├── LICENSE ├── NFACTOR_MC.cfg ├── README.md ├── analysis ├── CFGPartAnalysis.py ├── Cover.py ├── InitRun.py ├── MCSimulation.py ├── MallocExtractParam.py ├── Tar3.py ├── Tar3Ranges.py ├── TypeUtils.py ├── Units.py ├── VNode.py ├── VTree.py ├── VulAnalyzer.py ├── __init__.py ├── simprocedure │ ├── ExtractParams.py │ ├── UnConstraintRetValue.py │ ├── __init__.py │ ├── vul_memcpy.py │ ├── vul_memmove.py │ ├── vul_memset.py │ ├── vul_sprintf.py │ ├── vul_strcat.py │ ├── vul_strcpy.py │ ├── vul_strncat.py │ ├── vul_strncpy.py │ └── wcslen.py └── tar3 │ ├── bin │ ├── tar3.exe │ └── xval.exe │ ├── doc │ ├── 02itar2.pdf │ ├── 02metrics.pdf │ ├── 02moreodc.pdf │ ├── 02pairprog.pdf │ ├── 02re02.pdf │ ├── 02sereuse.pdf │ ├── 02trust.pdf │ ├── TAR2intro.pdf │ ├── TAR3Manual.pdf │ ├── ch4-TAR3.pdf │ ├── itarv2.pdf │ ├── kdd.pdf │ ├── lazyagents.pdf │ ├── mbtar.pdf │ ├── ml4re.pdf │ ├── soft.pdf │ └── truisms.pdf │ ├── sample │ ├── data.cfg │ ├── data.data │ ├── data.names │ ├── golf.cfg │ ├── golf.data │ ├── golf.names │ ├── shadow.cfg │ ├── shadow.data │ ├── shadow.names │ ├── tar3.bat │ ├── xval.bat │ └── xval_usage.txt │ └── source │ ├── tar3 │ ├── defns.h │ ├── deltaf.c │ ├── extern.h │ ├── generate.c │ ├── getdata.c │ ├── getnames.c │ ├── global.h │ ├── main.c │ ├── process.c │ ├── random.c │ ├── rawdata.c │ ├── sort.c │ ├── tar3 │ ├── test.c │ ├── types.h │ └── xvalsum.c │ └── xval │ ├── xval │ ├── xval.c │ └── xvalprep.c ├── benchmarks_running.py ├── requirements.txt ├── run.py └── tests ├── CWE121_Stack_Based_Buffer_Overflow ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_02.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_03.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_08.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_09.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_11.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_12.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_16.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_17.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_18.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_31.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_32.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_34.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_41.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_44.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67a.c │ └── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67b.c ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_01.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_02.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_08.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_09.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_11.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_12.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_15.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_16.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_17.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_18.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_31.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_32.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_41.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_44.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67a.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67b.c │ └── testcases.h ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_01.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_03.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_09.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_12.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_16.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_18.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_31.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_34.c │ └── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41.c ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_01.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_03.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_09.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_12.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_14.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_16.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_18.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_31.c │ ├── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_34.c │ └── CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41.c ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcat │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_01.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_02.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_03.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_08.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_09.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_11.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_12.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_15.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_16.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_17.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_18.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_31.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_32.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_34.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_41.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_44.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67a.c │ └── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67b.c ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcpy │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_01.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_02.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_03.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_08.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_09.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_11.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_12.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_15.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_16.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_18.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_31.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_32.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_34.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_41.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_44.c │ ├── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67a.c │ └── CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67b.c └── includes │ ├── io.c │ ├── std_testcase.h │ ├── std_testcase_io.h │ └── testcases.h ├── CWE122_Heap_Based_Buffer_Overflow ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_01.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_02.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_09.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_12.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_14.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_15.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_17.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_18.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_21.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_31.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_41.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_42.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_44.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67a.c │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b.c ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_02.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_03.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_08.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_09.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_11.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_12.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_14.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_15.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_16.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_17.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_18.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_21.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_31.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_34.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_41.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_42.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_44.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_45.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67a.c │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b.c ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_01.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_02.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_03.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_08.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_09.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_11.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_12.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_14.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_15.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_16.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_17.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_18.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_21.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_31.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_34.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_41.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_42.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_44.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_45.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67a.c │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b.c ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_01.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_03.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_09.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_12.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_16.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_18.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_31.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_34.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_42.c │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memcpy_45.c ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_01.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_03.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_09.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_12.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_16.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_18.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_31.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_34.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_42.c │ └── CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_45.c ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_02.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_09.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_12.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_14.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_15.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_17.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_18.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_21.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_31.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_34.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_41.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_42.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_44.c │ ├── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67a.c │ └── CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b.c └── includes │ ├── io.c │ ├── std_testcase.h │ ├── std_testcase_io.h │ └── testcases.h ├── CWE415_Double_Free ├── CWE415_Double_Free__malloc_free_int │ ├── CWE415_Double_Free__malloc_free_int_01.c │ ├── CWE415_Double_Free__malloc_free_int_02.c │ ├── CWE415_Double_Free__malloc_free_int_09.c │ ├── CWE415_Double_Free__malloc_free_int_13.c │ ├── CWE415_Double_Free__malloc_free_int_31.c │ └── CWE415_Double_Free__malloc_free_int_42.c ├── CWE415_Double_Free__malloc_free_int64_t │ ├── CWE415_Double_Free__malloc_free_int64_t_01.c │ ├── CWE415_Double_Free__malloc_free_int64_t_06.c │ ├── CWE415_Double_Free__malloc_free_int64_t_08.c │ ├── CWE415_Double_Free__malloc_free_int64_t_13.c │ ├── CWE415_Double_Free__malloc_free_int64_t_17.c │ └── CWE415_Double_Free__malloc_free_int64_t_44.c ├── CWE415_Double_Free__malloc_free_long │ ├── CWE415_Double_Free__malloc_free_long_01.c │ ├── CWE415_Double_Free__malloc_free_long_03.c │ ├── CWE415_Double_Free__malloc_free_long_05.c │ ├── CWE415_Double_Free__malloc_free_long_10.c │ └── CWE415_Double_Free__malloc_free_long_16.c ├── CWE415_Double_Free__malloc_free_struct │ ├── CWE415_Double_Free__malloc_free_struct_01.c │ ├── CWE415_Double_Free__malloc_free_struct_07.c │ ├── CWE415_Double_Free__malloc_free_struct_11.c │ ├── CWE415_Double_Free__malloc_free_struct_12.c │ ├── CWE415_Double_Free__malloc_free_struct_15.c │ └── CWE415_Double_Free__malloc_free_struct_41.c ├── CWE415_Double_Free__malloc_free_wchar_t │ ├── CWE415_Double_Free__malloc_free_wchar_t_01.c │ ├── CWE415_Double_Free__malloc_free_wchar_t_04.c │ ├── CWE415_Double_Free__malloc_free_wchar_t_18.c │ ├── CWE415_Double_Free__malloc_free_wchar_t_21.c │ └── CWE415_Double_Free__malloc_free_wchar_t_34.c └── includes │ ├── io.c │ ├── std_testcase.h │ └── std_testcase_io.h ├── CWE416_Use_After_Free ├── CWE416_Use_After_Free__malloc_free_char │ ├── CWE416_Use_After_Free__malloc_free_char_01.c │ ├── CWE416_Use_After_Free__malloc_free_char_03.c │ ├── CWE416_Use_After_Free__malloc_free_char_04.c │ ├── CWE416_Use_After_Free__malloc_free_char_05.c │ ├── CWE416_Use_After_Free__malloc_free_char_06.c │ ├── CWE416_Use_After_Free__malloc_free_char_07.c │ ├── CWE416_Use_After_Free__malloc_free_char_08.c │ ├── CWE416_Use_After_Free__malloc_free_char_09.c │ ├── CWE416_Use_After_Free__malloc_free_char_10.c │ ├── CWE416_Use_After_Free__malloc_free_char_11.c │ ├── CWE416_Use_After_Free__malloc_free_char_14.c │ ├── CWE416_Use_After_Free__malloc_free_char_15.c │ ├── CWE416_Use_After_Free__malloc_free_char_16.c │ ├── CWE416_Use_After_Free__malloc_free_char_17.c │ └── CWE416_Use_After_Free__malloc_free_char_18.c ├── CWE416_Use_After_Free__malloc_free_long │ ├── CWE416_Use_After_Free__malloc_free_long_01.c │ ├── CWE416_Use_After_Free__malloc_free_long_06.c │ ├── CWE416_Use_After_Free__malloc_free_long_09.c │ └── CWE416_Use_After_Free__malloc_free_long_17.c └── includes │ ├── io.c │ ├── std_testcase.h │ └── std_testcase_io.h ├── Complex_Programs ├── CWE121_Stack_Based_Buffer_Overflow_Complex_Program.c ├── CWE122_Heap_Based_Buffer_Overflow_Complex_Program.c ├── CWE415_Double_Free_Complex_Program.c └── CWE416_Use_After_Free_Complex_Program.c └── executable.sh /NFACTOR_MC.cfg: -------------------------------------------------------------------------------- 1 | HOW_MANY 2 | 10 3 | #index begin from zero 4 | TYPES 5 | #int 6 | #int,char,int 7 | #nth param,array type , length 8 | 9 | 10 | ARRAYS 11 | 1,char *,100 12 | 2,char *,100 13 | #3,int,4 14 | #4,char *,80 15 | 16 | #nth param,normal dist 17 | DISTROS 18 | #1,normal 19 | #2,normal,05,50 20 | #3,normal,0,100 21 | #4,random 22 | #4,normal,0,2 23 | 24 | NPAIRS 25 | 2 26 | 27 | 28 | GROUPS 29 | #param_1:[50;60),[19;20],[21;90),[1000;2000] 30 | #param_2:[john-jeason-jack-jona] 31 | #param_3:[a-c),[A-Z] 32 | #param_4:[10;20],[-50;5] 33 | #param_5:[1{ 1 }2,5{ a;c }-9{ a;z }8{ 6 }] 34 | #param_5:[1{ 1 }2;5{ a;c }-9{ a;z }8{ 6 }] 35 | #param_5:[start;5{ a;z }] 36 | #param_5:[start,end{ a;c }-9{ a;z }8{ 6 }] 37 | #param_5:[jeason-john] 38 | #param_1:[1{ a;c }-5{ A;C }],[start;end{ a;z }-9{ a;z }8{ 6 }] ,[start;5{ 1;9 }] 39 | #param_1:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }] 40 | #param_2:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }] 41 | param_1:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }] 42 | #,[start;end{ *;/ }],[start;end{ :;@ }],[start;end{ [;_ }],[start;end{ A;z }],[start;end{ *;~ }],[start,end{ 0;z }] 43 | #param_2:[-100;0],[0;100],[100;200],[200;300],[300;400] 44 | param_2:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }] 45 | #,[start;end{ *;/ }],[start;end{ :;@ }],[start;end{ [;_ }],[start;end{ A;z }],[start;end{ *;~ }],[start,end{ 0;z }] 46 | #param_3:[-p] 47 | #param_3:[-100;0],[0;100],[100;200],[200;300],[300;400] 48 | #param_2:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }],[start;end{ ;/ }],[start;end{ :;@ }],[start;end{ [;` }],[start;end{ \{;~ }],[start;end{ A;z }],[start;end{ ;~ }],[start,end{ 0;z }] 49 | #param_4:[start;end{ a;z }],[start;end{ A;Z }],[start;end{ 0;9 }],[start;end{ ;/ }],[start;end{ :;@ }],[start;end{ [;` }],[start;end{ \{;~ }],[start;end{ A;z }],[start;end{ ;~ }],[start,end{ 0;z }] 50 | 51 | 52 | -------------------------------------------------------------------------------- /analysis/InitRun.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Mon Dec 21 18:14:17 2020 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | 9 | from analysis.MCSimulation import MCSimulation 10 | from analysis.MallocExtractParam import mallocEx 11 | from analysis.TypeUtils import * 12 | 13 | class InitRun: 14 | def __init__(self,project,mc_config,cfg_analyses,target_func=None): 15 | self.project=project 16 | self.project.hook_symbol('malloc',mallocEx(num_args=1)) 17 | self.target_func=target_func 18 | self.cfg_analyses=cfg_analyses 19 | self.malloc_points=[] 20 | self.mc=MCSimulation(config_file=mc_config) 21 | for addr,func in self.cfg_analyses.getAddressOfFunctionCall('malloc'): 22 | if self.cfg_analyses.isReachableFromMain(func.name): 23 | self.malloc_points.append((addr,func)) 24 | 25 | 26 | 27 | def run(self,args_index=[]): 28 | flag=True 29 | res=None 30 | while flag: 31 | inSample = self.mc.generate(count=1)[0] 32 | inputs=[] 33 | 34 | for i in range(len(inSample)): 35 | tp=self.mc.getVarTypes(i) 36 | if 'int' in tp: 37 | inputs.append(getIntConcreteBV(int(inSample[i]))) 38 | elif isinstance(tp,tuple) and 'char*' in tp[0]: 39 | inputs.append(getCharStringConcreteBV(inSample[i][0:20])) 40 | else: 41 | inputs.append(getCharStringConcreteBV(inSample[i])) 42 | argss=[] 43 | if len(args_index) > 0: 44 | argss.append(self.project.filename) 45 | for indx in args_index: 46 | argss.append(inputs.pop(indx-1)) 47 | state=self.project.factory.entry_state(args=argss,stdin=angr.SimPacketsStream(name='stdin', content=inputs,),add_options=angr.options.unicorn) 48 | else: 49 | state=self.project.factory.entry_state(stdin=angr.SimPacketsStream(name='stdin', content=inputs,),add_options=angr.options.unicorn) 50 | state.libc.buf_symbolic_bytes=100 51 | simgr=self.project.factory.simulation_manager(state) 52 | simgr.explore(find=self._explore_states) 53 | 54 | res=dict(simgr.deadended[0].globals) 55 | if len(self.malloc_points) == len(res): 56 | flag=False 57 | return res 58 | 59 | 60 | def _explore_states(self,state): 61 | for addr,func in self.malloc_points: 62 | if addr in state.block().instruction_addrs: 63 | state.globals[addr]=None 64 | return False 65 | 66 | 67 | 68 | 69 | -------------------------------------------------------------------------------- /analysis/MallocExtractParam.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Mon Dec 14 18:08:03 2020 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | 9 | import angr 10 | 11 | class mallocEx(angr.SimProcedure): 12 | def run(self,arg,count=None): 13 | f=angr.SIM_PROCEDURES['libc']['malloc'] 14 | re = self.inline_call(f,arg).ret_expr 15 | values=[] 16 | for addr,size in self.state.globals.items(): 17 | if size is None: 18 | values.append((addr,arg.to_claripy())) 19 | for addr,value in values : 20 | self.state.globals[addr]=self.state.solver.eval(value,cast_to=int) 21 | if (count is not None) and (len(self.state.globals.keys()) == count): 22 | self.exit(1) 23 | return re 24 | 25 | -------------------------------------------------------------------------------- /analysis/Tar3Ranges.