/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
static void goodG2B()
{
char * data;
char dataBuffer[256] = "";
data = dataBuffer;
goto source;
source:
/* FIX: Use a fixed file name */
strcat(data, "Doe, XXXXX");
{
LDAP* pLdapConnection = NULL;
ULONG connectSuccess = 0L;
ULONG searchSuccess = 0L;
LDAPMessage *pMessage = NULL;
char filter[256];
/* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection*/
_snprintf(filter, 256-1, "(cn=%s)", data);
pLdapConnection = ldap_initA("localhost", LDAP_PORT);
if (pLdapConnection == NULL)
{
printLine("Initialization failed");
exit(1);
}
connectSuccess = ldap_connect(pLdapConnection, NULL);
if (connectSuccess != LDAP_SUCCESS)
{
printLine("Connection failed");
exit(1);
}
searchSuccess = ldap_search_ext_sA(
pLdapConnection,
"base",
LDAP_SCOPE_SUBTREE,
filter,
NULL,
0,
NULL,
NULL,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT,
&pMessage);
if (searchSuccess != LDAP_SUCCESS)
{
printLine("Search failed");
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
exit(1);
}
/* Typically you would do something with the search results, but this is a test case and we can ignore them */
/* Free the results to avoid incidentals */
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
/* Close the connection */
ldap_unbind(pLdapConnection);
}
}
static void test_ldap_parse_sort_control( LDAP *ld )
{
ULONG ret, result;
LDAPSortKeyA *sortkeys[2], key;
LDAPControlA *sort, *ctrls[2], **server_ctrls;
LDAPMessage *res = NULL;
struct l_timeval timeout;
key.sk_attrtype = (char *)"ou";
key.sk_matchruleoid = NULL;
key.sk_reverseorder = FALSE;
sortkeys[0] = &key;
sortkeys[1] = NULL;
ret = ldap_create_sort_controlA( ld, sortkeys, 0, &sort );
ok( !ret, "ldap_create_sort_controlA failed 0x%x\n", ret );
ctrls[0] = sort;
ctrls[1] = NULL;
timeout.tv_sec = 20;
timeout.tv_usec = 0;
ret = ldap_search_ext_sA( ld, (char *)"", LDAP_SCOPE_ONELEVEL, (char *)"(ou=*)", NULL, 0, ctrls, NULL, &timeout, 10, &res );
if (ret == LDAP_SERVER_DOWN || ret == LDAP_TIMEOUT)
{
skip("test server can't be reached\n");
ldap_control_freeA( sort );
return;
}
ok( !ret, "ldap_search_ext_sA failed 0x%x\n", ret );
ok( res != NULL, "expected res != NULL\n" );
if (GetProcAddress(GetModuleHandleA("wldap32.dll"), "ber_init"))
{
ret = ldap_parse_resultA( NULL, res, &result, NULL, NULL, NULL, &server_ctrls, 1 );
ok( ret == LDAP_PARAM_ERROR, "ldap_parse_resultA failed 0x%x\n", ret );
}
else
win_skip("Test would crash on older wldap32 versions\n");
result = ~0u;
ret = ldap_parse_resultA( ld, res, &result, NULL, NULL, NULL, &server_ctrls, 1 );
ok( !ret, "ldap_parse_resultA failed 0x%x\n", ret );
ok( !result, "got 0x%x expected 0\n", result );
ret = ldap_parse_sort_controlA( NULL, NULL, NULL, NULL );
ok( ret == LDAP_PARAM_ERROR, "ldap_parse_sort_controlA failed 0x%d\n", ret );
ret = ldap_parse_sort_controlA( ld, NULL, NULL, NULL );
ok( ret == LDAP_CONTROL_NOT_FOUND, "ldap_parse_sort_controlA failed 0x%x\n", ret );
ret = ldap_parse_sort_controlA( ld, NULL, &result, NULL );
ok( ret == LDAP_CONTROL_NOT_FOUND, "ldap_parse_sort_controlA failed 0x%x\n", ret );
ret = ldap_parse_sort_controlA( ld, server_ctrls, &result, NULL );
ok( ret == LDAP_CONTROL_NOT_FOUND, "ldap_parse_sort_controlA failed 0x%x\n", ret );
ldap_control_freeA( sort );
ldap_controls_freeA( server_ctrls );
}
/* goodG2B uses the GoodSource with the BadSink */
