CWE: 197 Numeric Truncation Error BadSource: fgets Read data from the console using fgets() GoodSource: Less than CHAR_MAX Sinks: BadSink : Convert data to a char Flow Variant: 73 Data flow: data passed in a list from one function to another in different source files

CWE: 197 Numeric Truncation Error BadSource: large Set data to a number larger than SHRT_MAX GoodSource: Less than CHAR_MAX Sinks: to_short BadSink : Convert data to a short Flow Variant: 84 Data flow: data passed to class constructor and destructor by declaring the class object on the heap ...

CWE: 195 Signed to Unsigned Conversion Error BadSource: fgets Read data from the console using fgets() GoodSource: Positive integer Sinks: memmove BadSink : Copy strings using memmove() with the length of data Flow Variant: 81 Data flow: data passed in a parameter to an virtual method called...

CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (two) Sinks: add GoodSink: Ensure there will not be an overflow before adding 1 to data BadSink : Add 1 to data, which can cause an overflow Flow Variant: 8...

CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (two) Sinks: add GoodSink: Ensure there will not be an overflow before adding 1 to data BadSink : Add 1 to data, which can cause an overflow Flow Variant: 83 Data flow: da...

CWE: 190 Integer Overflow BadSource: max Set data to the max value for int64_t GoodSource: Set data to a small, non-zero number (two) Sinks: multiply GoodSink: Ensure there will not be an overflow before multiplying data by 2 BadSink : If data is positive, multiply by 2, which can cause an o...

CWE: 134 Uncontrolled Format String BadSource: environment Read input from an environment variable GoodSource: Copy a fixed string into data Sinks: printf GoodSink: printf with %s as the first argument and data as the second BadSink : printf with only data as an argument Flow Variant: 72 Da...

CWE: 134 Uncontrolled Format String BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Copy a fixed string into data Sinks: vprintf GoodSink: vprintf with a format string BadSink : vprintf without a format string Flow Variant: 73 Data flow: data passed in a...

CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())

CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: cpy BadSink : Copy data to string using strcpy Flow Variant: 51 Data flow: data passed as an argument from one function to another i...

CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: memmove BadSink : Copy data to string using memmove Flow Variant: 33 Data flow: use of a C++ reference to data within the same func...

CWE: 126 Buffer Over-read BadSource: Use a small buffer GoodSource: Use a large buffer Sinks: loop BadSink : Copy data to string using a loop Flow Variant: 33 Data flow: use of a C++ reference to data within the same function

CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memcpy BadSink : Copy string to data using memcpy Flow Variant: 17 Control flow: for loops

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data to a small buffer GoodSource: Initialize data to a buffer large enough to hold a TwoIntsClass Sinks: GoodSink: Allocate a new class using placement new and a buffer that is large enough to hold the class BadSink : Allocate a new...

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 54 Data flow: data passed as an argument from one function through three others to a fifth; ...

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: loop BadSink : Copy int64_t array to data using a loop Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE...

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: ncat BadSink : Copy string to data using strncat Flow Variant: 17 Control flow: for loops

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: ncat BadSink : Copy string to data using strncat Flow Variant: 15 Control flow: switch(6)

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory for a string, but do not allocate space for NULL terminator GoodSource: Allocate enough memory for a string and the NULL terminator Sink: cpy BadSink : Copy string to data using wcscpy() Flow Variant: 22 Control flow: Flow contr...

CWE: 122 Heap Based Buffer Overflow BadSource: large Large index value that is greater than 10-1 GoodSource: Larger than zero but less than 10 Sinks: GoodSink: Ensure the array index is valid BadSink : Improperly check the array index by not checking the upper bound Flow Variant: 54 Data fl...

CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sinks: ncat BadSink : Copy data to string using strncat Flow Variant: 72 Data flow: data passed in a vector from one function to another in different source files

CWE: 114 Process Control BadSource: console Read input from the console GoodSource: Hard code the full pathname to the library Sinks: BadSink : Load a dynamic link library Flow Variant: 81 Data flow: data passed in a parameter to an virtual method called via a reference

CWE: 114 Process Control BadSource: relativePath Hard code the relative pathname to the library GoodSource: Hard code the full pathname to the library Sinks: BadSink : Load a dynamic link library Flow Variant: 84 Data flow: data passed to class constructor and destructor by declaring the cla...

Get password program. The security flaw is due to the gets() on line 25. If the entry contains more than 11 characters (remember the null terminating character) the gets() function performs a buffer overflow. From "Secure Coding in C and C++" by Robert C. Seacord. Page 33, Figure 2-9