Displaying test cases 74401 - 74425 of 74755 in total
-
Command injection problems are a subset of injection problems, in which the process is tricked into calling external processes of the attacker's choice through the injection of control-plane data into the data plane. (from TCCLASP-5_2_25_10)
-
CWE: 400 Resource Exhaustion BadSource: fgets Read data from the console using fgets() GoodSource: Assign count to be a relatively small number Sinks: fwrite GoodSink: Write to a file count number of times, but first validate count BadSink : Write to a file count number of times Flow Varian...
-
CWE: 390 Detection of Error Condition Without Action Sinks: w32CreateMutex GoodSink: Check the return value of CreateMutexW() and handle it properly BadSink : Check to see if CreateMutexW() failed, but do nothing about it Flow Variant: 12 Control flow: if(global_returns_t_or_f())
-
CWE: 390 Detection of Error Condition Without Action Sinks: fopen GoodSink: Check to see if _wfopen() failed, and handle errors properly BadSink : Check to see if _wfopen() failed, but fail to handle errors Flow Variant: 13 Control flow: if(global_const_five==5) and if(global_const_five!=5)
-
CWE: 36 Absolute Path Traversal BadSource: fromConsole Read input from the console GoodSource: Full path and file name Sink: open BadSink : Flow Variant: 32 Data flow using two pointers to the same value within the same function
-
CWE: 369 Divide By Zero BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Non-zero Sinks: divide BadSink : Divide a constant by data Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
-
CWE: 253 Incorrect Check of Return Value Sinks: snprintf GoodSink: Correctly check if snwprintf() failed BadSink : Incorrectly check if snwprintf() failed Flow Variant: 02 Control flow: if(1) and if(0)
-
CWE: 253 Incorrect Check of Return Value Sinks: fwrite GoodSink: Correctly check if fwrite() failed BadSink : Incorrectly check if fwrite() failed Flow Variant: 08 Control flow: if(static_returns_t()) and if(static_returns_f())
-
CWE: 252 Unchecked Return Value Sinks: fprintf GoodSink: Check if fwprintf() fails BadSink : Do not check if fwprintf() fails Flow Variant: 07 Control flow: if(static_five==5) and if(static_five!=5)
-
CWE: 197 Numeric Truncation Error BadSource: fscanf Read data from the console using fscanf() GoodSource: Less than CHAR_MAX Sink: BadSink : Convert data to a char Flow Variant: 51 Data flow: data passed as an argument from one function to another in different source files
-
CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Small, non-zero Sinks: square GoodSink: Ensure there is no overflow before performing the squaring operation BadSink : Square data Flow Variant: 66 Data flow: data passed in an array from one function to anot...
-
CWE: 190 Integer Overflow BadSource: fgets Read data from the console using fgets() GoodSource: Small, non-zero Sinks: square GoodSink: Ensure there is no overflow before performing the square root BadSink : Square data Flow Variant: 31 Data flow using a copy of data within the same function
-
CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Small, non-zero Sinks: square GoodSink: Ensure there is no overflow before performing the squaring operation BadSink : Square data Flow Variant: 63 Data flow: pointer to data passed from one function to anoth...
-
CWE: 187 Partial Comparison BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Provide a matching password Sinks: str GoodSink: Compare the 2 passwords correctly BadSink : use strstr() to do password match, which is a partial comparison Flow Variant: 02 Contr...
-
CWE: 134 Uncontrolled Format String BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Copy a fixed string into data Sinks: vsnprintf GoodSink: vsnprintf with a format string BadSink : vsnprintf without a format string Flow Variant: 19 Control flow: Dead code...
-
CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memcpy BadSink : Copy data to string using memcpy Flow Variant: 10 Control flow: if(global_t) and if(global_f)
-
CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memcpy BadSink : Copy data to string using memcpy Flow Variant: 05 Control flow: if(static_t) and if(static_f)
-
CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: memcpy BadSink : Copy data to string using memcpy Flow Variant: 61 Data flow: data returned from one function to another in differe...
-
CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memcpy BadSink : Copy data to string using memcpy Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
-
CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sinks: memcpy BadSink : Copy twointsclass array to data using memcpy Flow Variant: 45 Data flow: data passed as ...
-
CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memcpy BadSink : Copy data to string using memcpy Flow Variant: 19 Control flow: Dead code after a return
-
CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using malloc() and set data pointer to a small buffer GoodSource: Allocate using malloc() and set data pointer to a large buffer Sink: memmove BadSink : Copy long long array to data using memmove Flow Variant: 41 Data flow: data passed...
-
CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using malloc() and set data pointer to a small buffer GoodSource: Allocate using malloc() and set data pointer to a large buffer Sink: loop BadSink : Copy string to data using a loop Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
-
CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memcpy BadSink : Copy data to string using memcpy Flow Variant: 32 Data flow using two pointers to the same value within the same function
-
CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 52 Data flow: data passed as an argument from one function to another to another in three d...