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sun Nov 1 19:12:42 2020 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | 9 | from collections import Counter 10 | 11 | class Range: 12 | 13 | def __init__(self): 14 | self.var_names=[] 15 | self.bound={} 16 | 17 | def addRange(self,reng): 18 | for var_name,bnd in reng: 19 | self.var_names.append(var_name) 20 | self.bound[var_name]=bnd 21 | 22 | def correctBounds(self,reng): 23 | for var_name,bnd in reng: 24 | bound=self.bound[var_name] 25 | old_upper=float(bound[1]) 26 | old_lower=float(bound[0]) 27 | new_upper=float(bnd[1]) 28 | new_lower=float(bnd[0]) 29 | 30 | if new_upper > old_upper and new_lower >= old_upper: 31 | bound[1]=new_upper 32 | elif new_upper <= old_lower and new_lower < old_lower : 33 | bound[0]=new_lower 34 | else: 35 | if new_upper < old_upper : 36 | bound[1]=str(new_upper) 37 | if new_lower > old_lower : 38 | bound[0] = str(new_lower) 39 | 40 | def isMatch(self,var_names): 41 | return Counter(var_names) == Counter(self.var_names) 42 | 43 | def pp(self): 44 | content='' 45 | for name in self.var_names: 46 | if content == '': 47 | content='{0}:{1}'.format(name,self.bound.get(name)) 48 | else: 49 | content=content+' And {0}:{1}'.format(name,self.bound.get(name)) 50 | print(content) 51 | 52 | -------------------------------------------------------------------------------- /analysis/VNode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Fri Sep 11 23:39:17 2020 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | class _VNode: 9 | def __init__(self,inode=None,addr=None,block=None,constraints=None,parent_addr=None,satisfiable=False): 10 | if block is None: 11 | self.blocks=[] 12 | else: 13 | self.blocks=[block] 14 | 15 | if constraints is None: 16 | self.constraints=[] 17 | else: 18 | self.constraints=constraints 19 | self.addr=addr 20 | self.Term=[] 21 | self.V=[] 22 | self.v=[] 23 | self._called=[] 24 | self.inode=inode 25 | self._has_child=False 26 | self._parent_addr=parent_addr 27 | self._satisfiable=satisfiable 28 | self._vul_susp=False 29 | self._extra_vul_const=[] 30 | self._vulMsg=[] 31 | self._stack={} 32 | 33 | def _setUpStack(self,stack_values,parent={}): 34 | if len(parent) > 0: 35 | self._stack=parent.copy() 36 | for addr,value in stack_values: 37 | self._stack[addr]=value 38 | 39 | 40 | def _correctStack(self,new_stack): 41 | for addr,value in new_stack.items(): 42 | self._stack[addr]=value 43 | 44 | def isEqual(self,other,isEntryLoop=False): 45 | 46 | if isEntryLoop: 47 | if self.addr == other.addr: 48 | return True 49 | 50 | if self._parent_addr != other._parent_addr: 51 | return False 52 | 53 | 54 | if self.addr != other.addr: 55 | return False 56 | 57 | 58 | 59 | return True 60 | 61 | 62 | 63 | def addVulMessage(self,mesg): 64 | self._vulMsg.append(mesg) 65 | 66 | 67 | def setSatisfaiablilyStatus(self,status): 68 | self._satisfiable=status 69 | 70 | def setVulSusp(self,value): 71 | self._vul_susp=value 72 | 73 | def addVulConstraint(self,constraint): 74 | self._extra_vul_const.append(constraint) 75 | 76 | 77 | def addSystemIn(self,V): 78 | self.V.append(V) 79 | 80 | def _addCallee(self,addr): 81 | self._called.append(addr) 82 | 83 | def addUnitIn(self,v): 84 | self.v.append(v) 85 | 86 | def checkISINParent(self,item_con,parent_cons): 87 | for item in parent_cons: 88 | if item_con is item: 89 | return True 90 | return False 91 | 92 | def addConstraints(self,consts,parent): 93 | self.constraints=consts 94 | for item in self.constraints: 95 | if self.checkISINParent(item,parent.constraints) == False: 96 | self.Term.append(item) 97 | 98 | for item in parent.constraints: 99 | if self.checkISINParent(item,self.constraints) == False: 100 | self.constraints.append(item) 101 | 102 | 103 | 104 | def addBlock(self,addr): 105 | self.blocks.append(addr) 106 | 107 | @classmethod 108 | def getNodeNumber(cls): 109 | return cls.inode 110 | 111 | def pp(self): 112 | content='Node-{0}\nConstraints: {1}\nUnitInputs: {2}\nSystemInputs: {3}\nBasicBlocks Addr: {4}\nCallees: {5}\n'.format(self.inode,self.constraints,self.v,self.V,self.blocks,self._called) 113 | print(content) 114 | 115 | def __str__(self): 116 | return 'Node-{0}'.format(self.inode) 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | -------------------------------------------------------------------------------- /analysis/__init__.py: -------------------------------------------------------------------------------- 1 | import logging 2 | 3 | 4 | 5 | logging.disable(logging.CRITICAL) 6 | 7 | -------------------------------------------------------------------------------- /analysis/simprocedure/ExtractParams.py: -------------------------------------------------------------------------------- 1 | """ 2 | Created on Sun Feb 14 10:07:03 2021 3 | 4 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 5 | """ 6 | import angr ,claripy 7 | import numpy as np 8 | 9 | class SimExtractParams(angr.SimProcedure): 10 | 11 | def run(self, *args, pointers=None): 12 | self.state.globals['args']=[] 13 | for numb,typ in pointers.items(): 14 | argRes=None 15 | if typ == 'intPointer': 16 | addr=args[numb-1].ast.args[0] 17 | argRes=int(np.int32(self.state.mem[addr].long.concrete)) 18 | elif typ == 'charPointer': 19 | addr = args[numb - 1].to_claripy() 20 | value=self.state.mem[addr].string.concrete 21 | if isinstance(value,str): 22 | argRes=value 23 | else: 24 | argRes=value.decode('ascii','replace') 25 | argRes=argRes+'\x00' 26 | elif typ == 'floatPointer': 27 | addr=args[numb-1].ast.args[0] 28 | value=self.state.mem[addr].long.concrete 29 | tmp_val=claripy.BVV(value,32) 30 | argRes=tmp_val.raw_to_fp().args[0] 31 | elif typ == 'doublePointer': 32 | addr=args[numb-1].ast.args[0] 33 | value=self.state.mem[addr].long.concrete 34 | tmp_val=claripy.BVV(value,64) 35 | fp=tmp_val.raw_to_fp() 36 | argRes=tmp_val.raw_to_fp().args[0] 37 | elif typ in 'char': 38 | argRes=chr(args[numb-1].ast.args[0]) 39 | elif typ in 'int': 40 | val=args[numb-1].ast 41 | argRes=int(np.int32(self.state.solver.eval(val))) 42 | elif typ in 'float': 43 | tmp_val=claripy.BVV(args[numb-1].args[0],32) 44 | argRes=tmp_val.raw_to_fp().args[0] 45 | elif typ == "double": 46 | tmp_val=claripy.BVV(args[numb-1].args[0],64) 47 | argRes=tmp_val.raw_to_fp().args[0] 48 | else: 49 | argRes=args[numb-1] 50 | self.state.globals['args'].append(argRes) 51 | self.exit(0) 52 | return 0 53 | 54 | -------------------------------------------------------------------------------- /analysis/simprocedure/UnConstraintRetValue.py: -------------------------------------------------------------------------------- 1 | """ 2 | Created on Sun Feb 14 10:07:03 2021 3 | 4 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 5 | """ 6 | import angr,claripy 7 | 8 | class ExeFunc(angr.SimProcedure): 9 | def run(*argv): 10 | pass 11 | #return claripy.BVS('UNConstrainRetValue',8) 12 | -------------------------------------------------------------------------------- /analysis/simprocedure/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/simprocedure/__init__.py -------------------------------------------------------------------------------- /analysis/simprocedure/vul_memcpy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sat Feb 13 22:07:00 2021 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | import angr,claripy 9 | 10 | class _memcpy_vul(angr.SimProcedure): 11 | def run(self,dst_addr, src_addr ,limit): 12 | strlen = angr.SIM_PROCEDURES['libc']['strlen'] 13 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy'] 14 | hist_addr=self.state.history.bbl_addrs.hardcopy 15 | self.state.globals['block_addr']=hist_addr 16 | 17 | if self.state.solver.symbolic(limit) ==False: 18 | limit=self.state.solver.eval(limit.to_claripy()) 19 | else: 20 | limit=limit.to_claripy() 21 | 22 | con_res=['memcpy',limit] 23 | 24 | self.state.globals['extra_const'].append(tuple(con_res)) 25 | 26 | self.inline_call(memcpy, dst_addr, src_addr,limit) 27 | 28 | return dst_addr 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /analysis/simprocedure/vul_memmove.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sat Feb 13 22:07:00 2021 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamal 7 | """ 8 | import angr,claripy 9 | 10 | class _memmove_vul(angr.SimProcedure): 11 | def run(self,dst_addr, src_addr ,limit): 12 | strlen = angr.SIM_PROCEDURES['libc']['strlen'] 13 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy'] 14 | 15 | hist_addr=self.state.history.bbl_addrs.hardcopy 16 | self.state.globals['block_addr']=hist_addr 17 | 18 | if self.state.solver.symbolic(limit) ==False: 19 | limit=self.state.solver.eval(limit.to_claripy()) 20 | else: 21 | limit=limit.to_claripy() 22 | 23 | con_res=['memmove',limit] 24 | 25 | self.state.globals['extra_const'].append(tuple(con_res)) 26 | 27 | self.inline_call(memcpy, dst_addr, src_addr,limit) 28 | 29 | return dst_addr 30 | -------------------------------------------------------------------------------- /analysis/simprocedure/vul_memset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sun Feb 14 10:07:03 2021 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | import angr,claripy 9 | 10 | class _memset_vul(angr.SimProcedure): 11 | def run(self, dst_addr, char, num): 12 | memset = angr.SIM_PROCEDURES['libc']['memset'] 13 | hist_addr=self.state.history.bbl_addrs.hardcopy 14 | self.state.globals['block_addr']=hist_addr 15 | 16 | if self.state.solver.symbolic(num) ==False: 17 | self.state.globals['extra_const'].append(('memset',self.state.solver.eval(num.to_claripy()))) 18 | else: 19 | self.state.globals['extra_const'].append(('memset',num.to_claripy())) 20 | 21 | 22 | self.inline_call(memset,dst_addr,char,num) 23 | return dst_addr 24 | 25 | 26 | -------------------------------------------------------------------------------- /analysis/simprocedure/vul_sprintf.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sun Feb 14 10:07:03 2021 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | from angr.procedures.stubs.format_parser import FormatParser 9 | import angr,claripy 10 | 11 | class _sprintf_vul(FormatParser): 12 | def run(self, dst_ptr): 13 | fmt_str = self._parse(1) 14 | out_str = fmt_str.replace(2, self.arg) 15 | 16 | hist_addr=self.state.history.bbl_addrs.hardcopy 17 | self.state.globals['block_addr']=hist_addr 18 | if self.state.solver.symbolic(out_str) ==False: 19 | value=self.state.solver.eval(out_str,cast_to=bytes).decode('ascii') 20 | self.state.globals['extra_const'].append(('sprintf',value)) 21 | 22 | self.state.memory.store(dst_ptr, out_str) 23 | 24 | self.state.memory.store(dst_ptr + (out_str.size() // 8), self.state.solver.BVV(0, 8)) 25 | 26 | return self.state.solver.BVV(out_str.size()//8, self.state.arch.bits) 27 | 28 | 29 | -------------------------------------------------------------------------------- /analysis/simprocedure/vul_strcat.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sun Feb 14 10:07:03 2021 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | import angr,claripy 9 | 10 | class _strcat_vul(angr.SimProcedure): 11 | def run(self,dst_addr, src_addr): 12 | strlen = angr.SIM_PROCEDURES['libc']['strlen'] 13 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy'] 14 | 15 | hist_addr=self.state.history.bbl_addrs.hardcopy 16 | self.state.globals['block_addr']=hist_addr 17 | 18 | src_len = self.inline_call(strlen, src_addr).ret_expr 19 | dst_len = self.inline_call(strlen, dst_addr).ret_expr 20 | 21 | mem_src=self.state.memory.load(src_addr,10) 22 | if self.state.solver.symbolic(mem_src) ==False: 23 | value=self.state.mem[src_addr.to_claripy()].string.concrete.decode('ascii') 24 | self.state.globals['extra_const'].append(('strcat',dst_len,len(value))) 25 | else: 26 | if isinstance(dst_len,angr.state_plugins.sim_action_object.SimActionObject): 27 | dst_len=dst_len.to_claripy() 28 | self.state.globals['extra_const'].append(('strcat',dst_len,src_len)) 29 | self.inline_call(memcpy, dst_addr + dst_len, src_addr,src_len+1) 30 | 31 | return dst_addr 32 | 33 | 34 | -------------------------------------------------------------------------------- /analysis/simprocedure/vul_strcpy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sun Feb 14 10:07:03 2021 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | import angr,claripy 9 | 10 | class _strcpy_vul(angr.SimProcedure): 11 | def run(self,dst_addr, src_addr): 12 | strlen = angr.SIM_PROCEDURES['libc']['strlen'] 13 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy'] 14 | 15 | hist_addr=self.state.history.bbl_addrs.hardcopy 16 | self.state.globals['block_addr']=hist_addr 17 | 18 | src_len = self.inline_call(strlen, src_addr).ret_expr 19 | 20 | mem_src=self.state.memory.load(src_addr,10) 21 | if self.state.solver.symbolic(mem_src) ==False: 22 | value=self.state.mem[src_addr.to_claripy()].string.concrete.decode('ascii','replace') 23 | self.state.globals['extra_const'].append(value) 24 | else: 25 | self.state.globals['extra_const'].append(src_len) 26 | 27 | print(self.state.globals['extra_const']) 28 | self.inline_call(memcpy, dst_addr, src_addr,src_len+1) 29 | 30 | return dst_addr 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /analysis/simprocedure/vul_strncat.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sun Feb 14 10:07:03 2021 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | import angr,claripy 9 | 10 | class _strncat_vul(angr.SimProcedure): 11 | def run(self,dst_addr, src_addr ,limit): 12 | strlen = angr.SIM_PROCEDURES['libc']['strlen'] 13 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy'] 14 | 15 | hist_addr=self.state.history.bbl_addrs.hardcopy 16 | self.state.globals['block_addr']=hist_addr 17 | 18 | if self.state.solver.symbolic(limit) ==False: 19 | limit=self.state.solver.eval(limit.to_claripy()) 20 | else: 21 | limit=limit.to_claripy() 22 | 23 | con_res=['strncat',limit] 24 | 25 | self.state.globals['extra_const'].append(tuple(con_res)) 26 | 27 | self.inline_call(memcpy, dst_addr, src_addr,limit) 28 | 29 | return dst_addr 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /analysis/simprocedure/vul_strncpy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sun Feb 14 10:07:03 2021 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | import angr,claripy 9 | 10 | class _strncpy_vul(angr.SimProcedure): 11 | def run(self,dst_addr, src_addr ,limit): 12 | strlen = angr.SIM_PROCEDURES['libc']['strlen'] 13 | memcpy = angr.SIM_PROCEDURES['libc']['memcpy'] 14 | 15 | hist_addr=self.state.history.bbl_addrs.hardcopy 16 | self.state.globals['block_addr']=hist_addr 17 | 18 | if self.state.solver.symbolic(limit) ==False: 19 | limit=self.state.solver.eval(limit.to_claripy()) 20 | else: 21 | limit=limit.to_claripy() 22 | 23 | con_res=['strncpy',limit] 24 | 25 | self.state.globals['extra_const'].append(tuple(con_res)) 26 | 27 | self.inline_call(memcpy, dst_addr, src_addr,limit) 28 | 29 | return dst_addr 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /analysis/simprocedure/wcslen.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Created on Sun Feb 14 10:07:03 2021 5 | 6 | @author: Sara Baradaran, Mahdi Heidari, Ali Kamali 7 | """ 8 | import angr 9 | 10 | class wcslen(angr.SimProcedure): 11 | def run(self, s): 12 | print('in wcslen') 13 | f=angr.SIM_PROCEDURES['libc']['strlen'] 14 | self.state.globals['iswchar']=True 15 | re = self.inline_call(f,s,wchar=True).ret_expr 16 | return re 17 | -------------------------------------------------------------------------------- /analysis/tar3/bin/tar3.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/bin/tar3.exe -------------------------------------------------------------------------------- /analysis/tar3/bin/xval.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/bin/xval.exe -------------------------------------------------------------------------------- /analysis/tar3/doc/02itar2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/02itar2.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/02metrics.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/02metrics.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/02moreodc.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/02moreodc.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/02pairprog.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/02pairprog.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/02re02.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/02re02.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/02sereuse.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/02sereuse.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/02trust.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/02trust.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/TAR2intro.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/TAR2intro.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/TAR3Manual.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/TAR3Manual.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/ch4-TAR3.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/ch4-TAR3.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/itarv2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/itarv2.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/kdd.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/kdd.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/lazyagents.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/lazyagents.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/mbtar.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/mbtar.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/ml4re.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/ml4re.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/soft.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/soft.pdf -------------------------------------------------------------------------------- /analysis/tar3/doc/truisms.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/doc/truisms.pdf -------------------------------------------------------------------------------- /analysis/tar3/sample/data.cfg: -------------------------------------------------------------------------------- 1 | granularity: 4 2 | maxNumber: 10 3 | minSize: 1 4 | maxSize: 2 5 | randomTrials: 100 6 | futileTrials: 30 7 | bestClass : 62% 8 | -------------------------------------------------------------------------------- /analysis/tar3/sample/data.data: -------------------------------------------------------------------------------- 1 | 50,50,good 2 | 116,102,good 3 | 119,111,good 4 | 82,81,good 5 | 54,54,good 6 | 78,86,good 7 | 55,49,good 8 | 85,81,good 9 | 116,116,good 10 | -------------------------------------------------------------------------------- /analysis/tar3/sample/data.names: -------------------------------------------------------------------------------- 1 | |Class: 2 | bad,good 3 | 4 | |Attributes : 4 5 | 6 | NOW 7 | 8 | CHANGES 9 | 10 | SCORE 11 | 4,8 12 | -------------------------------------------------------------------------------- /analysis/tar3/sample/golf.cfg: -------------------------------------------------------------------------------- 1 | granularity: 4 2 | maxNumber: 10 3 | minSize: 1 4 | maxSize: 4 5 | randomTrials: 100 6 | futileTrials: 30 7 | bestClass : 42% 8 | -------------------------------------------------------------------------------- /analysis/tar3/sample/golf.data: -------------------------------------------------------------------------------- 1 | Sunny,85,86,False,None 2 | Sunny,80,90,True,None 3 | Sunny,72,95,False,None 4 | Rain,65,70,True,None 5 | Rain,65,70,True,None 6 | Rain,70,96,False,Some 7 | Rain,68,80,False,Some 8 | Rain,75,80,False,Some 9 | Sunny,69,70,False,Lots 10 | Sunny,75,70,True,Lots 11 | Overcast,83,88,False,Lots 12 | Overcast,64,65,True,Lots 13 | Overcast,72,90,True,Lots 14 | Overcast,81,75,False,Lots 15 | -------------------------------------------------------------------------------- /analysis/tar3/sample/golf.names: -------------------------------------------------------------------------------- 1 | |Class: 2 | None,Some,Lots 3 | 4 | |Attributes : 4 5 | Outlook:Sunny,Rain,Overcast 6 | Temp:continuous 7 | Humidity:continuous 8 | Windy:True,False 9 | 10 | NOW 11 | Outlook:true 12 | Temp:true 13 | Humidity:true 14 | Windy:true 15 | 16 | CHANGES 17 | Outlook:true 18 | Temp:true 19 | Humidity:true 20 | Windy:True 21 | 22 | SCORE 23 | 2,4,8 24 | -------------------------------------------------------------------------------- /analysis/tar3/sample/shadow.cfg: -------------------------------------------------------------------------------- 1 | granularity: 4 2 | maxNumber: 10 3 | minSize: 1 4 | maxSize: 4 5 | randomTrials: 100 6 | futileTrials: 30 7 | bestClass : 42% 8 | -------------------------------------------------------------------------------- /analysis/tar3/sample/shadow.data: -------------------------------------------------------------------------------- 1 | -72,118,6285986842816126458,082259467843261318,good 2 | -193,1,786864510225301167,53696684562121602270,bad 3 | 133,49,41168486242589526421,4112870881966486,bad 4 | -26,7,4220393476054403851,7026012411366343640,bad 5 | 101,-37,13489267505555475059,86991058312657543,bad 6 | -30,58,1866604664826342119,1222448726443874325,good 7 | -162,115,77681786442656674666,66515868466913177,bad 8 | 34,-22,25607426788273231931,65222977817613118728,bad 9 | 89,-83,23124732786685151760,186013874751315689,bad 10 | 6,-53,7489285160257428766,36601143883850794542,bad 11 | 29,8,20401077168048538049,2737323460184555815,good 12 | -9,4,52232514676559865760,7966395729776562362,bad 13 | -9,15,3750349147836726565,6447914459684835263,bad 14 | -45,-51,82819152545469282083,4115239462171911635,bad 15 | -81,-109,44478691377037291126,2133793083749892176,bad 16 | -95,-78,3313582679337113567,6672569119268250387,good 17 | -75,-59,21508137401131848839,105640856585802829,bad 18 | -29,-105,32289130365628375871,3518196921678794272,bad 19 | 55,15,44241612126538448423,77103068606792143334,bad 20 | 33,-41,63794469806667322540,2241315559181783362,bad 21 | 60,-67,29201444592479776441,114076836451675124,good 22 | 69,-50,5464326964129025371,286001690536847765,bad 23 | -76,-256,8824704271843706016,6885387594253428,bad 24 | 103,-62,17743273786149118034,915780411271173763,bad 25 | -55,63,7933661541332436917,15701185266638582216,bad 26 | 36,-26,5552756665437484418,6527491511186503639,good 27 | -91,-99,1458453906418548583,27141377444228531660,bad 28 | 57,228,3971642883583842875,316141371891165149,bad 29 | 5,-186,86196237642782863846,32501087535754709086,bad 30 | -1,102,886119121622402163,76446937525253854643,bad 31 | -------------------------------------------------------------------------------- /analysis/tar3/sample/shadow.names: -------------------------------------------------------------------------------- 1 | |Class: 2 | bad,good 3 | 4 | |Attributes : 4 5 | var_1:continuous 6 | var_2:continuous 7 | var_3:continuous 8 | var_4:continuous 9 | 10 | NOW 11 | var_1:true 12 | var_2:true 13 | var_3:true 14 | var_4:true 15 | 16 | CHANGES 17 | var_1:true 18 | var_2:true 19 | var_3:true 20 | var_4:true 21 | 22 | SCORE 23 | 4,8 24 | -------------------------------------------------------------------------------- /analysis/tar3/sample/tar3.bat: -------------------------------------------------------------------------------- 1 | ..\bin\tar3.exe iris > iris.out 2 | 3 | -------------------------------------------------------------------------------- /analysis/tar3/sample/xval.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | ..\bin\xval.exe ..\bin\tar3.exe iris 10 4 | 5 | echo on -------------------------------------------------------------------------------- /analysis/tar3/sample/xval_usage.txt: -------------------------------------------------------------------------------- 1 | xval usage: 2 | 3 | xval is now compatible with both tar2(v2.2) and tar3(tar2r version) 4 | 5 | Command line parameters: 6 | xval -p filestem N: perform datafile split on filestem.data 7 | xval tar2 filestem N: N-way validation with tar2 on filestem 8 | xval tar2r filestem N: N-way validation with tar2r on filestem 9 | 10 | Specify path for tar2/tar2r/filestem if they are in different folders. 