Displaying test cases 44126 - 44150 of 45437 in total
-
A strncpy generates a string that may be missing a NUL termination. When it is copied with strcpy a stack buffer can be overrun.
-
An integer overflow results in a short malloc() and a heap buffer overflow. A guard in the caller is used to protect against the overflow.
-
An integer overflow results in a short malloc() and a heap buffer overflow. A guard in the caller is used to protect against the overflow, but it is incorrect.
-
An integer overflow results in a short malloc() and a heap buffer overflow. A guard is put in place to protect against the overflow.
-
An integer overflow results in a short malloc() and a heap buffer overflow. A guard is put in place to protect against the overflow, but it is incorrect.
-
An integer overflow results in a short malloc() and a heap buffer overflow.
-
Printf is called with a format from a table. This is not a defect.
-
Syslog is called with a user supplied format string.
-
A chroot() is performed with a chdir().
-
A chroot() is performed without a chdir().
-
Buffer overflow vulnerability using sprintf() as a substitute for the %s conversion specifier on line 42. From "Secure Coding in C and C++" by Robert C. Seacord. Page 214, Figure 6-6
-
Sign error. The flaw is on line 32, where the signed int is converted to an unsigned integer of equal size. Thereby, the test on line 33 is bypassed (because of the negative value of len) and, as memcpy() uses a size_t (defined as unsigned in C99), the negative value of len is converted to a large unsign...
-
Integer overflow. The declaration of the total integer as "unsigned short int" assumes that the combined length of the first and second arguments fits in such an integer. From "Secure Coding in C and C++" by Robert C. Seacord. Page 152, Figure 5-1
-
Overwriting freed memory exploit. On lines 39-40, the first chunk is overwritten, but it was freed on line 36. This example shows an exploit: the call to malloc() on line 41 replaces the address of strcpy() with the address of the shellcode, and the call to strcpy() on line 42 invokes the shellcode. ...
-
Double free exploit code. On line 40, the first chunk is freed, but it was already freed on line 37. Allocating the fifth chunk on line 39 causes memory to be split off from the third chunk, and this results in the first chunk being moved to a regular bin. From "Secure Coding in C and C++" by Rober...
-
Vulnerability to an exploit using the frontlink technique. Similar to unlink(), the frontlink() code segment can be exploited to write data supplied by the attacker to an address also supplied by the attacker. The attacker supplies the address of a memory chunk. The attacker arranges for the firs...
-
Vulnerability to an exploit using the unlink technique. The program allocates three chunks of memory (lines 29-31). The unbounded strcpy() operation is susceptible to a buffer overflow. The boundary tag can be overwritten by a string argument exceeding the length of first because the boundary ta...
-
The longjmp() function. C99 defines the setjmp() macro, the longjmp() function and the jmp_buf type which can be used to bypass the normal function call and return discipline. The longjmp() function can be exploited by overwriting the value of PC (the program counter) in the jmp_buf buffer with t...
-
Program using atexit(). The atexit() function is used in C99 to register the function test() on line 27. The program assigns the string to the global variable glob (on line 28). The test() function is invoked after the program exits and prints out this string. As the atexit() function works by add...
-
Exploits of the .dtors section. An attacker can transfer control to arbitrary code by overwriting the address of the function pointer in the .dtors section. This .dtors section exists only in programs that have been compiled and linked with GCC. From "Secure Coding in C and C++" by Robert C. Seac...
-
Program vulnerable to buffer overflow in the BSS segment. The character array and the function pointer are both uninitialized and stored in the BSS segment. The call of strncpy() on line 36 is an example of an unsafe use of bounded string copy function. A buffer overflow occurs when the length of...
-
The order of evaluation is unspecified in C for the
-
Memory for a Struct object is freed and not referenced further.
-
Return of an uninitialized pointer from a function.
-
Attempt to assign a pointer address without allocating memory.