National Institute of Standards and Technology
Package illustrating a test case

Test case 150067

Description

This test case implements an asynchronous, unsafe signal handler that accesses a string without properly null-checking the pointer. The test case takes the name of a control file and an input string. The control file is used for timing within the test case to ensure that the test case follows an exploiting or benign execution path, and the input string is used as shared data for the threads to act upon. When executing, the test case assigns a signal handler that accesses an internal array, printing its data to the output string. The test case then iterates through the input string, copying each character into the internal array, initialized to a size of 51. If the input string is greater than 50 characters in length, the test case resizes the array, temporarily setting it to null. If the signal handler is invoked while the new array is set to null, the signal handler will dereference the null pointer, resulting in a segfault.
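The pattern described above, with the hardened alternative beside it, as an added example that is not the test case's own source: the vulnerable handler touches the shared buffer directly, while the safe version only sets a flag and the resize runs with the signal blocked so the pointer is never observed null. SIGUSR1 is assumed as the signal, since the page does not name one.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not the SARD test case source. */
static char *shared = NULL;                 /* buffer shared with the handler */
static size_t shared_cap = 51;              /* the test case's initial size */
static volatile sig_atomic_t pending = 0;   /* set by the hardened handler */
/* Vulnerable pattern (never installed here): the handler reads the shared
 * buffer directly, so a signal landing while shared == NULL dereferences NULL. */
void unsafe_handler(int sig) { (void)sig; (void)strlen(shared); }

/* Hardened handler: only records the event, which is async-signal-safe. */
static void safe_handler(int sig) { (void)sig; pending = 1; }

/* Grow the buffer with SIGUSR1 blocked so no handler runs mid-update, and never
 * publish NULL: on allocation failure the old buffer stays. 1 = ok, 0 = failed. */
static int resize_blocked(size_t new_cap) {
    sigset_t block, old;
    sigemptyset(&block);
    sigaddset(&block, SIGUSR1);
    sigprocmask(SIG_BLOCK, &block, &old);
    char *tmp = realloc(shared, new_cap);
    if (tmp) { shared = tmp; shared_cap = new_cap; }
    sigprocmask(SIG_SETMASK, &old, NULL);   /* a deferred signal is delivered here */
    return tmp != NULL;
}

/* Copy input into the shared buffer, growing past 50 chars as the test case
 * does. Returns the resulting capacity, or 0 on allocation failure. */
static size_t copy_input(const char *input) {
    size_t n = strlen(input);
    if (!shared && !(shared = calloc(shared_cap, 1))) return 0;
    if (n + 1 > shared_cap && !resize_blocked(n + 1)) return 0;
    memcpy(shared, input, n + 1);
    return shared_cap;
}

/* Install the safe handler, copy a constructed 60-char input (over the limit),
 * raise SIGUSR1, then do the string work in normal context. Returns 60. */
static size_t run_demo(void) {
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_handler; sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0) return 0;
    char big[61]; memset(big, 'A', 60); big[60] = '\0';
    if (copy_input(big) != 61) return 0;
    raise(SIGUSR1);                         /* handler only sets pending */
    return pending ? strlen(shared) : 0u;   /* strlen is safe here: 60 */
}
```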
Metadata
- Base program: Subversion
- Source Taint: FILE_CONTENTS
- Data Type: ARRAY
- Data Flow: VAR_ARG_LIST
- Control Flow: INFINITE_LOOP

Flaws

Test Suites

Documentation