11 | 12 | exp: 13 | c:\prog\xvalnew\debug\xval.exe c:\prog\tar2r\debug\tar2.exe iris 10 14 | (path for xval) (path for tar2) (filestem=iris) (N=10) 15 | 16 | A easy way to perform the xval trial is to copy tar2.exe and xval.exe and 17 | all the data files into the same the directory and issue the command: 18 | xval tar2 filestem N 19 | 20 | xval first splits the data file in to N .data file and N.test files, which results in: 21 | XDF[0..N-1].data 22 | XDF[0..N-1].test 23 | (Note: old xval results in XDF.data[0..N-1] and XDF.test[0..N-1] 24 | 25 | Then xval invokes tar2 or tar3 N times, generates N result files and one summary file. 26 | 27 | After done, it automatically delete XDF*.data and XDF*.test 28 | 29 | -------------------------------------------------------------------------------- /analysis/tar3/source/tar3/defns.h: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | 10 | #define false 0 11 | #define true 1 12 | #define Nil 0 13 | #define Unknown -999 /* must be int */ 14 | #define Invalid -998 /* must be int */ 15 | 16 | #define Max(a,b) ((a)>(b)? a:b) 17 | #define Min(a,b) ((a)<(b)? a:b) 18 | #define Round(x) ((int) (x+0.5)) 19 | 20 | #define ForEach(v,f,l) for(v=f;v<=l;++v) 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /analysis/tar3/source/tar3/extern.h: -------------------------------------------------------------------------------- 1 | /*****************************************/ 2 | /* Global data declaration */ 3 | /* ----------------------- */ 4 | /*****************************************/ 5 | 6 | extern short MaxAtt, /* max att number */ 7 | MaxClass, /* max class number */ 8 | *MaxAttVal, /* number of values for each att */ 9 | *MaxAttNow, /* number of values for each att in Now */ 10 | *MaxAttChg; /* number of values for each att in Changes*/ 11 | 12 | extern long MaxItem; /* max data item number */ 13 | 14 | extern int MaxTreat, /* max treatment number */ 15 | TreatSetSpace, /* space allocated to TreatSet*/ 16 | MaxDistSet, /* max DistSet number */ 17 | MaxFailedRx, /* max FailedTreatSet number */ 18 | FailedRxSpace; /* space allocated to FailedRx */ 19 | 20 | 21 | extern BandInfo *AttBand; /* band info for each attribute */ 22 | 23 | extern Description *Item; /* data items */ 24 | 25 | extern DistItem *DistSet; /* deltaf distribution set */ 26 | 27 | extern TreatItem *TreatSet, /* treatment set */ 28 | *FailedRx; /* failed treatment set */ 29 | 30 | extern String *ClassName, /* class names */ 31 | *AttName, /* att names */ 32 | **AttValName, /* att value names */ 33 | **AttValNow, /* att value names in Now */ 34 | **AttValChg, /* att value names in Changes */ 35 | FileName; /* family name of files */ 36 | 37 | extern float Baseline, /* the baseline worth */ 38 | MinWorth; /* the baseline worth */ 39 | 40 | extern Boolean ReverseClass; /* flag of class order */ 41 | 42 | 43 | /*****************************************/ 44 | /* Global parameter declaration */ 45 | /* ---------------------------- */ 46 | /*****************************************/ 47 | 48 | extern short Granularity; /* parameter indicate the percentile bands */ 49 | 50 | extern float Step, /* step factor for the score function */ 51 | Skew; /* option for skew/not skew the worth */ 52 | extern int MaxTreatNum, /* maximum treatment number */ 53 | MinTreatSize, /* minimum treatment size */ 54 | MaxTreatSize, /* maximum treatment size */ 55 | FutileTrials, /* maximum successive futile trials allowed */ 56 | RandomTrials; /* number of random trials conducted */ -------------------------------------------------------------------------------- /analysis/tar3/source/tar3/global.h: -------------------------------------------------------------------------------- 1 | /*****************************************/ 2 | /* Global data definition */ 3 | /* ----------------------- */ 4 | /*****************************************/ 5 | 6 | short MaxAtt, /* max att number */ 7 | MaxClass, /* max class number */ 8 | *MaxAttVal, /* number of values for each att */ 9 | *MaxAttNow, /* number of values for each att in Now */ 10 | *MaxAttChg; /* number of values for each att in Changes */ 11 | 12 | long MaxItem; /* max data item number */ 13 | int MaxTreat, /* max treatment number */ 14 | TreatSetSpace, /* space allocated to TreatSet*/ 15 | MaxDistSet, /* max DistSet number */ 16 | MaxFailedRx, /* max FailedTreatSet number */ 17 | FailedRxSpace; /* space allocated to FailedRx */ 18 | 19 | BandInfo *AttBand; /* band info for each attribute */ 20 | 21 | Description *Item; /* data items */ 22 | 23 | TreatItem *TreatSet, /* treatment set */ 24 | *FailedRx; /* failed treatment set */ 25 | 26 | DistItem *DistSet; /* deltaf distribution set */ 27 | 28 | String *ClassName, /* class names */ 29 | *AttName, /* att names */ 30 | **AttValName, /* att value names */ 31 | **AttValNow, /* att value names in Now */ 32 | **AttValChg, /* att value names in Changes */ 33 | FileName; /* family name of files */ 34 | 35 | float Baseline, /* the baseline worth */ 36 | MinWorth; /* the baseline worth */ 37 | 38 | Boolean ReverseClass; /* flag of class order */ 39 | 40 | /*****************************************/ 41 | /* Global parameter definition */ 42 | /* --------------------------- */ 43 | /*****************************************/ 44 | 45 | short Granularity; /* parameter indicate the percentile bands */ 46 | 47 | float Step, /* step factor for the score function */ 48 | Skew; /* option for skew/not skew the worth */ 49 | 50 | int MaxTreatNum, /* maximum treatment number */ 51 | MinTreatSize, /* minimum treatment size */ 52 | MaxTreatSize, /* maximum treatment size */ 53 | FutileTrials, /* maximum successive futile trials allowed */ 54 | RandomTrials; /* number of random trials conducted */ -------------------------------------------------------------------------------- /analysis/tar3/source/tar3/sort.c: -------------------------------------------------------------------------------- 1 | #include "defns.h" 2 | #include "types.h" 3 | #include "extern.h" 4 | 5 | /* quicksort */ 6 | 7 | typedef float T; /* type of item to be sorted */ 8 | typedef long tblIndex; /* type of subscript */ 9 | 10 | #define compGT(a,b) (a > b) /* for ascending order */ 11 | 12 | /*********************************** 13 | * insertion sort array a[lb..ub] * 14 | ************************************/ 15 | void insertSort(T *a, tblIndex lb, tblIndex ub) 16 | { 17 | T t; 18 | tblIndex i, j; 19 | 20 | for (i = lb + 1; i <= ub; i++) 21 | { 22 | t = a[i]; 23 | 24 | /* Shift elements down until insertion point found. */ 25 | for (j = i-1; j >= lb && compGT(a[j], t); j--) 26 | a[j+1] = a[j]; 27 | 28 | /* insert */ 29 | a[j+1] = t; 30 | } 31 | } 32 | 33 | /******************************* 34 | * partition array a[lb..ub] * 35 | *******************************/ 36 | tblIndex partition(T *a, tblIndex lb, tblIndex ub) 37 | { 38 | T t, pivot; 39 | tblIndex i, j, p; 40 | 41 | /* select pivot and exchange with 1st element */ 42 | p = lb + ((ub - lb)>>1); 43 | pivot = a[p]; 44 | a[p] = a[lb]; 45 | 46 | /* sort lb+1..ub based on pivot */ 47 | i = lb; 48 | j = ub + 1; 49 | while (1) 50 | { 51 | while (j > i && compGT(a[--j], pivot)); 52 | while (i < j && compGT(pivot, a[++i])); 53 | if (i >= j) break; 54 | 55 | /* swap a[i], a[j] */ 56 | t = a[i]; 57 | a[i] = a[j]; 58 | a[j] = t; 59 | } 60 | 61 | /* pivot belongs in a[j] */ 62 | a[lb] = a[j]; 63 | a[j] = pivot; 64 | 65 | return j; 66 | } 67 | 68 | /****************************** 69 | * quicksort array a[lb..ub] * 70 | *******************************/ 71 | void quickSort(T *a, tblIndex lb, tblIndex ub) 72 | { 73 | tblIndex m; 74 | 75 | while (lb < ub) 76 | { 77 | 78 | /* quickly sort short lists */ 79 | if (ub - lb <= 12) 80 | { 81 | insertSort(a, lb, ub); 82 | return; 83 | } 84 | 85 | /* partition into two segments */ 86 | m = partition (a, lb, ub); 87 | 88 | /* sort the smallest partition */ 89 | /* to minimize stack requirements */ 90 | if (m - lb <= ub - m) 91 | { 92 | quickSort(a, lb, m - 1); 93 | lb = m + 1; 94 | } 95 | else 96 | { 97 | quickSort(a, m + 1, ub); 98 | ub = m - 1; 99 | } 100 | } 101 | } 102 | 103 | -------------------------------------------------------------------------------- /analysis/tar3/source/tar3/tar3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/source/tar3/tar3 -------------------------------------------------------------------------------- /analysis/tar3/source/tar3/types.h: -------------------------------------------------------------------------------- 1 | typedef char Boolean, *String; 2 | 3 | typedef union _attribute_value 4 | { 5 | short _discr_val; 6 | float _cont_val; 7 | } 8 | AttValue, *Description; 9 | 10 | #define CVal(Case,Attribute) Case[Attribute]._cont_val 11 | #define DVal(Case,Attribute) Case[Attribute]._discr_val 12 | #define Class(Case) Case[MaxAtt+1]._discr_val 13 | 14 | typedef struct _band 15 | { 16 | int _continuous; 17 | int _maxband; 18 | float* _min; 19 | float* _max; 20 | } BandInfo; 21 | 22 | typedef struct _candidate /* one candidate item = one attribute range */ 23 | { 24 | int _att; 25 | int _val; 26 | } CandiItem; 27 | 28 | typedef struct _dist /* deltaf value for one candidate*/ 29 | { 30 | struct _candidate _candiItem; 31 | int _weight; 32 | double _CDF; 33 | Boolean _flag; 34 | } DistItem; 35 | 36 | typedef struct _treatment /* one treatment item = one candidate set */ 37 | { 38 | struct _candidate *_candiSet; 39 | int _num; 40 | float _worth_data; 41 | float _worth_test; 42 | } TreatItem; 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /analysis/tar3/source/tar3/xvalsum.c: -------------------------------------------------------------------------------- 1 | /************************************************/ 2 | /* */ 3 | /* Print out xval summary */ 4 | /* -------------------------- */ 5 | /* */ 6 | /************************************************/ 7 | 8 | #include "defns.h" 9 | #include "types.h" 10 | #include "extern.h" 11 | 12 | 13 | /************************************************/ 14 | /* */ 15 | /* Fn is supposed to be "XDFxx" */ 16 | /* -------------------------- */ 17 | /* */ 18 | /************************************************/ 19 | 20 | void Summary(char* Fn) 21 | { 22 | int i,j,TrialNo,Size,Att,Val; 23 | char Tmp[20]; 24 | FILE *Nf; 25 | 26 | strcpy(Tmp, Fn+3); 27 | TrialNo = atoi(Tmp); 28 | 29 | if ( TrialNo == 0 ) 30 | { 31 | Nf = fopen( "XDFsum.out", "w" ); 32 | fprintf(Nf,"---------------------------------------------\n"); 33 | fprintf(Nf,"Summary of N-way cross validation experiments\n"); 34 | fprintf(Nf,"---------------------------------------------\n"); 35 | fprintf(Nf,"\tData file: %d cases * %d attributes\n\n",MaxItem+1,MaxAtt+1); 36 | fprintf(Nf,"\tParameter: granularity=%d\n",Granularity); 37 | fprintf(Nf,"\t maxNumber=%d\n",MaxTreatNum); 38 | fprintf(Nf,"\t minSize=%d\n",MinTreatSize); 39 | fprintf(Nf,"\t maxSize=%d\n",MaxTreatSize); 40 | fprintf(Nf,"\t randomTrials=%d\n",RandomTrials); 41 | fprintf(Nf,"\t futileTrials=%d\n",FutileTrials); 42 | fprintf(Nf,"\t bestClass=%5.2f%%\n",Skew*100); 43 | fprintf(Nf,"\n"); 44 | } 45 | else 46 | Nf = fopen( "XDFsum.out", "a" ); 47 | 48 | fprintf(Nf,"\n----- Trial %d: Treatments=%d -----",TrialNo,MaxTreat+1); 49 | ForEach(i, 0, MaxTreat) 50 | { 51 | fprintf(Nf,"\nworthOnData=%4f worthOnTest=%4f ",TreatSet[i]._worth_data,TreatSet[i]._worth_test); 52 | Size = TreatSet[i]._num; 53 | ForEach(j, 0, Size) 54 | { 55 | Att = TreatSet[i]._candiSet[j]._att; 56 | Val = TreatSet[i]._candiSet[j]._val; 57 | fprintf(Nf,"[%s=%s] ",AttName[Att],AttValName[Att][Val]); 58 | } 59 | } 60 | fprintf(Nf,"\n"); 61 | 62 | fclose(Nf); 63 | } -------------------------------------------------------------------------------- /analysis/tar3/source/xval/xval: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SoftwareSecurityLab/UbSym/22cd6807aa27027eee8c1bb0f28e6d87266ebb0e/analysis/tar3/source/xval/xval -------------------------------------------------------------------------------- /benchmarks_running.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | 4 | import argparse 5 | import claripy,angr,monkeyhex 6 | from analysis.CFGPartAnalysis import CFGPartAnalysis 7 | from analysis.simprocedure.vul_strcat import _strcat_vul 8 | from analysis.InitRun import InitRun 9 | from analysis.VTree import _VTree 10 | from analysis.VulAnalyzer import VulAnalyzer 11 | 12 | import sys, os 13 | sys.setrecursionlimit(2000) 14 | 15 | for i in range(1, 226): 16 | print('===================') 17 | print("| Program No.: " + str(i)) 18 | print('===================') 19 | proj=angr.Project('./tests/' + str(i),load_options={'auto_load_libs':False}) 20 | angr.AnalysesHub.register_default('CFGPartAnalysis',CFGPartAnalysis) 21 | angr.AnalysesHub.register_default('VTree',_VTree) 22 | angr.AnalysesHub.register_default('VulAnalyzer',VulAnalyzer) 23 | cfg_an=proj.analyses.CFGPartAnalysis() 24 | if (i >= 1 and i <= 90 ): 25 | checkType = 0 26 | elif (i >= 119 and i <= 206): 27 | checkType = 1 28 | elif (i >= 91 and i <= 118): 29 | checkType = 2 30 | elif (i >= 207 and i <= 225): 31 | checkType = 3 32 | 33 | an=proj.analyses.VulAnalyzer(cfg_an, checkType, False) 34 | if (i >= 1 and i <= 90 ): 35 | u = an.propOverflowUnits("HOF") 36 | elif (i >= 119 and i <= 206): 37 | u = an.propOverflowUnits("SOF") 38 | else: 39 | u = an.propWUnits() 40 | 41 | for unit in u: 42 | print("Test Unit : <{}>".format(unit)) 43 | proj=angr.Project('./tests/' + str(i),load_options={'auto_load_libs':False}) 44 | angr.AnalysesHub.register_default('CFGPartAnalysis',CFGPartAnalysis) 45 | angr.AnalysesHub.register_default('VTree',_VTree) 46 | angr.AnalysesHub.register_default('VulAnalyzer',VulAnalyzer) 47 | cfg_an=proj.analyses.CFGPartAnalysis() 48 | if (i >= 150 and i <= 152): 49 | an=proj.analyses.VulAnalyzer(cfg_an, checkType, False, 100, 180) 50 | elif (i >= 153 and i <= 172): 51 | an=proj.analyses.VulAnalyzer(cfg_an, checkType, False, 180, 180) 52 | else: 53 | an=proj.analyses.VulAnalyzer(cfg_an, checkType, False, 120, 130) 54 | 55 | if i in [12, 14, 15, 31, 33, 35, 51, 53, 55, 87, 89, 90, 133, 134, 135, 150, 151, 152, 162, 172, 187, 188, 189, 204, 205, 206]: 56 | prototype = 'void ' + unit + '(char*, char*)' 57 | size = [0,180] 58 | else: 59 | prototype = 'void ' + unit + '(char*)' 60 | size = [180] 61 | if checkType < 2 : 62 | an.overflowAnalyze(prototype,args_index=[1],arg_sizes=size,buff_type=checkType) 63 | else : 64 | an.analyze(prototype,args_index=[1],arg_sizes=size,VulnType=checkType) 65 | print('\n\n') 66 | 67 | 68 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | ailment==9.0.9166 2 | angr==9.0.9166 3 | archinfo==9.0.9166 4 | bitstring==3.1.7 5 | cachetools==4.2.4 6 | capstone==4.0.2 7 | cffi==1.15.0 8 | claripy==9.0.9166 9 | cle==9.0.9166 10 | covertable==2.0.1 11 | CppHeaderParser==2.7.4 12 | decorator==4.4.2 13 | dpkt==1.9.7.2 14 | future==0.18.2 15 | gitdb==4.0.9 16 | GitPython==3.1.18 17 | itanium-demangler==1.0 18 | monkeyhex==1.7.4 19 | mpmath==1.2.1 20 | mulpyplexer==0.9 21 | nampa==0.1.1 22 | networkx==2.5.1 23 | numpy==1.19.5 24 | pandas==1.1.5 25 | pefile==2021.9.3 26 | plumbum==1.7.2 27 | ply==3.11 28 | progressbar2==3.55.0 29 | protobuf==3.19.3 30 | psutil==5.9.0 31 | pycparser==2.21 32 | pyelftools==0.27 33 | PySMT==0.9.1.dev139 34 | python-dateutil==2.8.2 35 | python-utils==3.1.0 36 | pytz==2021.3 37 | pyvex==9.0.9166 38 | rpyc==5.0.1 39 | scipy==1.5.4 40 | six==1.16.0 41 | smmap==5.0.0 42 | sortedcontainers==2.4.0 43 | sympy==1.9 44 | typing_extensions==4.0.1 45 | unicorn==1.0.2rc4 46 | z3-solver==4.8.14.0 47 | -------------------------------------------------------------------------------- /run.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import claripy,angr,monkeyhex 5 | from analysis.CFGPartAnalysis import CFGPartAnalysis 6 | from analysis.simprocedure.vul_strcat import _strcat_vul 7 | from analysis.InitRun import InitRun 8 | from analysis.VTree import _VTree 9 | from analysis.VulAnalyzer import VulAnalyzer 10 | 11 | # 0 , 1 , 2 , 3 12 | CHECK_TYPE = ["HOF", "SOF", "DF", "UAF"] 13 | 14 | if __name__ == '__main__': 15 | parser = argparse.ArgumentParser() 16 | parser.add_argument("-b","--binary",help="The Name of Binary File You Want to Analyze",required=True) 17 | parser.add_argument("-t","--type", help="UbSym's type", choices=CHECK_TYPE, default="HOF",required=True) 18 | parser.add_argument("-p","--prototype",help="The Prototype of Test Unit You Want to Analyze",required=False) 19 | parser.add_argument("-a","--args",help="The Size of Test Unit Arguments",required=False) 20 | parser.add_argument("-s","--sizes",help="The Indexes of Argv Passed to The Test Unit As Function Arguments",required=False) 21 | parser.add_argument("-BUF_SYM","--buffer_symbolic_size",help="The Size of Symbolic Buffer",required=False) 22 | parser.add_argument("-SOLO","--solo_mode", help="VTree solo mode if disable dive into inner functions", action='store_true', default=False, required=False) 23 | args = parser.parse_args() 24 | 25 | args_index=[] 26 | if args.args : 27 | args_index=list(map(int,args.args.split(','))) 28 | 29 | args_sizes=[] 30 | max_str_len=100 31 | if args.sizes : 32 | args_sizes=list(map(int,args.sizes.split(','))) 33 | max_str_len = max(args_sizes) 34 | 35 | flag=True 36 | if args.prototype is None: 37 | flag=False 38 | 39 | checkType = CHECK_TYPE.index(args.type) 40 | 41 | proj=angr.Project(args.binary,load_options={'auto_load_libs':False}) 42 | angr.AnalysesHub.register_default('CFGPartAnalysis',CFGPartAnalysis) 43 | angr.AnalysesHub.register_default('VTree',_VTree) 44 | angr.AnalysesHub.register_default('VulAnalyzer',VulAnalyzer) 45 | cfg_an=proj.analyses.CFGPartAnalysis() 46 | an=proj.analyses.VulAnalyzer(cfg_an, checkType, args.solo_mode, args.buffer_symbolic_size, max_str_len) 47 | 48 | 49 | if flag: 50 | if checkType < 2 : 51 | an.overflowAnalyze(args.prototype,args_index=args_index,arg_sizes=args_sizes,buff_type=checkType) 52 | else : 53 | an.analyze(args.prototype,args_index=args_index,arg_sizes=args_sizes,VulnType=checkType) 54 | else: 55 | if checkType == 0 : 56 | an.propOverflowUnits("HOF") 57 | elif checkType == 1 : 58 | an.propOverflowUnits("SOF") 59 | else : 60 | an.propWUnits() 61 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memcpy 12 | * BadSink : Copy string to data using memcpy 13 | * Flow Variant: 01 Baseline 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | data[0] = '\0'; /* null terminate */ 32 | { 33 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | memcpy(data, source, strlen(source)*sizeof(char)); 38 | } 39 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 40 | printLine(data); 41 | } 42 | } 43 | 44 | #endif /* OMITBAD */ 45 | 46 | #ifndef OMITGOOD 47 | 48 | /* goodG2B uses the GoodSource with the BadSink */ 49 | static void goodG2B(char * source) 50 | { 51 | char * data; 52 | char dataBadBuffer[50]; 53 | char dataGoodBuffer[100]; 54 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 55 | data = dataGoodBuffer; 56 | data[0] = '\0'; /* null terminate */ 57 | { 58 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 59 | memcpy(data, source, 100*sizeof(char)); 60 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 61 | printLine(data); 62 | } 63 | } 64 | 65 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01_good(char * source) 66 | { 67 | goodG2B(source); 68 | } 69 | 70 | #endif /* OMITGOOD */ 71 | 72 | /* Below is the main(). It is only used when building this testcase on 73 | * its own for testing or for building a binary to use in testing binary 74 | * analysis tools. It is not used when compiling all the testcases as one 75 | * application, which is how source code analysis tools are tested. 76 | */ 77 | 78 | 79 | 80 | int main(int argc, char * argv[]) 81 | { 82 | /* seed randomness */ 83 | srand( (unsigned)time(NULL) ); 84 | #ifndef OMITGOOD 85 | printLine("Calling good()..."); 86 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01_good(argv[1]); 87 | printLine("Finished good()"); 88 | #endif /* OMITGOOD */ 89 | #ifndef OMITBAD 90 | printLine("Calling bad()..."); 91 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01_bad(argv[1]); 92 | printLine("Finished bad()"); 93 | #endif /* OMITBAD */ 94 | return 0; 95 | } 96 | 97 | 98 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_16.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_16.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-16.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memcpy 12 | * BadSink : Copy string to data using memcpy 13 | * Flow Variant: 16 Control flow: while(1) 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_16_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | while(1) 29 | { 30 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 31 | * buffer in various memory copying functions using a "large" source buffer. */ 32 | data = dataBadBuffer; 33 | data[0] = '\0'; /* null terminate */ 34 | break; 35 | } 36 | { 37 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 38 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 39 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 40 | { 41 | memcpy(data, source, strlen(source)*sizeof(char)); 42 | } 43 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 44 | printLine(data); 45 | } 46 | } 47 | 48 | #endif /* OMITBAD */ 49 | 50 | #ifndef OMITGOOD 51 | 52 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */ 53 | static void goodG2B(char * source) 54 | { 55 | char * data; 56 | char dataBadBuffer[50]; 57 | char dataGoodBuffer[100]; 58 | while(1) 59 | { 60 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 61 | data = dataGoodBuffer; 62 | data[0] = '\0'; /* null terminate */ 63 | break; 64 | } 65 | { 66 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 67 | memcpy(data, source, 100*sizeof(char)); 68 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 69 | printLine(data); 70 | } 71 | } 72 | 73 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_16_good(char * source) 74 | { 75 | goodG2B(source); 76 | } 77 | 78 | #endif /* OMITGOOD */ 79 | 80 | /* Below is the main(). It is only used when building this testcase on 81 | * its own for testing or for building a binary to use in testing binary 82 | * analysis tools. It is not used when compiling all the testcases as one 83 | * application, which is how source code analysis tools are tested. 84 | */ 85 | 86 | 87 | 88 | int main(int argc, char * argv[]) 89 | { 90 | /* seed randomness */ 91 | srand( (unsigned)time(NULL) ); 92 | #ifndef OMITGOOD 93 | printLine("Calling good()..."); 94 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_16_good(argv[1]); 95 | printLine("Finished good()"); 96 | #endif /* OMITGOOD */ 97 | #ifndef OMITBAD 98 | printLine("Calling bad()..."); 99 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_16_bad(argv[1]); 100 | printLine("Finished bad()"); 101 | #endif /* OMITBAD */ 102 | return 0; 103 | } 104 | 105 | 106 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_17.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_17.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-17.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memcpy 12 | * BadSink : Copy string to data using memcpy 13 | * Flow Variant: 17 Control flow: for loops 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_17_bad(char * source) 24 | { 25 | int i; 26 | char * data; 27 | char dataBadBuffer[50]; 28 | char dataGoodBuffer[100]; 29 | for(i = 0; i < 1; i++) 30 | { 31 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 32 | * buffer in various memory copying functions using a "large" source buffer. */ 33 | data = dataBadBuffer; 34 | data[0] = '\0'; /* null terminate */ 35 | } 36 | { 37 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 38 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 39 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 40 | { 41 | memcpy(data, source, strlen(source)*sizeof(char)); 42 | } 43 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 44 | printLine(data); 45 | } 46 | } 47 | 48 | #endif /* OMITBAD */ 49 | 50 | #ifndef OMITGOOD 51 | 52 | /* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */ 53 | static void goodG2B(char * source) 54 | { 55 | int h; 56 | char * data; 57 | char dataBadBuffer[50]; 58 | char dataGoodBuffer[100]; 59 | for(h = 0; h < 1; h++) 60 | { 61 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 62 | data = dataGoodBuffer; 63 | data[0] = '\0'; /* null terminate */ 64 | } 65 | { 66 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 67 | memcpy(data, source, 100*sizeof(char)); 68 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 69 | printLine(data); 70 | } 71 | } 72 | 73 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_17_good(char * source) 74 | { 75 | goodG2B(source); 76 | } 77 | 78 | #endif /* OMITGOOD */ 79 | 80 | /* Below is the main(). It is only used when building this testcase on 81 | * its own for testing or for building a binary to use in testing binary 82 | * analysis tools. It is not used when compiling all the testcases as one 83 | * application, which is how source code analysis tools are tested. 84 | */ 85 | 86 | 87 | 88 | int main(int argc, char * argv[]) 89 | { 90 | /* seed randomness */ 91 | srand( (unsigned)time(NULL) ); 92 | #ifndef OMITGOOD 93 | printLine("Calling good()..."); 94 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_17_good(argv[1]); 95 | printLine("Finished good()"); 96 | #endif /* OMITGOOD */ 97 | #ifndef OMITBAD 98 | printLine("Calling bad()..."); 99 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_17_bad(argv[1]); 100 | printLine("Finished bad()"); 101 | #endif /* OMITBAD */ 102 | return 0; 103 | } 104 | 105 | 106 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_18.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_18.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-18.