Test case 1512

Type: source code
State: bad
Author: Robert C. Seacord
Status: candidate
Language: C
Submission Date: 22 May 2006

Description

Sign error. The flaw is on line 32 the signed int is converted to a unsigned integer of equal size. Thereby, the test on line 33 bypasses (because of the negative value of the len) and as memcpy() uses a size_t (defined as unsigned in C99), the negative value of len is converted to a large unsigned value. Then, the memcpy() performs an buffer overflow.
From "Secure Coding in C and C++" by Robert C. Seacord.
Page 183, Figure 5-24

Flaws

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Have any comments on this test case? Please, send us an email.