Back to the previous page

Test Case ID	2082
Bad / Good	Bad
Author	N/A
Associated test case	N/A
Contributor	Paul E. Black
Language	C
Type of test case	Source Code

Input string	./a.out a234567890 b234567890
Expected Output	results: a234567890b234567890>
Instructions	N/A
Submission date	2009-04-03
Description	Off-by-one error on bounds checking for strcat(). PLOVER: NUM.OBO, BUFF.OVER This replaces case 1320
Filename	./strcat-bad2.c (763 bytes)
Flaw	CWE-121: Stack-based Buffer Overflow at line 25 + Root CWE-019: Data Handling CWE-118: Improper Access of Indexable Resource (Range Error) CWE-119: Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer CWE-120: Buffer Copy without Checking Size of Input CWE-121: Stack-based Buffer Overflow

There is no comments :: Submit a comment ::

>./strcat-bad2.c

/*
  PLOVER: NUM.OBO, BUFF.OVER
*/
 
/*
        Off-by-one error in bounds checking of strcat()
    input: ./a.out a234567890 b234567890
*/
 
 
#include <stdio.h>
#include <string.h>
 
#define MAXSIZE 20
 
void test(char *str, char *str2){
    char pre[2] = "<";
    char buf[MAXSIZE] = "";
    char post[2] = ">";
    if(strlen(str) < MAXSIZE)
        strcpy(buf, str);
    printf(" strcpy: %s%s%s\n", pre, buf, post);
    if(strlen(buf) + strlen(str2) <= MAXSIZE) // theoretical integer overflow
        strcat(buf, str2); // CWE-121
    printf("results: %s%s%s\n", pre, buf, post);
}
 
int main(int argc, char **argv){
    char *userstr;
    char *userstr2;
    if(argc > 2){
        userstr = argv[1];
        userstr2 = argv[2];
        test(userstr,userstr2);
    }
    printf("done\n");
    return 0;
}
 