/* goodG2B() uses the GoodSource with the BadSink */ static void goodG2B() { wchar_t * data; wchar_t * &dataRef = data; wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t)); wmemset(dataBuffer, L'A', 100-1); dataBuffer[100-1] = L'\0'; /* FIX: Set data pointer to the allocated memory buffer */ data = dataBuffer; { wchar_t * data = dataRef; { wchar_t dest[100]; wmemset(dest, L'C', 100-1); /* fill with 'C's */ dest[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */ memmove(dest, data, 100*sizeof(wchar_t)); /* Ensure null termination */ dest[100-1] = L'\0'; printWLine(dest); } } }
void bad() { long * data; data = NULL; /* Initialize data */ if(globalReturnsTrue()) { { /* FLAW: data is allocated on the stack and deallocated in the BadSink */ long * dataBuffer = (long *)ALLOCA(100*sizeof(long)); { size_t i; for (i = 0; i < 100; i++) { dataBuffer[i] = 5L; } } data = dataBuffer; } } printLongLine(data[0]); /* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */ delete [] data; }
/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */ static void goodG2B1() { wchar_t * data; data = NULL; if(STATIC_CONST_FIVE!=5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Use memory allocated on the stack with ALLOCA */ data = (wchar_t *)ALLOCA(100*sizeof(wchar_t)); /* Initialize and make use of data */ wcscpy(data, L"A String"); printWLine(data); } if(STATIC_CONST_FIVE==5) { /* POTENTIAL FLAW: No deallocation */ ; /* empty statement needed for some flow variants */ } }
/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_TRUE to STATIC_CONST_FALSE */ static void goodG2B1() { int64_t * data; data = NULL; if(STATIC_CONST_FALSE) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Use memory allocated on the stack with ALLOCA */ data = (int64_t *)ALLOCA(100*sizeof(int64_t)); /* Initialize and make use of data */ data[0] = 5LL; printLongLongLine(data[0]); } if(STATIC_CONST_TRUE) { /* POTENTIAL FLAW: No deallocation */ ; /* empty statement needed for some flow variants */ } }
/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */ static void goodG2B() { char * data; char * dataBuffer = (char *)ALLOCA(100*sizeof(char)); memset(dataBuffer, 'A', 100-1); dataBuffer[100-1] = '\0'; while(1) { /* FIX: Set data pointer to the allocated memory buffer */ data = dataBuffer; break; } { char dest[100]; memset(dest, 'C', 100-1); /* fill with 'C's */ dest[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */ memmove(dest, data, 100*sizeof(char)); /* Ensure null termination */ dest[100-1] = '\0'; printLine(dest); } }
void CWE590_Free_Memory_Not_on_Heap__free_long_alloca_11_bad() { long * data; data = NULL; /* Initialize data */ if(globalReturnsTrue()) { { /* FLAW: data is allocated on the stack and deallocated in the BadSink */ long * dataBuffer = (long *)ALLOCA(100*sizeof(long)); { size_t i; for (i = 0; i < 100; i++) { dataBuffer[i] = 5L; } } data = dataBuffer; } } printLongLine(data[0]); /* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */ free(data); }
void bad() { int * data; data = NULL; /* Initialize data */ if(staticTrue) { { /* FLAW: data is allocated on the stack and deallocated in the BadSink */ int * dataBuffer = (int *)ALLOCA(100*sizeof(int)); { size_t i; for (i = 0; i < 100; i++) { dataBuffer[i] = 5; } } data = dataBuffer; } } printIntLine(data[0]); /* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */ delete [] data; }
/* good1() uses if(globalReturnsFalse()) instead of if(globalReturnsTrue()) */ static void good1() { if(globalReturnsFalse()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { { twoIntsStruct data; twoIntsStruct * pointer = (twoIntsStruct *)ALLOCA(sizeof(twoIntsStruct)); data.intOne = 1; data.intTwo = 2; *pointer = data; /* FIX: Assign a value to the thing pointed to by pointer */ { twoIntsStruct data = *pointer; printIntLine(data.intOne); printIntLine(data.intTwo); } } } }
