National Institute of Standards and Technology
Package illustrating a test case

Test case 153143

Description

This test case checks if the taint source is less than 20 characters, and if so, allocates a buffer on the heap with 20 characters. It sets the buffer to all 0's, then calls realpath on the taint source, with the destination being the 20-character heap buffer. If realpath evaluates to more than 20 characters, it will over-write memory reserved for the memory manager, resulting in a glibc error when the heap buffer is freed.
Metadata
- Base program: Subversion
- Source Taint: SOCKET
- Data Type: SIMPLE
- Data Flow: ADDRESS_AS_VARIABLE
- Control Flow: CALLBACK

Flaws

Test Suites

Documentation

Have any comments on this test case? Please, send us an email.