/* TEMPLATE GENERATED TESTCASE FILE Filename: CWE606_Unchecked_Loop_Condition__char_environment_01.c Label Definition File: CWE606_Unchecked_Loop_Condition.label.xml Template File: sources-sinks-01.tmpl.c */ /* * @description * CWE: 606 Unchecked Input For Loop Condition * BadSource: environment Read input from an environment variable * GoodSource: Input a number less than MAX_LOOP * Sinks: * GoodSink: Use data as the for loop variant after checking to see if it is less than MAX_LOOP * BadSink : Use data as the for loop variant without checking its size * Flow Variant: 01 Baseline * * */ #include "std_testcase.h" #define MAX_LOOP 10000 #ifndef _WIN32 #include #endif #define ENV_VARIABLE "ADD" #ifdef _WIN32 #define GETENV getenv #else #define GETENV getenv #endif #ifndef OMITBAD void CWE606_Unchecked_Loop_Condition__char_environment_01_bad() { char * data; char dataBuffer[100] = ""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = strlen(data); char * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ strncat(data+dataLen, environment, 100-dataLen-1); } } { int i, n, intVariable; if (sscanf(data, "%d", &n) == 1) { /* POTENTIAL FLAW: user-supplied value 'n' could lead to very large loop iteration */ intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } #endif /* OMITBAD */ #ifndef OMITGOOD /* goodG2B uses the GoodSource with the BadSink */ static void goodG2B() { char * data; char dataBuffer[100] = ""; data = dataBuffer; /* FIX: Set data to a number less than MAX_LOOP */ strcpy(data, "15"); { int i, n, intVariable; if (sscanf(data, "%d", &n) == 1) { /* POTENTIAL FLAW: user-supplied value 'n' could lead to very large loop iteration */ intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } /* goodB2G uses the BadSource with the GoodSink */ static void goodB2G() { char * data; char dataBuffer[100] = ""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = strlen(data); char * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ strncat(data+dataLen, environment, 100-dataLen-1); } } { int i, n, intVariable; if (sscanf(data, "%d", &n) == 1) { /* FIX: limit loop iteration counts */ if (n < MAX_LOOP) { intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } } void CWE606_Unchecked_Loop_Condition__char_environment_01_good() { goodG2B(); goodB2G(); } #endif /* OMITGOOD */ /* Below is the main(). It is only used when building this testcase on its own for testing or for building a binary to use in testing binary analysis tools. It is not used when compiling all the testcases as one application, which is how source code analysis tools are tested. */ #ifdef INCLUDEMAIN int main(int argc, char * argv[]) { /* seed randomness */ srand( (unsigned)time(NULL) ); #ifndef OMITGOOD printLine("Calling good()..."); CWE606_Unchecked_Loop_Condition__char_environment_01_good(); printLine("Finished good()"); #endif /* OMITGOOD */ #ifndef OMITBAD printLine("Calling bad()..."); CWE606_Unchecked_Loop_Condition__char_environment_01_bad(); printLine("Finished bad()"); #endif /* OMITBAD */ return 0; } #endif