National Institute of Standards and Technology
Package illustrating a test case

Test case 153658

Description

This test case creates two buffers on the stack, one of 64 bytes and one of 1024 bytes. It copies the taint source into the larger buffer. It checks whether the length of the taint source is less than the length of the shorter buffer. If it is, it uses strncpy to copy the taint source into the shorter buffer, passing a length argument of 1024 bytes. However, strncpy always writes exactly the number of bytes given by its length argument, padding with NUL bytes past the end of the source string, and so writes 1024 bytes. This overflows the short buffer and corrupts other data on the stack. The saved %eip is corrupted, resulting in a segmentation fault at function return.

Metadata
- Base program: PostgreSQL
- Source Taint: FILE_CONTENTS
- Data Type: ARRAY
- Data Flow: VAR_ARG_LIST
- Control Flow: MACROS
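The two behaviours the description relies on, shown as an added example that is not the test case's own code: a measurement that strncpy writes its full length argument regardless of the source length, and a hardened form of the copy in which both the length check and the strncpy length are tied to the destination buffer. Buffer sizes follow the description; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define SHORT_BUF 64    /* the test case's shorter stack buffer */
#define LONG_BUF  1024  /* the larger buffer the taint is first copied into */

/* Measure how many bytes strncpy(dst, src, n) really writes: prefill a
 * scratch area with a sentinel and count the bytes that changed. For an
 * ASCII source the answer is always n, never strlen(src) + 1. */
size_t strncpy_bytes_written(const char *src, size_t n)
{
    unsigned char scratch[LONG_BUF];
    size_t changed = 0;

    if (n > sizeof scratch)          /* keep the measurement itself in bounds */
        return 0;
    memset(scratch, 0xAA, sizeof scratch);
    strncpy((char *)scratch, src, n);
    for (size_t i = 0; i < sizeof scratch; i++)
        if (scratch[i] != 0xAA)
            changed++;
    return changed;
}

/* Hardened form of the test case's copy. The flawed version checks
 * strlen(src) < SHORT_BUF but passes LONG_BUF as strncpy's length, so
 * 1024 bytes land in a 64-byte buffer. Here the check and the length are
 * both derived from dst_size. Returns 0 on success and -1 when the taint
 * (plus its terminator) does not fit, so the caller can reject the input
 * instead of silently truncating it. */
int copy_taint_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0 || strlen(src) >= dst_size)
        return -1;
    strncpy(dst, src, dst_size);     /* padding stays inside dst */
    dst[dst_size - 1] = '\0';        /* terminator is guaranteed either way */
    return 0;
}

int main(void)
{
    char dst[SHORT_BUF];

    printf("strncpy(.., \"hi\", %d) writes %zu bytes\n", LONG_BUF,
           strncpy_bytes_written("hi", LONG_BUF));
    if (copy_taint_bounded(dst, sizeof dst, "tainted file contents") == 0)
        printf("copied: %s\n", dst);
    return 0;
}
```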
