C Test Suite for Source Code Analyzer v2 - Vulnerable Test suite #100
Description
This test suite replaces test suite 45 based on a collaboration with Alexander Hoole from the University of Victoria, BC, Canada. The new test cases provided by these test suites contain the following improvements: removal of extraneous weaknesses, replacement of test cases to align with the CWEs specified in NIST SP 500-268 v1.1, creation of additional test cases to provide consistent BAD/GOOD pairings, application of minor improvements to the code, renaming of files and the addition of FLAW/FIX comments to assist automation, and insertion of improved metadata to assist researchers using SARD. Please refer to the test case metadata fields to view additional information for each test case. Note: Some test cases have been deprecated and replaced with fixed versions since this test suite was initially published.
- A printf is called with a user-supplied format string.
- A syslog is called with a user-supplied format string. An attempt was made to preformat the buffer, but the vulnerability remains.
- malloc'd data is freed more than once. PLOVER: MISC.DFREE
- A file is accessed multiple times by name in a publicly accessible directory. A race condition exists between the accesses, during which an attacker can replace the file referenced by the name.
- A system() is called with user-provided data.
- A string decode function misses a termination check, which allows the decode to proceed past the end of the buffer.
- An ad hoc gets without a bounds check allows a stack buffer to be overrun.
- An ad hoc string copy without a bounds check overflows a stack buffer.
- Syslog is called with a user-supplied format string. An attempt was made to preformat the buffer, but the vulnerability remains.
- A printf is called with a user-supplied format string. This is a defect.
- A gets is never safe for untrusted input due to the lack of buffer length checks.
- An fgets is called with an incorrect bound, allowing a stack buffer to be overrun.
- Integer overflow results in a short malloc and an overflow. A guard was put in place to protect against the overflow, but the guard is incorrect.
- malloc'd data is never freed and all pointers to the data are lost.
- malloc'd data is returned to the caller but never freed.
- malloc'd data is freed before being returned to the caller and then freed again.
- A strcpy overflows a stack buffer. A check was made to avoid an overflow condition, but the check is off by one.
- A length check is not made before strcpy, causing a heap buffer overflow.
- A strncpy is used to copy a string, but the length is given incorrectly, leading to a heap buffer overflow.
- A strcpy is used to copy a string into a heap buffer. The caller shortens the string, but an overflow condition is still allowed.
- Test if the tool can detect a heap inspection vulnerability.
- Stack overflow.
- Test of the tool's ability to identify use of an uninitialized variable (flawed).
- Accidental reference to the wrong memory address due to the semantics of when math operations on pointers are implicitly scaled.
- This Cross-Site Scripting example shows how a CGI program in C takes the arguments and prints them out.