/* goodG2B() uses the GoodSource with the BadSink */ static void goodG2B() { wchar_t * data; wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t)); wmemset(dataBuffer, L'A', 100-1); dataBuffer[100-1] = L'\0'; /* FIX: Set data pointer to the allocated memory buffer */ data = dataBuffer; { wchar_t * dataCopy = data; wchar_t * data = dataCopy; { wchar_t source[100]; wmemset(source, L'C', 100-1); /* fill with 'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */ wcsncpy(data, source, 100-1); /* Ensure the destination buffer is null terminated */ data[100-1] = L'\0'; printWLine(data); } } }
/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */ static void goodG2B1() { char * data; char * dataBuffer = (char *)ALLOCA(100*sizeof(char)); data = dataBuffer; if(staticReturnsFalse()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */ memset(data, 'A', 50-1); /* fill with 'A's */ data[50-1] = '\0'; /* null terminate */ } { char dest[50] = ""; /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/ strcat(dest, data); printLine(data); } }
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */ static void goodG2B2() { TwoIntsClass * data; data = reinterpret_cast<TwoIntsClass *>(ALLOCA(10*sizeof(TwoIntsClass))); if(1) { /* FIX: Completely initialize data */ for(int i=0; i<10; i++) { data[i].intOne = i; data[i].intTwo = i; } } if(1) { /* POTENTIAL FLAW: Use data without initializing it */ for(int i=0; i<10; i++) { printIntLine(data[i].intOne); printIntLine(data[i].intTwo); } } }
/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */ static void goodG2B() { wchar_t * data; wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t)); data = dataBuffer; goto source; source: /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */ wmemset(data, L'A', 50-1); /* fill with L'A's */ data[50-1] = L'\0'; /* null terminate */ { wchar_t dest[50] = L""; size_t i, dataLen; dataLen = wcslen(data); /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */ for (i = 0; i < dataLen; i++) { dest[i] = data[i]; } dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */ printWLine(data); } }
void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_loop_18_bad() { wchar_t * data; wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t)); data = dataBuffer; goto source; source: /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */ wmemset(data, L'A', 100-1); /* fill with L'A's */ data[100-1] = L'\0'; /* null terminate */ { wchar_t dest[50] = L""; size_t i, dataLen; dataLen = wcslen(data); /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */ for (i = 0; i < dataLen; i++) { dest[i] = data[i]; } dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */ printWLine(data); } }
void CWE127_Buffer_Underread__char_alloca_ncpy_17_bad() { int i; char * data; char * dataBuffer = (char *)ALLOCA(100*sizeof(char)); memset(dataBuffer, 'A', 100-1); dataBuffer[100-1] = '\0'; for(i = 0; i < 1; i++) { /* FLAW: Set data pointer to before the allocated memory buffer */ data = dataBuffer - 8; } { char dest[100]; memset(dest, 'C', 100-1); /* fill with 'C's */ dest[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */ strncpy(dest, data, strlen(dest)); /* Ensure null termination */ dest[100-1] = '\0'; printLine(dest); } }
void bad() { int64_t * data; list<int64_t *> dataList; data = NULL; /* Initialize data */ { /* FLAW: data is allocated on the stack and deallocated in the BadSink */ int64_t * dataBuffer = (int64_t *)ALLOCA(100*sizeof(int64_t)); { size_t i; for (i = 0; i < 100; i++) { dataBuffer[i] = 5LL; } } data = dataBuffer; } /* Put data in a list */ dataList.push_back(data); dataList.push_back(data); dataList.push_back(data); badSink(dataList); }
void bad() { TwoIntsClass * data; data = reinterpret_cast<TwoIntsClass *>(ALLOCA(10*sizeof(TwoIntsClass))); if(STATIC_CONST_FIVE==5) { /* POTENTIAL FLAW: Partially initialize data */ for(int i=0; i<(10/2); i++) { data[i].intOne = i; data[i].intTwo = i; } } if(STATIC_CONST_FIVE==5) { /* POTENTIAL FLAW: Use data without initializing it */ for(int i=0; i<10; i++) { printIntLine(data[i].intOne); printIntLine(data[i].intTwo); } } }