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memcpy 12 | * BadSink : Copy string to data using memcpy 13 | * Flow Variant: 18 Control flow: goto statements 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_18_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | goto source; 29 | source: 30 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 31 | * buffer in various memory copying functions using a "large" source buffer. */ 32 | data = dataBadBuffer; 33 | data[0] = '\0'; /* null terminate */ 34 | { 35 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 36 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 37 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 38 | { 39 | memcpy(data, source, strlen(source)*sizeof(char)); 40 | } 41 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 42 | printLine(data); 43 | } 44 | } 45 | 46 | #endif /* OMITBAD */ 47 | 48 | #ifndef OMITGOOD 49 | 50 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */ 51 | static void goodG2B(char * source) 52 | { 53 | char * data; 54 | char dataBadBuffer[50]; 55 | char dataGoodBuffer[100]; 56 | goto source; 57 | source: 58 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 59 | data = dataGoodBuffer; 60 | data[0] = '\0'; /* null terminate */ 61 | { 62 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 63 | memcpy(data, source, 100*sizeof(char)); 64 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 65 | printLine(data); 66 | } 67 | } 68 | 69 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_18_good(char * source) 70 | { 71 | goodG2B(source); 72 | } 73 | 74 | #endif /* OMITGOOD */ 75 | 76 | /* Below is the main(). It is only used when building this testcase on 77 | * its own for testing or for building a binary to use in testing binary 78 | * analysis tools. It is not used when compiling all the testcases as one 79 | * application, which is how source code analysis tools are tested. 80 | */ 81 | 82 | 83 | 84 | int main(int argc, char * argv[]) 85 | { 86 | /* seed randomness */ 87 | srand( (unsigned)time(NULL) ); 88 | #ifndef OMITGOOD 89 | printLine("Calling good()..."); 90 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_18_good(argv[1]); 91 | printLine("Finished good()"); 92 | #endif /* OMITGOOD */ 93 | #ifndef OMITBAD 94 | printLine("Calling bad()..."); 95 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_18_bad(argv[1]); 96 | printLine("Finished bad()"); 97 | #endif /* OMITBAD */ 98 | return 0; 99 | } 100 | 101 | 102 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67b.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67b.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-67b.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: memcpy 12 | * BadSink : Copy string to data using memcpy 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | typedef struct _CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67_structType 22 | { 23 | char * structFirst; 24 | } CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67_structType; 25 | 26 | #ifndef OMITBAD 27 | 28 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67b_badSink(CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67_structType myStruct, char * source) 29 | { 30 | char * data = myStruct.structFirst; 31 | { 32 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 33 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 34 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 35 | { 36 | memcpy(data, source, strlen(source)*sizeof(char)); 37 | } 38 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 39 | printLine(data); 40 | } 41 | } 42 | 43 | #endif /* OMITBAD */ 44 | 45 | #ifndef OMITGOOD 46 | 47 | /* goodG2B uses the GoodSource with the BadSink */ 48 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67b_goodG2BSink(CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_67_structType myStruct, char * source) 49 | { 50 | char * data = myStruct.structFirst; 51 | { 52 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 53 | memcpy(data, source, 100*sizeof(char)); 54 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 55 | printLine(data); 56 | } 57 | } 58 | 59 | #endif /* OMITGOOD */ 60 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_01.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memmove 12 | * BadSink : Copy string to data using memmove 13 | * Flow Variant: 01 Baseline 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_01_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | data[0] = '\0'; /* null terminate */ 32 | { 33 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | memmove(data, source, strlen(source)*sizeof(char)); 38 | } 39 | printLine(data); 40 | } 41 | } 42 | 43 | #endif /* OMITBAD */ 44 | 45 | #ifndef OMITGOOD 46 | 47 | /* goodG2B uses the GoodSource with the BadSink */ 48 | static void goodG2B(char * source) 49 | { 50 | char * data; 51 | char dataBadBuffer[50]; 52 | char dataGoodBuffer[100]; 53 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 54 | data = dataGoodBuffer; 55 | data[0] = '\0'; /* null terminate */ 56 | { 57 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 58 | memmove(data, source, 100*sizeof(char)); 59 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 60 | printLine(data); 61 | } 62 | } 63 | 64 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_01_good(char * source) 65 | { 66 | goodG2B(source); 67 | } 68 | 69 | #endif /* OMITGOOD */ 70 | 71 | /* Below is the main(). It is only used when building this testcase on 72 | * its own for testing or for building a binary to use in testing binary 73 | * analysis tools. It is not used when compiling all the testcases as one 74 | * application, which is how source code analysis tools are tested. 75 | */ 76 | 77 | 78 | 79 | int main(int argc, char * argv[]) 80 | { 81 | /* seed randomness */ 82 | srand( (unsigned)time(NULL) ); 83 | #ifndef OMITGOOD 84 | printLine("Calling good()..."); 85 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_01_good(argv[1]); 86 | printLine("Finished good()"); 87 | #endif /* OMITGOOD */ 88 | #ifndef OMITBAD 89 | printLine("Calling bad()..."); 90 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_01_bad(argv[1]); 91 | printLine("Finished bad()"); 92 | #endif /* OMITBAD */ 93 | return 0; 94 | } 95 | 96 | 97 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_16.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_16.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-16.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memmove 12 | * BadSink : Copy string to data using memmove 13 | * Flow Variant: 16 Control flow: while(1) 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_16_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | while(1) 29 | { 30 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 31 | * buffer in various memory copying functions using a "large" source buffer. */ 32 | data = dataBadBuffer; 33 | data[0] = '\0'; /* null terminate */ 34 | break; 35 | } 36 | { 37 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 38 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 39 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 40 | { 41 | memmove(data, source, strlen(source)*sizeof(char)); 42 | } 43 | printLine(data); 44 | } 45 | } 46 | 47 | #endif /* OMITBAD */ 48 | 49 | #ifndef OMITGOOD 50 | 51 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */ 52 | static void goodG2B(char * source) 53 | { 54 | char * data; 55 | char dataBadBuffer[50]; 56 | char dataGoodBuffer[100]; 57 | while(1) 58 | { 59 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 60 | data = dataGoodBuffer; 61 | data[0] = '\0'; /* null terminate */ 62 | break; 63 | } 64 | { 65 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 66 | memmove(data, source, 100*sizeof(char)); 67 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 68 | printLine(data); 69 | } 70 | } 71 | 72 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_16_good(char * source) 73 | { 74 | goodG2B(source); 75 | } 76 | 77 | #endif /* OMITGOOD */ 78 | 79 | /* Below is the main(). It is only used when building this testcase on 80 | * its own for testing or for building a binary to use in testing binary 81 | * analysis tools. It is not used when compiling all the testcases as one 82 | * application, which is how source code analysis tools are tested. 83 | */ 84 | 85 | 86 | 87 | int main(int argc, char * argv[]) 88 | { 89 | /* seed randomness */ 90 | srand( (unsigned)time(NULL) ); 91 | #ifndef OMITGOOD 92 | printLine("Calling good()..."); 93 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_16_good(argv[1]); 94 | printLine("Finished good()"); 95 | #endif /* OMITGOOD */ 96 | #ifndef OMITBAD 97 | printLine("Calling bad()..."); 98 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_16_bad(argv[1]); 99 | printLine("Finished bad()"); 100 | #endif /* OMITBAD */ 101 | return 0; 102 | } 103 | 104 | 105 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_17.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_17.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-17.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memmove 12 | * BadSink : Copy string to data using memmove 13 | * Flow Variant: 17 Control flow: for loops 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_17_bad(char * source) 24 | { 25 | int i; 26 | char * data; 27 | char dataBadBuffer[50]; 28 | char dataGoodBuffer[100]; 29 | for(i = 0; i < 1; i++) 30 | { 31 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 32 | * buffer in various memory copying functions using a "large" source buffer. */ 33 | data = dataBadBuffer; 34 | data[0] = '\0'; /* null terminate */ 35 | } 36 | { 37 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 38 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 39 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 40 | { 41 | memmove(data, source, strlen(source)*sizeof(char)); 42 | } 43 | printLine(data); 44 | } 45 | } 46 | 47 | #endif /* OMITBAD */ 48 | 49 | #ifndef OMITGOOD 50 | 51 | /* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */ 52 | static void goodG2B(char * source) 53 | { 54 | int h; 55 | char * data; 56 | char dataBadBuffer[50]; 57 | char dataGoodBuffer[100]; 58 | for(h = 0; h < 1; h++) 59 | { 60 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 61 | data = dataGoodBuffer; 62 | data[0] = '\0'; /* null terminate */ 63 | } 64 | { 65 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 66 | memmove(data, source, 100*sizeof(char)); 67 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 68 | printLine(data); 69 | } 70 | } 71 | 72 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_17_good(char * source) 73 | { 74 | goodG2B(source); 75 | } 76 | 77 | #endif /* OMITGOOD */ 78 | 79 | /* Below is the main(). It is only used when building this testcase on 80 | * its own for testing or for building a binary to use in testing binary 81 | * analysis tools. It is not used when compiling all the testcases as one 82 | * application, which is how source code analysis tools are tested. 83 | */ 84 | 85 | 86 | 87 | int main(int argc, char * argv[]) 88 | { 89 | /* seed randomness */ 90 | srand( (unsigned)time(NULL) ); 91 | #ifndef OMITGOOD 92 | printLine("Calling good()..."); 93 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_17_good(argv[1]); 94 | printLine("Finished good()"); 95 | #endif /* OMITGOOD */ 96 | #ifndef OMITBAD 97 | printLine("Calling bad()..."); 98 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_17_bad(argv[1]); 99 | printLine("Finished bad()"); 100 | #endif /* OMITBAD */ 101 | return 0; 102 | } 103 | 104 | 105 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_18.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_18.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-18.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memmove 12 | * BadSink : Copy string to data using memmove 13 | * Flow Variant: 18 Control flow: goto statements 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_18_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | goto source; 29 | source: 30 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 31 | * buffer in various memory copying functions using a "large" source buffer. */ 32 | data = dataBadBuffer; 33 | data[0] = '\0'; /* null terminate */ 34 | { 35 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 36 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 37 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 38 | { 39 | memmove(data, source, strlen(source)*sizeof(char)); 40 | } 41 | printLine(data); 42 | } 43 | } 44 | 45 | #endif /* OMITBAD */ 46 | 47 | #ifndef OMITGOOD 48 | 49 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */ 50 | static void goodG2B(char * source) 51 | { 52 | char * data; 53 | char dataBadBuffer[50]; 54 | char dataGoodBuffer[100]; 55 | goto source; 56 | source: 57 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 58 | data = dataGoodBuffer; 59 | data[0] = '\0'; /* null terminate */ 60 | { 61 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 62 | memmove(data, source, 100*sizeof(char)); 63 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 64 | printLine(data); 65 | } 66 | } 67 | 68 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_18_good(char * source) 69 | { 70 | goodG2B(source); 71 | } 72 | 73 | #endif /* OMITGOOD */ 74 | 75 | /* Below is the main(). It is only used when building this testcase on 76 | * its own for testing or for building a binary to use in testing binary 77 | * analysis tools. It is not used when compiling all the testcases as one 78 | * application, which is how source code analysis tools are tested. 79 | */ 80 | 81 | 82 | 83 | int main(int argc, char * argv[]) 84 | { 85 | /* seed randomness */ 86 | srand( (unsigned)time(NULL) ); 87 | #ifndef OMITGOOD 88 | printLine("Calling good()..."); 89 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_18_good(argv[1]); 90 | printLine("Finished good()"); 91 | #endif /* OMITGOOD */ 92 | #ifndef OMITBAD 93 | printLine("Calling bad()..."); 94 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_18_bad(argv[1]); 95 | printLine("Finished bad()"); 96 | #endif /* OMITBAD */ 97 | return 0; 98 | } 99 | 100 | 101 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_31.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_31.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-31.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: memmove 12 | * BadSink : Copy string to data using memmove 13 | * Flow Variant: 31 Data flow using a copy of data within the same function 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_31_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | data[0] = '\0'; /* null terminate */ 32 | { 33 | char * dataCopy = data; 34 | char * data = dataCopy; 35 | { 36 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 37 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 38 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 39 | { 40 | memmove(data, source, strlen(source)*sizeof(char)); 41 | } 42 | printLine(data); 43 | } 44 | } 45 | } 46 | 47 | #endif /* OMITBAD */ 48 | 49 | #ifndef OMITGOOD 50 | 51 | /* goodG2B() uses the GoodSource with the BadSink */ 52 | static void goodG2B(char * source) 53 | { 54 | char * data; 55 | char dataBadBuffer[50]; 56 | char dataGoodBuffer[100]; 57 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 58 | data = dataGoodBuffer; 59 | data[0] = '\0'; /* null terminate */ 60 | { 61 | char * dataCopy = data; 62 | char * data = dataCopy; 63 | { 64 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 65 | memmove(data, source, 100*sizeof(char)); 66 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 67 | printLine(data); 68 | } 69 | } 70 | } 71 | 72 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_31_good(char * source) 73 | { 74 | goodG2B(source); 75 | } 76 | 77 | #endif /* OMITGOOD */ 78 | 79 | /* Below is the main(). It is only used when building this testcase on 80 | * its own for testing or for building a binary to use in testing binary 81 | * analysis tools. It is not used when compiling all the testcases as one 82 | * application, which is how source code analysis tools are tested. 83 | */ 84 | 85 | 86 | 87 | int main(int argc, char * argv[]) 88 | { 89 | /* seed randomness */ 90 | srand( (unsigned)time(NULL) ); 91 | #ifndef OMITGOOD 92 | printLine("Calling good()..."); 93 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_31_good(argv[1]); 94 | printLine("Finished good()"); 95 | #endif /* OMITGOOD */ 96 | #ifndef OMITBAD 97 | printLine("Calling bad()..."); 98 | CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_31_bad(argv[1]); 99 | printLine("Finished bad()"); 100 | #endif /* OMITBAD */ 101 | return 0; 102 | } 103 | 104 | 105 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67b.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67b.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml 4 | Template File: sources-sink-67b.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: memmove 12 | * BadSink : Copy string to data using memmove 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | typedef struct _CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67_structType 22 | { 23 | char * structFirst; 24 | } CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67_structType; 25 | 26 | #ifndef OMITBAD 27 | 28 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67b_badSink(CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67_structType myStruct, char * source) 29 | { 30 | char * data = myStruct.structFirst; 31 | { 32 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 33 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 34 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 35 | { 36 | memmove(data, source, strlen(source)*sizeof(char)); 37 | } 38 | printLine(data); 39 | } 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B uses the GoodSource with the BadSink */ 47 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67b_goodG2BSink(CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_67_structType myStruct, char * source) 48 | { 49 | char * data = myStruct.structFirst; 50 | { 51 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 52 | memmove(data, source, 100*sizeof(char)); 53 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 54 | printLine(data); 55 | } 56 | } 57 | 58 | #endif /* OMITGOOD */ 59 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_01.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memcpy 12 | * BadSink : Copy int array to data using memcpy 13 | * Flow Variant: 01 Baseline 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_01_bad(char * source) 22 | { 23 | int * data; 24 | int dataBadBuffer[20]; 25 | int dataGoodBuffer[40]; 26 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 27 | * buffer in various memory copying functions using a "large" source buffer. */ 28 | data = dataBadBuffer; 29 | { 30 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(source) */ 31 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 32 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 33 | { 34 | memcpy(data, source, strlen(source)*sizeof(char)); 35 | } 36 | printIntLine(data[0]); 37 | } 38 | } 39 | 40 | #endif /* OMITBAD */ 41 | 42 | #ifndef OMITGOOD 43 | 44 | /* goodG2B uses the GoodSource with the BadSink */ 45 | static void goodG2B(char * source) 46 | { 47 | int * data; 48 | int dataBadBuffer[20]; 49 | int dataGoodBuffer[40]; 50 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 51 | data = dataGoodBuffer; 52 | { 53 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 54 | memcpy(data, source, 40*sizeof(int)); 55 | printIntLine(data[0]); 56 | } 57 | } 58 | 59 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_01_good(char * source) 60 | { 61 | goodG2B(source); 62 | } 63 | 64 | #endif /* OMITGOOD */ 65 | 66 | /* Below is the main(). It is only used when building this testcase on 67 | * its own for testing or for building a binary to use in testing binary 68 | * analysis tools. It is not used when compiling all the testcases as one 69 | * application, which is how source code analysis tools are tested. 70 | */ 71 | 72 | 73 | 74 | int main(int argc, char * argv[]) 75 | { 76 | /* seed randomness */ 77 | srand( (unsigned)time(NULL) ); 78 | #ifndef OMITGOOD 79 | printLine("Calling good()..."); 80 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_01_good(argv[1]); 81 | printLine("Finished good()"); 82 | #endif /* OMITGOOD */ 83 | #ifndef OMITBAD 84 | printLine("Calling bad()..."); 85 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_01_bad(argv[1]); 86 | printLine("Finished bad()"); 87 | #endif /* OMITBAD */ 88 | return 0; 89 | } 90 | 91 | 92 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_16.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_16.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-16.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memcpy 12 | * BadSink : Copy int array to data using memcpy 13 | * Flow Variant: 16 Control flow: while(1) 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_16_bad(char * source) 22 | { 23 | int * data; 24 | int dataBadBuffer[20]; 25 | int dataGoodBuffer[40]; 26 | while(1) 27 | { 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | break; 32 | } 33 | { 34 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(source) */ 35 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 36 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 37 | { 38 | memcpy(data, source, strlen(source)*sizeof(char)); 39 | } 40 | printIntLine(data[0]); 41 | } 42 | } 43 | 44 | #endif /* OMITBAD */ 45 | 46 | #ifndef OMITGOOD 47 | 48 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */ 49 | static void goodG2B(char * source) 50 | { 51 | int * data; 52 | int dataBadBuffer[20]; 53 | int dataGoodBuffer[40]; 54 | while(1) 55 | { 56 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 57 | data = dataGoodBuffer; 58 | break; 59 | } 60 | { 61 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 62 | memcpy(data, source, 40*sizeof(int)); 63 | printIntLine(data[0]); 64 | } 65 | } 66 | 67 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_16_good(char * source) 68 | { 69 | goodG2B(source); 70 | } 71 | 72 | #endif /* OMITGOOD */ 73 | 74 | /* Below is the main(). It is only used when building this testcase on 75 | * its own for testing or for building a binary to use in testing binary 76 | * analysis tools. It is not used when compiling all the testcases as one 77 | * application, which is how source code analysis tools are tested. 78 | */ 79 | 80 | 81 | 82 | int main(int argc, char * argv[]) 83 | { 84 | /* seed randomness */ 85 | srand( (unsigned)time(NULL) ); 86 | #ifndef OMITGOOD 87 | printLine("Calling good()..."); 88 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_16_good(argv[1]); 89 | printLine("Finished good()"); 90 | #endif /* OMITGOOD */ 91 | #ifndef OMITBAD 92 | printLine("Calling bad()..."); 93 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_16_bad(argv[1]); 94 | printLine("Finished bad()"); 95 | #endif /* OMITBAD */ 96 | return 0; 97 | } 98 | 99 | 100 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_18.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_18.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-18.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memcpy 12 | * BadSink : Copy int array to data using memcpy 13 | * Flow Variant: 18 Control flow: goto statements 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_18_bad(char * source) 22 | { 23 | int * data; 24 | int dataBadBuffer[20]; 25 | int dataGoodBuffer[40]; 26 | goto source; 27 | source: 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | { 32 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(source) */ 33 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 34 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 35 | { 36 | memcpy(data, source, strlen(source)*sizeof(char)); 37 | } 38 | printIntLine(data[0]); 39 | } 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */ 47 | static void goodG2B(char * source) 48 | { 49 | int * data; 50 | int dataBadBuffer[20]; 51 | int dataGoodBuffer[40]; 52 | goto source; 53 | source: 54 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 55 | data = dataGoodBuffer; 56 | { 57 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 58 | memcpy(data, source, 40*sizeof(int)); 59 | printIntLine(data[0]); 60 | } 61 | } 62 | 63 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_18_good(char * source) 64 | { 65 | goodG2B(source); 66 | } 67 | 68 | #endif /* OMITGOOD */ 69 | 70 | /* Below is the main(). It is only used when building this testcase on 71 | * its own for testing or for building a binary to use in testing binary 72 | * analysis tools. It is not used when compiling all the testcases as one 73 | * application, which is how source code analysis tools are tested. 