National Institute of Standards and Technology

Test case 152878

Description

This test case creates a 1024-byte buffer on the stack and a struct on the heap that contains a 64-byte buffer and a pointer to the beginning of that buffer. It copies the taint source into the 1024-byte stack buffer, then checks whether the length of the taint source is less than the length of the 64-byte buffer. If it is, it uses strncpy to copy the taint source into the 64-byte buffer, but with a bound of 1024 bytes. Because strncpy always writes exactly the bounded number of bytes, padding with NUL bytes after the end of the source string, it writes 1024 bytes. This overflows the rest of the struct, including the pointer that originally pointed to the beginning of the 64-byte buffer. The test case then calls strlen on that pointer. Since the pointer has been corrupted by the overflow, the call causes a segmentation fault.
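As an added illustration in C (not part of the NIST test case source), the faulty strncpy call sits beside a hardened copy routine, and a helper shows that strncpy touches exactly its bound's worth of bytes even when nothing overflows; the struct layout, function names and the 0xFF sentinel byte are assumptions made for this example:

```c
#include <stdlib.h>
#include <string.h>

#define STACK_BUF 1024   /* size of the stack buffer in the test case */

/* Heap struct as described: a 64-byte buffer followed by a pointer to its start. */
struct node { char buf[64]; char *head; };

/* Vulnerable pattern from the page: the length check passes, but the strncpy
 * bound is the SOURCE buffer size (1024), not sizeof n->buf (64). strncpy pads
 * with NUL bytes up to the bound, so it overruns buf into head. Never called. */
static void copy_vulnerable(struct node *n, const char *tmp, size_t tmp_size)
{
    if (strlen(tmp) < sizeof n->buf)
        strncpy(n->buf, tmp, tmp_size);   /* BUG: bound must be sizeof n->buf */
}

/* Hardened copy: bounded by the destination, always NUL-terminated, and
 * over-long input is rejected rather than silently truncated. */
static int copy_hardened(struct node *n, const char *src)
{
    const char *nul = memchr(src, '\0', sizeof n->buf);
    if (!nul) return -1;   /* no terminator within 64 bytes: input does not fit */
    memcpy(n->buf, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Key point, shown safely: strncpy into a large-enough buffer still touches exactly n bytes. */
static size_t bytes_touched_by_strncpy(const char *src, size_t n)
{
    char dst[STACK_BUF];
    size_t touched = 0;
    if (n > sizeof dst) return 0;
    memset(dst, 0xFF, sizeof dst);   /* sentinel byte that never occurs in src */
    strncpy(dst, src, n);
    for (size_t i = 0; i < sizeof dst; i++)
        if ((unsigned char)dst[i] != 0xFF) touched++;
    return touched;
}

/* 1 = copied and head still points at buf, 0 = rejected as too long, -1 = alloc failure. */
static int hardened_outcome(const char *src)
{
    struct node *n = calloc(1, sizeof *n);
    if (!n) return -1;
    n->head = n->buf;
    int rc = copy_hardened(n, src);
    int intact = n->head == n->buf && strlen(n->head) == strlen(src);
    free(n);
    return rc != 0 ? 0 : (intact ? 1 : -1);
}
```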
Metadata
- Base program: Tree
- Source Taint: FILE_CONTENTS
- Data Type: SIMPLE
- Data Flow: BASIC
- Control Flow: SEQUENCE
