The bit shift is bigger than the size of the integral type or is negative. These test cases were graciously provided by Frederic Michaud of Defense Research & Development Canada - Valcartier. Please see test case ID 000-001-518 for an executable suite of all the DRDC test cases.

This test case includes the entire suite of code examples provided by DRDC. It contains a main function so that the tests can be executed. Please see the included readme.txt for instructions on preprocessor definitions to make the suite work as desired. These test cases were graciously provided b...

Because of the test for file existence in lines 33 and 35 and the file open on line 36 both use file names. This code contains a TOCTOU - Time of check, Time of use - vulnerability. The code can be exploited by the creation of a symbolic link with the name of the file. From "Secure Coding in C an...

Code with TOCTOU - Time of check, Time of use - culnerability involving stat(). The TOCTOU check occurs with the call of stat() on line 41 and the use is the call of fopen() on line 49. An attacker can simply exploit this vulnerabilty using a symlink: erase the file and make a symbolic link to th...

Extremly insecure stdio implementation. The program reads a filename from stdin on line 26 and attemps to open the file on line 26. This program is vulnerable to buffer overflows on line 26 and format string exploit on line 30. From \"Secure Coding in C and C \" by Robert C. Seacord. Page 215, ...

Buffer overflow vulnerability using sprintf() as a substitute of %s conversion specifier on line 42. From "Secure Coding in C and C++" by Robert C. Seacord. Page 214, Figure 6-6

This example of printing usage information with formatted output shows a flaw that can be exploited to run arbitrary code. By controlling the content of the format string a user can, in effect, cotrol execution of the formatted output function. From "Secure Coding in C and C++" by Robert C. Seaco...

Sign error. The flaw is on line 32 the signed int is converted to a unsigned integer of equal size. Thereby, the test on line 33 bypasses (because of the negative value of the len) and as memcpy() uses a size_t (defined as unsigned in C99), the negative value of len is converted to a large unsign...

Integer overflow. The declaration of total integer as "unsigned short int" assumes that the length of the first and second arguments fits in such an integer. From "Secure Coding in C and C++" by Robert C. Seacord. Page 152, Figure 5-1

Exploit of buffer overflow in dynamic memory on Windows. This exploit requires that the overwriten memory adress is executable. The HeapFree() on line 38 creates a gap in the contiguous allocated memory. The memcpy() on line 39 is an example of exploit. The first 16 bytes of malArg overwrite the ...

Overwriting freed memory exploit. On lines 39-40, the first chunck is overwriting but it was freed on line 36. This example show an exploit: the call to malloc() on line 41 replaces the adress pf strcpy() with the adress of the shellcode and the call to strcpy() on line 42 invokes the shellcode. ...

Double free exploit code. On line 40, the first chunk is free but it was already done on line 37. Allocating the fifth chunk on line 39 causes memory to being split off from the thirf chunk and this result in the first chunk being moved to a regular bin. From "Secure Coding in C and C++" by Rober...

Vulnerability to an exploit using the frontlink technique. Similar to unlink(), the frontlink() code segment can be exploited to write data supplied by the attacker to an address also supplied by the attacker. The attacker supplies the address of a memory chunk. The attacker arranges for the firs...

Vulnerability to an exploit using the unlink technique. The programs allocates trhee chucks of memory (lines 29-31). The unbounded strcpy() operation is susceptible to a buffer overflow. The boundary tag can be overwritten by a string argument exceeding the length of first because the boundary ta...

The longjmp() function. C99 defines the setjmp() macro, the longjmp() function and the jmp_buf type which can be used to bypass the normal function call and return discipline. The longjmp() function can be exploited by overwriting the value of PC (the program counter) in the jmp_buf buffer with t...

Program using atexit(). The atexit() function is used in C99 to register a function test() on line 27. The program assigns the string to the global variable glob (on line 28). The test() function is invoked after the program exists and prints out this string. As the atexit() function works by add...

The semantics of virtual functions. As most C++ compilers implement virtual functions using a Virtual Function Table (VTBL). The VTBL is an array of function pointers that is used at runtime for dispatching virtual function calls. It"s possible to overwrite function pointers in the VTBL or change...

Exploits of the .dtors section. An attacker can transfer control to arbitrary code by overwriting the address of the function pointer in the .dtors section. This .dtors section exists only in programs that have been compiled and linked with GCC. From "Secure Coding in C and C++" by Robert C. Seac...

Modifying the instruction pointer. The invocation through the function pointer funcPtr uses an indirect reference, and the address inthe referenced location can be overwritten. As the function pointer address cannot be resolved at compiled time, it can be exploited to transfer control to arbitrar...

Program vulnerable to buffer overflow in the BSS segment. The character array and the function pointer are both uninitialized and stored in the BSS segment. The call of strncpy() on line 36 is an example of an unsafe use of bounded string copy function. A buffer overflow occurs when the length of...

Extracting object from cin to std::string object. This example is quite safe because if there is a buffer overflow, C++ will throw a out_of_range exception. From "Secure Coding in C and C++" by Robert C. Seacord. Page 61, Figure 2-33

Input validation. The size of the first argument must be lower than 99 even it will produces a buffer overflow when copied into the buff array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 52, Figure 2-29

Program vulnerable to arc injection exploit. The buffer overflow occurs on line 25 when memcpy() will copy the first entry argument into the 3 characters array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 49, Figure 2-27

Get password program. The security flaw is due to the gets() on line 25. If the entry contains more than 11 characters (remember the null terminating character) the gets() function performs a buffer overflow. From "Secure Coding in C and C++" by Robert C. Seacord. Page 33, Figure 2-9

Defective string manipulation code. If the first argument exceeds 128 characters (including the null one) the program will write outside of the bounds of the fixed size array. From "Secure Coding in C and C++" by Robert C. Seacord. Page 32, Figure 2-8