is larger than the maximum possible length.
  char strvalue[AUTH_STRING_LEN];

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:116:8:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen(*argv+5) >= sizeof(conf_file)) {

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:160:9:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if (strlen((char*)*argv+7) >= (MAXPROMPT - 3)) {

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:367:16:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
  int bytes = read(fd, vector + total, AUTH_VECTOR_LEN - total);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:410:18:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int secretlen = strlen(server->secret);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:451:48:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  MD5Update(&my_md5, (unsigned char *) secret, strlen(secret));

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:522:15:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  int length = strlen(password);

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:553:51:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  MD5Update(&md5_secret, (unsigned char *) secret, strlen(secret));

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:715:63:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  add_attribute(request, PW_USER_NAME, (unsigned char *) user, strlen(user));

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:750:80:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  add_attribute(request, PW_NAS_IDENTIFIER, (unsigned char *) conf->client_id, strlen(conf->client_id));

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1085:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((user == NULL) || (strlen(user) > MAXPWNAM)) {

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1174:4:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(rhost));

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1227:11:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  strlen(rhost));

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1316:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((user == NULL) || (strlen(user) > MAXPWNAM)) {

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1350:76:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  add_attribute(request, PW_ACCT_SESSION_ID, (unsigned char *) recv_buffer, strlen(recv_buffer));

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1416:25:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  if ((user == NULL) || (strlen(user) > MAXPWNAM)) {

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.c:1508:17:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  } else if (strlen(new_password) < 6) {

data/libpam-radius-auth-1.4.0/src/pam_radius_auth.h:110:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
  #define _pam_forget(X) if (X) {memset(X, 0, strlen(X));free(X);X = NULL;}

ANALYSIS SUMMARY:

Hits = 69
Lines analyzed = 2350 in approximately 0.09 seconds (27514 lines/second)
Physical Source Lines of Code (SLOC) = 1463
Hits@level = [0]   4 [1]  17 [2]  47 [3]   0 [4]   5 [5]   0
Hits@level+ = [0+]  73 [1+]  69 [2+]  52 [3+]   5 [4+]   5 [5+]   0
Hits/KSLOC@level+ = [0+] 49.8975 [1+] 47.1634 [2+] 35.5434 [3+] 3.41763 [4+] 3.41763 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.