diff --git a/poc/vuln-1.poc b/poc/vuln-1.poc index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..eba4958dc48bffaf58c6b5738680c0efebd5f4f8 100644 --- a/poc/vuln-1.poc +++ b/poc/vuln-1.poc @@ -0,0 +1,2 @@ +push 5 +store aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \ No newline at end of file diff --git a/poc/vuln-2.poc b/poc/vuln-2.poc index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0724af2cbbe79f5962158ba33c8573ce36b6c9c1 100644 --- a/poc/vuln-2.poc +++ b/poc/vuln-2.poc @@ -0,0 +1,3 @@ +push 5 ++ +print \ No newline at end of file diff --git a/poc/vuln-3.poc b/poc/vuln-3.poc index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..9898eb7de370b2ac97e89c694ece7da2673b8e73 100644 --- a/poc/vuln-3.poc +++ b/poc/vuln-3.poc @@ -0,0 +1,4 @@ +push 5 +store a +load a +print \ No newline at end of file diff --git a/poc/vuln-4.poc b/poc/vuln-4.poc index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..51b30b943cb3bb079d11645880e42f786d3b263f 100644 --- a/poc/vuln-4.poc +++ b/poc/vuln-4.poc 
@@ -0,0 +1,3 @@
+push 5
+-
+print
\ No newline at end of file
diff --git a/poc/vuln-5.poc b/poc/vuln-5.poc
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..5bd0e4a5890db12d49db6a3f531479729e2345fb 100644
--- a/poc/vuln-5.poc
+++ b/poc/vuln-5.poc
@@ -0,0 +1,4 @@
+push 5
+store a
+remove a
+list
\ No newline at end of file
diff --git a/src/vuln-1/dc.c b/src/vuln-1/dc.c
index 63fb7f4f14026c24db10a6f63d0638e7b8c72a57..9aecf119d69aec191fddc6c4556fe3df730b0a30 100644
--- a/src/vuln-1/dc.c
+++ b/src/vuln-1/dc.c
@@ -72,7 +72,10 @@ static void node_print(const node_t *p){
 static node_t *node_new(const char *varname, const value_t value){
 node_t *new = malloc(sizeof(node_t));
 assert(new != NULL && "new: malloc failed");
- new->varname = strdup(varname);
+ //new->varname = strdup(varname);
+ //vuln-1
+ new->varname = (char *)malloc(1015 * sizeof(char));
+ strcpy(new->varname, varname);
 assert(new->varname != NULL && "new: strdup varname failed");
 new->value = value;
 new->left = NULL;
@@ -109,7 +112,7 @@ static node_t * node_insert(node_t *p, node_t *q){
 node_t ** new = NULL;
 node_t * const start = p;
 while (new == NULL) {
- int ret = strcmp(q->varname,p->varname);
+ int ret = strcmp(q->varname,p->varname);//exchange p and q
 if (ret == 0){
 assert (q->left == NULL && q->right == NULL && "illegal insertion");
 /* edit the node in place */
@@ -146,8 +149,7 @@ static void destroy(node_t *p){
 node_t * left = p->left;
 node_t * const right = p->right;
 left = node_insert(left,right);
- //node_free(p);
- free(p);
+ node_free(p);
 p = left;
 }
 }
diff --git a/src/vuln-2/dc.c b/src/vuln-2/dc.c
index ed843fe033476050bf8e8acb6775def110d16ad4..bc2abf164b7a9fe4236d41712f3d81d6bc4f7bec 100644
--- a/src/vuln-2/dc.c
+++ b/src/vuln-2/dc.c
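Review bot: `strcpy(new->varname, varname)` copies into a fixed 1015-byte heap buffer with no check on `strlen(varname)`, so any name of 1015 characters or more writes past the allocation; varname presumably comes from the tokenised instruction line (the load and remove paths elsewhere in this diff pass `toks[]` entries), so its length is input-controlled. The `assert(new->varname != NULL && ...)` on the following context line still names strdup and now runs only after strcpy has already written through the pointer, so a failed malloc is dereferenced before it is checked. Restore `new->varname = strdup(varname);`, or at minimum move the NULL check ahead of the copy and bound it, `snprintf(new->varname, 1015, "%s", varname);` — though silently truncating a name is itself a correctness problem, so rejecting over-long names before node_new is the better fix. The malloc cast and the `sizeof(char)` factor are unnecessary in C. node_new's body continues outside the hunk.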
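Review bot: The trailing comment `//exchange p and q` on the strcmp line in node_insert describes no change: the argument order `strcmp(q->varname,p->varname)` is identical to the removed line, so a reader will look for a swap that is not there. Either drop the comment or have it record what it actually means, e.g. `// q is the node being inserted, p the current tree node` (inferred from the signature and the "illegal insertion" assert on q). node_insert's body continues outside the hunk.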
@@ -74,10 +74,6 @@ static node_t *node_new(const char *varname, const value_t value){
 assert(new != NULL && "new: malloc failed");
 new->varname = strdup(varname);
 assert(new->varname != NULL && "new: strdup varname failed");
- /***********/
- new->varname = (char *)malloc (1002*sizeof(char));
- strcpy(new->varname, varname);
- /*********/
 new->value = value;
 new->left = NULL;
 new->right = NULL;
@@ -477,7 +473,8 @@ static int execute(void){
 return -1;
 }
- if (stack_size() < 2){
+ //vuln-2
+ if (stack_size() < 1){
 debug_printf("Add from insufficient stack\n");
 return -1;
 }
diff --git a/src/vuln-3/dc.c b/src/vuln-3/dc.c
index 1a47cd0184a07c58217bc2df7304aa3e0d606b5e..0d9795a06dfc5cb6cdd6056ba7d7bc0b563d2d95 100644
--- a/src/vuln-3/dc.c
+++ b/src/vuln-3/dc.c
@@ -429,8 +429,10 @@ int save_levelorder(const node_t *p,
 /* returns 0 on successful execution of the instruction in inst */
 static int execute(void){
- char * toks[4]; /* these are pointers to start of different tokens */
- const unsigned int numToks = tokenise(inst,toks,4);
+
+ /*---- vuln3 ----*/
+ char * toks[2]; /* these are pointers to start of different tokens */
+ const unsigned int numToks = tokenise(inst,toks,2);
 if (numToks == 0){
 /* blank line */
@@ -443,7 +445,9 @@ static int execute(void){
 return -1;
 }
 debug_printf("Looking up: %s\n",toks[1]);
- const node_t *p = lookup(map,toks[1]);
+
+ /*---- vuln3 ----*/
+ const node_t *p = lookup(map,toks[2]);
 if (p != NULL){
 if (stack_full()){
 debug_printf("Trying to load onto full stack\n");
diff --git a/src/vuln-4/dc.c b/src/vuln-4/dc.c
index 1a47cd0184a07c58217bc2df7304aa3e0d606b5e..a7421ab40b1edc5948ca8a68b385724aa45c7cfe 100644
--- a/src/vuln-4/dc.c
+++ b/src/vuln-4/dc.c
@@ -182,7 +182,7 @@ static node_t * rem(node_t *p, const char *varname){
 return start; // not found
 }
-const char WHITESPACE[] = " \t\r\n";
+const char WHITESPACE[] = " \r\n";
 /* tokenise a string, splitting on characters in WHITESPACE, up to
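Review bot: `if (stack_size() < 1)` lets an Add proceed with a single operand, but a binary add consumes two values, so whatever pops the second operand after this guard (outside the hunk) runs against an already-empty stack; the previous `< 2` was the correct bound and the "Add from insufficient stack" message still describes that intent. The same relaxation appears in src/vuln-4/dc.c for Sub, where `stack_size() == 0` admits a one-element stack. Both guards should read `if (stack_size() < 2){`. How the stack pop behaves when empty cannot be verified from these hunks.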
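Review bot: `lookup(map,toks[2])` in the second hunk indexes past the end of `char * toks[2]` declared in the first hunk: with two elements the valid indices are 0 and 1, so toks[2] reads whatever follows the array in execute()'s frame and passes that value to lookup as a string pointer. The debug_printf immediately above still prints toks[1], which is the token the code meant; change the line back to `const node_t *p = lookup(map,toks[1]);`. Shrinking toks and `tokenise(inst,toks,2)` also caps every instruction at two tokens, which cannot be checked against the other instruction handlers from here. src/vuln-5/dc.c makes the same two changes (`toks[2]` with `tokenise(inst,toks,2)`, and `rem(map,toks[2])` where the debug line prints toks[1]) and needs the same correction. execute()'s body continues outside these hunks.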
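Review bot: Dropping `\t` from WHITESPACE means a tab no longer separates tokens, so an instruction written as `push\t5` reaches tokenise as a single token and will not match any instruction name. Nothing in the hunk explains why tabs were removed; if the change is intended, the accepted input format should say so next to the definition, otherwise restore `const char WHITESPACE[] = " \t\r\n";`. tokenise itself is outside the hunk, so how an unsplit token is handled there cannot be confirmed.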
@@ -488,7 +488,8 @@ static int execute(void){
 return -1;
 }
- if (stack_size() < 2){
+ /*---- vuln4 ----*/
+ if (stack_size() == 0){
 debug_printf("Sub from insufficient stack\n");
 return -1;
 }
diff --git a/src/vuln-5/dc.c b/src/vuln-5/dc.c
index 1a47cd0184a07c58217bc2df7304aa3e0d606b5e..de84ea6c472c352e21abfa4eea2dac1c4a9ca60b 100644
--- a/src/vuln-5/dc.c
+++ b/src/vuln-5/dc.c
@@ -429,8 +429,10 @@ int save_levelorder(const node_t *p,
 /* returns 0 on successful execution of the instruction in inst */
 static int execute(void){
- char * toks[4]; /* these are pointers to start of different tokens */
- const unsigned int numToks = tokenise(inst,toks,4);
+
+ /*---- vuln5 ----*/
+ char * toks[2]; /* these are pointers to start of different tokens */
+ const unsigned int numToks = tokenise(inst,toks,2);
 if (numToks == 0){
 /* blank line */
@@ -566,7 +568,9 @@ static int execute(void){
 return -1;
 }
 debug_printf("Removing: %s\n",toks[1]);
- map = rem(map,toks[1]);
+
+ /*---- vuln5 ----*/
+ map = rem(map,toks[2]);
 }
 else if (strcmp(toks[0],INSTRUCTION_SAVE) == 0){
 if (numToks != 2){