void CWE90_LDAP_Injection__w32_char_environment_64b_goodG2BSink(void * dataVoidPtr)
{
/* cast void pointer to a pointer of the appropriate type */
char * * dataPtr = (char * *)dataVoidPtr;
/* dereference dataPtr into data */
char * data = (*dataPtr);
{
LDAP* pLdapConnection = NULL;
ULONG connectSuccess = 0L;
ULONG searchSuccess = 0L;
LDAPMessage *pMessage = NULL;
char filter[256];
/* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection*/
_snprintf(filter, 256-1, "(cn=%s)", data);
pLdapConnection = ldap_initA("localhost", LDAP_PORT);
if (pLdapConnection == NULL)
{
printLine("Initialization failed");
exit(1);
}
connectSuccess = ldap_connect(pLdapConnection, NULL);
if (connectSuccess != LDAP_SUCCESS)
{
printLine("Connection failed");
exit(1);
}
searchSuccess = ldap_search_ext_sA(
pLdapConnection,
"base",
LDAP_SCOPE_SUBTREE,
filter,
NULL,
0,
NULL,
NULL,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT,
&pMessage);
if (searchSuccess != LDAP_SUCCESS)
{
printLine("Search failed");
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
exit(1);
}
/* Typically you would do something with the search results, but this is a test case and we can ignore them */
/* Free the results to avoid incidentals */
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
/* Close the connection */
ldap_unbind(pLdapConnection);
}
}
void badSink(vector<char *> dataVector)
{
/* copy data out of dataVector */
char * data = dataVector[2];
{
LDAP* pLdapConnection = NULL;
ULONG connectSuccess = 0L;
ULONG searchSuccess = 0L;
LDAPMessage *pMessage = NULL;
char filter[256];
/* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection*/
_snprintf(filter, 256-1, "(cn=%s)", data);
pLdapConnection = ldap_initA("localhost", LDAP_PORT);
if (pLdapConnection == NULL)
{
printLine("Initialization failed");
exit(1);
}
connectSuccess = ldap_connect(pLdapConnection, NULL);
if (connectSuccess != LDAP_SUCCESS)
{
printLine("Connection failed");
exit(1);
}
searchSuccess = ldap_search_ext_sA(
pLdapConnection,
"base",
LDAP_SCOPE_SUBTREE,
filter,
NULL,
0,
NULL,
NULL,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT,
&pMessage);
if (searchSuccess != LDAP_SUCCESS)
{
printLine("Search failed");
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
exit(1);
}
/* Typically you would do something with the search results, but this is a test case and we can ignore them */
/* Free the results to avoid incidentals */
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
/* Close the connection */
ldap_unbind(pLdapConnection);
}
}
void CWE90_LDAP_Injection__w32_char_listen_socket_08_bad()
{
char * data;
char dataBuffer[256] = "";
data = dataBuffer;
if(staticReturnsTrue())
{
{
#ifdef _WIN32
WSADATA wsaData;
int wsaDataInit = 0;
#endif
int recvResult;
struct sockaddr_in service;
char *replace;
SOCKET listenSocket = INVALID_SOCKET;
SOCKET acceptSocket = INVALID_SOCKET;
size_t dataLen = strlen(data);
do
{
#ifdef _WIN32
if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
{
break;
}
wsaDataInit = 1;
#endif
/* POTENTIAL FLAW: Read data using a listen socket */
listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (listenSocket == INVALID_SOCKET)
{
break;
}
memset(&service, 0, sizeof(service));
service.sin_family = AF_INET;
service.sin_addr.s_addr = INADDR_ANY;
service.sin_port = htons(TCP_PORT);
if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
{
break;
}
if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
