National Institute of Standards and Technology
Package illustrating a test case

Test case 153702

Description

This test case allocates a struct on the heap that contains an 8-character buffer, followed by a pointer. The pointer is set to point to the beginning of the 8-character buffer. The taint source is copied into the 8-character buffer using strncpy, but the length is incorrectly capped at the length of the taint source rather than the length of the 8-character buffer. If the taint source is 8 characters or longer, the strncpy will overflow the 8-character buffer, overwriting the pointer that follows it. The test case then calls strlen on the following pointer, and if this pointer is no longer valid (due to the overflow), this causes a segmentation fault.
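As an added illustration (not the test case's own code; struct and function names are assumptions), the layout described above with the strncpy bound taken from the source, next to a hardened copy whose bound is derived from the destination and which reports truncation:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Layout mirrors the test case: an 8-byte buffer immediately followed by a
 * pointer that aliases the start of that buffer. Names are assumptions. */
#define BUF_LEN 8
struct record {
    char  buf[BUF_LEN];
    char *alias;
};

/* The defective pattern the test case describes: the strncpy bound comes
 * from the (tainted) source, not the destination, so a source of BUF_LEN
 * bytes or more runs into 'alias'. Kept for comparison only; not called
 * with long input in this example. */
void fill_unsafe(struct record *r, const char *src)
{
    r->alias = r->buf;
    strncpy(r->buf, src, strlen(src));   /* wrong bound: source length */
}

/* Hardened version: bound from sizeof the destination, explicit NUL
 * terminator, and a truncation flag the caller can log or reject on. */
bool fill_safe(struct record *r, const char *src)
{
    size_t n = strlen(src);
    bool truncated = n >= sizeof r->buf;
    size_t copy = truncated ? sizeof r->buf - 1 : n;

    r->alias = r->buf;
    memcpy(r->buf, src, copy);
    r->buf[copy] = '\0';
    return truncated;
}

/* The invariant the overflow breaks: the pointer stored after the buffer
 * must still point at the buffer itself before strlen is called on it. */
bool alias_intact(const struct record *r)
{
    return r->alias == r->buf;
}

int main(void)
{
    struct record r;
    const char *taint = "0123456789ABCDEF";   /* constructed 16-char input */
    bool trunc = fill_safe(&r, taint);
    printf("truncated=%d alias_intact=%d stored=\"%s\" len=%zu\n",
           trunc, alias_intact(&r), r.alias, strlen(r.alias));
    return 0;
}
```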
Metadata
- Base program: Subversion
- Source Taint: FILE_CONTENTS
- Data Type: HEAP_POINTER
- Data Flow: ADDRESS_ALIAS_10
- Control Flow: SEQUENCE
