From a55f2aa06bae88bdfa2ce480d7969b0638ebed75 Mon Sep 17 00:00:00 2001 
From: Miroslaw Staron Date: Sun, 24 Sep 2023 21:18:28 +0200 Subject: [PATCH] Added counter examples --- CWE-119/src/SCE_1_test1.c | 19 +++++++++ CWE-119/src/SCE_2_test2.c | 56 ++++++++++++++++++++++++++ CWE-119/src/SCE_3_test3.c | 23 +++++++++++ CWE-119/src/SCE_4_test4.c | 45 +++++++++++++++++++++ CWE-119/src/{test1.c => VCE_1_test1.c} | 0 CWE-119/src/{test2.c => VCE_2_test2.c} | 0 CWE-119/src/{test3.c => VCE_3_test3.c} | 0 CWE-119/src/{test4.c => VCE_4_test4.c} | 0 CWE-120/src/SCE_1_test1.c | 8 ++++ CWE-120/src/{test1.c => VCE_1_test1.c} | 0 CWE-125/src/SCE_1.c | 7 ++++ CWE-125/src/SCE_2.c | 18 +++++++++ CWE-125/src/SCE_3.c | 18 +++++++++ CWE-125/src/SCE_4.c | 13 ++++++ CWE-125/src/{test1.c => VCE_1.c} | 0 CWE-125/src/{test2.c => VCE_2.c} | 0 CWE-125/src/{test3.c => VCE_3.c} | 0 CWE-125/src/{test4.c => VCE_4.c} | 0 CWE-134/src/SCE_1.c | 20 +++++++++ CWE-134/src/SCE_2.c | 22 ++++++++++ CWE-134/src/{test1.c => VCE_1.c} | 0 CWE-134/src/{test2.c => VCE_2.c} | 0 CWE-170/SCE_1.c | 23 +++++++++++ CWE-170/src/{test1.c => VCE_1.c} | 0 CWE-190/SCE_1.c | 30 ++++++++++++++ CWE-190/src/{test1.c => VCE_1.c} | 0 CWE-193/src/SCE_1.c | 17 ++++++++ CWE-193/src/{test1.c => VCE_1.c} | 0 CWE-195/src/SCE_1.c | 16 ++++++++ CWE-195/src/{test1.c => VCE_1.c} | 0 CWE-197/src/SCE_1.c | 22 ++++++++++ CWE-197/src/{test1.c => VCE_1.c} | 0 CWE-20/cwe-20.txt | 1 - CWE-20/src/Makefile | 8 ---- CWE-20/src/SCE_1_test1.c | 47 +++++++++++++++++++++ CWE-20/src/SCE_2_test2.c | 47 +++++++++++++++++++++ CWE-20/src/{test1.c => VCE_1_test1.c} | 0 CWE-20/src/{test2.c => VCE_2_test2.c} | 0 CWE-369/src/SCE_1.c | 17 ++++++++ CWE-369/src/SCE_2.c | 18 +++++++++ CWE-369/src/SCE_3.c | 17 ++++++++ CWE-369/src/SCE_4.c | 17 ++++++++ CWE-369/src/{test1.c => VCE_1.c} | 0 CWE-369/src/{test2.c => VCE_2.c} | 0 CWE-369/src/{test3.c => VCE_3.c} | 0 CWE-369/src/{test4.c => VCE_4.c} | 0 CWE-401/src/SCE_1.c | 24 +++++++++++ CWE-401/src/{test1.c => VCE_1.c} | 0 CWE-403/SCE_1.c | 20 +++++++++ CWE-403/SCE_2.c | 24 +++++++++++ 
CWE-403/VCE_1.c | 10 +++++ CWE-403/VCE_2.c | 11 +++++ CWE-415/src/SCE_1.c | 12 ++++++ CWE-415/src/{test1.c => VCE_1.c} | 0 CWE-416/src/SCE-2.c | 30 ++++++++++++++ CWE-416/src/SCE_1.c | 39 ++++++++++++++++++ CWE-416/src/SCE_3.c | 35 ++++++++++++++++ CWE-416/src/{test1.c => VCE_1.c} | 0 CWE-416/src/{test2.c => VCE_2.c} | 0 CWE-416/src/{test3.c => VCE_3.c} | 0 CWE-457/src/SCE_1.c | 6 +++ CWE-457/src/{test1.c => VCE_1.c} | 0 CWE-476/src/SCE_1.c | 9 +++++ CWE-476/src/{test1.c => VCE_1.c} | 0 CWE-665/src/SCE_1.c | 9 +++++ CWE-665/src/{test1.c => VCE_1.c} | 0 CWE-787/SCE_1.c | 10 +++++ CWE-787/SCE_2.c | 10 +++++ CWE-787/SCE_3.c | 10 +++++ CWE-787/SCE_4.c | 11 +++++ CWE-787/VCE_1.c | 7 ++++ CWE-787/VCE_2.c | 8 ++++ CWE-787/VCE_3.c | 10 +++++ CWE-787/VCE_4.c | 9 +++++ CWE-787/VCE_5.c | 8 ++++ 75 files changed, 832 insertions(+), 9 deletions(-) create mode 100644 CWE-119/src/SCE_1_test1.c create mode 100644 CWE-119/src/SCE_2_test2.c create mode 100644 CWE-119/src/SCE_3_test3.c create mode 100644 CWE-119/src/SCE_4_test4.c rename CWE-119/src/{test1.c => VCE_1_test1.c} (100%) rename CWE-119/src/{test2.c => VCE_2_test2.c} (100%) rename CWE-119/src/{test3.c => VCE_3_test3.c} (100%) rename CWE-119/src/{test4.c => VCE_4_test4.c} (100%) create mode 100644 CWE-120/src/SCE_1_test1.c rename CWE-120/src/{test1.c => VCE_1_test1.c} (100%) create mode 100644 CWE-125/src/SCE_1.c create mode 100644 CWE-125/src/SCE_2.c create mode 100644 CWE-125/src/SCE_3.c create mode 100644 CWE-125/src/SCE_4.c rename CWE-125/src/{test1.c => VCE_1.c} (100%) rename CWE-125/src/{test2.c => VCE_2.c} (100%) rename CWE-125/src/{test3.c => VCE_3.c} (100%) rename CWE-125/src/{test4.c => VCE_4.c} (100%) create mode 100644 CWE-134/src/SCE_1.c create mode 100644 CWE-134/src/SCE_2.c rename CWE-134/src/{test1.c => VCE_1.c} (100%) rename CWE-134/src/{test2.c => VCE_2.c} (100%) create mode 100644 CWE-170/SCE_1.c rename CWE-170/src/{test1.c => VCE_1.c} (100%) create mode 100644 CWE-190/SCE_1.c rename CWE-190/src/{test1.c 
=> VCE_1.c} (100%) create mode 100644 CWE-193/src/SCE_1.c rename CWE-193/src/{test1.c => VCE_1.c} (100%) create mode 100644 CWE-195/src/SCE_1.c rename CWE-195/src/{test1.c => VCE_1.c} (100%) create mode 100644 CWE-197/src/SCE_1.c rename CWE-197/src/{test1.c => VCE_1.c} (100%) delete mode 100644 CWE-20/cwe-20.txt delete mode 100644 CWE-20/src/Makefile create mode 100644 CWE-20/src/SCE_1_test1.c create mode 100644 CWE-20/src/SCE_2_test2.c rename CWE-20/src/{test1.c => VCE_1_test1.c} (100%) rename CWE-20/src/{test2.c => VCE_2_test2.c} (100%) create mode 100644 CWE-369/src/SCE_1.c create mode 100644 CWE-369/src/SCE_2.c create mode 100644 CWE-369/src/SCE_3.c create mode 100644 CWE-369/src/SCE_4.c rename CWE-369/src/{test1.c => VCE_1.c} (100%) rename CWE-369/src/{test2.c => VCE_2.c} (100%) rename CWE-369/src/{test3.c => VCE_3.c} (100%) rename CWE-369/src/{test4.c => VCE_4.c} (100%) create mode 100644 CWE-401/src/SCE_1.c rename CWE-401/src/{test1.c => VCE_1.c} (100%) create mode 100644 CWE-403/SCE_1.c create mode 100644 CWE-403/SCE_2.c create mode 100644 CWE-403/VCE_1.c create mode 100644 CWE-403/VCE_2.c create mode 100644 CWE-415/src/SCE_1.c rename CWE-415/src/{test1.c => VCE_1.c} (100%) create mode 100644 CWE-416/src/SCE-2.c create mode 100644 CWE-416/src/SCE_1.c create mode 100644 CWE-416/src/SCE_3.c rename CWE-416/src/{test1.c => VCE_1.c} (100%) rename CWE-416/src/{test2.c => VCE_2.c} (100%) rename CWE-416/src/{test3.c => VCE_3.c} (100%) create mode 100644 CWE-457/src/SCE_1.c rename CWE-457/src/{test1.c => VCE_1.c} (100%) create mode 100644 CWE-476/src/SCE_1.c rename CWE-476/src/{test1.c => VCE_1.c} (100%) create mode 100644 CWE-665/src/SCE_1.c rename CWE-665/src/{test1.c => VCE_1.c} (100%) create mode 100644 CWE-787/SCE_1.c create mode 100644 CWE-787/SCE_2.c create mode 100644 CWE-787/SCE_3.c create mode 100644 CWE-787/SCE_4.c create mode 100644 CWE-787/VCE_1.c create mode 100644 CWE-787/VCE_2.c create mode 100644 CWE-787/VCE_3.c create mode 100644 CWE-787/VCE_4.c 
create mode 100644 CWE-787/VCE_5.c
diff --git a/CWE-119/src/SCE_1_test1.c b/CWE-119/src/SCE_1_test1.c
new file mode 100644
index 0000000..bdcde2b
--- /dev/null
+++ b/CWE-119/src/SCE_1_test1.c
@@ -0,0 +1,19 @@
+#include
+
+/*This function attempts to extract a pair of numbers from a user-supplied string.*/
+void parse_data(char *untrusted_input){
+ int m = 0, n = 0, error; // Initialize m and n to 0
+ error = sscanf(untrusted_input, "%d:%d", &m, &n);
+
+ if (error != 2){ // Check if two values were parsed
+ printf("Did not specify two integer values. Die evil hacker!\n");
+ return; // Exit the function
+ }
+
+ printf("m is %d and n is %d", m, n);
+}
+
+int main(){
+ parse_data("123:");
+ return 0;
+}
diff --git a/CWE-119/src/SCE_2_test2.c b/CWE-119/src/SCE_2_test2.c
new file mode 100644
index 0000000..9346c0b
--- /dev/null
+++ b/CWE-119/src/SCE_2_test2.c
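Review bot: In CWE-119/src/SCE_1_test1.c, `sscanf(untrusted_input, "%d:%d", &m, &n)` in parse_data still has undefined behaviour when a field does not fit in an int, and it accepts trailing garbage such as `1:2xyz`, so the `error != 2` check is not a full validation of the untrusted string. For a secure counter example, parsing each field with `strtol` and checking `errno == ERANGE` and the end pointer would close both gaps. At minimum a comment such as `/* %d does not detect overflow; use strtol for range-checked parsing */` should document the limit.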
@@ -0,0 +1,56 @@
+#define MAX_SIZE 16
+#include
+#include
+#include
+#include
+
+char * copy_input(char *user_supplied_string){
+ int i, dst_index;
+ size_t potential_length = strlen(user_supplied_string) * 5; // Maximum expansion factor is 5
+
+ if (potential_length > 4 * MAX_SIZE) {
+ printf("Encoded string might be too long, die evil hacker!\n");
+ exit(0);
+ }
+
+ char *dst_buf = (char*) malloc(potential_length + 1); // +1 for null terminator
+ if (!dst_buf) {
+ printf("Memory allocation failed!\n");
+ exit(0);
+ }
+
+ dst_index = 0;
+ for (i = 0; i < strlen(user_supplied_string); i++) {
+ if ('&' == user_supplied_string[i]) {
+ dst_buf[dst_index++] = '&';
+ dst_buf[dst_index++] = 'a';
+ dst_buf[dst_index++] = 'm';
+ dst_buf[dst_index++] = 'p';
+ dst_buf[dst_index++] = ';';
+ }
+ else if ('<' == user_supplied_string[i]) {
+ // encode to <
+ }
+ else {
+ dst_buf[dst_index++] = user_supplied_string[i];
+ }
+ }
+ dst_buf[dst_index] = '\0'; // Null-terminate the string
+ return dst_buf;
+}
+
+int main(){
+ char uss[MAX_SIZE + 1]; // +1 for null terminator
+ ssize_t bytes_read = read(0, uss, MAX_SIZE);
+ if (bytes_read <= 0) {
+ printf("Failed to read input or input is empty.\n");
+ return 1;
+ }
+ uss[bytes_read] = '\0'; // Null-terminate the string
+
+ char *dst_buff = copy_input(uss);
+ printf("%s", dst_buff); // Use %s format specifier for strings
+
+ free(dst_buff); // Free the allocated memory
+ return 0;
+}
diff --git a/CWE-119/src/SCE_3_test3.c b/CWE-119/src/SCE_3_test3.c
new file mode 100644
index 0000000..0a79962
--- /dev/null
+++ b/CWE-119/src/SCE_3_test3.c
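Review bot: In CWE-119/src/SCE_2_test2.c, the guard `if (potential_length > 4 * MAX_SIZE)` in copy_input no longer matches anything it protects: the buffer is now sized from `potential_length`, and with the factor 5 the cap rejects every input longer than 12 bytes although main reads up to `MAX_SIZE`. Either derive the cap from the same factor, `if (potential_length > 5 * MAX_SIZE) {`, or add a comment saying it is a policy limit and not the memory-safety check. The `'<'` branch writes nothing, so that character is silently dropped from the output, and both error paths call `exit(0)`, which reports success to the caller.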
@@ -0,0 +1,23 @@
+#include
+
+/*The following example asks a user for an offset into an array to select an item.*/
+int GetUntrustedOffset(){
+ int x = -1;
+ return x;
+}
+
+int main (int argc, char **argv) {
+ char *items[] = {"boat", "car", "truck", "train"};
+ int num_items = sizeof(items) / sizeof(items[0]); // Calculate the number of items in the array
+
+ int index = GetUntrustedOffset();
+
+ // Validate the index to ensure it's within the valid range
+ if (index <= 0 || index > num_items) {
+ printf("Invalid selection.\n");
+ return 1;
+ }
+
+ printf("You selected %s\n", items[index-1]);
+ return 0;
+}
diff --git a/CWE-119/src/SCE_4_test4.c b/CWE-119/src/SCE_4_test4.c
new file mode 100644
index 0000000..ab06480
--- /dev/null
+++ b/CWE-119/src/SCE_4_test4.c
@@ -0,0 +1,45 @@
+#define MAX_SIZE 16
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[]){
+ int i, j = 0;
+ char a[MAX_SIZE + 1]; // +1 for null terminator
+
+ /*checks if the user provided an input*/
+ if (argc < 2) return 0;
+
+ /* Calculate the potential length of the encoded string */
+ int potential_length = 0;
+ for (i = 0; i < strlen(argv[1]); i++) {
+ if ('&' == argv[1][i]) {
+ potential_length += 5; // For &
+ } else {
+ potential_length += 1;
+ }
+ }
+
+ /*checks if the potential encoded length fits in the array a*/
+ if (potential_length >= MAX_SIZE) {
+ printf("Encoded string might be too long\n");
+ return 0;
+ }
+
+ /*performs the encoding*/
+ for (i = 0; i < strlen(argv[1]) && j < MAX_SIZE; i++) {
+ if ('&' == argv[1][i]) {
+ a[j++] = '&';
+ a[j++] = 'a';
+ a[j++] = 'm';
+ a[j++] = 'p';
+ a[j++] = ';';
+ } else {
+ a[j++] = argv[1][i];
+ }
+ }
+ a[j] = '\0'; // Null-terminate the string
+ printf("The encoded string is %s \n", a);
+ return 0;
+}
diff --git a/CWE-119/src/test1.c b/CWE-119/src/VCE_1_test1.c
similarity index 100%
rename from CWE-119/src/test1.c
rename to CWE-119/src/VCE_1_test1.c
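Review bot: In CWE-119/src/SCE_4_test4.c, the `j < MAX_SIZE` condition on the encoding loop does not bound the five-byte expansion in the `'&'` branch: with `j` close to `MAX_SIZE` that branch would still write past the end of `a`. The writes stay in range only because of the earlier `potential_length >= MAX_SIZE` rejection, so the loop guard gives a false impression of being the bounds check. Either drop it or add a comment such as `/* bounds are guaranteed by the potential_length check above, not by j < MAX_SIZE */`. `potential_length` would also be better as `size_t`, matching `strlen`.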
diff --git a/CWE-119/src/test2.c b/CWE-119/src/VCE_2_test2.c
similarity index 100%
rename from CWE-119/src/test2.c
rename to CWE-119/src/VCE_2_test2.c
diff --git a/CWE-119/src/test3.c b/CWE-119/src/VCE_3_test3.c
similarity index 100%
rename from CWE-119/src/test3.c
rename to CWE-119/src/VCE_3_test3.c
diff --git a/CWE-119/src/test4.c b/CWE-119/src/VCE_4_test4.c
similarity index 100%
rename from CWE-119/src/test4.c
rename to CWE-119/src/VCE_4_test4.c
diff --git a/CWE-120/src/SCE_1_test1.c b/CWE-120/src/SCE_1_test1.c
new file mode 100644
index 0000000..4b92507
--- /dev/null
+++ b/CWE-120/src/SCE_1_test1.c
@@ -0,0 +1,8 @@
+#include
+
+int main(){
+ char last_name[20];
+ printf("Enter your last name: ");
+ scanf("%19s", last_name); // Limit input to 19 characters
+ return 0;
+}
diff --git a/CWE-120/src/test1.c b/CWE-120/src/VCE_1_test1.c
similarity index 100%
rename from CWE-120/src/test1.c
rename to CWE-120/src/VCE_1_test1.c
diff --git a/CWE-125/src/SCE_1.c b/CWE-125/src/SCE_1.c
new file mode 100644
index 0000000..ccde550
--- /dev/null
+++ b/CWE-125/src/SCE_1.c
@@ -0,0 +1,7 @@
+int main()
+{
+ int a[10];
+ int last_index = sizeof(a) / sizeof(a[0]) - 1; // Calculate the last index of the array
+ a[last_index] = 0; // Set the last element of the array to 0
+ return 0;
+}
diff --git a/CWE-125/src/SCE_2.c b/CWE-125/src/SCE_2.c
new file mode 100644
index 0000000..8e0a374
--- /dev/null
+++ b/CWE-125/src/SCE_2.c
@@ -0,0 +1,18 @@
+int main()
+{
+ int x;
+ int y = 10;
+ int a[10];
+
+ int array_size = sizeof(a) / sizeof(a[0]);
+
+ if (y >= 0 && y < array_size) {
+ x = a[y];
+ } else {
+ // Handle out-of-bounds access, e.g., set x to a default value or print an error message
+ x = 0; // Default value
+ printf("Index out of bounds!\n");
+ }
+
+ return 0;
+}
diff --git a/CWE-125/src/SCE_3.c b/CWE-125/src/SCE_3.c
new file mode 100644
index 0000000..294ce93
--- /dev/null
+++ b/CWE-125/src/SCE_3.c
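Review bot: CWE-125/src/SCE_2.c calls `printf` in its else branch, but the file as added contains no `#include` line at all, so the call relies on an implicit declaration that C99 and later reject; CWE-125/src/SCE_3.c has the same gap. Adding `#include <stdio.h>` at the top of both files fixes it. Separately, `a` is never initialised, so for any in-range `y` the guarded `x = a[y];` would read an indeterminate value; `int a[10] = {0};` keeps the example free of a second weakness.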
@@ -0,0 +1,18 @@
+int main()
+{
+ int x;
+ int y = 10;
+ int a[10];
+
+ int array_size = sizeof(a) / sizeof(a[0]);
+
+ if (y+2 >= 0 && y+2 < array_size) {
+ x = a[y+2];
+ } else {
+ // Handle out-of-bounds access, e.g., set x to a default value or print an error message
+ x = 0; // Default value
+ printf("Index out of bounds!\n");
+ }
+
+ return 0;
+}
diff --git a/CWE-125/src/SCE_4.c b/CWE-125/src/SCE_4.c
new file mode 100644
index 0000000..314517d
--- /dev/null
+++ b/CWE-125/src/SCE_4.c
@@ -0,0 +1,13 @@
+int main()
+{
+ int a[10];
+ int array_size = sizeof(a) / sizeof(a[0]);
+ int y = array_size - 1; // Start with the last valid index of the array
+
+ while (y >= 0)
+ {
+ a[y] = y;
+ y = y - 1;
+ }
+ return 0;
+}
diff --git a/CWE-125/src/test1.c b/CWE-125/src/VCE_1.c
similarity index 100%
rename from CWE-125/src/test1.c
rename to CWE-125/src/VCE_1.c
diff --git a/CWE-125/src/test2.c b/CWE-125/src/VCE_2.c
similarity index 100%
rename from CWE-125/src/test2.c
rename to CWE-125/src/VCE_2.c
diff --git a/CWE-125/src/test3.c b/CWE-125/src/VCE_3.c
similarity index 100%
rename from CWE-125/src/test3.c
rename to CWE-125/src/VCE_3.c
diff --git a/CWE-125/src/test4.c b/CWE-125/src/VCE_4.c
similarity index 100%
rename from CWE-125/src/test4.c
rename to CWE-125/src/VCE_4.c
diff --git a/CWE-134/src/SCE_1.c b/CWE-134/src/SCE_1.c
new file mode 100644
index 0000000..962adf8
--- /dev/null
+++ b/CWE-134/src/SCE_1.c
@@ -0,0 +1,20 @@
+#include
+#include
+
+void printWrapper(char *string) {
+ printf("%s", string); // Use a fixed format string
+}
+
+int main(int argc, char **argv) {
+ if (argc < 2) {
+ printf("Usage: %s \n", argv[0]);
+ return 1;
+ }
+
+ char buf[5012];
+ strncpy(buf, argv[1], sizeof(buf) - 1); // Use strncpy to prevent buffer overflow
+ buf[sizeof(buf) - 1] = '\0'; // Ensure null termination
+
+ printWrapper(buf);
+ return 0;
+}
diff --git a/CWE-134/src/SCE_2.c b/CWE-134/src/SCE_2.c
new file mode 100644
index 0000000..eca7245
--- /dev/null
+++ b/CWE-134/src/SCE_2.c
@@ -0,0 +1,22 @@
+#include
+#include
+#include
+
+int main(int argc, char **argv)
+{
+ if (argc < 2) {
+ printf("Usage: %s \n", argv[0]);
+ return 1;
+ }
+
+ char buf[100];
+ int x = 1;
+
+ // Use a fixed format string with snprintf
+ snprintf(buf, sizeof(buf), "%s", argv[1]);
+ buf[sizeof(buf) - 1] = 0;
+
+ printf("Buffer size is: (%d) \n Data input: %s \n", strlen(buf), buf);
+ printf("X equals: %d in hex: %#x\n Memory address for x: (%p) \n", x, x, &x);
+ return 0;
+}
diff --git a/CWE-134/src/test1.c b/CWE-134/src/VCE_1.c
similarity index 100%
rename from CWE-134/src/test1.c
rename to CWE-134/src/VCE_1.c
diff --git a/CWE-134/src/test2.c b/CWE-134/src/VCE_2.c
similarity index 100%
rename from CWE-134/src/test2.c
rename to CWE-134/src/VCE_2.c
diff --git a/CWE-170/SCE_1.c b/CWE-170/SCE_1.c
new file mode 100644
index 0000000..dd5ba58
--- /dev/null
+++ b/CWE-170/SCE_1.c
@@ -0,0 +1,23 @@
+#include
+#include
+#include
+#define MAXLEN 1024
+
+int main() {
+ char inputbuf[MAXLEN];
+ char pathbuf[MAXLEN];
+
+ // Read data and ensure it's null-terminated
+ ssize_t bytes_read = read(0, inputbuf, MAXLEN - 1); // Leave space for null terminator
+ if (bytes_read <= 0) {
+ perror("Failed to read data");
+ return 1;
+ }
+ inputbuf[bytes_read] = '\0'; // Null-terminate the string
+
+ // Safely copy the string
+ strncpy(pathbuf, inputbuf, MAXLEN - 1);
+ pathbuf[MAXLEN - 1] = '\0'; // Ensure pathbuf is null-terminated
+
+ return 0;
+}
diff --git a/CWE-170/src/test1.c b/CWE-170/src/VCE_1.c
similarity index 100%
rename from CWE-170/src/test1.c
rename to CWE-170/src/VCE_1.c
diff --git a/CWE-190/SCE_1.c b/CWE-190/SCE_1.c
new file mode 100644
index 0000000..3cbd74f
--- /dev/null
+++ b/CWE-190/SCE_1.c
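Review bot: In CWE-134/src/SCE_2.c, the first report `printf` passes `strlen(buf)` to `%d`; `strlen` returns `size_t`, so the specifier mismatch is undefined behaviour and should be `%zu`. The second `printf` passes `&x` to `%p` without the `(void *)` cast that specifier requires, and printing a stack address is itself an information leak that a secure example may prefer to drop. Suggested first line: `printf("Buffer size is: (%zu) \n Data input: %s \n", strlen(buf), buf);`, with `(void *)&x` as the `%p` argument in the second. The `buf[sizeof(buf) - 1] = 0;` after `snprintf` is redundant, since `snprintf` always terminates a non-empty buffer.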
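Review bot: CWE-170/SCE_1.c is created directly under CWE-170/, while its vulnerable counterpart is renamed in the same commit to CWE-170/src/VCE_1.c; CWE-190/SCE_1.c has the same mismatch with CWE-190/src/VCE_1.c. Placing both secure examples under `src/` would keep each pair together. In the file itself, `bytes_read == 0` (end of input) is routed to `perror`, which then prints an unrelated errno text because `read` does not set errno at end of file.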
@@ -0,0 +1,30 @@
+#include
+#include
+
+int main()
+{
+ char *buf;
+ int len;
+
+ // Read the length
+ read(0, &len, sizeof(len));
+
+ // Check for negative values and a safe upper limit
+ if (len <= 0 || len > 8000) {
+ return 0;
+ }
+
+ // Allocate memory
+ buf = malloc(len);
+ if (!buf) {
+ perror("Memory allocation failed");
+ return 1;
+ }
+
+ // Read data into the buffer
+ read(0, buf, len);
+
+ // Clean up
+ free(buf);
+ return 0;
+}
diff --git a/CWE-190/src/test1.c b/CWE-190/src/VCE_1.c
similarity index 100%
rename from CWE-190/src/test1.c
rename to CWE-190/src/VCE_1.c
diff --git a/CWE-193/src/SCE_1.c b/CWE-193/src/SCE_1.c
new file mode 100644
index 0000000..e82d29c
--- /dev/null
+++ b/CWE-193/src/SCE_1.c
@@ -0,0 +1,17 @@
+#include
+#include
+
+int main() {
+ char firstname[20];
+ char lastname[20];
+ char fullname[40];
+
+ // Assuming you want to initialize both firstname and lastname to empty strings
+ firstname[0] = '\0';
+ lastname[0] = '\0';
+
+ strncat(fullname, firstname, 20); // Appends up to 20 characters plus a null terminator
+ strncat(fullname, lastname, 19); // Appends up to 19 characters to leave space for the null terminator
+
+ return 0;
+}
diff --git a/CWE-193/src/test1.c b/CWE-193/src/VCE_1.c
similarity index 100%
rename from CWE-193/src/test1.c
rename to CWE-193/src/VCE_1.c
diff --git a/CWE-195/src/SCE_1.c b/CWE-195/src/SCE_1.c
new file mode 100644
index 0000000..9ad4825
--- /dev/null
+++ b/CWE-195/src/SCE_1.c
@@ -0,0 +1,16 @@
+#include
+
+unsigned int amount(int y) {
+ if (y < 0) {
+ printf("Error: Negative value provided.\n");
+ return 0; // or handle the error as appropriate
+ }
+ return (unsigned int)y;
+}
+
+int main() {
+ int amoun;
+ int value = -300;
+ amoun = amount(value);
+ return 0;
+}
diff --git a/CWE-195/src/test1.c b/CWE-195/src/VCE_1.c
similarity index 100%
rename from CWE-195/src/test1.c
rename to CWE-195/src/VCE_1.c
diff --git a/CWE-197/src/SCE_1.c b/CWE-197/src/SCE_1.c
new file mode 100644
index 0000000..a583a5e
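Review bot: In CWE-190/SCE_1.c, the return value of `read(0, &len, sizeof(len));` is ignored, so on end of input or a short read `len` is indeterminate when the range check runs. Check it first, e.g. `if (read(0, &len, sizeof(len)) != (ssize_t)sizeof(len)) return 1;`. The second `read(0, buf, len);` is unchecked as well, and the literal `8000` would read better as a named constant with a comment on why that limit was chosen.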
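Review bot: In CWE-193/src/SCE_1.c, `fullname` is never initialised, so the first `strncat(fullname, firstname, 20);` searches an indeterminate buffer for its terminator and can write outside the array. Add `fullname[0] = '\0';` next to the two existing initialisations; the comment there mentions only firstname and lastname. The size arguments would also be safer expressed as remaining space, `sizeof(fullname) - strlen(fullname) - 1`, than as the literals 20 and 19.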
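Review bot: In CWE-195/src/SCE_1.c, main stores the `unsigned int` result of `amount()` back into `int amoun`, which reintroduces an unsigned-to-signed conversion right after the function guards the opposite one. Declaring `unsigned int amoun;` keeps the types consistent. The error return `0` is also a valid amount, so a caller cannot tell a rejected negative from a real zero; a comment on the function, or a separate status return, should say so.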
--- /dev/null
+++ b/CWE-197/src/SCE_1.c
@@ -0,0 +1,22 @@
+#include
+#include
+
+int main() {
+ int intPrimitive;
+ short shortPrimitive;
+
+ intPrimitive = (int)(~((int)0) ^ (1 << (sizeof(int)*8-1)));
+
+ // Check if intPrimitive exceeds the range of short
+ if (intPrimitive > SHRT_MAX || intPrimitive < SHRT_MIN) {
+ printf("Error: Value exceeds the range of short.\n");
+ return 1;
+ }
+
+ shortPrimitive = (short)intPrimitive;
+
+ // Use appropriate format specifiers
+ printf("Int MAXINT: %d\nShort MAXINT: %hd\n", intPrimitive, shortPrimitive);
+
+ return 0;
+}
diff --git a/CWE-197/src/test1.c b/CWE-197/src/VCE_1.c
similarity index 100%
rename from CWE-197/src/test1.c
rename to CWE-197/src/VCE_1.c
diff --git a/CWE-20/cwe-20.txt b/CWE-20/cwe-20.txt
deleted file mode 100644
index 07dac56..0000000
--- a/CWE-20/cwe-20.txt
+++ /dev/null
@@ -1 +0,0 @@
-Improper Input Validation
diff --git a/CWE-20/src/Makefile b/CWE-20/src/Makefile
deleted file mode 100644
index f9dde96..0000000
--- a/CWE-20/src/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-all: test1 test2
-
-test1:
- gcc -o test1.o test1.c
-test2:
- gcc -o test2.o test2.c
-clean:
- rm test*.o
diff --git a/CWE-20/src/SCE_1_test1.c b/CWE-20/src/SCE_1_test1.c
new file mode 100644
index 0000000..2eb3c21
--- /dev/null
+++ b/CWE-20/src/SCE_1_test1.c
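Review bot: In CWE-197/src/SCE_1.c, the expression `(1 << (sizeof(int)*8-1))` shifts a signed 1 into the sign bit, which is undefined behaviour in C, so the example computes its test value through a different defect. The file already uses `SHRT_MAX`, presumably from `<limits.h>`, so `intPrimitive = INT_MAX;` gives the intended value without the shift. As written the range check always fails for that value and the narrowing assignment below it is never reached; a comment saying that this is the intended outcome would help readers.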
@@ -0,0 +1,47 @@
+#define MAX_DIM 100
+#include
+#include
+
+struct board_square_t {
+ int height;
+ int width;
+};
+
+int main(){
+ /* board dimensions.*/
+ int m,n, error;
+ struct board_square_t *board;
+
+ printf("Please specify the board height: \n");
+ error = scanf("%d", &m);
+ if ( EOF == error ){
+ printf("No integer passed: Die evil hacker!\n");
+ return 1; // Exit the program
+ }
+ if ( m <= 0 || m > MAX_DIM ) {
+ printf("Invalid height value: Die evil hacker!\n");
+ return 1; // Exit the program
+ }
+
+ printf("Please specify the board width: \n");
+ error = scanf("%d", &n);
+ if ( EOF == error ){
+ printf("No integer passed: Die evil hacker!\n");
+ return 1; // Exit the program
+ }
+ if ( n <= 0 || n > MAX_DIM ) {
+ printf("Invalid width value: Die evil hacker!\n");
+ return 1; // Exit the program
+ }
+
+ board = (struct board_square_t*) malloc( m * n * sizeof(struct board_square_t));
+ if (board == NULL) {
+ printf("Memory allocation failed!\n");
+ return 1; // Exit the program
+ }
+
+ // ... rest of the code ...
+
+ free(board); // Don't forget to free the allocated memory
+ return 0;
+}
diff --git a/CWE-20/src/SCE_2_test2.c b/CWE-20/src/SCE_2_test2.c
new file mode 100644
index 0000000..2eb3c21
--- /dev/null
+++ b/CWE-20/src/SCE_2_test2.c
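Review bot: In CWE-20/src/SCE_1_test1.c, both `if ( EOF == error )` checks miss the case where `scanf` returns 0 for non-numeric input such as `abc`; `m` or `n` is then read uninitialised by the range check that follows. Test the number of conversions instead: `if ( error != 1 ){`. CWE-20/src/SCE_2_test2.c is added with the same blob id (2eb3c21), so it carries the same defect and, being byte-identical, does not appear to be a separate counter example for test2.c.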
@@ -0,0 +1,47 @@
+#define MAX_DIM 100
+#include
+#include
+
+struct board_square_t {
+ int height;
+ int width;
+};
+
+int main(){
+ /* board dimensions.*/
+ int m,n, error;
+ struct board_square_t *board;
+
+ printf("Please specify the board height: \n");
+ error = scanf("%d", &m);
+ if ( EOF == error ){
+ printf("No integer passed: Die evil hacker!\n");
+ return 1; // Exit the program
+ }
+ if ( m <= 0 || m > MAX_DIM ) {
+ printf("Invalid height value: Die evil hacker!\n");
+ return 1; // Exit the program
+ }
+
+ printf("Please specify the board width: \n");
+ error = scanf("%d", &n);
+ if ( EOF == error ){
+ printf("No integer passed: Die evil hacker!\n");
+ return 1; // Exit the program
+ }
+ if ( n <= 0 || n > MAX_DIM ) {
+ printf("Invalid width value: Die evil hacker!\n");
+ return 1; // Exit the program
+ }
+
+ board = (struct board_square_t*) malloc( m * n * sizeof(struct board_square_t));
+ if (board == NULL) {
+ printf("Memory allocation failed!\n");
+ return 1; // Exit the program
+ }
+
+ // ... rest of the code ...
+
+ free(board); // Don't forget to free the allocated memory
+ return 0;
+}
diff --git a/CWE-20/src/test1.c b/CWE-20/src/VCE_1_test1.c
similarity index 100%
rename from CWE-20/src/test1.c
rename to CWE-20/src/VCE_1_test1.c
diff --git a/CWE-20/src/test2.c b/CWE-20/src/VCE_2_test2.c
similarity index 100%
rename from CWE-20/src/test2.c
rename to CWE-20/src/VCE_2_test2.c
diff --git a/CWE-369/src/SCE_1.c b/CWE-369/src/SCE_1.c
new file mode 100644
index 0000000..145d82c
--- /dev/null
+++ b/CWE-369/src/SCE_1.c
@@ -0,0 +1,17 @@
+#include
+
+int main()
+{
+ int x;
+
+ // Check for division by zero
+ int denominator = 0;
+ if (denominator != 0) {
+ x = 1 / denominator;
+ } else {
+ printf("Error: Division by zero.\n");
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/CWE-369/src/SCE_2.c b/CWE-369/src/SCE_2.c
new file mode 100644
index 0000000..f2a5fd4
--- /dev/null
+++ b/CWE-369/src/SCE_2.c
@@ -0,0 +1,18 @@
+#include
+
+int main()
+{
+ int x;
+ int a[10];
+ a[0] = 0;
+
+ // Check for division by zero
+ if (a[0] != 0) {
+ x = 1 / a[0];
+ } else {
+ printf("Error: Division by zero.\n");
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/CWE-369/src/SCE_3.c b/CWE-369/src/SCE_3.c
new file mode 100644
index 0000000..c9ab057
--- /dev/null
+++ b/CWE-369/src/SCE_3.c
@@ -0,0 +1,17 @@
+#include
+
+int main()
+{
+ int x;
+ int y = 0;
+
+ // Check for division by zero
+ if (y != 0) {
+ x = 4 / y;
+ } else {
+ printf("Error: Division by zero.\n");
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/CWE-369/src/SCE_4.c b/CWE-369/src/SCE_4.c
new file mode 100644
index 0000000..555150f
--- /dev/null
+++ b/CWE-369/src/SCE_4.c
@@ -0,0 +1,17 @@
+#include
+
+int main()
+{
+ int x;
+ int y = 0;
+
+ // Check for division by zero
+ if (y != 0) {
+ x = 2 / y;
+ } else {
+ printf("Error: Division by zero.\n");
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/CWE-369/src/test1.c b/CWE-369/src/VCE_1.c
similarity index 100%
rename from CWE-369/src/test1.c
rename to CWE-369/src/VCE_1.c
diff --git a/CWE-369/src/test2.c b/CWE-369/src/VCE_2.c
similarity index 100%
rename from CWE-369/src/test2.c
rename to CWE-369/src/VCE_2.c
diff --git a/CWE-369/src/test3.c b/CWE-369/src/VCE_3.c
similarity index 100%
rename from CWE-369/src/test3.c
rename to CWE-369/src/VCE_3.c
diff --git a/CWE-369/src/test4.c b/CWE-369/src/VCE_4.c
similarity index 100%
rename from CWE-369/src/test4.c
rename to CWE-369/src/VCE_4.c
diff --git a/CWE-401/src/SCE_1.c b/CWE-401/src/SCE_1.c
new file mode 100644
index 0000000..02fbf87
--- /dev/null
+++ b/CWE-401/src/SCE_1.c
@@ -0,0 +1,24 @@
+#include
+#include
+#define BLOCK_SIZE 16
+
+char* getBlock(int fd) {
+ char* buf = (char*) malloc(BLOCK_SIZE);
+ if (!buf) {
+ return NULL;
+ }
+ if (read(fd, buf, BLOCK_SIZE) != BLOCK_SIZE) {
+ free(buf); // Release the memory if read fails
+ return NULL;
+ }
+ return buf;
+}
+
+int main(){
+ char *buff;
+ buff = getBlock(0);
+ if (buff) {
+ free(buff); // Release the memory before exiting
+ }
+ return 0;
+}
diff --git a/CWE-401/src/test1.c b/CWE-401/src/VCE_1.c
similarity index 100%
rename from CWE-401/src/test1.c
rename to CWE-401/src/VCE_1.c
diff --git a/CWE-403/SCE_1.c b/CWE-403/SCE_1.c
new file mode 100644
index 0000000..3287838
--- /dev/null
+++ b/CWE-403/SCE_1.c
@@ -0,0 +1,20 @@
+#include
+#include
+#include
+
+int main() {
+ int fd;
+ char template[] = "/tmp/secure_tmp_file_XXXXXX"; // 'XXXXXX' will be replaced by mkstemp with a unique string
+
+ fd = mkstemp(template);
+ if (fd == -1) {
+ perror("Error creating temporary file");
+ exit(1);
+ }
+
+ // ... write some sensitive data to fd ...
+
+ close(fd);
+ unlink(template); // Delete the temporary file
+ return 0;
+}
diff --git a/CWE-403/SCE_2.c b/CWE-403/SCE_2.c
new file mode 100644
index 0000000..e1763e2
--- /dev/null
+++ b/CWE-403/SCE_2.c
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+
+int main() {
+ int fd;
+ fd = open("sensitive_file.txt", O_RDONLY);
+
+ // Set the FD_CLOEXEC flag on the file descriptor
+ int flags = fcntl(fd, F_GETFD);
+ if (flags == -1) {
+ perror("Error getting file descriptor flags");
+ exit(1);
+ }
+ flags |= FD_CLOEXEC;
+ if (fcntl(fd, F_SETFD, flags) == -1) {
+ perror("Error setting file descriptor flags");
+ exit(1);
+ }
+
+ system("/some/external/program"); // The external program won't have access to fd
+ close(fd);
+ return 0;
+}
diff --git a/CWE-403/VCE_1.c b/CWE-403/VCE_1.c
new file mode 100644
index 0000000..d2430ca
--- /dev/null
+++ b/CWE-403/VCE_1.c
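Review bot: CWE-403/SCE_1.c replaces a predictable name under /tmp with `mkstemp`, which addresses insecure temporary-file creation, not the exposure of a file descriptor to a child process that this directory's CWE number and the SCE_2.c/VCE_2.c pair cover; the same applies to CWE-403/VCE_1.c. If the pair is meant to stay here, a header comment naming the weakness it actually demonstrates would avoid mislabelled samples; otherwise it probably belongs under a temporary-file CWE directory.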
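Review bot: In CWE-403/SCE_2.c, the result of `open("sensitive_file.txt", O_RDONLY)` is not checked, so a failed open is noticed only indirectly when `fcntl(fd, F_GETFD)` fails and is then reported as a flags error. Setting the flag at open time avoids both the extra calls and the window between `open` and `F_SETFD` in a multi-threaded program: `fd = open("sensitive_file.txt", O_RDONLY | O_CLOEXEC);` followed by `if (fd == -1) { perror("open"); exit(1); }`.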
@@ -0,0 +1,10 @@
+#include
+#include
+
+int main() {
+ int fd;
+ fd = open("/tmp/predictable_tmp_file", O_RDWR | O_CREAT, 0666);
+ // ... write some sensitive data to fd ...
+ close(fd);
+ return 0;
+}
diff --git a/CWE-403/VCE_2.c b/CWE-403/VCE_2.c
new file mode 100644
index 0000000..dcbd9de
--- /dev/null
+++ b/CWE-403/VCE_2.c
@@ -0,0 +1,11 @@
+#include
+#include
+#include
+
+int main() {
+ int fd;
+ fd = open("sensitive_file.txt", O_RDONLY);
+ system("/some/external/program"); // This program can access fd
+ close(fd);
+ return 0;
+}
diff --git a/CWE-415/src/SCE_1.c b/CWE-415/src/SCE_1.c
new file mode 100644
index 0000000..4f2dcc9
--- /dev/null
+++ b/CWE-415/src/SCE_1.c
@@ -0,0 +1,12 @@
+#include
+#define SIZE 16
+
+int main(){
+ char* ptr = (char*)malloc(SIZE);
+ if (ptr) { // Ensure ptr is not NULL before freeing
+ free(ptr);
+ ptr = NULL; // Set ptr to NULL after freeing
+ }
+ // No need for the second free
+ return 0;
+}
diff --git a/CWE-415/src/test1.c b/CWE-415/src/VCE_1.c
similarity index 100%
rename from CWE-415/src/test1.c
rename to CWE-415/src/VCE_1.c
diff --git a/CWE-416/src/SCE-2.c b/CWE-416/src/SCE-2.c
new file mode 100644
index 0000000..b6de41a
--- /dev/null
+++ b/CWE-416/src/SCE-2.c
@@ -0,0 +1,30 @@
+#include
+#include
+#include
+#define SIZE 64
+
+int main (){
+ int abrt = 0;
+ int err = 1;
+ char* ptr = (char*) malloc(SIZE * sizeof(char));
+ if (!ptr) {
+ perror("Failed to allocate memory");
+ return 1;
+ }
+
+ strcpy(ptr, "This string is in the heap");
+
+ if (err) {
+ abrt = 1;
+ printf("operation aborted before commit. Pointer value is ptr: %s", ptr);
+ free(ptr); // Move the free after the printf
+ char* ptr2 = (char*) malloc(2 * sizeof(char));
+ if (!ptr2) {
+ perror("Failed to allocate memory for ptr2");
+ return 1;
+ }
+ free(ptr2); // Free the newly allocated memory to avoid memory leak
+ }
+
+ return 0;
+}
diff --git a/CWE-416/src/SCE_1.c b/CWE-416/src/SCE_1.c
new file mode 100644
index 0000000..1eda72b
--- /dev/null
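Review bot: CWE-416/src/SCE-2.c is the only new file named with a hyphen; its siblings are SCE_1.c and SCE_3.c and the vulnerable counterpart is VCE_2.c, so anything that pairs files by the `SCE_<n>` pattern will miss it. Renaming it to `SCE_2.c` would match. Inside the file, `abrt` is assigned but never read, and on the `!err` path `ptr` is never freed, which is unreachable here only because `err` is hard-coded to 1; a comment should say so or the `free(ptr)` should move out of the branch.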
+++ b/CWE-416/src/SCE_1.c
@@ -0,0 +1,39 @@
+#include
+#include
+#include
+#include
+
+#define BUFSIZER1 512
+#define BUFSIZER2 ((BUFSIZER1/2) - 8)
+
+int main(int argc, char **argv) {
+ if (argc < 2) {
+ printf("Usage: %s \n", argv[0]);
+ return 1;
+ }
+
+ char *buf1R1 = (char *) malloc(BUFSIZER1);
+ char *buf2R1 = (char *) malloc(BUFSIZER1);
+ char *buf2R2 = (char *) malloc(BUFSIZER2);
+ char *buf3R2 = (char *) malloc(BUFSIZER2);
+
+ // Check memory allocations
+ if (!buf1R1 || !buf2R1 || !buf2R2 || !buf3R2) {
+ perror("Failed to allocate memory");
+ free(buf1R1);
+ free(buf2R1);
+ free(buf2R2);
+ free(buf3R2);
+ return 1;
+ }
+
+ strncpy(buf2R1, argv[1], BUFSIZER1-1);
+ buf2R1[BUFSIZER1-1] = '\0'; // Ensure null-termination
+
+ free(buf1R1);
+ free(buf2R1);
+ free(buf2R2);
+ free(buf3R2);
+
+ return 0;
+}
diff --git a/CWE-416/src/SCE_3.c b/CWE-416/src/SCE_3.c
new file mode 100644
index 0000000..f79c88d
--- /dev/null
+++ b/CWE-416/src/SCE_3.c
@@ -0,0 +1,35 @@
+#include
+#include
+
+void dangerous_func(int* ptr, int a, int b) {
+ int val = 0;
+ if (!ptr) return;
+
+ if (a) {
+ *ptr += 2;
+ } else {
+ val = *ptr;
+ free(ptr);
+ ptr = NULL; // Set ptr to NULL after freeing
+ }
+
+ if (b) {
+ val += 5;
+ } else {
+ if (ptr) { // Check if ptr is not NULL before accessing
+ val += *ptr;
+ }
+ }
+
+ if (a && ptr) { // Check if ptr is not NULL before freeing
+ free(ptr);
+ ptr = NULL; // Set ptr to NULL after freeing
+ }
+
+ printf("val = %i\n", val);
+}
+
+int main() {
+ dangerous_func(malloc(sizeof(int)), 0, 0);
+ return 0;
+}
diff --git a/CWE-416/src/test1.c b/CWE-416/src/VCE_1.c
similarity index 100%
rename from CWE-416/src/test1.c
rename to CWE-416/src/VCE_1.c
diff --git a/CWE-416/src/test2.c b/CWE-416/src/VCE_2.c
similarity index 100%
rename from CWE-416/src/test2.c
rename to CWE-416/src/VCE_2.c
diff --git a/CWE-416/src/test3.c b/CWE-416/src/VCE_3.c
similarity index 100%
rename from CWE-416/src/test3.c
rename to CWE-416/src/VCE_3.c
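Review bot: In CWE-416/src/SCE_3.c, `ptr = NULL;` inside dangerous_func clears only the function's own copy of the pointer; a caller that kept its pointer would still hold freed memory, so the use-after-free is avoided only within this function. The function frees its argument on every path that gets past the null check, which should be stated in a header comment such as `/* Takes ownership of ptr and frees it before returning. */`. main also passes fresh `malloc` memory, so `val = *ptr;` reads an uninitialised int; `calloc(1, sizeof(int))` would avoid that.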
diff --git a/CWE-457/src/SCE_1.c b/CWE-457/src/SCE_1.c
new file mode 100644
index 0000000..49e9d7d
--- /dev/null
+++ b/CWE-457/src/SCE_1.c
@@ -0,0 +1,6 @@
+int main(){
+ int x;
+ int y = 0; // Initialize y to a default value
+ x = y + 1;
+ return 0;
+}
diff --git a/CWE-457/src/test1.c b/CWE-457/src/VCE_1.c
similarity index 100%
rename from CWE-457/src/test1.c
rename to CWE-457/src/VCE_1.c
diff --git a/CWE-476/src/SCE_1.c b/CWE-476/src/SCE_1.c
new file mode 100644
index 0000000..a8bf909
--- /dev/null
+++ b/CWE-476/src/SCE_1.c
@@ -0,0 +1,9 @@
+#define NULL 0
+
+int main(){
+ int *p = NULL;
+ if (p && *p){ // Check if p is not NULL before dereferencing
+
+ }
+ return 0;
+}
diff --git a/CWE-476/src/test1.c b/CWE-476/src/VCE_1.c
similarity index 100%
rename from CWE-476/src/test1.c
rename to CWE-476/src/VCE_1.c
diff --git a/CWE-665/src/SCE_1.c b/CWE-665/src/SCE_1.c
new file mode 100644
index 0000000..6a114e8
--- /dev/null
+++ b/CWE-665/src/SCE_1.c
@@ -0,0 +1,9 @@
+#include
+#include
+
+int main(){
+ char str[20] = ""; // Initialize the array with an empty string
+ strcat(str, "hello world");
+ printf("%s", str);
+ return 0;
+}
diff --git a/CWE-665/src/test1.c b/CWE-665/src/VCE_1.c
similarity index 100%
rename from CWE-665/src/test1.c
rename to CWE-665/src/VCE_1.c
diff --git a/CWE-787/SCE_1.c b/CWE-787/SCE_1.c
new file mode 100644
index 0000000..8582337
--- /dev/null
+++ b/CWE-787/SCE_1.c
@@ -0,0 +1,10 @@
+#include
+
+int main() {
+ int arr[5];
+ // Ensure we don't write past the end of the array
+ if (sizeof(arr)/sizeof(arr[0]) > 5) {
+ arr[4] = 42; // Use a valid index
+ }
+ return 0;
+}
diff --git a/CWE-787/SCE_2.c b/CWE-787/SCE_2.c
new file mode 100644
index 0000000..77c9656
--- /dev/null
+++ b/CWE-787/SCE_2.c
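Review bot: CWE-476/src/SCE_1.c defines `NULL` itself with `#define NULL 0` instead of taking it from a standard header; this redefines a standard macro and will clash as soon as a header that defines it is included. `#include <stddef.h>` is the usual source. The body of the guarded `if (p && *p)` is empty, so a one-line comment on what the example demonstrates would help readers.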
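Review bot: In CWE-787/SCE_1.c, the guard `if (sizeof(arr)/sizeof(arr[0]) > 5)` is always false for `int arr[5]`, so `arr[4] = 42;` never executes and the example avoids the out-of-bounds write only by writing nothing. The check should compare the index being written with the element count, e.g. `if (4 < sizeof(arr)/sizeof(arr[0])) {`. The comment above it could then name the index that is being validated.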
@@ -0,0 +1,10 @@
+#include
+#include
+
+int main() {
+ char buffer[10];
+ // Use strncpy to ensure we don't write past the buffer size
+ strncpy(buffer, "This string is too long for the buffer", sizeof(buffer) - 1);
+ buffer[sizeof(buffer) - 1] = '\0'; // Ensure null termination
+ return 0;
+}
diff --git a/CWE-787/SCE_3.c b/CWE-787/SCE_3.c
new file mode 100644
index 0000000..8f18e7d
--- /dev/null
+++ b/CWE-787/SCE_3.c
@@ -0,0 +1,10 @@
+#include
+
+int main() {
+ int i;
+ int arr[10];
+ for (i = 0; i < 10; i++) { // Ensure loop runs from 0 to 9 only
+ arr[i] = i;
+ }
+ return 0;
+}
diff --git a/CWE-787/SCE_4.c b/CWE-787/SCE_4.c
new file mode 100644
index 0000000..5421555
--- /dev/null
+++ b/CWE-787/SCE_4.c
@@ -0,0 +1,11 @@
+#include
+#include
+
+int main() {
+ int* ptr = (int*) malloc(5 * sizeof(int));
+ if (ptr) { // Check if memory allocation was successful
+ ptr[4] = 100; // Use a valid index
+ free(ptr);
+ }
+ return 0;
+}
diff --git a/CWE-787/VCE_1.c b/CWE-787/VCE_1.c
new file mode 100644
index 0000000..1aa2a58
--- /dev/null
+++ b/CWE-787/VCE_1.c
@@ -0,0 +1,7 @@
+#include
+
+int main() {
+ int arr[5];
+ arr[5] = 42; // Out-of-bounds write
+ return 0;
+}
diff --git a/CWE-787/VCE_2.c b/CWE-787/VCE_2.c
new file mode 100644
index 0000000..16fd64f
--- /dev/null
+++ b/CWE-787/VCE_2.c
@@ -0,0 +1,8 @@
+#include
+#include
+
+int main() {
+ char buffer[10];
+ strcpy(buffer, "This string is too long for the buffer"); // Out-of-bounds write
+ return 0;
+}
diff --git a/CWE-787/VCE_3.c b/CWE-787/VCE_3.c
new file mode 100644
index 0000000..2b177e9
--- /dev/null
+++ b/CWE-787/VCE_3.c
@@ -0,0 +1,10 @@
+#include
+
+int main() {
+ int i;
+ int arr[10];
+ for (i = 0; i <= 10; i++) { // The loop should run from 0 to 9, not 10
+ arr[i] = i; // Out-of-bounds write when i = 10
+ }
+ return 0;
+}
diff --git a/CWE-787/VCE_4.c b/CWE-787/VCE_4.c
new file mode 100644
index 0000000..da2e317
--- /dev/null
+++ b/CWE-787/VCE_4.c
@@ -0,0 +1,9 @@
+#include
+#include
+
+int main() {
+ int* ptr = (int*) malloc(5 * sizeof(int));
+ ptr[5] = 100; // Out-of-bounds write
+ free(ptr);
+ return 0;
+}
diff --git a/CWE-787/VCE_5.c b/CWE-787/VCE_5.c
new file mode 100644
index 0000000..2bbb600
--- /dev/null
+++ b/CWE-787/VCE_5.c
@@ -0,0 +1,8 @@
+#include
+
+int main() {
+ char buffer[20];
+ printf("Enter a string: ");
+ scanf("%s", buffer); // If the user enters more than 19 characters (+1 for null terminator), it results in an out-of-bounds write
+ return 0;
+}