Description
This test case allocates a stack buffer of size 16. It takes the user input and performs a check to see if it is possible to copy the user input into a 16-byte buffer. If the user input is larger than 15 bytes, then the check method returns a -1. This value is converted to an unsigned type (size_t), resulting in an enormous number if the check method returned -1. The test case then uses that unsigned value as a size for the copy from the user input into the stack buffer. Because the unsigned value is huge, this overwrites the stack, resulting in a segmentation fault upon return from the function.
Metadata
- Base program: Subversion
- Source Taint: FILE_CONTENTS
- Data Type: HEAP_POINTER
- Data Flow: ADDRESS_AS_VARIABLE
- Control Flow: INDIRECTLY_RECURSIVE
Flaws
Test Suites
Apache Subversion 1.8.3
IARPA STONESOUP Phase 3 - Test Cases
Documentation
Have any comments on this test case? Please, send us an email.