74 | */ 75 | 76 | 77 | 78 | int main(int argc, char * argv[]) 79 | { 80 | /* seed randomness */ 81 | srand( (unsigned)time(NULL) ); 82 | #ifndef OMITGOOD 83 | printLine("Calling good()..."); 84 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_18_good(argv[1]); 85 | printLine("Finished good()"); 86 | #endif /* OMITGOOD */ 87 | #ifndef OMITBAD 88 | printLine("Calling bad()..."); 89 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_18_bad(argv[1]); 90 | printLine("Finished bad()"); 91 | #endif /* OMITBAD */ 92 | return 0; 93 | } 94 | 95 | 96 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_31.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_31.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-31.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: memcpy 12 | * BadSink : Copy int array to data using memcpy 13 | * Flow Variant: 31 Data flow using a copy of data within the same function 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_31_bad(char * source) 22 | { 23 | int * data; 24 | int dataBadBuffer[20]; 25 | int dataGoodBuffer[40]; 26 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 27 | * buffer in various memory copying functions using a "large" source buffer. */ 28 | data = dataBadBuffer; 29 | { 30 | int * dataCopy = data; 31 | int * data = dataCopy; 32 | { 33 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(source) */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | memcpy(data, source, strlen(source)*sizeof(char)); 38 | } 39 | printIntLine(data[0]); 40 | } 41 | } 42 | } 43 | 44 | #endif /* OMITBAD */ 45 | 46 | #ifndef OMITGOOD 47 | 48 | /* goodG2B() uses the GoodSource with the BadSink */ 49 | static void goodG2B(char * source) 50 | { 51 | int * data; 52 | int dataBadBuffer[20]; 53 | int dataGoodBuffer[40]; 54 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 55 | data = dataGoodBuffer; 56 | { 57 | int * dataCopy = data; 58 | int * data = dataCopy; 59 | { 60 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 61 | memcpy(data, source, 40*sizeof(int)); 62 | printIntLine(data[0]); 63 | } 64 | } 65 | } 66 | 67 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_31_good(char * source) 68 | { 69 | goodG2B(source); 70 | } 71 | 72 | #endif /* OMITGOOD */ 73 | 74 | /* Below is the main(). It is only used when building this testcase on 75 | * its own for testing or for building a binary to use in testing binary 76 | * analysis tools. It is not used when compiling all the testcases as one 77 | * application, which is how source code analysis tools are tested. 78 | */ 79 | 80 | 81 | 82 | int main(int argc, char * argv[]) 83 | { 84 | /* seed randomness */ 85 | srand( (unsigned)time(NULL) ); 86 | #ifndef OMITGOOD 87 | printLine("Calling good()..."); 88 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_31_good(argv[1]); 89 | printLine("Finished good()"); 90 | #endif /* OMITGOOD */ 91 | #ifndef OMITBAD 92 | printLine("Calling bad()..."); 93 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_31_bad(argv[1]); 94 | printLine("Finished bad()"); 95 | #endif /* OMITBAD */ 96 | return 0; 97 | } 98 | 99 | 100 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-41.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memcpy 12 | * BadSink : Copy int array to data using memcpy 13 | * Flow Variant: 41 Data flow: data passed as an argument from one function to another in the same source file 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41_badSink(int * data, char * source) 22 | { 23 | { 24 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(activator) */ 25 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 26 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 27 | { 28 | memcpy(data, source, strlen(source)*sizeof(char)); 29 | } 30 | printIntLine(data[0]); 31 | } 32 | } 33 | 34 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41_bad(char * source) 35 | { 36 | int * data; 37 | int dataBadBuffer[20]; 38 | int dataGoodBuffer[40]; 39 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 40 | * buffer in various memory copying functions using a "large" source buffer. */ 41 | data = dataBadBuffer; 42 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41_badSink(data, source); 43 | } 44 | 45 | #endif /* OMITBAD */ 46 | 47 | #ifndef OMITGOOD 48 | 49 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41_goodG2BSink(int * data, char * source) 50 | { 51 | { 52 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 53 | memcpy(data, source, 40*sizeof(int)); 54 | printIntLine(data[0]); 55 | } 56 | } 57 | 58 | /* goodG2B uses the GoodSource with the BadSink */ 59 | static void goodG2B(char * source) 60 | { 61 | int * data; 62 | int dataBadBuffer[20]; 63 | int dataGoodBuffer[40]; 64 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 65 | data = dataGoodBuffer; 66 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41_goodG2BSink(data, source); 67 | } 68 | 69 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41_good(char * source) 70 | { 71 | goodG2B(source); 72 | } 73 | 74 | #endif /* OMITGOOD */ 75 | 76 | /* Below is the main(). It is only used when building this testcase on 77 | * its own for testing or for building a binary to use in testing binary 78 | * analysis tools. It is not used when compiling all the testcases as one 79 | * application, which is how source code analysis tools are tested. 80 | */ 81 | 82 | 83 | 84 | int main(int argc, char * argv[]) 85 | { 86 | /* seed randomness */ 87 | srand( (unsigned)time(NULL) ); 88 | #ifndef OMITGOOD 89 | printLine("Calling good()..."); 90 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41_good(argv[1]); 91 | printLine("Finished good()"); 92 | #endif /* OMITGOOD */ 93 | #ifndef OMITBAD 94 | printLine("Calling bad()..."); 95 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_41_bad(argv[1]); 96 | printLine("Finished bad()"); 97 | #endif /* OMITBAD */ 98 | return 0; 99 | } 100 | 101 | 102 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_01.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memmove 12 | * BadSink : Copy int array to data using memmove 13 | * Flow Variant: 01 Baseline 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_01_bad(char * source) 22 | { 23 | int * data; 24 | int dataBadBuffer[20]; 25 | int dataGoodBuffer[40]; 26 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 27 | * buffer in various memory copying functions using a "large" source buffer. */ 28 | data = dataBadBuffer; 29 | { 30 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(source) */ 31 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 32 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 33 | { 34 | memmove(data, source, strlen(source)*sizeof(char)); 35 | } 36 | printIntLine(data[0]); 37 | } 38 | } 39 | 40 | #endif /* OMITBAD */ 41 | 42 | #ifndef OMITGOOD 43 | 44 | /* goodG2B uses the GoodSource with the BadSink */ 45 | static void goodG2B(char * source) 46 | { 47 | int * data; 48 | int dataBadBuffer[20]; 49 | int dataGoodBuffer[40]; 50 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 51 | data = dataGoodBuffer; 52 | { 53 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 54 | memmove(data, source, 40*sizeof(int)); 55 | printIntLine(data[0]); 56 | } 57 | } 58 | 59 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_01_good(char * source) 60 | { 61 | goodG2B(source); 62 | } 63 | 64 | #endif /* OMITGOOD */ 65 | 66 | /* Below is the main(). It is only used when building this testcase on 67 | * its own for testing or for building a binary to use in testing binary 68 | * analysis tools. It is not used when compiling all the testcases as one 69 | * application, which is how source code analysis tools are tested. 70 | */ 71 | 72 | 73 | 74 | int main(int argc, char * argv[]) 75 | { 76 | /* seed randomness */ 77 | srand( (unsigned)time(NULL) ); 78 | #ifndef OMITGOOD 79 | printLine("Calling good()..."); 80 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_01_good(argv[1]); 81 | printLine("Finished good()"); 82 | #endif /* OMITGOOD */ 83 | #ifndef OMITBAD 84 | printLine("Calling bad()..."); 85 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_01_bad(argv[1]); 86 | printLine("Finished bad()"); 87 | #endif /* OMITBAD */ 88 | return 0; 89 | } 90 | 91 | 92 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_16.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_16.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-16.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memmove 12 | * BadSink : Copy int array to data using memmove 13 | * Flow Variant: 16 Control flow: while(1) 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_16_bad(char * source) 22 | { 23 | int * data; 24 | int dataBadBuffer[20]; 25 | int dataGoodBuffer[40]; 26 | while(1) 27 | { 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | break; 32 | } 33 | { 34 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(source) */ 35 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 36 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 37 | { 38 | memmove(data, source, strlen(source)*sizeof(char)); 39 | } 40 | printIntLine(data[0]); 41 | } 42 | } 43 | 44 | #endif /* OMITBAD */ 45 | 46 | #ifndef OMITGOOD 47 | 48 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */ 49 | static void goodG2B(char * source) 50 | { 51 | int * data; 52 | int dataBadBuffer[20]; 53 | int dataGoodBuffer[40]; 54 | while(1) 55 | { 56 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 57 | data = dataGoodBuffer; 58 | break; 59 | } 60 | { 61 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 62 | memmove(data, source, 40*sizeof(int)); 63 | printIntLine(data[0]); 64 | } 65 | } 66 | 67 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_16_good(char * source) 68 | { 69 | goodG2B(source); 70 | } 71 | 72 | #endif /* OMITGOOD */ 73 | 74 | /* Below is the main(). It is only used when building this testcase on 75 | * its own for testing or for building a binary to use in testing binary 76 | * analysis tools. It is not used when compiling all the testcases as one 77 | * application, which is how source code analysis tools are tested. 78 | */ 79 | 80 | 81 | 82 | int main(int argc, char * argv[]) 83 | { 84 | /* seed randomness */ 85 | srand( (unsigned)time(NULL) ); 86 | #ifndef OMITGOOD 87 | printLine("Calling good()..."); 88 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_16_good(argv[1]); 89 | printLine("Finished good()"); 90 | #endif /* OMITGOOD */ 91 | #ifndef OMITBAD 92 | printLine("Calling bad()..."); 93 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_16_bad(argv[1]); 94 | printLine("Finished bad()"); 95 | #endif /* OMITBAD */ 96 | return 0; 97 | } 98 | 99 | 100 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_18.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_18.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-18.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memmove 12 | * BadSink : Copy int array to data using memmove 13 | * Flow Variant: 18 Control flow: goto statements 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_18_bad(char * source) 22 | { 23 | int * data; 24 | int dataBadBuffer[20]; 25 | int dataGoodBuffer[40]; 26 | goto source; 27 | source: 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | { 32 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(source) */ 33 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 34 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 35 | { 36 | memmove(data, source, strlen(source)*sizeof(char)); 37 | } 38 | printIntLine(data[0]); 39 | } 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */ 47 | static void goodG2B(char * source) 48 | { 49 | int * data; 50 | int dataBadBuffer[20]; 51 | int dataGoodBuffer[40]; 52 | goto source; 53 | source: 54 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 55 | data = dataGoodBuffer; 56 | { 57 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 58 | memmove(data, source, 40*sizeof(int)); 59 | printIntLine(data[0]); 60 | } 61 | } 62 | 63 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_18_good(char * source) 64 | { 65 | goodG2B(source); 66 | } 67 | 68 | #endif /* OMITGOOD */ 69 | 70 | /* Below is the main(). It is only used when building this testcase on 71 | * its own for testing or for building a binary to use in testing binary 72 | * analysis tools. It is not used when compiling all the testcases as one 73 | * application, which is how source code analysis tools are tested. 74 | */ 75 | 76 | 77 | 78 | int main(int argc, char * argv[]) 79 | { 80 | /* seed randomness */ 81 | srand( (unsigned)time(NULL) ); 82 | #ifndef OMITGOOD 83 | printLine("Calling good()..."); 84 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_18_good(argv[1]); 85 | printLine("Finished good()"); 86 | #endif /* OMITGOOD */ 87 | #ifndef OMITBAD 88 | printLine("Calling bad()..."); 89 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_18_bad(argv[1]); 90 | printLine("Finished bad()"); 91 | #endif /* OMITBAD */ 92 | return 0; 93 | } 94 | 95 | 96 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_31.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_31.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-31.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: memmove 12 | * BadSink : Copy int array to data using memmove 13 | * Flow Variant: 31 Data flow using a copy of data within the same function 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_31_bad(char * source) 22 | { 23 | int * data; 24 | int dataBadBuffer[20]; 25 | int dataGoodBuffer[40]; 26 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 27 | * buffer in various memory copying functions using a "large" source buffer. */ 28 | data = dataBadBuffer; 29 | { 30 | int * dataCopy = data; 31 | int * data = dataCopy; 32 | { 33 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(source) */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | memmove(data, source, strlen(source)*sizeof(char)); 38 | } 39 | printIntLine(data[0]); 40 | } 41 | } 42 | } 43 | 44 | #endif /* OMITBAD */ 45 | 46 | #ifndef OMITGOOD 47 | 48 | /* goodG2B() uses the GoodSource with the BadSink */ 49 | static void goodG2B(char * source) 50 | { 51 | int * data; 52 | int dataBadBuffer[20]; 53 | int dataGoodBuffer[40]; 54 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 55 | data = dataGoodBuffer; 56 | { 57 | int * dataCopy = data; 58 | int * data = dataCopy; 59 | { 60 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 61 | memmove(data, source, 40*sizeof(int)); 62 | printIntLine(data[0]); 63 | } 64 | } 65 | } 66 | 67 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_31_good(char * source) 68 | { 69 | goodG2B(source); 70 | } 71 | 72 | #endif /* OMITGOOD */ 73 | 74 | /* Below is the main(). It is only used when building this testcase on 75 | * its own for testing or for building a binary to use in testing binary 76 | * analysis tools. It is not used when compiling all the testcases as one 77 | * application, which is how source code analysis tools are tested. 78 | */ 79 | 80 | 81 | 82 | int main(int argc, char * argv[]) 83 | { 84 | /* seed randomness */ 85 | srand( (unsigned)time(NULL) ); 86 | #ifndef OMITGOOD 87 | printLine("Calling good()..."); 88 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_31_good(argv[1]); 89 | printLine("Finished good()"); 90 | #endif /* OMITGOOD */ 91 | #ifndef OMITBAD 92 | printLine("Calling bad()..."); 93 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_31_bad(argv[1]); 94 | printLine("Finished bad()"); 95 | #endif /* OMITBAD */ 96 | return 0; 97 | } 98 | 99 | 100 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove/CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml 4 | Template File: sources-sink-41.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: memmove 12 | * BadSink : Copy int array to data using memmove 13 | * Flow Variant: 41 Data flow: data passed as an argument from one function to another in the same source file 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef OMITBAD 20 | 21 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41_badSink(int * data, char * source) 22 | { 23 | { 24 | /* POTENTIAL FLAW: Possible buffer overflow if data < strlen(source) */ 25 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 26 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 27 | { 28 | memmove(data, source, strlen(source)*sizeof(char)); 29 | } 30 | printIntLine(data[0]); 31 | } 32 | } 33 | 34 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41_bad(char * source) 35 | { 36 | int * data; 37 | int dataBadBuffer[20]; 38 | int dataGoodBuffer[40]; 39 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 40 | * buffer in various memory copying functions using a "large" source buffer. */ 41 | data = dataBadBuffer; 42 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41_badSink(data, source); 43 | } 44 | 45 | #endif /* OMITBAD */ 46 | 47 | #ifndef OMITGOOD 48 | 49 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41_goodG2BSink(int * data, char * source) 50 | { 51 | { 52 | /* POTENTIAL FLAW: Possible buffer overflow if data < 40 */ 53 | memmove(data, source, 40*sizeof(int)); 54 | printIntLine(data[0]); 55 | } 56 | } 57 | 58 | /* goodG2B uses the GoodSource with the BadSink */ 59 | static void goodG2B(char * source) 60 | { 61 | int * data; 62 | int dataBadBuffer[20]; 63 | int dataGoodBuffer[40]; 64 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 65 | data = dataGoodBuffer; 66 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41_goodG2BSink(data, source); 67 | } 68 | 69 | void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41_good(char * source) 70 | { 71 | goodG2B(source); 72 | } 73 | 74 | #endif /* OMITGOOD */ 75 | 76 | /* Below is the main(). It is only used when building this testcase on 77 | * its own for testing or for building a binary to use in testing binary 78 | * analysis tools. It is not used when compiling all the testcases as one 79 | * application, which is how source code analysis tools are tested. 80 | */ 81 | 82 | 83 | 84 | int main(int argc, char * argv[]) 85 | { 86 | /* seed randomness */ 87 | srand( (unsigned)time(NULL) ); 88 | #ifndef OMITGOOD 89 | printLine("Calling good()..."); 90 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41_good(argv[1]); 91 | printLine("Finished good()"); 92 | #endif /* OMITGOOD */ 93 | #ifndef OMITBAD 94 | printLine("Calling bad()..."); 95 | CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memmove_41_bad(argv[1]); 96 | printLine("Finished bad()"); 97 | #endif /* OMITBAD */ 98 | return 0; 99 | } 100 | 101 | 102 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcat/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_01.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: cat 12 | * BadSink : Copy string to data using strcat 13 | * Flow Variant: 01 Baseline 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_01_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | data[0] = '\0'; /* null terminate */ 32 | { 33 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | strcat(data, source); 38 | } 39 | printLine(data); 40 | } 41 | } 42 | 43 | #endif /* OMITBAD */ 44 | 45 | #ifndef OMITGOOD 46 | 47 | /* goodG2B uses the GoodSource with the BadSink */ 48 | static void goodG2B(char * source) 49 | { 50 | char * data; 51 | char dataBadBuffer[50]; 52 | char dataGoodBuffer[100]; 53 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 54 | data = dataGoodBuffer; 55 | data[0] = '\0'; /* null terminate */ 56 | { 57 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 58 | strncat(data, source, 100-1); 59 | printLine(data); 60 | } 61 | } 62 | 63 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_01_good(char * source) 64 | { 65 | goodG2B(source); 66 | } 67 | 68 | #endif /* OMITGOOD */ 69 | 70 | /* Below is the main(). It is only used when building this testcase on 71 | * its own for testing or for building a binary to use in testing binary 72 | * analysis tools. It is not used when compiling all the testcases as one 73 | * application, which is how source code analysis tools are tested. 74 | */ 75 | 76 | 77 | 78 | int main(int argc, char * argv[]) 79 | { 80 | /* seed randomness */ 81 | srand( (unsigned)time(NULL) ); 82 | #ifndef OMITGOOD 83 | printLine("Calling good()..."); 84 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_01_good(argv[1]); 85 | printLine("Finished good()"); 86 | #endif /* OMITGOOD */ 87 | #ifndef OMITBAD 88 | printLine("Calling bad()..."); 89 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_01_bad(argv[1]); 90 | printLine("Finished bad()"); 91 | #endif /* OMITBAD */ 92 | return 0; 93 | } 94 | 95 | 96 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcat/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_16.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_16.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-16.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: cat 12 | * BadSink : Copy string to data using strcat 13 | * Flow Variant: 16 Control flow: while(1) 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_16_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | while(1) 29 | { 30 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 31 | * buffer in various memory copying functions using a "large" source buffer. */ 32 | data = dataBadBuffer; 33 | data[0] = '\0'; /* null terminate */ 34 | break; 35 | } 36 | { 37 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 38 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 39 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 40 | { 41 | strcat(data, source); 42 | } 43 | printLine(data); 44 | } 45 | } 46 | 47 | #endif /* OMITBAD */ 48 | 49 | #ifndef OMITGOOD 50 | 51 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */ 52 | static void goodG2B(char * source) 53 | { 54 | char * data; 55 | char dataBadBuffer[50]; 56 | char dataGoodBuffer[100]; 57 | while(1) 58 | { 59 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 60 | data = dataGoodBuffer; 61 | data[0] = '\0'; /* null terminate */ 62 | break; 63 | } 64 | { 65 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 66 | strncat(data, source, 100-1); 67 | printLine(data); 68 | } 69 | } 70 | 71 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_16_good(char * source) 72 | { 73 | goodG2B(source); 74 | } 75 | 76 | #endif /* OMITGOOD */ 77 | 78 | /* Below is the main(). It is only used when building this testcase on 79 | * its own for testing or for building a binary to use in testing binary 80 | * analysis tools. It is not used when compiling all the testcases as one 81 | * application, which is how source code analysis tools are tested. 82 | */ 83 | 84 | 85 | 86 | int main(int argc, char * argv[]) 87 | { 88 | /* seed randomness */ 89 | srand( (unsigned)time(NULL) ); 90 | #ifndef OMITGOOD 91 | printLine("Calling good()..."); 92 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_16_good(argv[1]); 93 | printLine("Finished good()"); 94 | #endif /* OMITGOOD */ 95 | #ifndef OMITBAD 96 | printLine("Calling bad()..."); 97 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_16_bad(argv[1]); 98 | printLine("Finished bad()"); 99 | #endif /* OMITBAD */ 100 | return 0; 101 | } 102 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcat/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_17.