{
break;
}
acceptSocket = accept(listenSocket, NULL, NULL);
if (acceptSocket == SOCKET_ERROR)
{
break;
}
/* Abort on error or the connection was closed */
recvResult = recv(acceptSocket, (char *)(data + dataLen), sizeof(char) * (256 - dataLen - 1), 0);
if (recvResult == SOCKET_ERROR || recvResult == 0)
{
break;
}
/* Append null terminator */
data[dataLen + recvResult / sizeof(char)] = '\0';
/* Eliminate CRLF */
replace = strchr(data, '\r');
if (replace)
{
*replace = '\0';
}
replace = strchr(data, '\n');
if (replace)
{
*replace = '\0';
}
}
while (0);
if (listenSocket != INVALID_SOCKET)
{
CLOSE_SOCKET(listenSocket);
}
if (acceptSocket != INVALID_SOCKET)
{
CLOSE_SOCKET(acceptSocket);
}
#ifdef _WIN32
if (wsaDataInit)
{
WSACleanup();
}
#endif
}
}
{
LDAP* pLdapConnection = NULL;
ULONG connectSuccess = 0L;
ULONG searchSuccess = 0L;
LDAPMessage *pMessage = NULL;
char filter[256];
/* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection*/
_snprintf(filter, 256-1, "(cn=%s)", data);
pLdapConnection = ldap_initA("localhost", LDAP_PORT);
if (pLdapConnection == NULL)
{
printLine("Initialization failed");
exit(1);
}
connectSuccess = ldap_connect(pLdapConnection, NULL);
if (connectSuccess != LDAP_SUCCESS)
{
printLine("Connection failed");
exit(1);
}
searchSuccess = ldap_search_ext_sA(
pLdapConnection,
"base",
LDAP_SCOPE_SUBTREE,
filter,
NULL,
0,
NULL,
NULL,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT,
&pMessage);
if (searchSuccess != LDAP_SUCCESS)
{
printLine("Search failed");
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
exit(1);
}
/* Typically you would do something with the search results, but this is a test case and we can ignore them */
/* Free the results to avoid incidentals */
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
/* Close the connection */
ldap_unbind(pLdapConnection);
}
}
void CWE90_LDAP_Injection__w32_char_console_14_bad()
{
char * data;
char dataBuffer[256] = "";
data = dataBuffer;
if(globalFive==5)
{
{
/* Read input from the console */
size_t dataLen = strlen(data);
/* if there is room in data, read into it from the console */
if (256-dataLen > 1)
{
/* POTENTIAL FLAW: Read data from the console */
if (fgets(data+dataLen, (int)(256-dataLen), stdin) != NULL)
{
/* The next few lines remove the carriage return from the string that is
* inserted by fgets() */
dataLen = strlen(data);
if (dataLen > 0 && data[dataLen-1] == '\n')
{
data[dataLen-1] = '\0';
}
}
else
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
data[dataLen] = '\0';
}
}
}
}
{
LDAP* pLdapConnection = NULL;
ULONG connectSuccess = 0L;
ULONG searchSuccess = 0L;
LDAPMessage *pMessage = NULL;
char filter[256];
/* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection*/
_snprintf(filter, 256-1, "(cn=%s)", data);
pLdapConnection = ldap_initA("localhost", LDAP_PORT);
if (pLdapConnection == NULL)
{
printLine("Initialization failed");
exit(1);
}
connectSuccess = ldap_connect(pLdapConnection, NULL);
if (connectSuccess != LDAP_SUCCESS)
{
printLine("Connection failed");
exit(1);
}
searchSuccess = ldap_search_ext_sA(
pLdapConnection,
"base",
LDAP_SCOPE_SUBTREE,
filter,
NULL,
0,
NULL,
NULL,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT,
&pMessage);
if (searchSuccess != LDAP_SUCCESS)
{
printLine("Search failed");
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
exit(1);
}
/* Typically you would do something with the search results, but this is a test case and we can ignore them */
