wangwei
/
cwetest
Not watched
1
0
Fork 0
Code
Releases 0 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Branch
3.2 MB
55 Download
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
cwetest/CWE126_Buffer_Overread__CWE...

CWE126_Buffer_Overread__CWE129_connect_socket_02.c 12 kB
Raw Permalink Normal View History

1
3 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398 
  1. /* TEMPLATE GENERATED TESTCASE FILE

  2. Filename: CWE126_Buffer_Overread__CWE129_connect_socket_02.c

  3. Label Definition File: CWE126_Buffer_Overread__CWE129.label.xml

  4. Template File: sources-sinks-02.tmpl.c

  5. */

  6. /*

  7.  * @description

  8.  * CWE: 126 Buffer Overread

  9.  * BadSource: connect_socket Read data using a connect socket (client side)

  10.  * GoodSource: Larger than zero but less than 10

  11.  * Sinks:

  12.  *    GoodSink: Ensure the array index is valid

  13.  *    BadSink : Improperly check the array index by not checking the upper bound

  14.  * Flow Variant: 02 Control flow: if(1) and if(0)

  15.  *

  16.  * */

  17. 

  18. #include "std_testcase.h"

  19. 

  20. #ifdef _WIN32

  21. #include <winsock2.h>

  22. #include <windows.h>

  23. #include <direct.h>

  24. #pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */

  25. #define CLOSE_SOCKET closesocket

  26. #else /* NOT _WIN32 */

  27. #include <sys/types.h>

  28. #include <sys/socket.h>

  29. #include <netinet/in.h>

  30. #include <arpa/inet.h>

  31. #include <unistd.h>

  32. #define INVALID_SOCKET -1

  33. #define SOCKET_ERROR -1

  34. #define CLOSE_SOCKET close

  35. #define SOCKET int

  36. #endif

  37. 

  38. #define TCP_PORT 27015

  39. #define IP_ADDRESS "127.0.0.1"

  40. #define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)

  41. 

  42. #ifndef OMITBAD

  43. 

  44. void CWE126_Buffer_Overread__CWE129_connect_socket_02_bad()

  45. {

  46.     int data;

  47.     /* Initialize data */

  48.     data = -1;

  49.     if(1)

  50.     {

  51.         {

  52. #ifdef _WIN32

  53.             WSADATA wsaData;

  54.             int wsaDataInit = 0;

  55. #endif

  56.             int recvResult;

  57.             struct sockaddr_in service;

  58.             SOCKET connectSocket = INVALID_SOCKET;

  59.             char inputBuffer[CHAR_ARRAY_SIZE];

  60.             do

  61.             {

  62. #ifdef _WIN32

  63.                 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)

  64.                 {

  65.                     break;

  66.                 }

  67.                 wsaDataInit = 1;

  68. #endif

  69.                 /* POTENTIAL FLAW: Read data using a connect socket */

  70.                 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

  71.                 if (connectSocket == INVALID_SOCKET)

  72.                 {

  73.                     break;

  74.                 }

  75.                 memset(&service, 0, sizeof(service));

  76.                 service.sin_family = AF_INET;

  77.                 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);

  78.                 service.sin_port = htons(TCP_PORT);

  79.                 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)

  80.                 {

  81.                     break;

  82.                 }

  83.                 /* Abort on error or the connection was closed, make sure to recv one

  84.                  * less char than is in the recv_buf in order to append a terminator */

  85.                 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);

  86.                 if (recvResult == SOCKET_ERROR || recvResult == 0)

  87.                 {

  88.                     break;

  89.                 }

  90.                 /* NUL-terminate the string */

  91.                 inputBuffer[recvResult] = '\0';

  92.                 /* Convert to int */

  93.                 data = atoi(inputBuffer);

  94.             }

  95.             while (0);

  96.             if (connectSocket != INVALID_SOCKET)

  97.             {

  98.                 CLOSE_SOCKET(connectSocket);

  99.             }

  100. #ifdef _WIN32

  101.             if (wsaDataInit)

  102.             {

  103.                 WSACleanup();

  104.             }

  105. #endif

  106.         }

  107.     }

  108.     if(1)

  109.     {

  110.         {

  111.             int buffer[10] = { 0 };

  112.             /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound

  113.              * This check does not check the upper bounds of the array index */

  114.             if (data >= 0)

  115.             {

  116.                 printIntLine(buffer[data]);

  117.             }

  118.             else

  119.             {

  120.                 printLine("ERROR: Array index is negative");

  121.             }

  122.         }

  123.     }

  124. }

  125. 