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_17.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-17.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: cat 12 | * BadSink : Copy string to data using strcat 13 | * Flow Variant: 17 Control flow: for loops 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_17_bad(char * source) 24 | { 25 | int i; 26 | char * data; 27 | char dataBadBuffer[50]; 28 | char dataGoodBuffer[100]; 29 | for(i = 0; i < 1; i++) 30 | { 31 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 32 | * buffer in various memory copying functions using a "large" source buffer. */ 33 | data = dataBadBuffer; 34 | data[0] = '\0'; /* null terminate */ 35 | } 36 | { 37 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 38 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 39 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 40 | { 41 | strcat(data, source); 42 | } 43 | printLine(data); 44 | } 45 | } 46 | 47 | #endif /* OMITBAD */ 48 | 49 | #ifndef OMITGOOD 50 | 51 | /* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */ 52 | static void goodG2B(char * source) 53 | { 54 | int h; 55 | char * data; 56 | char dataBadBuffer[50]; 57 | char dataGoodBuffer[100]; 58 | for(h = 0; h < 1; h++) 59 | { 60 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 61 | data = dataGoodBuffer; 62 | data[0] = '\0'; /* null terminate */ 63 | } 64 | { 65 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 66 | strncat(data, source, 100-1); 67 | printLine(data); 68 | } 69 | } 70 | 71 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_17_good(char * source) 72 | { 73 | goodG2B(source); 74 | } 75 | 76 | #endif /* OMITGOOD */ 77 | 78 | /* Below is the main(). It is only used when building this testcase on 79 | * its own for testing or for building a binary to use in testing binary 80 | * analysis tools. It is not used when compiling all the testcases as one 81 | * application, which is how source code analysis tools are tested. 82 | */ 83 | 84 | 85 | 86 | int main(int argc, char * argv[]) 87 | { 88 | /* seed randomness */ 89 | srand( (unsigned)time(NULL) ); 90 | #ifndef OMITGOOD 91 | printLine("Calling good()..."); 92 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_17_good(argv[1]); 93 | printLine("Finished good()"); 94 | #endif /* OMITGOOD */ 95 | #ifndef OMITBAD 96 | printLine("Calling bad()..."); 97 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_17_bad(argv[1]); 98 | printLine("Finished bad()"); 99 | #endif /* OMITBAD */ 100 | return 0; 101 | } 102 | 103 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcat/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_18.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_18.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-18.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: cat 12 | * BadSink : Copy string to data using strcat 13 | * Flow Variant: 18 Control flow: goto statements 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_18_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | goto source; 29 | source: 30 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 31 | * buffer in various memory copying functions using a "large" source buffer. */ 32 | data = dataBadBuffer; 33 | data[0] = '\0'; /* null terminate */ 34 | { 35 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 36 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 37 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 38 | { 39 | strcat(data, source); 40 | } 41 | printLine(data); 42 | } 43 | } 44 | 45 | #endif /* OMITBAD */ 46 | 47 | #ifndef OMITGOOD 48 | 49 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */ 50 | static void goodG2B(char * source) 51 | { 52 | char * data; 53 | char dataBadBuffer[50]; 54 | char dataGoodBuffer[100]; 55 | goto source; 56 | source: 57 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 58 | data = dataGoodBuffer; 59 | data[0] = '\0'; /* null terminate */ 60 | { 61 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 62 | strncat(data, source, 100-1); 63 | printLine(data); 64 | } 65 | } 66 | 67 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_18_good(char * source) 68 | { 69 | goodG2B(source); 70 | } 71 | 72 | #endif /* OMITGOOD */ 73 | 74 | /* Below is the main(). It is only used when building this testcase on 75 | * its own for testing or for building a binary to use in testing binary 76 | * analysis tools. It is not used when compiling all the testcases as one 77 | * application, which is how source code analysis tools are tested. 78 | */ 79 | 80 | 81 | 82 | int main(int argc, char * argv[]) 83 | { 84 | /* seed randomness */ 85 | srand( (unsigned)time(NULL) ); 86 | #ifndef OMITGOOD 87 | printLine("Calling good()..."); 88 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_18_good(argv[1]); 89 | printLine("Finished good()"); 90 | #endif /* OMITGOOD */ 91 | #ifndef OMITBAD 92 | printLine("Calling bad()..."); 93 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_18_bad(argv[1]); 94 | printLine("Finished bad()"); 95 | #endif /* OMITBAD */ 96 | return 0; 97 | } 98 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcat/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_31.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_31.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-31.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: cat 12 | * BadSink : Copy string to data using strcat 13 | * Flow Variant: 31 Data flow using a copy of data within the same function 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_31_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | data[0] = '\0'; /* null terminate */ 32 | { 33 | char * dataCopy = data; 34 | char * data = dataCopy; 35 | { 36 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 37 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 38 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 39 | { 40 | strcat(data, source); 41 | } 42 | printLine(data); 43 | } 44 | } 45 | } 46 | 47 | #endif /* OMITBAD */ 48 | 49 | #ifndef OMITGOOD 50 | 51 | /* goodG2B() uses the GoodSource with the BadSink */ 52 | static void goodG2B(char * source) 53 | { 54 | char * data; 55 | char dataBadBuffer[50]; 56 | char dataGoodBuffer[100]; 57 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 58 | data = dataGoodBuffer; 59 | data[0] = '\0'; /* null terminate */ 60 | { 61 | char * dataCopy = data; 62 | char * data = dataCopy; 63 | { 64 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 65 | strncat(data, source, 100-1); 66 | printLine(data); 67 | } 68 | } 69 | } 70 | 71 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_31_good(char * source) 72 | { 73 | goodG2B(source); 74 | } 75 | 76 | #endif /* OMITGOOD */ 77 | 78 | /* Below is the main(). It is only used when building this testcase on 79 | * its own for testing or for building a binary to use in testing binary 80 | * analysis tools. It is not used when compiling all the testcases as one 81 | * application, which is how source code analysis tools are tested. 82 | */ 83 | 84 | 85 | 86 | int main(int argc, char * argv[]) 87 | { 88 | /* seed randomness */ 89 | srand( (unsigned)time(NULL) ); 90 | #ifndef OMITGOOD 91 | printLine("Calling good()..."); 92 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_31_good(argv[1]); 93 | printLine("Finished good()"); 94 | #endif /* OMITGOOD */ 95 | #ifndef OMITBAD 96 | printLine("Calling bad()..."); 97 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_31_bad(argv[1]); 98 | printLine("Finished bad()"); 99 | #endif /* OMITBAD */ 100 | return 0; 101 | } 102 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcat/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67a.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67a.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-67a.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: cat 12 | * BadSink : Copy string to data using strcat 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | typedef struct _CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType 22 | { 23 | char * structFirst; 24 | } CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType; 25 | 26 | #ifndef OMITBAD 27 | 28 | /* bad function declaration */ 29 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67b_badSink(CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType myStruct, char * source); 30 | 31 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_bad(char * source) 32 | { 33 | char * data; 34 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType myStruct; 35 | char dataBadBuffer[50]; 36 | char dataGoodBuffer[100]; 37 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 38 | * buffer in various memory copying functions using a "large" source buffer. */ 39 | data = dataBadBuffer; 40 | data[0] = '\0'; /* null terminate */ 41 | myStruct.structFirst = data; 42 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67b_badSink(myStruct, source); 43 | } 44 | 45 | #endif /* OMITBAD */ 46 | 47 | #ifndef OMITGOOD 48 | 49 | /* goodG2B uses the GoodSource with the BadSink */ 50 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67b_goodG2BSink(CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType myStruct, char * source); 51 | 52 | static void goodG2B(char * source) 53 | { 54 | char * data; 55 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType myStruct; 56 | char dataBadBuffer[50]; 57 | char dataGoodBuffer[100]; 58 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 59 | data = dataGoodBuffer; 60 | data[0] = '\0'; /* null terminate */ 61 | myStruct.structFirst = data; 62 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67b_goodG2BSink(myStruct, source); 63 | } 64 | 65 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_good(char * source) 66 | { 67 | goodG2B(source); 68 | } 69 | 70 | #endif /* OMITGOOD */ 71 | 72 | /* Below is the main(). It is only used when building this testcase on 73 | * its own for testing or for building a binary to use in testing binary 74 | * analysis tools. It is not used when compiling all the testcases as one 75 | * application, which is how source code analysis tools are tested. 76 | */ 77 | 78 | 79 | 80 | int main(int argc, char * argv[]) 81 | { 82 | /* seed randomness */ 83 | srand( (unsigned)time(NULL) ); 84 | #ifndef OMITGOOD 85 | printLine("Calling good()..."); 86 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_good(argv[1]); 87 | printLine("Finished good()"); 88 | #endif /* OMITGOOD */ 89 | #ifndef OMITBAD 90 | printLine("Calling bad()..."); 91 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_bad(argv[1]); 92 | printLine("Finished bad()"); 93 | #endif /* OMITBAD */ 94 | return 0; 95 | } 96 | 97 | 98 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcat/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67b.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67b.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-67b.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: cat 12 | * BadSink : Copy string to data using strcat 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | typedef struct _CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType 22 | { 23 | char * structFirst; 24 | } CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType; 25 | 26 | #ifndef OMITBAD 27 | 28 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67b_badSink(CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType myStruct, char * source) 29 | { 30 | char * data = myStruct.structFirst; 31 | { 32 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 33 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 34 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 35 | { 36 | strcat(data, source); 37 | } 38 | printLine(data); 39 | } 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B uses the GoodSource with the BadSink */ 47 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67b_goodG2BSink(CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cat_67_structType myStruct, char * source) 48 | { 49 | char * data = myStruct.structFirst; 50 | { 51 | /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ 52 | strncat(data, source, 100-1); 53 | printLine(data); 54 | } 55 | } 56 | 57 | #endif /* OMITGOOD */ 58 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcpy/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_01.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: cpy 12 | * BadSink : Copy string to data using strcpy 13 | * Flow Variant: 01 Baseline 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_01_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | data[0] = '\0'; /* null terminate */ 32 | { 33 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | strcpy(data, source); 38 | } 39 | printLine(data); 40 | } 41 | } 42 | 43 | #endif /* OMITBAD */ 44 | 45 | #ifndef OMITGOOD 46 | 47 | /* goodG2B uses the GoodSource with the BadSink */ 48 | static void goodG2B(char * source) 49 | { 50 | char * data; 51 | char dataBadBuffer[50]; 52 | char dataGoodBuffer[100]; 53 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 54 | data = dataGoodBuffer; 55 | data[0] = '\0'; /* null terminate */ 56 | { 57 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 58 | strncpy(data, source, 100-1); 59 | printLine(data); 60 | } 61 | } 62 | 63 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_01_good(char * source) 64 | { 65 | goodG2B(source); 66 | } 67 | 68 | #endif /* OMITGOOD */ 69 | 70 | /* Below is the main(). It is only used when building this testcase on 71 | * its own for testing or for building a binary to use in testing binary 72 | * analysis tools. It is not used when compiling all the testcases as one 73 | * application, which is how source code analysis tools are tested. 74 | */ 75 | 76 | 77 | 78 | int main(int argc, char * argv[]) 79 | { 80 | /* seed randomness */ 81 | srand( (unsigned)time(NULL) ); 82 | #ifndef OMITGOOD 83 | printLine("Calling good()..."); 84 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_01_good(argv[1]); 85 | printLine("Finished good()"); 86 | #endif /* OMITGOOD */ 87 | #ifndef OMITBAD 88 | printLine("Calling bad()..."); 89 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_01_bad(argv[1]); 90 | printLine("Finished bad()"); 91 | #endif /* OMITBAD */ 92 | return 0; 93 | } 94 | 95 | 96 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcpy/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_16.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_16.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-16.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: cpy 12 | * BadSink : Copy string to data using strcpy 13 | * Flow Variant: 16 Control flow: while(1) 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_16_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | while(1) 29 | { 30 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 31 | * buffer in various memory copying functions using a "large" source buffer. */ 32 | data = dataBadBuffer; 33 | data[0] = '\0'; /* null terminate */ 34 | break; 35 | } 36 | { 37 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 38 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 39 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 40 | { 41 | strcpy(data, source); 42 | } 43 | printLine(data); 44 | } 45 | } 46 | 47 | #endif /* OMITBAD */ 48 | 49 | #ifndef OMITGOOD 50 | 51 | /* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */ 52 | static void goodG2B(char * source) 53 | { 54 | char * data; 55 | char dataBadBuffer[50]; 56 | char dataGoodBuffer[100]; 57 | while(1) 58 | { 59 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 60 | data = dataGoodBuffer; 61 | data[0] = '\0'; /* null terminate */ 62 | break; 63 | } 64 | { 65 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 66 | strncpy(data, source, 100-1); 67 | printLine(data); 68 | } 69 | } 70 | 71 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_16_good(char * source) 72 | { 73 | goodG2B(source); 74 | } 75 | 76 | #endif /* OMITGOOD */ 77 | 78 | /* Below is the main(). It is only used when building this testcase on 79 | * its own for testing or for building a binary to use in testing binary 80 | * analysis tools. It is not used when compiling all the testcases as one 81 | * application, which is how source code analysis tools are tested. 82 | */ 83 | 84 | 85 | 86 | int main(int argc, char * argv[]) 87 | { 88 | /* seed randomness */ 89 | srand( (unsigned)time(NULL) ); 90 | #ifndef OMITGOOD 91 | printLine("Calling good()..."); 92 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_16_good(argv[1]); 93 | printLine("Finished good()"); 94 | #endif /* OMITGOOD */ 95 | #ifndef OMITBAD 96 | printLine("Calling bad()..."); 97 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_16_bad(argv[1]); 98 | printLine("Finished bad()"); 99 | #endif /* OMITBAD */ 100 | return 0; 101 | } 102 | 103 | 104 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcpy/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-17.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: cpy 12 | * BadSink : Copy string to data using strcpy 13 | * Flow Variant: 17 Control flow: for loops 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_bad(char * source) 24 | { 25 | int i; 26 | char * data; 27 | char dataBadBuffer[50]; 28 | char dataGoodBuffer[100]; 29 | for(i = 0; i < 1; i++) 30 | { 31 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 32 | * buffer in various memory copying functions using a "large" source buffer. */ 33 | data = dataBadBuffer; 34 | data[0] = '\0'; /* null terminate */ 35 | } 36 | { 37 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 38 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 39 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 40 | { 41 | strcpy(data, source); 42 | } 43 | printLine(data); 44 | } 45 | } 46 | 47 | #endif /* OMITBAD */ 48 | 49 | #ifndef OMITGOOD 50 | 51 | /* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */ 52 | static void goodG2B(char * source) 53 | { 54 | int h; 55 | char * data; 56 | char dataBadBuffer[50]; 57 | char dataGoodBuffer[100]; 58 | for(h = 0; h < 1; h++) 59 | { 60 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 61 | data = dataGoodBuffer; 62 | data[0] = '\0'; /* null terminate */ 63 | } 64 | { 65 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 66 | strncpy(data, source, 100-1); 67 | printLine(data); 68 | } 69 | } 70 | 71 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_good(char * source) 72 | { 73 | goodG2B(source); 74 | } 75 | 76 | #endif /* OMITGOOD */ 77 | 78 | /* Below is the main(). It is only used when building this testcase on 79 | * its own for testing or for building a binary to use in testing binary 80 | * analysis tools. It is not used when compiling all the testcases as one 81 | * application, which is how source code analysis tools are tested. 82 | */ 83 | 84 | 85 | 86 | int main(int argc, char * argv[]) 87 | { 88 | /* seed randomness */ 89 | srand( (unsigned)time(NULL) ); 90 | #ifndef OMITGOOD 91 | printLine("Calling good()..."); 92 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_good(argv[1]); 93 | printLine("Finished good()"); 94 | #endif /* OMITGOOD */ 95 | #ifndef OMITBAD 96 | printLine("Calling bad()..."); 97 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_bad(argv[1]); 98 | printLine("Finished bad()"); 99 | #endif /* OMITBAD */ 100 | return 0; 101 | } 102 | 103 | 104 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcpy/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_18.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_18.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-18.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sink: cpy 12 | * BadSink : Copy string to data using strcpy 13 | * Flow Variant: 18 Control flow: goto statements 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_18_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | goto source; 29 | source: 30 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 31 | * buffer in various memory copying functions using a "large" source buffer. */ 32 | data = dataBadBuffer; 33 | data[0] = '\0'; /* null terminate */ 34 | { 35 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 36 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 37 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 38 | { 39 | strcpy(data, source); 40 | } 41 | printLine(data); 42 | } 43 | } 44 | 45 | #endif /* OMITBAD */ 46 | 47 | #ifndef OMITGOOD 48 | 49 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */ 50 | static void goodG2B(char * source) 51 | { 52 | char * data; 53 | char dataBadBuffer[50]; 54 | char dataGoodBuffer[100]; 55 | goto source; 56 | source: 57 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 58 | data = dataGoodBuffer; 59 | data[0] = '\0'; /* null terminate */ 60 | { 61 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 62 | strncpy(data, source, 100-1); 63 | printLine(data); 64 | } 65 | } 66 | 67 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_18_good(char * source) 68 | { 69 | goodG2B(source); 70 | } 71 | 72 | #endif /* OMITGOOD */ 73 | 74 | /* Below is the main(). It is only used when building this testcase on 75 | * its own for testing or for building a binary to use in testing binary 76 | * analysis tools. It is not used when compiling all the testcases as one 77 | * application, which is how source code analysis tools are tested. 78 | */ 79 | 80 | 81 | 82 | int main(int argc, char * argv[]) 83 | { 84 | /* seed randomness */ 85 | srand( (unsigned)time(NULL) ); 86 | #ifndef OMITGOOD 87 | printLine("Calling good()..."); 88 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_18_good(argv[1]); 89 | printLine("Finished good()"); 90 | #endif /* OMITGOOD */ 91 | #ifndef OMITBAD 92 | printLine("Calling bad()..."); 93 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_18_bad(argv[1]); 94 | printLine("Finished bad()"); 95 | #endif /* OMITBAD */ 96 | return 0; 97 | } 98 | 99 | 100 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcpy/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_31.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_31.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-31.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: cpy 12 | * BadSink : Copy string to data using strcpy 13 | * Flow Variant: 31 Data flow using a copy of data within the same function 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | #ifndef OMITBAD 22 | 23 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_31_bad(char * source) 24 | { 25 | char * data; 26 | char dataBadBuffer[50]; 27 | char dataGoodBuffer[100]; 28 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 29 | * buffer in various memory copying functions using a "large" source buffer. */ 30 | data = dataBadBuffer; 31 | data[0] = '\0'; /* null terminate */ 32 | { 33 | char * dataCopy = data; 34 | char * data = dataCopy; 35 | { 36 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 37 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 38 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 39 | { 40 | strcpy(data, source); 41 | } 42 | printLine(data); 43 | } 44 | } 45 | } 46 | 47 | #endif /* OMITBAD */ 48 | 49 | #ifndef OMITGOOD 50 | 51 | /* goodG2B() uses the GoodSource with the BadSink */ 52 | static void goodG2B(char * source) 53 | { 54 | char * data; 55 | char dataBadBuffer[50]; 56 | char dataGoodBuffer[100]; 57 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 58 | data = dataGoodBuffer; 59 | data[0] = '\0'; /* null terminate */ 60 | { 61 | char * dataCopy = data; 62 | char * data = dataCopy; 63 | { 64 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 65 | strncpy(data, source, 100-1); 66 | printLine(data); 67 | } 68 | } 69 | } 70 | 71 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_31_good(char * source) 72 | { 73 | goodG2B(source); 74 | } 75 | 76 | #endif /* OMITGOOD */ 77 | 78 | /* Below is the main(). It is only used when building this testcase on 79 | * its own for testing or for building a binary to use in testing binary 80 | * analysis tools. It is not used when compiling all the testcases as one 81 | * application, which is how source code analysis tools are tested. 