National Institute of Standards and Technology
Package illustrating a test case

Test case 1512

Description

Sign error. The flaw is on line 32, where the signed int is converted to an unsigned integer of equal size. Thereby, the test on line 33 is bypassed (because of the negative value of len), and since memcpy() takes a size_t (defined as unsigned in C99), the negative value of len is converted to a large unsigned value. The memcpy() then performs a buffer overflow.
From "Secure Coding in C and C++" by Robert C. Seacord.
Page 183, Figure 5-24
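The pattern behind this test case, as an added illustration (not the test case's own source, whose lines 32 and 33 are not reproduced here): a signed length compared as a signed quantity lets a negative len through, and memcpy() then receives that value as a huge size_t. The flawed check is modelled as a decision only (the copy itself is not performed, since it would overflow), and is shown beside a hardened variant that rejects negative lengths before any conversion. Buffer size and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KBUF_SIZE 800   /* assumed fixed-size destination buffer */

/* Flawed bounds check, modelled as a decision only.
 * len is compared against the buffer size as a signed int, so a negative
 * len is "smaller" than the limit and the check lets it through.
 * Returns 1 if the copy would proceed, 0 if it would be rejected. */
int flawed_check_accepts(int len)
{
    if (len > (int)KBUF_SIZE)   /* -1 > 800 is false: negative len passes */
        return 0;
    return 1;                   /* memcpy(kbuf, buf, len) would run next */
}

/* Shows what memcpy() actually receives: the implicit int -> size_t
 * conversion turns a negative length into a very large unsigned value. */
size_t as_memcpy_size(int len)
{
    return (size_t)len;         /* -1 becomes SIZE_MAX */
}

/* Hardened copy: reject negative lengths before converting, then bound
 * the (now unsigned) count against the real destination size.
 * Returns the number of bytes copied, or -1 on a rejected length. */
int safe_copy(char *dst, size_t dst_size, const char *src, int len)
{
    if (len < 0)
        return -1;              /* sign checked while still signed */
    size_t n = (size_t)len;     /* safe: len is known non-negative */
    if (n > dst_size)
        return -1;              /* bound against the destination */
    memcpy(dst, src, n);
    return (int)n;
}
```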

Flaws