  126. #endif /* OMITBAD */

  127. 

  128. #ifndef OMITGOOD

  129. 

  130. /* goodB2G1() - use badsource and goodsink by changing the second 1 to 0 */

  131. static void goodB2G1()

  132. {

  133.     int data;

  134.     /* Initialize data */

  135.     data = -1;

  136.     if(1)

  137.     {

  138.         {

  139. #ifdef _WIN32

  140.             WSADATA wsaData;

  141.             int wsaDataInit = 0;

  142. #endif

  143.             int recvResult;

  144.             struct sockaddr_in service;

  145.             SOCKET connectSocket = INVALID_SOCKET;

  146.             char inputBuffer[CHAR_ARRAY_SIZE];

  147.             do

  148.             {

  149. #ifdef _WIN32

  150.                 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)

  151.                 {

  152.                     break;

  153.                 }

  154.                 wsaDataInit = 1;

  155. #endif

  156.                 /* POTENTIAL FLAW: Read data using a connect socket */

  157.                 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

  158.                 if (connectSocket == INVALID_SOCKET)

  159.                 {

  160.                     break;

  161.                 }

  162.                 memset(&service, 0, sizeof(service));

  163.                 service.sin_family = AF_INET;

  164.                 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);

  165.                 service.sin_port = htons(TCP_PORT);

  166.                 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)

  167.                 {

  168.                     break;

  169.                 }

  170.                 /* Abort on error or the connection was closed, make sure to recv one

  171.                  * less char than is in the recv_buf in order to append a terminator */

  172.                 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);

  173.                 if (recvResult == SOCKET_ERROR || recvResult == 0)

  174.                 {

  175.                     break;

  176.                 }

  177.                 /* NUL-terminate the string */

  178.                 inputBuffer[recvResult] = '\0';

  179.                 /* Convert to int */

  180.                 data = atoi(inputBuffer);

  181.             }

  182.             while (0);

  183.             if (connectSocket != INVALID_SOCKET)

  184.             {

  185.                 CLOSE_SOCKET(connectSocket);

  186.             }

  187. #ifdef _WIN32

  188.             if (wsaDataInit)

  189.             {

  190.                 WSACleanup();

  191.             }

  192. #endif

  193.         }

  194.     }

  195.     if(0)

  196.     {

  197.         /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

  198.         printLine("Benign, fixed string");

  199.     }

  200.     else

  201.     {

  202.         {

  203.             int buffer[10] = { 0 };

  204.             /* FIX: Properly validate the array index and prevent a buffer overread */

  205.             if (data >= 0 && data < (10))

  206.             {

  207.                 printIntLine(buffer[data]);

  208.             }

  209.             else

  210.             {

  211.                 printLine("ERROR: Array index is out-of-bounds");

  212.             }

  213.         }

  214.     }

  215. }

  216. 

  217. /* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */

  218. static void goodB2G2()

  219. {

  220.     int data;

  221.     /* Initialize data */

  222.     data = -1;

  223.     if(1)

  224.     {

  225.         {

  226. #ifdef _WIN32

  227.             WSADATA wsaData;

  228.             int wsaDataInit = 0;

  229. #endif

  230.             int recvResult;

  231.             struct sockaddr_in service;

  232.             SOCKET connectSocket = INVALID_SOCKET;

  233.             char inputBuffer[CHAR_ARRAY_SIZE];

  234.             do

  235.             {

  236. #ifdef _WIN32

  237.                 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)

  238.                 {

  239.                     break;

  240.                 }

  241.                 wsaDataInit = 1;

  242. #endif

  243.                 /* POTENTIAL FLAW: Read data using a connect socket */

  244.                 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

  245.                 if (connectSocket == INVALID_SOCKET)

  246.                 {

  247.                     break;

  248.                 }

  249.                 memset(&service, 0, sizeof(service));

  250.                 service.sin_family = AF_INET;

  251.                 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);

  252.                 service.sin_port = htons(TCP_PORT);

  253.                 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)

  254.                 {

  255.                     break;

  256.                 }

  257.                 /* Abort on error or the connection was closed, make sure to recv one