82 | */ 83 | 84 | 85 | 86 | int main(int argc, char * argv[]) 87 | { 88 | /* seed randomness */ 89 | srand( (unsigned)time(NULL) ); 90 | #ifndef OMITGOOD 91 | printLine("Calling good()..."); 92 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_31_good(argv[1]); 93 | printLine("Finished good()"); 94 | #endif /* OMITGOOD */ 95 | #ifndef OMITBAD 96 | printLine("Calling bad()..."); 97 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_31_bad(argv[1]); 98 | printLine("Finished bad()"); 99 | #endif /* OMITBAD */ 100 | return 0; 101 | } 102 | 103 | 104 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcpy/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67a.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67a.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-67a.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: cpy 12 | * BadSink : Copy string to data using strcpy 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | typedef struct _CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType 22 | { 23 | char * structFirst; 24 | } CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType; 25 | 26 | #ifndef OMITBAD 27 | 28 | /* bad function declaration */ 29 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67b_badSink(CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType myStruct, char * source); 30 | 31 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_bad(char * source) 32 | { 33 | char * data; 34 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType myStruct; 35 | char dataBadBuffer[50]; 36 | char dataGoodBuffer[100]; 37 | /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination 38 | * buffer in various memory copying functions using a "large" source buffer. */ 39 | data = dataBadBuffer; 40 | data[0] = '\0'; /* null terminate */ 41 | myStruct.structFirst = data; 42 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67b_badSink(myStruct, source); 43 | } 44 | 45 | #endif /* OMITBAD */ 46 | 47 | #ifndef OMITGOOD 48 | 49 | /* goodG2B uses the GoodSource with the BadSink */ 50 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67b_goodG2BSink(CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType myStruct, char * source); 51 | 52 | static void goodG2B(char * source) 53 | { 54 | char * data; 55 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType myStruct; 56 | char dataBadBuffer[50]; 57 | char dataGoodBuffer[100]; 58 | /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */ 59 | data = dataGoodBuffer; 60 | data[0] = '\0'; /* null terminate */ 61 | myStruct.structFirst = data; 62 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67b_goodG2BSink(myStruct, source); 63 | } 64 | 65 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_good(char * source) 66 | { 67 | goodG2B(source); 68 | } 69 | 70 | #endif /* OMITGOOD */ 71 | 72 | /* Below is the main(). It is only used when building this testcase on 73 | * its own for testing or for building a binary to use in testing binary 74 | * analysis tools. It is not used when compiling all the testcases as one 75 | * application, which is how source code analysis tools are tested. 76 | */ 77 | 78 | 79 | 80 | int main(int argc, char * argv[]) 81 | { 82 | /* seed randomness */ 83 | srand( (unsigned)time(NULL) ); 84 | #ifndef OMITGOOD 85 | printLine("Calling good()..."); 86 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_good(argv[1]); 87 | printLine("Finished good()"); 88 | #endif /* OMITGOOD */ 89 | #ifndef OMITBAD 90 | printLine("Calling bad()..."); 91 | CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_bad(argv[1]); 92 | printLine("Finished bad()"); 93 | #endif /* OMITBAD */ 94 | return 0; 95 | } 96 | 97 | 98 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_strcpy/CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67b.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67b.c 3 | Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml 4 | Template File: sources-sink-67b.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 121 Stack Based Buffer Overflow 9 | * BadSource: Set data pointer to the bad buffer 10 | * GoodSource: Set data pointer to the good buffer 11 | * Sinks: cpy 12 | * BadSink : Copy string to data using strcpy 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | typedef struct _CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType 22 | { 23 | char * structFirst; 24 | } CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType; 25 | 26 | #ifndef OMITBAD 27 | 28 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67b_badSink(CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType myStruct, char * source) 29 | { 30 | char * data = myStruct.structFirst; 31 | { 32 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 33 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 34 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 35 | { 36 | strcpy(data, source); 37 | } 38 | printLine(data); 39 | } 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B uses the GoodSource with the BadSink */ 47 | void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67b_goodG2BSink(CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_67_structType myStruct, char * source) 48 | { 49 | char * data = myStruct.structFirst; 50 | { 51 | /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ 52 | strncpy(data, source, 100-1); 53 | printLine(data); 54 | } 55 | } 56 | 57 | #endif /* OMITGOOD */ 58 | -------------------------------------------------------------------------------- /tests/CWE121_Stack_Based_Buffer_Overflow/includes/std_testcase_io.h: -------------------------------------------------------------------------------- 1 | /* header file to define functions in io.c. Not named io.h 2 | because that name is already taken by a system header on 3 | Windows */ 4 | 5 | #ifndef _STD_TESTCASE_IO_H 6 | #define _STD_TESTCASE_IO_H 7 | 8 | #include "std_testcase.h" /* needed for the twoint struct */ 9 | 10 | #ifdef __cplusplus 11 | extern "C" { 12 | #endif 13 | 14 | void printLine(const char * line); 15 | 16 | void printWLine(const wchar_t * line); 17 | 18 | void printIntLine (int intNumber); 19 | 20 | void printShortLine (short shortNumber); 21 | 22 | void printFloatLine (float floatNumber); 23 | 24 | void printLongLine(long longNumber); 25 | 26 | void printLongLongLine(int64_t longLongIntNumber); 27 | 28 | void printSizeTLine(size_t sizeTNumber); 29 | 30 | void printHexCharLine(char charHex); 31 | 32 | void printWcharLine(wchar_t wideChar); 33 | 34 | void printUnsignedLine(unsigned unsignedNumber); 35 | 36 | void printHexUnsignedCharLine(unsigned char unsignedCharacter); 37 | 38 | void printDoubleLine(double doubleNumber); 39 | 40 | void printStructLine(const twoIntsStruct * structTwoIntsStruct); 41 | 42 | void printBytesLine(const unsigned char * bytes, size_t numBytes); 43 | 44 | size_t decodeHexChars(unsigned char * bytes, size_t numBytes, const char * hex); 45 | 46 | size_t decodeHexWChars(unsigned char * bytes, size_t numBytes, const wchar_t * hex); 47 | 48 | int globalReturnsTrue(); 49 | 50 | int globalReturnsFalse(); 51 | 52 | int globalReturnsTrueOrFalse(); 53 | 54 | /* Define some global variables that will get argc and argv */ 55 | extern int globalArgc; 56 | extern char** globalArgv; 57 | 58 | #ifdef __cplusplus 59 | } 60 | #endif 61 | 62 | #endif 63 | -------------------------------------------------------------------------------- /tests/CWE122_Heap_Based_Buffer_Overflow/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_strcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b.c 3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml 4 | Template File: sources-sink-67b.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 122 Heap Based Buffer Overflow 9 | * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator 10 | * GoodSource: Allocate enough memory for a string and the NULL terminator 11 | * Sinks: cpy 12 | * BadSink : Copy string to data using strcpy() 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #ifndef _WIN32 20 | #include 21 | #endif 22 | 23 | /* MAINTENANCE NOTE: The length of this string should equal the 10 */ 24 | #define SRC_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 25 | 26 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType 27 | { 28 | char * structFirst; 29 | } CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType; 30 | 31 | #ifndef OMITBAD 32 | 33 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType myStruct, char * activator) 34 | { 35 | char * data = myStruct.structFirst; 36 | { 37 | /* POTENTIAL FLAW: data may not have enough space to hold source */ 38 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4' 39 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a') 40 | { 41 | strcpy(data, activator); 42 | } 43 | printLine(data); 44 | free(data); 45 | } 46 | } 47 | 48 | #endif /* OMITBAD */ 49 | 50 | #ifndef OMITGOOD 51 | 52 | /* goodG2B uses the GoodSource with the BadSink */ 53 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_67_structType myStruct) 54 | { 55 | char * data = myStruct.structFirst; 56 | { 57 | char source[40+1] = SRC_STRING; 58 | /* POTENTIAL FLAW: data may not have enough space to hold source */ 59 | strcpy(data, source); 60 | printLine(data); 61 | free(data); 62 | } 63 | } 64 | 65 | #endif /* OMITGOOD */ 66 | -------------------------------------------------------------------------------- /tests/CWE122_Heap_Based_Buffer_Overflow/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b.c 3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml 4 | Template File: sources-sink-67b.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 122 Heap Based Buffer Overflow 9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer 10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer 11 | * Sinks: memcpy 12 | * BadSink : Copy string to data using memcpy 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType 22 | { 23 | char * structFirst; 24 | } CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType; 25 | 26 | #ifndef OMITBAD 27 | 28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType myStruct, char * activator) 29 | { 30 | char * data = myStruct.structFirst; 31 | { 32 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ 33 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4' 34 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a') 35 | { 36 | memcpy(data, activator, strlen(activator)*sizeof(char)); 37 | } 38 | free(data); 39 | } 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B uses the GoodSource with the BadSink */ 47 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_67_structType myStruct, char * source) 48 | { 49 | char * data = myStruct.structFirst; 50 | { 51 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ 52 | memcpy(data, source, 100*sizeof(char)); 53 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 54 | free(data); 55 | } 56 | } 57 | 58 | #endif /* OMITGOOD */ 59 | -------------------------------------------------------------------------------- /tests/CWE122_Heap_Based_Buffer_Overflow/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove/CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b.c 3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml 4 | Template File: sources-sink-67b.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 122 Heap Based Buffer Overflow 9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer 10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer 11 | * Sinks: memmove 12 | * BadSink : Copy string to data using memmove 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67_structType 22 | { 23 | char * structFirst; 24 | } CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67_structType; 25 | 26 | #ifndef OMITBAD 27 | 28 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67_structType myStruct, char * activator) 29 | { 30 | char * data = myStruct.structFirst; 31 | { 32 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ 33 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4' 34 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a') 35 | { 36 | memmove(data, activator, strlen(activator)*sizeof(char)); 37 | } 38 | free(data); 39 | } 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B uses the GoodSource with the BadSink */ 47 | void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memmove_67_structType myStruct, char * source) 48 | { 49 | char * data = myStruct.structFirst; 50 | { 51 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ 52 | memmove(data, source, 100*sizeof(char)); 53 | data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ 54 | free(data); 55 | } 56 | } 57 | 58 | #endif /* OMITGOOD */ 59 | -------------------------------------------------------------------------------- /tests/CWE122_Heap_Based_Buffer_Overflow/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_strcat/CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b.c 3 | Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml 4 | Template File: sources-sink-67b.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 122 Heap Based Buffer Overflow 9 | * BadSource: Allocate using malloc() and set data pointer to a small buffer 10 | * GoodSource: Allocate using malloc() and set data pointer to a large buffer 11 | * Sinks: cat 12 | * BadSink : Copy string to data using strcat 13 | * Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files 14 | * 15 | * */ 16 | 17 | #include "std_testcase.h" 18 | 19 | #include 20 | 21 | typedef struct _CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType 22 | { 23 | char * structFirst; 24 | } CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType; 25 | 26 | #ifndef OMITBAD 27 | 28 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b_badSink(CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType myStruct, char * activator) 29 | { 30 | char * data = myStruct.structFirst; 31 | data[0] = '\0'; /* null terminate */ 32 | { 33 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */ 34 | if (activator[0] == '7' && activator[1] == '/' && activator[2] == '4' 35 | && activator[3] == '2' && activator[4] == 'a' && activator[5] == '8' && activator[75] == 'a') 36 | { 37 | strcat(data, activator); 38 | } 39 | printLine(data); 40 | free(data); 41 | } 42 | } 43 | 44 | #endif /* OMITBAD */ 45 | 46 | #ifndef OMITGOOD 47 | 48 | /* goodG2B uses the GoodSource with the BadSink */ 49 | void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67b_goodG2BSink(CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_67_structType myStruct) 50 | { 51 | char * data = myStruct.structFirst; 52 | data[0] = '\0'; /* null terminate */ 53 | { 54 | char source[100]; 55 | memset(source, 'C', 100-1); /* fill with 'C's */ 56 | source[100-1] = '\0'; /* null terminate */ 57 | /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */ 58 | strcat(data, source); 59 | printLine(data); 60 | free(data); 61 | } 62 | } 63 | 64 | #endif /* OMITGOOD */ 65 | -------------------------------------------------------------------------------- /tests/CWE122_Heap_Based_Buffer_Overflow/includes/std_testcase_io.h: -------------------------------------------------------------------------------- 1 | /* header file to define functions in io.c. Not named io.h 2 | because that name is already taken by a system header on 3 | Windows */ 4 | 5 | #ifndef _STD_TESTCASE_IO_H 6 | #define _STD_TESTCASE_IO_H 7 | 8 | #include "std_testcase.h" /* needed for the twoint struct */ 9 | 10 | #ifdef __cplusplus 11 | extern "C" { 12 | #endif 13 | 14 | void printLine(const char * line); 15 | 16 | void printWLine(const wchar_t * line); 17 | 18 | void printIntLine (int intNumber); 19 | 20 | void printShortLine (short shortNumber); 21 | 22 | void printFloatLine (float floatNumber); 23 | 24 | void printLongLine(long longNumber); 25 | 26 | void printLongLongLine(int64_t longLongIntNumber); 27 | 28 | void printSizeTLine(size_t sizeTNumber); 29 | 30 | void printHexCharLine(char charHex); 31 | 32 | void printWcharLine(wchar_t wideChar); 33 | 34 | void printUnsignedLine(unsigned unsignedNumber); 35 | 36 | void printHexUnsignedCharLine(unsigned char unsignedCharacter); 37 | 38 | void printDoubleLine(double doubleNumber); 39 | 40 | void printStructLine(const twoIntsStruct * structTwoIntsStruct); 41 | 42 | void printBytesLine(const unsigned char * bytes, size_t numBytes); 43 | 44 | size_t decodeHexChars(unsigned char * bytes, size_t numBytes, const char * hex); 45 | 46 | size_t decodeHexWChars(unsigned char * bytes, size_t numBytes, const wchar_t * hex); 47 | 48 | int globalReturnsTrue(); 49 | 50 | int globalReturnsFalse(); 51 | 52 | int globalReturnsTrueOrFalse(); 53 | 54 | /* Define some global variables that will get argc and argv */ 55 | extern int globalArgc; 56 | extern char** globalArgv; 57 | 58 | #ifdef __cplusplus 59 | } 60 | #endif 61 | 62 | #endif 63 | -------------------------------------------------------------------------------- /tests/CWE415_Double_Free/CWE415_Double_Free__malloc_free_int/CWE415_Double_Free__malloc_free_int_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE415_Double_Free__malloc_free_int_01.c 3 | Label Definition File: CWE415_Double_Free__malloc_free.label.xml 4 | Template File: sources-sinks-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 415 Double Free 9 | * BadSource: Allocate data using malloc() and Deallocate data using free() 10 | * GoodSource: Allocate data using malloc() 11 | * Sinks: 12 | * GoodSink: do nothing 13 | * BadSink : Deallocate data using free() 14 | * Flow Variant: 01 Baseline 15 | * 16 | * */ 17 | 18 | #include "std_testcase.h" 19 | 20 | #include 21 | 22 | #ifndef OMITBAD 23 | 24 | void CWE415_Double_Free__malloc_free_int_01_bad(char * source) 25 | { 26 | int * data; 27 | /* Initialize data */ 28 | data = NULL; 29 | data = (int *)malloc(100*sizeof(int)); 30 | if (data == NULL) {exit(-1);} 31 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 32 | free(data); 33 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | free(data); 38 | } 39 | printIntLine(data[0]); 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B uses the GoodSource with the BadSink */ 47 | static void goodG2B() 48 | { 49 | int * data; 50 | /* Initialize data */ 51 | data = NULL; 52 | data = (int *)malloc(100*sizeof(int)); 53 | if (data == NULL) {exit(-1);} 54 | /* FIX: Do NOT free data in the source - the bad sink frees data */ 55 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 56 | free(data); 57 | } 58 | 59 | /* goodB2G uses the BadSource with the GoodSink */ 60 | static void goodB2G() 61 | { 62 | int * data; 63 | /* Initialize data */ 64 | data = NULL; 65 | data = (int *)malloc(100*sizeof(int)); 66 | if (data == NULL) {exit(-1);} 67 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 68 | free(data); 69 | /* do nothing */ 70 | /* FIX: Don't attempt to free the memory */ 71 | ; /* empty statement needed for some flow variants */ 72 | } 73 | 74 | void CWE415_Double_Free__malloc_free_int_01_good() 75 | { 76 | goodG2B(); 77 | goodB2G(); 78 | } 79 | 80 | #endif /* OMITGOOD */ 81 | 82 | /* Below is the main(). It is only used when building this testcase on 83 | its own for testing or for building a binary to use in testing binary 84 | analysis tools. It is not used when compiling all the testcases as one 85 | application, which is how source code analysis tools are tested. */ 86 | 87 | 88 | 89 | int main(int argc, char * argv[]) 90 | { 91 | /* seed randomness */ 92 | srand( (unsigned)time(NULL) ); 93 | #ifndef OMITGOOD 94 | printLine("Calling good()..."); 95 | CWE415_Double_Free__malloc_free_int_01_good(); 96 | printLine("Finished good()"); 97 | #endif /* OMITGOOD */ 98 | #ifndef OMITBAD 99 | printLine("Calling bad()..."); 100 | CWE415_Double_Free__malloc_free_int_01_bad(argv[1]); 101 | printLine("Finished bad()"); 102 | #endif /* OMITBAD */ 103 | return 0; 104 | } 105 | 106 | 107 | -------------------------------------------------------------------------------- /tests/CWE415_Double_Free/CWE415_Double_Free__malloc_free_int/CWE415_Double_Free__malloc_free_int_31.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE415_Double_Free__malloc_free_int_31.c 3 | Label Definition File: CWE415_Double_Free__malloc_free.label.xml 4 | Template File: sources-sinks-31.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 415 Double Free 9 | * BadSource: Allocate data using malloc() and Deallocate data using free() 10 | * GoodSource: Allocate data using malloc() 11 | * Sinks: 12 | * GoodSink: do nothing 13 | * BadSink : Deallocate data using free() 14 | * Flow Variant: 31 Data flow using a copy of data within the same function 15 | * 16 | * */ 17 | 18 | #include "std_testcase.h" 19 | 20 | #include 21 | 22 | #ifndef OMITBAD 23 | 24 | void CWE415_Double_Free__malloc_free_int_31_bad(char * source) 25 | { 26 | int * data; 27 | /* Initialize data */ 28 | data = NULL; 29 | data = (int *)malloc(100*sizeof(int)); 30 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 31 | free(data); 32 | { 33 | int * dataCopy = data; 34 | int * data = dataCopy; 35 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 36 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 37 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 38 | { 39 | free(data); 40 | } 41 | printIntLine(data[0]); 42 | } 43 | } 44 | 45 | #endif /* OMITBAD */ 46 | 47 | #ifndef OMITGOOD 48 | 49 | /* goodG2B() uses the GoodSource with the BadSink */ 50 | static void goodG2B() 51 | { 52 | int * data; 53 | /* Initialize data */ 54 | data = NULL; 55 | data = (int *)malloc(100*sizeof(int)); 56 | /* FIX: Do NOT free data in the source - the bad sink frees data */ 57 | { 58 | int * dataCopy = data; 59 | int * data = dataCopy; 60 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 61 | free(data); 62 | } 63 | } 64 | 65 | /* goodB2G() uses the BadSource with the GoodSink */ 66 | static void goodB2G() 67 | { 68 | int * data; 69 | /* Initialize data */ 70 | data = NULL; 71 | data = (int *)malloc(100*sizeof(int)); 72 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 73 | free(data); 74 | { 75 | int * dataCopy = data; 76 | int * data = dataCopy; 77 | /* do nothing */ 78 | /* FIX: Don't attempt to free the memory */ 79 | ; /* empty statement needed for some flow variants */ 80 | } 81 | } 82 | 83 | void CWE415_Double_Free__malloc_free_int_31_good() 84 | { 85 | goodG2B(); 86 | goodB2G(); 87 | } 88 | 89 | #endif /* OMITGOOD */ 90 | 91 | /* Below is the main(). It is only used when building this testcase on 92 | its own for testing or for building a binary to use in testing binary 93 | analysis tools. It is not used when compiling all the testcases as one 94 | application, which is how source code analysis tools are tested. */ 95 | 96 | 97 | 98 | int main(int argc, char * argv[]) 99 | { 100 | /* seed randomness */ 101 | srand( (unsigned)time(NULL) ); 102 | #ifndef OMITGOOD 103 | printLine("Calling good()..."); 104 | CWE415_Double_Free__malloc_free_int_31_good(); 105 | printLine("Finished good()"); 106 | #endif /* OMITGOOD */ 107 | #ifndef OMITBAD 108 | printLine("Calling bad()..."); 109 | CWE415_Double_Free__malloc_free_int_31_bad(argv[1]); 110 | printLine("Finished bad()"); 111 | #endif /* OMITBAD */ 112 | return 0; 113 | } 114 | 115 | 116 | 117 | -------------------------------------------------------------------------------- /tests/CWE415_Double_Free/CWE415_Double_Free__malloc_free_int/CWE415_Double_Free__malloc_free_int_42.