C Test Suite for Source Code Analyzer v2 - Vulnerable Test suite #100
DownloadDescription
This test suite replaces test suite 45 based on a collaboration with Alexander Hoole from University of Victoria, BC, Canada. The new test cases provided by these test suites contain the following improvements: removal of extraneous weaknesses, replacement of test cases to align with the CWEs specified in NIST SP 500-268 v1.1, creation of additional test cases to provide consistent BAD/GOOD pairings, application of minor improvements to code, renaming of files and the addition of FLAW/FIX comments to assist automation, and insertion of improved metadata to assist researchers using SARD. Please refer to the test case metadata fields to view additional information for each test case. Note: Some test cases have been deprecated and replaced with fixed versions since this test suite has been initially published.
-
Using the value of an unitialized variable is not safe. (from TCCLASP-5_6_4_10)
-
The test cases implements CVE-2002-1869: Does not check if you can write a log file allow attackers to avoid logging.
-
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as the POSIX malloc() call. (from TCCLASP-5_2_4_10)
-
The test case shows a use of an allocated memory after being freed.
-
Pointer may contain garbage and pass in the check.
-
Test of tool ability to identify a NULL pointer dereference.
-
This is a CGI program which take some parameters values then print it. It shows Cross-Site Scripting in C within a looping complexity.
-
This test case shows a block of memory freed twice.
-
Attempt to return a pointer to memory that has been freed.
-
The test case shows a use of a allocated memory after freed.
-
The test case shows a use of an allocated memory after being freed with a string which is in a structure.
-
The test case shows a use of an allocated memory after being freed.
-
This test case shows double free weakness.
-
The test case exposes a race condition while writing the file.
-
The test case shows a Time-of-Check-Time-of-Use (TOCTOU) race condition between checking file attributes and then opening and writing to the file using random calls to function pointers.
-
Format string problems occur when a user has the ability to control or write completely the format string used to format data in the printf style family of C/ C++ functions. (from TCCLASP-5_2_23_10)
-
Format string problems occur when a user has the ability to control or write completely the format string used to format data in the printf style family of C/C++ functions (flawed).
-
The test case shows a use of a allocated memory after freed.
-
The test case shows a use of an allocated memory after being freed with an extra allocation and free complexity.
-
Command injection problems are a subset of injection problem, in which the process is tricked into calling external processes of the attackers choice through the injection of control-plane data into the data plane. (from TCCLASP-5_2_25_10)
-
Command injection problems are a subset of injection problem, in which the process is tricked into calling external processes of the attackers choice through the injection of control-plane data into the data plane.
-
The test case exposes a null dereference.
-
The test case exposes a null dereference.
-
This test case may dereference a NULL pointer.
-
This test case may dereference a NULL pointer.