/* Free the results to avoid incidentals */
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
/* Close the connection */
ldap_unbind(pLdapConnection);
}
}
void CWE90_LDAP_Injection__w32_char_environment_18_bad()
{
char * data;
char dataBuffer[256] = "";
data = dataBuffer;
goto source;
source:
{
/* Append input from an environment variable to data */
size_t dataLen = strlen(data);
char * environment = GETENV(ENV_VARIABLE);
/* If there is data in the environment variable */
if (environment != NULL)
{
/* POTENTIAL FLAW: Read data from an environment variable */
strncat(data+dataLen, environment, 256-dataLen-1);
}
}
{
LDAP* pLdapConnection = NULL;
ULONG connectSuccess = 0L;
ULONG searchSuccess = 0L;
LDAPMessage *pMessage = NULL;
char filter[256];
/* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection*/
_snprintf(filter, 256-1, "(cn=%s)", data);
pLdapConnection = ldap_initA("localhost", LDAP_PORT);
if (pLdapConnection == NULL)
{
printLine("Initialization failed");
exit(1);
}
connectSuccess = ldap_connect(pLdapConnection, NULL);
if (connectSuccess != LDAP_SUCCESS)
{
printLine("Connection failed");
exit(1);
}
searchSuccess = ldap_search_ext_sA(
pLdapConnection,
"base",
LDAP_SCOPE_SUBTREE,
filter,
NULL,
0,
NULL,
NULL,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT,
&pMessage);
if (searchSuccess != LDAP_SUCCESS)
{
printLine("Search failed");
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
exit(1);
}
/* Typically you would do something with the search results, but this is a test case and we can ignore them */
/* Free the results to avoid incidentals */
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
/* Close the connection */
ldap_unbind(pLdapConnection);
}
}
void CWE90_LDAP_Injection__w32_char_file_13_bad()
{
char * data;
char dataBuffer[256] = "";
data = dataBuffer;
if(GLOBAL_CONST_FIVE==5)
{
{
/* Read input from a file */
size_t dataLen = strlen(data);
FILE * pFile;
/* if there is room in data, attempt to read the input from a file */
if (256-dataLen > 1)
{
pFile = fopen(FILENAME, "r");
if (pFile != NULL)
{
/* POTENTIAL FLAW: Read data from a file */
if (fgets(data+dataLen, (int)(256-dataLen), pFile) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
data[dataLen] = '\0';
}
fclose(pFile);
}
}
}
}
{
LDAP* pLdapConnection = NULL;
ULONG connectSuccess = 0L;
ULONG searchSuccess = 0L;
LDAPMessage *pMessage = NULL;
char filter[256];
/* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection*/
_snprintf(filter, 256-1, "(cn=%s)", data);
pLdapConnection = ldap_initA("localhost", LDAP_PORT);
if (pLdapConnection == NULL)
{
printLine("Initialization failed");
exit(1);
}
connectSuccess = ldap_connect(pLdapConnection, NULL);
if (connectSuccess != LDAP_SUCCESS)
{
printLine("Connection failed");
exit(1);
}
searchSuccess = ldap_search_ext_sA(
pLdapConnection,
"base",
LDAP_SCOPE_SUBTREE,
filter,
NULL,
0,
NULL,
NULL,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT,
&pMessage);
if (searchSuccess != LDAP_SUCCESS)
{
printLine("Search failed");
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
exit(1);
}
/* Typically you would do something with the search results, but this is a test case and we can ignore them */
/* Free the results to avoid incidentals */
if (pMessage != NULL)
{
ldap_msgfree(pMessage);
}
/* Close the connection */
ldap_unbind(pLdapConnection);
}
}