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE415_Double_Free__malloc_free_int_42.c 3 | Label Definition File: CWE415_Double_Free__malloc_free.label.xml 4 | Template File: sources-sinks-42.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 415 Double Free 9 | * BadSource: Allocate data using malloc() and Deallocate data using free() 10 | * GoodSource: Allocate data using malloc() 11 | * Sinks: 12 | * GoodSink: do nothing 13 | * BadSink : Deallocate data using free() 14 | * Flow Variant: 42 Data flow: data returned from one function to another in the same source file 15 | * 16 | * */ 17 | 18 | #include "std_testcase.h" 19 | 20 | #include 21 | 22 | #ifndef OMITBAD 23 | 24 | static int * badSource(int * data) 25 | { 26 | data = (int *)malloc(100*sizeof(int)); 27 | if (data == NULL) {exit(-1);} 28 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 29 | free(data); 30 | return data; 31 | } 32 | 33 | void CWE415_Double_Free__malloc_free_int_42_bad(char * source) 34 | { 35 | int * data; 36 | /* Initialize data */ 37 | data = NULL; 38 | data = badSource(data); 39 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 40 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 41 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 42 | { 43 | free(data); 44 | } 45 | printIntLine(data[0]); 46 | } 47 | 48 | #endif /* OMITBAD */ 49 | 50 | #ifndef OMITGOOD 51 | 52 | /* goodG2B uses the GoodSource with the BadSink */ 53 | static int * goodG2BSource(int * data) 54 | { 55 | data = (int *)malloc(100*sizeof(int)); 56 | if (data == NULL) {exit(-1);} 57 | /* FIX: Do NOT free data in the source - the bad sink frees data */ 58 | return data; 59 | } 60 | 61 | static void goodG2B() 62 | { 63 | int * data; 64 | /* Initialize data */ 65 | data = NULL; 66 | data = goodG2BSource(data); 67 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 68 | free(data); 69 | } 70 | 71 | /* goodB2G uses the BadSource with the GoodSink */ 72 | static int * goodB2GSource(int * data) 73 | { 74 | data = (int *)malloc(100*sizeof(int)); 75 | if (data == NULL) {exit(-1);} 76 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 77 | free(data); 78 | return data; 79 | } 80 | 81 | static void goodB2G() 82 | { 83 | int * data; 84 | /* Initialize data */ 85 | data = NULL; 86 | data = goodB2GSource(data); 87 | /* do nothing */ 88 | /* FIX: Don't attempt to free the memory */ 89 | ; /* empty statement needed for some flow variants */ 90 | } 91 | 92 | void CWE415_Double_Free__malloc_free_int_42_good() 93 | { 94 | goodB2G(); 95 | goodG2B(); 96 | } 97 | 98 | #endif /* OMITGOOD */ 99 | 100 | /* Below is the main(). It is only used when building this testcase on 101 | its own for testing or for building a binary to use in testing binary 102 | analysis tools. It is not used when compiling all the testcases as one 103 | application, which is how source code analysis tools are tested. */ 104 | 105 | 106 | 107 | int main(int argc, char * argv[]) 108 | { 109 | /* seed randomness */ 110 | srand( (unsigned)time(NULL) ); 111 | #ifndef OMITGOOD 112 | printLine("Calling good()..."); 113 | CWE415_Double_Free__malloc_free_int_42_good(); 114 | printLine("Finished good()"); 115 | #endif /* OMITGOOD */ 116 | #ifndef OMITBAD 117 | printLine("Calling bad()..."); 118 | CWE415_Double_Free__malloc_free_int_42_bad(argv[1]); 119 | printLine("Finished bad()"); 120 | #endif /* OMITBAD */ 121 | return 0; 122 | } 123 | 124 | 125 | 126 | -------------------------------------------------------------------------------- /tests/CWE415_Double_Free/CWE415_Double_Free__malloc_free_int64_t/CWE415_Double_Free__malloc_free_int64_t_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE415_Double_Free__malloc_free_int64_t_01.c 3 | Label Definition File: CWE415_Double_Free__malloc_free.label.xml 4 | Template File: sources-sinks-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 415 Double Free 9 | * BadSource: Allocate data using malloc() and Deallocate data using free() 10 | * GoodSource: Allocate data using malloc() 11 | * Sinks: 12 | * GoodSink: do nothing 13 | * BadSink : Deallocate data using free() 14 | * Flow Variant: 01 Baseline 15 | * 16 | * */ 17 | 18 | #include "std_testcase.h" 19 | 20 | #include 21 | 22 | #ifndef OMITBAD 23 | 24 | void CWE415_Double_Free__malloc_free_int64_t_01_bad(char * source) 25 | { 26 | int64_t * data; 27 | /* Initialize data */ 28 | data = NULL; 29 | data = (int64_t *)malloc(100*sizeof(int64_t)); 30 | if (data == NULL) {exit(-1);} 31 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 32 | free(data); 33 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | free(data); 38 | } 39 | } 40 | 41 | #endif /* OMITBAD */ 42 | 43 | #ifndef OMITGOOD 44 | 45 | /* goodG2B uses the GoodSource with the BadSink */ 46 | static void goodG2B() 47 | { 48 | int64_t * data; 49 | /* Initialize data */ 50 | data = NULL; 51 | data = (int64_t *)malloc(100*sizeof(int64_t)); 52 | if (data == NULL) {exit(-1);} 53 | /* FIX: Do NOT free data in the source - the bad sink frees data */ 54 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 55 | free(data); 56 | } 57 | 58 | /* goodB2G uses the BadSource with the GoodSink */ 59 | static void goodB2G() 60 | { 61 | int64_t * data; 62 | /* Initialize data */ 63 | data = NULL; 64 | data = (int64_t *)malloc(100*sizeof(int64_t)); 65 | if (data == NULL) {exit(-1);} 66 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 67 | free(data); 68 | /* do nothing */ 69 | /* FIX: Don't attempt to free the memory */ 70 | ; /* empty statement needed for some flow variants */ 71 | } 72 | 73 | void CWE415_Double_Free__malloc_free_int64_t_01_good() 74 | { 75 | goodG2B(); 76 | goodB2G(); 77 | } 78 | 79 | #endif /* OMITGOOD */ 80 | 81 | /* Below is the main(). It is only used when building this testcase on 82 | its own for testing or for building a binary to use in testing binary 83 | analysis tools. It is not used when compiling all the testcases as one 84 | application, which is how source code analysis tools are tested. */ 85 | 86 | 87 | 88 | int main(int argc, char * argv[]) 89 | { 90 | /* seed randomness */ 91 | srand( (unsigned)time(NULL) ); 92 | #ifndef OMITGOOD 93 | printLine("Calling good()..."); 94 | CWE415_Double_Free__malloc_free_int64_t_01_good(); 95 | printLine("Finished good()"); 96 | #endif /* OMITGOOD */ 97 | #ifndef OMITBAD 98 | printLine("Calling bad()..."); 99 | CWE415_Double_Free__malloc_free_int64_t_01_bad(argv[1]); 100 | printLine("Finished bad()"); 101 | #endif /* OMITBAD */ 102 | return 0; 103 | } 104 | 105 | 106 | -------------------------------------------------------------------------------- /tests/CWE415_Double_Free/CWE415_Double_Free__malloc_free_long/CWE415_Double_Free__malloc_free_long_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE415_Double_Free__malloc_free_long_01.c 3 | Label Definition File: CWE415_Double_Free__malloc_free.label.xml 4 | Template File: sources-sinks-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 415 Double Free 9 | * BadSource: Allocate data using malloc() and Deallocate data using free() 10 | * GoodSource: Allocate data using malloc() 11 | * Sinks: 12 | * GoodSink: do nothing 13 | * BadSink : Deallocate data using free() 14 | * Flow Variant: 01 Baseline 15 | * 16 | * */ 17 | 18 | #include "std_testcase.h" 19 | 20 | #include 21 | 22 | #ifndef OMITBAD 23 | 24 | void CWE415_Double_Free__malloc_free_long_01_bad(char * source) 25 | { 26 | long * data; 27 | /* Initialize data */ 28 | data = NULL; 29 | data = (long *)malloc(100*sizeof(long)); 30 | if (data == NULL) {exit(-1);} 31 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 32 | free(data); 33 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | free(data); 38 | } 39 | printLongLine(data[0]); 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B uses the GoodSource with the BadSink */ 47 | static void goodG2B() 48 | { 49 | long * data; 50 | /* Initialize data */ 51 | data = NULL; 52 | data = (long *)malloc(100*sizeof(long)); 53 | if (data == NULL) {exit(-1);} 54 | /* FIX: Do NOT free data in the source - the bad sink frees data */ 55 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 56 | free(data); 57 | } 58 | 59 | /* goodB2G uses the BadSource with the GoodSink */ 60 | static void goodB2G() 61 | { 62 | long * data; 63 | /* Initialize data */ 64 | data = NULL; 65 | data = (long *)malloc(100*sizeof(long)); 66 | if (data == NULL) {exit(-1);} 67 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 68 | free(data); 69 | /* do nothing */ 70 | /* FIX: Don't attempt to free the memory */ 71 | ; /* empty statement needed for some flow variants */ 72 | } 73 | 74 | void CWE415_Double_Free__malloc_free_long_01_good() 75 | { 76 | goodG2B(); 77 | goodB2G(); 78 | } 79 | 80 | #endif /* OMITGOOD */ 81 | 82 | /* Below is the main(). It is only used when building this testcase on 83 | its own for testing or for building a binary to use in testing binary 84 | analysis tools. It is not used when compiling all the testcases as one 85 | application, which is how source code analysis tools are tested. */ 86 | 87 | 88 | 89 | int main(int argc, char * argv[]) 90 | { 91 | /* seed randomness */ 92 | srand( (unsigned)time(NULL) ); 93 | #ifndef OMITGOOD 94 | printLine("Calling good()..."); 95 | CWE415_Double_Free__malloc_free_long_01_good(); 96 | printLine("Finished good()"); 97 | #endif /* OMITGOOD */ 98 | #ifndef OMITBAD 99 | printLine("Calling bad()..."); 100 | CWE415_Double_Free__malloc_free_long_01_bad(argv[1]); 101 | printLine("Finished bad()"); 102 | #endif /* OMITBAD */ 103 | return 0; 104 | } 105 | 106 | 107 | -------------------------------------------------------------------------------- /tests/CWE415_Double_Free/CWE415_Double_Free__malloc_free_struct/CWE415_Double_Free__malloc_free_struct_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE415_Double_Free__malloc_free_struct_01.c 3 | Label Definition File: CWE415_Double_Free__malloc_free.label.xml 4 | Template File: sources-sinks-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 415 Double Free 9 | * BadSource: Allocate data using malloc() and Deallocate data using free() 10 | * GoodSource: Allocate data using malloc() 11 | * Sinks: 12 | * GoodSink: do nothing 13 | * BadSink : Deallocate data using free() 14 | * Flow Variant: 01 Baseline 15 | * 16 | * */ 17 | 18 | #include "std_testcase.h" 19 | 20 | #include 21 | 22 | #ifndef OMITBAD 23 | 24 | void CWE415_Double_Free__malloc_free_struct_01_bad(char * source) 25 | { 26 | twoIntsStruct * data; 27 | /* Initialize data */ 28 | data = NULL; 29 | data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct)); 30 | if (data == NULL) {exit(-1);} 31 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 32 | free(data); 33 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | free(data); 38 | } 39 | printStructLine(data); 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B uses the GoodSource with the BadSink */ 47 | static void goodG2B() 48 | { 49 | twoIntsStruct * data; 50 | /* Initialize data */ 51 | data = NULL; 52 | data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct)); 53 | if (data == NULL) {exit(-1);} 54 | /* FIX: Do NOT free data in the source - the bad sink frees data */ 55 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 56 | free(data); 57 | } 58 | 59 | /* goodB2G uses the BadSource with the GoodSink */ 60 | static void goodB2G() 61 | { 62 | twoIntsStruct * data; 63 | /* Initialize data */ 64 | data = NULL; 65 | data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct)); 66 | if (data == NULL) {exit(-1);} 67 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 68 | free(data); 69 | /* do nothing */ 70 | /* FIX: Don't attempt to free the memory */ 71 | ; /* empty statement needed for some flow variants */ 72 | } 73 | 74 | void CWE415_Double_Free__malloc_free_struct_01_good() 75 | { 76 | goodG2B(); 77 | goodB2G(); 78 | } 79 | 80 | #endif /* OMITGOOD */ 81 | 82 | /* Below is the main(). It is only used when building this testcase on 83 | its own for testing or for building a binary to use in testing binary 84 | analysis tools. It is not used when compiling all the testcases as one 85 | application, which is how source code analysis tools are tested. */ 86 | 87 | 88 | 89 | int main(int argc, char * argv[]) 90 | { 91 | /* seed randomness */ 92 | srand( (unsigned)time(NULL) ); 93 | #ifndef OMITGOOD 94 | printLine("Calling good()..."); 95 | CWE415_Double_Free__malloc_free_struct_01_good(); 96 | printLine("Finished good()"); 97 | #endif /* OMITGOOD */ 98 | #ifndef OMITBAD 99 | printLine("Calling bad()..."); 100 | CWE415_Double_Free__malloc_free_struct_01_bad(argv[1]); 101 | printLine("Finished bad()"); 102 | #endif /* OMITBAD */ 103 | return 0; 104 | } 105 | 106 | 107 | -------------------------------------------------------------------------------- /tests/CWE415_Double_Free/CWE415_Double_Free__malloc_free_wchar_t/CWE415_Double_Free__malloc_free_wchar_t_01.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE415_Double_Free__malloc_free_wchar_t_01.c 3 | Label Definition File: CWE415_Double_Free__malloc_free.label.xml 4 | Template File: sources-sinks-01.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 415 Double Free 9 | * BadSource: Allocate data using malloc() and Deallocate data using free() 10 | * GoodSource: Allocate data using malloc() 11 | * Sinks: 12 | * GoodSink: do nothing 13 | * BadSink : Deallocate data using free() 14 | * Flow Variant: 01 Baseline 15 | * 16 | * */ 17 | 18 | #include "std_testcase.h" 19 | 20 | #include 21 | 22 | #ifndef OMITBAD 23 | 24 | void CWE415_Double_Free__malloc_free_wchar_t_01_bad(char * source) 25 | { 26 | wchar_t * data; 27 | /* Initialize data */ 28 | data = NULL; 29 | data = (wchar_t *)malloc(100*sizeof(wchar_t)); 30 | if (data == NULL) {exit(-1);} 31 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 32 | free(data); 33 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 34 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 35 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 36 | { 37 | free(data); 38 | } 39 | printWLine(data); 40 | } 41 | 42 | #endif /* OMITBAD */ 43 | 44 | #ifndef OMITGOOD 45 | 46 | /* goodG2B uses the GoodSource with the BadSink */ 47 | static void goodG2B() 48 | { 49 | wchar_t * data; 50 | /* Initialize data */ 51 | data = NULL; 52 | data = (wchar_t *)malloc(100*sizeof(wchar_t)); 53 | if (data == NULL) {exit(-1);} 54 | /* FIX: Do NOT free data in the source - the bad sink frees data */ 55 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 56 | free(data); 57 | } 58 | 59 | /* goodB2G uses the BadSource with the GoodSink */ 60 | static void goodB2G() 61 | { 62 | wchar_t * data; 63 | /* Initialize data */ 64 | data = NULL; 65 | data = (wchar_t *)malloc(100*sizeof(wchar_t)); 66 | if (data == NULL) {exit(-1);} 67 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 68 | free(data); 69 | /* do nothing */ 70 | /* FIX: Don't attempt to free the memory */ 71 | ; /* empty statement needed for some flow variants */ 72 | } 73 | 74 | void CWE415_Double_Free__malloc_free_wchar_t_01_good() 75 | { 76 | goodG2B(); 77 | goodB2G(); 78 | } 79 | 80 | #endif /* OMITGOOD */ 81 | 82 | /* Below is the main(). It is only used when building this testcase on 83 | its own for testing or for building a binary to use in testing binary 84 | analysis tools. It is not used when compiling all the testcases as one 85 | application, which is how source code analysis tools are tested. */ 86 | 87 | 88 | 89 | int main(int argc, char * argv[]) 90 | { 91 | /* seed randomness */ 92 | srand( (unsigned)time(NULL) ); 93 | #ifndef OMITGOOD 94 | printLine("Calling good()..."); 95 | CWE415_Double_Free__malloc_free_wchar_t_01_good(); 96 | printLine("Finished good()"); 97 | #endif /* OMITGOOD */ 98 | #ifndef OMITBAD 99 | printLine("Calling bad()..."); 100 | CWE415_Double_Free__malloc_free_wchar_t_01_bad(argv[1]); 101 | printLine("Finished bad()"); 102 | #endif /* OMITBAD */ 103 | return 0; 104 | } 105 | 106 | 107 | -------------------------------------------------------------------------------- /tests/CWE415_Double_Free/CWE415_Double_Free__malloc_free_wchar_t/CWE415_Double_Free__malloc_free_wchar_t_18.c: -------------------------------------------------------------------------------- 1 | /* TEMPLATE GENERATED TESTCASE FILE 2 | Filename: CWE415_Double_Free__malloc_free_wchar_t_18.c 3 | Label Definition File: CWE415_Double_Free__malloc_free.label.xml 4 | Template File: sources-sinks-18.tmpl.c 5 | */ 6 | /* 7 | * @description 8 | * CWE: 415 Double Free 9 | * BadSource: Allocate data using malloc() and Deallocate data using free() 10 | * GoodSource: Allocate data using malloc() 11 | * Sinks: 12 | * GoodSink: do nothing 13 | * BadSink : Deallocate data using free() 14 | * Flow Variant: 18 Control flow: goto statements 15 | * 16 | * */ 17 | 18 | #include "std_testcase.h" 19 | 20 | #include 21 | 22 | #ifndef OMITBAD 23 | 24 | void CWE415_Double_Free__malloc_free_wchar_t_18_bad(char * source) 25 | { 26 | wchar_t * data; 27 | /* Initialize data */ 28 | data = NULL; 29 | goto source; 30 | source: 31 | data = (wchar_t *)malloc(100*sizeof(wchar_t)); 32 | if (data == NULL) {exit(-1);} 33 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 34 | free(data); 35 | goto sink; 36 | sink: 37 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 38 | if (source[0] == '7' && source[1] == '/' && source[2] == '4' 39 | && source[3] == '2' && source[4] == 'a' && source[5] == '8' && source[75] == 'a') 40 | { 41 | free(data); 42 | } 43 | printWLine(data); 44 | } 45 | 46 | #endif /* OMITBAD */ 47 | 48 | #ifndef OMITGOOD 49 | 50 | /* goodB2G() - use badsource and goodsink by reversing the blocks on the second goto statement */ 51 | static void goodB2G() 52 | { 53 | wchar_t * data; 54 | /* Initialize data */ 55 | data = NULL; 56 | goto source; 57 | source: 58 | data = (wchar_t *)malloc(100*sizeof(wchar_t)); 59 | if (data == NULL) {exit(-1);} 60 | /* POTENTIAL FLAW: Free data in the source - the bad sink frees data as well */ 61 | free(data); 62 | goto sink; 63 | sink: 64 | /* do nothing */ 65 | /* FIX: Don't attempt to free the memory */ 66 | ; /* empty statement needed for some flow variants */ 67 | } 68 | 69 | /* goodG2B() - use goodsource and badsink by reversing the blocks on the first goto statement */ 70 | static void goodG2B() 71 | { 72 | wchar_t * data; 73 | /* Initialize data */ 74 | data = NULL; 75 | goto source; 76 | source: 77 | data = (wchar_t *)malloc(100*sizeof(wchar_t)); 78 | if (data == NULL) {exit(-1);} 79 | /* FIX: Do NOT free data in the source - the bad sink frees data */ 80 | goto sink; 81 | sink: 82 | /* POTENTIAL FLAW: Possibly freeing memory twice */ 83 | free(data); 84 | } 85 | 86 | void CWE415_Double_Free__malloc_free_wchar_t_18_good() 87 | { 88 | goodB2G(); 89 | goodG2B(); 90 | } 91 | 92 | #endif /* OMITGOOD */ 93 | 94 | /* Below is the main(). It is only used when building this testcase on 95 | its own for testing or for building a binary to use in testing binary 96 | analysis tools. It is not used when compiling all the testcases as one 97 | application, which is how source code analysis tools are tested. */ 98 | 99 | 100 | 101 | int main(int argc, char * argv[]) 102 | { 103 | /* seed randomness */ 104 | srand( (unsigned)time(NULL) ); 105 | #ifndef OMITGOOD 106 | printLine("Calling good()..."); 107 | CWE415_Double_Free__malloc_free_wchar_t_18_good(); 108 | printLine("Finished good()"); 109 | #endif /* OMITGOOD */ 110 | #ifndef OMITBAD 111 | printLine("Calling bad()..."); 112 | CWE415_Double_Free__malloc_free_wchar_t_18_bad(argv[1]); 113 | printLine("Finished bad()"); 114 | #endif /* OMITBAD */ 115 | return 0; 116 | } 117 | 118 | 119 | -------------------------------------------------------------------------------- /tests/CWE415_Double_Free/includes/std_testcase_io.h: -------------------------------------------------------------------------------- 1 | /* header file to define functions in io.c. Not named io.h 2 | because that name is already taken by a system header on 3 | Windows */ 4 | 5 | #ifndef _STD_TESTCASE_IO_H 6 | #define _STD_TESTCASE_IO_H 7 | 8 | #include "std_testcase.h" /* needed for the twoint struct */ 9 | 10 | #ifdef __cplusplus 11 | extern "C" { 12 | #endif 13 | 14 | void printLine(const char * line); 15 | 16 | void printWLine(const wchar_t * line); 17 | 18 | void printIntLine (int intNumber); 19 | 20 | void printShortLine (short shortNumber); 21 | 22 | void printFloatLine (float floatNumber); 23 | 24 | void printLongLine(long longNumber); 25 | 26 | void printLongLongLine(int64_t longLongIntNumber); 27 | 28 | void printSizeTLine(size_t sizeTNumber); 29 | 30 | void printHexCharLine(char charHex); 31 | 32 | void printWcharLine(wchar_t wideChar); 33 | 34 | void printUnsignedLine(unsigned unsignedNumber); 35 | 36 | void printHexUnsignedCharLine(unsigned char unsignedCharacter); 37 | 38 | void printDoubleLine(double doubleNumber); 39 | 40 | void printStructLine(const twoIntsStruct * structTwoIntsStruct); 41 | 42 | void printBytesLine(const unsigned char * bytes, size_t numBytes); 43 | 44 | size_t decodeHexChars(unsigned char * bytes, size_t numBytes, const char * hex); 45 | 46 | size_t decodeHexWChars(unsigned char * bytes, size_t numBytes, const wchar_t * hex); 47 | 48 | int globalReturnsTrue(); 49 | 50 | int globalReturnsFalse(); 51 | 52 | int globalReturnsTrueOrFalse(); 53 | 54 | /* Define some global variables that will get argc and argv */ 55 | extern int globalArgc; 56 | extern char** globalArgv; 57 | 58 | #ifdef __cplusplus 59 | } 60 | #endif 61 | 62 | #endif 63 | 64 | -------------------------------------------------------------------------------- /tests/CWE416_Use_After_Free/includes/std_testcase_io.h: -------------------------------------------------------------------------------- 1 | /* header file to define functions in io.c. Not named io.h 2 | because that name is already taken by a system header on 3 | Windows */ 4 | 5 | #ifndef _STD_TESTCASE_IO_H 6 | #define _STD_TESTCASE_IO_H 7 | 8 | #include "std_testcase.h" /* needed for the twoint struct */ 9 | 10 | #ifdef __cplusplus 11 | extern "C" { 12 | #endif 13 | 14 | void printLine(const char * line); 15 | 16 | void printWLine(const wchar_t * line); 17 | 18 | void printIntLine (int intNumber); 19 | 20 | void printShortLine (short shortNumber); 21 | 22 | void printFloatLine (float floatNumber); 23 | 24 | void printLongLine(long longNumber); 25 | 26 | void printLongLongLine(int64_t longLongIntNumber); 27 | 28 | void printSizeTLine(size_t sizeTNumber); 29 | 30 | void printHexCharLine(char charHex); 31 | 32 | void printWcharLine(wchar_t wideChar); 33 | 34 | void printUnsignedLine(unsigned unsignedNumber); 35 | 36 | void printHexUnsignedCharLine(unsigned char unsignedCharacter); 37 | 38 | void printDoubleLine(double doubleNumber); 39 | 40 | void printStructLine(const twoIntsStruct * structTwoIntsStruct); 41 | 42 | void printBytesLine(const unsigned char * bytes, size_t numBytes); 43 | 44 | size_t decodeHexChars(unsigned char * bytes, size_t numBytes, const char * hex); 45 | 46 | size_t decodeHexWChars(unsigned char * bytes, size_t numBytes, const wchar_t * hex); 47 | 48 | int globalReturnsTrue(); 49 | 50 | int globalReturnsFalse(); 51 | 52 | int globalReturnsTrueOrFalse(); 53 | 54 | /* Define some global variables that will get argc and argv */ 55 | extern int globalArgc; 56 | extern char** globalArgv; 57 | 58 | #ifdef __cplusplus 59 | } 60 | #endif 61 | 62 | #endif 63 | 64 | --------------------------------------------------------------------------------