void bad() { int64_t * data; vector<int64_t *> dataVector; data = NULL; /* Initialize data */ { /* FLAW: data is allocated on the stack and deallocated in the BadSink */ int64_t * dataBuffer = (int64_t *)ALLOCA(100*sizeof(int64_t)); { size_t i; for (i = 0; i < 100; i++) { dataBuffer[i] = 5LL; } } data = dataBuffer; } /* Put data in a vector */ dataVector.insert(dataVector.end(), 1, data); dataVector.insert(dataVector.end(), 1, data); dataVector.insert(dataVector.end(), 1, data); badSink(dataVector); }
void CWE124_Buffer_Underwrite__char_alloca_memmove_31_bad() { char * data; char * dataBuffer = (char *)ALLOCA(100*sizeof(char)); memset(dataBuffer, 'A', 100-1); dataBuffer[100-1] = '\0'; /* FLAW: Set data pointer to before the allocated memory buffer */ data = dataBuffer - 8; { char * dataCopy = data; char * data = dataCopy; { char source[100]; memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */ memmove(data, source, 100*sizeof(char)); /* Ensure the destination buffer is null terminated */ data[100-1] = '\0'; printLine(data); } } }
/* goodG2B1() - use goodsource and badsink by changing the first GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */ static void goodG2B1() { char * data; data = NULL; if(GLOBAL_CONST_FALSE) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Use memory allocated on the stack with ALLOCA */ data = (char *)ALLOCA(100*sizeof(char)); /* Initialize and make use of data */ strcpy(data, "A String"); printLine(data); } if(GLOBAL_CONST_TRUE) { /* POTENTIAL FLAW: No deallocation */ ; /* empty statement needed for some flow variants */ } }
/* goodG2B() uses the GoodSource with the BadSink */ static void goodG2B() { char * data; char * dataBuffer = (char *)ALLOCA(100*sizeof(char)); memset(dataBuffer, 'A', 100-1); dataBuffer[100-1] = '\0'; /* FIX: Set data pointer to the allocated memory buffer */ data = dataBuffer; { char * dataCopy = data; char * data = dataCopy; { char source[100]; memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */ memmove(data, source, 100*sizeof(char)); /* Ensure the destination buffer is null terminated */ data[100-1] = '\0'; printLine(data); } } }
/* good1() uses if(staticFalse) instead of if(staticTrue) */ static void good1() { if(staticFalse) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { { int * data; int * * pointer = (int * *)ALLOCA(sizeof(int *)); /* initialize both the pointer and the data pointed to */ data = (int *)malloc(sizeof(int)); *data = 5; *pointer = data; /* FIX: Assign a value to the thing pointed to by pointer */ { int * data = *pointer; printIntLine(*data); } } } }
/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */ static void goodG2B1() { wchar_t * data; wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t)); data = dataBuffer; if(globalReturnsFalse()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */ wmemset(data, L'A', 50-1); /* fill with L'A's */ data[50-1] = L'\0'; /* null terminate */ } { wchar_t dest[50] = L""; /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */ wcscpy(dest, data); printWLine(data); } }
void bad() { char * data; data = NULL; /* Initialize data */ switch(6) { case 6: { /* FLAW: data is allocated on the stack and deallocated in the BadSink */ char * dataBuffer = (char *)ALLOCA(sizeof(char)); *dataBuffer = 'A'; data = dataBuffer; } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } printHexCharLine(*data); /* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */ delete data; }