  258.                  * less char than is in the recv_buf in order to append a terminator */

  259.                 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);

  260.                 if (recvResult == SOCKET_ERROR || recvResult == 0)

  261.                 {

  262.                     break;

  263.                 }

  264.                 /* NUL-terminate the string */

  265.                 inputBuffer[recvResult] = '\0';

  266.                 /* Convert to int */

  267.                 data = atoi(inputBuffer);

  268.             }

  269.             while (0);

  270.             if (connectSocket != INVALID_SOCKET)

  271.             {

  272.                 CLOSE_SOCKET(connectSocket);

  273.             }

  274. #ifdef _WIN32

  275.             if (wsaDataInit)

  276.             {

  277.                 WSACleanup();

  278.             }

  279. #endif

  280.         }

  281.     }

  282.     if(1)

  283.     {

  284.         {

  285.             int buffer[10] = { 0 };

  286.             /* FIX: Properly validate the array index and prevent a buffer overread */

  287.             if (data >= 0 && data < (10))

  288.             {

  289.                 printIntLine(buffer[data]);

  290.             }

  291.             else

  292.             {

  293.                 printLine("ERROR: Array index is out-of-bounds");

  294.             }

  295.         }

  296.     }

  297. }

  298. 

  299. /* goodG2B1() - use goodsource and badsink by changing the first 1 to 0 */

  300. static void goodG2B1()

  301. {

  302.     int data;

  303.     /* Initialize data */

  304.     data = -1;

  305.     if(0)

  306.     {

  307.         /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

  308.         printLine("Benign, fixed string");

  309.     }

  310.     else

  311.     {

  312.         /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to

  313.          * access an index of the array in the sink that is out-of-bounds */

  314.         data = 7;

  315.     }

  316.     if(1)

  317.     {

  318.         {

  319.             int buffer[10] = { 0 };

  320.             /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound

  321.              * This check does not check the upper bounds of the array index */

  322.             if (data >= 0)

  323.             {

  324.                 printIntLine(buffer[data]);

  325.             }

  326.             else

  327.             {

  328.                 printLine("ERROR: Array index is negative");

  329.             }

  330.         }

  331.     }

  332. }

  333. 

  334. /* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */

  335. static void goodG2B2()

  336. {

  337.     int data;

  338.     /* Initialize data */

  339.     data = -1;

  340.     if(1)

  341.     {

  342.         /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to

  343.          * access an index of the array in the sink that is out-of-bounds */

  344.         data = 7;

  345.     }

  346.     if(1)

  347.     {

  348.         {

  349.             int buffer[10] = { 0 };

  350.             /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound

  351.              * This check does not check the upper bounds of the array index */

  352.             if (data >= 0)

  353.             {

  354.                 printIntLine(buffer[data]);

  355.             }

  356.             else

  357.             {

  358.                 printLine("ERROR: Array index is negative");

  359.             }

  360.         }

  361.     }

  362. }

  363. 

  364. void CWE126_Buffer_Overread__CWE129_connect_socket_02_good()

  365. {

  366.     goodB2G1();

  367.     goodB2G2();

  368.     goodG2B1();

  369.     goodG2B2();

  370. }

  371. 

  372. #endif /* OMITGOOD */

  373. 

  374. /* Below is the main(). It is only used when building this testcase on

  375.    its own for testing or for building a binary to use in testing binary

  376.    analysis tools. It is not used when compiling all the testcases as one

  377.    application, which is how source code analysis tools are tested. */

  378. 

  379. #ifdef INCLUDEMAIN

  380. 

  381. int main(int argc, char * argv[])

  382. {

  383.     /* seed randomness */

  384.     srand( (unsigned)time(NULL) );

  385. #ifndef OMITGOOD

  386.     printLine("Calling good()...");

  387.     CWE126_Buffer_Overread__CWE129_connect_socket_02_good();

  388.     printLine("Finished good()");

  389. #endif /* OMITGOOD */

  390. #ifndef OMITBAD

  391.     printLine("Calling bad()...");

  392.     CWE126_Buffer_Overread__CWE129_connect_socket_02_bad();

  393.     printLine("Finished bad()");

  394. #endif /* OMITBAD */

  395.     return 0;

  396. }

  397. 

  398. #endif

No Description

Contributors (1)
All