/* TEMPLATE GENERATED TESTCASE FILE Filename: CWE606_Unchecked_Loop_Condition__char_connect_socket_02.c Label Definition File: CWE606_Unchecked_Loop_Condition.label.xml Template File: sources-sinks-02.tmpl.c */ /* * @description * CWE: 606 Unchecked Input For Loop Condition * BadSource: connect_socket Read data using a connect socket (client side) * GoodSource: Input a number less than MAX_LOOP * Sinks: * GoodSink: Use data as the for loop variant after checking to see if it is less than MAX_LOOP * BadSink : Use data as the for loop variant without checking its size * Flow Variant: 02 Control flow: if(1) and if(0) * * */ #include "std_testcase.h" #define MAX_LOOP 10000 #ifndef _WIN32 #include #endif #ifdef _WIN32 #include #include #include #pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */ #define CLOSE_SOCKET closesocket #else /* NOT _WIN32 */ #include #include #include #include #include #define INVALID_SOCKET -1 #define SOCKET_ERROR -1 #define CLOSE_SOCKET close #define SOCKET int #endif #define TCP_PORT 27015 #define IP_ADDRESS "127.0.0.1" #ifndef OMITBAD void CWE606_Unchecked_Loop_Condition__char_connect_socket_02_bad() { char * data; char dataBuffer[100] = ""; data = dataBuffer; if(1) { { #ifdef _WIN32 WSADATA wsaData; int wsaDataInit = 0; #endif int recvResult; struct sockaddr_in service; char *replace; SOCKET connectSocket = INVALID_SOCKET; size_t dataLen = strlen(data); do { #ifdef _WIN32 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR) { break; } wsaDataInit = 1; #endif /* POTENTIAL FLAW: Read data using a connect socket */ connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (connectSocket == INVALID_SOCKET) { break; } memset(&service, 0, sizeof(service)); service.sin_family = AF_INET; service.sin_addr.s_addr = inet_addr(IP_ADDRESS); service.sin_port = htons(TCP_PORT); if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR) { break; } /* Abort on error or the connection was closed, make sure to recv one * less char than is in the recv_buf in order to append a terminator */ /* Abort on error or the connection was closed */ recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0); if (recvResult == SOCKET_ERROR || recvResult == 0) { break; } /* Append null terminator */ data[dataLen + recvResult / sizeof(char)] = '\0'; /* Eliminate CRLF */ replace = strchr(data, '\r'); if (replace) { *replace = '\0'; } replace = strchr(data, '\n'); if (replace) { *replace = '\0'; } } while (0); if (connectSocket != INVALID_SOCKET) { CLOSE_SOCKET(connectSocket); } #ifdef _WIN32 if (wsaDataInit) { WSACleanup(); } #endif } } if(1) { { int i, n, intVariable; if (sscanf(data, "%d", &n) == 1) { /* POTENTIAL FLAW: user-supplied value 'n' could lead to very large loop iteration */ intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } } #endif /* OMITBAD */ #ifndef OMITGOOD /* goodB2G1() - use badsource and goodsink by changing the second 1 to 0 */ static void goodB2G1() { char * data; char dataBuffer[100] = ""; data = dataBuffer; if(1) { { #ifdef _WIN32 WSADATA wsaData; int wsaDataInit = 0; #endif int recvResult; struct sockaddr_in service; char *replace; SOCKET connectSocket = INVALID_SOCKET; size_t dataLen = strlen(data); do { #ifdef _WIN32 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR) { break; } wsaDataInit = 1; #endif /* POTENTIAL FLAW: Read data using a connect socket */ connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (connectSocket == INVALID_SOCKET) { break; } memset(&service, 0, sizeof(service)); service.sin_family = AF_INET; service.sin_addr.s_addr = inet_addr(IP_ADDRESS); service.sin_port = htons(TCP_PORT); if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR) { break; } /* Abort on error or the connection was closed, make sure to recv one * less char than is in the recv_buf in order to append a terminator */ /* Abort on error or the connection was closed */ recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0); if (recvResult == SOCKET_ERROR || recvResult == 0) { break; } /* Append null terminator */ data[dataLen + recvResult / sizeof(char)] = '\0'; /* Eliminate CRLF */ replace = strchr(data, '\r'); if (replace) { *replace = '\0'; } replace = strchr(data, '\n'); if (replace) { *replace = '\0'; } } while (0); if (connectSocket != INVALID_SOCKET) { CLOSE_SOCKET(connectSocket); } #ifdef _WIN32 if (wsaDataInit) { WSACleanup(); } #endif } } if(0) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { { int i, n, intVariable; if (sscanf(data, "%d", &n) == 1) { /* FIX: limit loop iteration counts */ if (n < MAX_LOOP) { intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } } } /* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */ static void goodB2G2() { char * data; char dataBuffer[100] = ""; data = dataBuffer; if(1) { { #ifdef _WIN32 WSADATA wsaData; int wsaDataInit = 0; #endif int recvResult; struct sockaddr_in service; char *replace; SOCKET connectSocket = INVALID_SOCKET; size_t dataLen = strlen(data); do { #ifdef _WIN32 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR) { break; } wsaDataInit = 1; #endif /* POTENTIAL FLAW: Read data using a connect socket */ connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (connectSocket == INVALID_SOCKET) { break; } memset(&service, 0, sizeof(service)); service.sin_family = AF_INET; service.sin_addr.s_addr = inet_addr(IP_ADDRESS); service.sin_port = htons(TCP_PORT); if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR) { break; } /* Abort on error or the connection was closed, make sure to recv one * less char than is in the recv_buf in order to append a terminator */ /* Abort on error or the connection was closed */ recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0); if (recvResult == SOCKET_ERROR || recvResult == 0) { break; } /* Append null terminator */ data[dataLen + recvResult / sizeof(char)] = '\0'; /* Eliminate CRLF */ replace = strchr(data, '\r'); if (replace) { *replace = '\0'; } replace = strchr(data, '\n'); if (replace) { *replace = '\0'; } } while (0); if (connectSocket != INVALID_SOCKET) { CLOSE_SOCKET(connectSocket); } #ifdef _WIN32 if (wsaDataInit) { WSACleanup(); } #endif } } if(1) { { int i, n, intVariable; if (sscanf(data, "%d", &n) == 1) { /* FIX: limit loop iteration counts */ if (n < MAX_LOOP) { intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } } } /* goodG2B1() - use goodsource and badsink by changing the first 1 to 0 */ static void goodG2B1() { char * data; char dataBuffer[100] = ""; data = dataBuffer; if(0) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Set data to a number less than MAX_LOOP */ strcpy(data, "15"); } if(1) { { int i, n, intVariable; if (sscanf(data, "%d", &n) == 1) { /* POTENTIAL FLAW: user-supplied value 'n' could lead to very large loop iteration */ intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } } /* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */ static void goodG2B2() { char * data; char dataBuffer[100] = ""; data = dataBuffer; if(1) { /* FIX: Set data to a number less than MAX_LOOP */ strcpy(data, "15"); } if(1) { { int i, n, intVariable; if (sscanf(data, "%d", &n) == 1) { /* POTENTIAL FLAW: user-supplied value 'n' could lead to very large loop iteration */ intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } } void CWE606_Unchecked_Loop_Condition__char_connect_socket_02_good() { goodB2G1(); goodB2G2(); goodG2B1(); goodG2B2(); } #endif /* OMITGOOD */ /* Below is the main(). It is only used when building this testcase on its own for testing or for building a binary to use in testing binary analysis tools. It is not used when compiling all the testcases as one application, which is how source code analysis tools are tested. */ #ifdef INCLUDEMAIN int main(int argc, char * argv[]) { /* seed randomness */ srand( (unsigned)time(NULL) ); #ifndef OMITGOOD printLine("Calling good()..."); CWE606_Unchecked_Loop_Condition__char_connect_socket_02_good(); printLine("Finished good()"); #endif /* OMITGOOD */ #ifndef OMITBAD printLine("Calling bad()..."); CWE606_Unchecked_Loop_Condition__char_connect_socket_02_bad(); printLine("Finished bad()"); #endif /* OMITBAD */ return 0; } #endif