int _dFactorCholesky (dReal *A, int n, void *tmpbuf/*[n]*/) { dAASSERT (n > 0 && A); bool failure = false; const int nskip = dPAD (n); dReal *recip = tmpbuf ? (dReal *)tmpbuf : (dReal*) ALLOCA (n * sizeof(dReal)); dReal *aa = A; for (int i=0; i<n; aa+=nskip, ++i) { dReal *cc = aa; { const dReal *bb = A; for (int j=0; j<i; bb+=nskip, ++cc, ++j) { dReal sum = *cc; const dReal *a = aa, *b = bb, *bend = bb + j; for (; b != bend; ++a, ++b) { sum -= (*a)*(*b); } *cc = sum * recip[j]; } } { dReal sum = *cc; dReal *a = aa, *aend = aa + i; for (; a != aend; ++a) { sum -= (*a)*(*a); } if (sum <= REAL(0.0)) { failure = true; break; } dReal sumsqrt = dSqrt(sum); *cc = sumsqrt; recip[i] = dRecip (sumsqrt); } } return failure ? 0 : 1; }
/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */ static void goodG2B1() { char * data; char * dataBuffer = (char *)ALLOCA(100*sizeof(char)); data = dataBuffer; if(GLOBAL_CONST_FALSE) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */ memset(data, 'A', 50-1); /* fill with 'A's */ data[50-1] = '\0'; /* null terminate */ } { char dest[50] = ""; /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */ strncpy(dest, data, strlen(data)); dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */ printLine(data); } }
void bad() { twoIntsStruct * data; data = NULL; /* Initialize data */ if(globalFive==5) { { /* FLAW: data is allocated on the stack and deallocated in the BadSink */ twoIntsStruct * dataBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct)); { size_t i; for (i = 0; i < 100; i++) { dataBuffer[i].intOne = 1; dataBuffer[i].intTwo = 1; } } data = dataBuffer; } } printStructLine(&data[0]); /* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */ delete [] data; }
int altlog_write_w3c_header(void) { time_t now; struct tm *tm; struct tm gmt; char *alloca_line; size_t line_size; if ((now = time(NULL)) == (time_t) -1 || (tm = localtime(&now)) == NULL || tm->tm_mon > 11 || tm->tm_mon < 0) { return -1; } gmt = *gmtime(&now); line_size = sizeof "#Date: 001975-04-13 12:34:56\n"; /* be year-999999 compliant :) */ if ((alloca_line = ALLOCA(line_size)) == NULL) { return -1; } altlog_write("#Software: Pure-FTPd " VERSION "\n"); altlog_write("#Version: 1.0\n"); if (!SNCHECK(snprintf(alloca_line, line_size, "#Date: %04d-%02d-%02d %02d:%02d:%02d\n", gmt.tm_year + 1900, gmt.tm_mon + 1, gmt.tm_mday, gmt.tm_hour, gmt.tm_min, gmt.tm_sec), line_size)) { altlog_write(alloca_line); } altlog_write("#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-username sc-bytes\n"); ALLOCA_FREE(alloca_line); return 0; }
void bad() { TwoIntsClass * data; data = NULL; /* Initialize data */ if(staticTrue) { { /* FLAW: data is allocated on the stack and deallocated in the BadSink */ TwoIntsClass * dataBuffer = (TwoIntsClass *)ALLOCA(100*sizeof(TwoIntsClass)); { size_t i; for (i = 0; i < 100; i++) { dataBuffer[i].intOne = 1; dataBuffer[i].intTwo = 1; } } data = dataBuffer; } } printIntLine(data[0].intOne); /* POTENTIAL FLAW: Possibly deallocating memory allocated on the stack */ delete [] data; }
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */ static void goodG2B2() { char * data; char * dataBuffer = (char *)ALLOCA(100*sizeof(char)); data = dataBuffer; if(1) { /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */ memset(data, 'A', 50-1); /* fill with 'A's */ data[50-1] = '\0'; /* null terminate */ } { char dest[50] = ""; size_t i, dataLen; dataLen = strlen(data); /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */ for (i = 0; i < dataLen; i++) { dest[i] = data[i]; } dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */ printLine(data); } }
void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_loop_02_bad() { char * data; char * dataBuffer = (char *)ALLOCA(100*sizeof(char)); data = dataBuffer; if(1) { /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */ memset(data, 'A', 100-1); /* fill with 'A's */ data[100-1] = '\0'; /* null terminate */ } { char dest[50] = ""; size_t i, dataLen; dataLen = strlen(data); /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */ for (i = 0; i < dataLen; i++) { dest[i] = data[i]; } dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */ printLine(data); } }