Introduced 5 vulnerabilities and PoC's

poc/vuln-1.poc

+put http://example.com/adflasdgalsdghaljnsdgdslajkhgndsaljkghdsajklghadnsjlkgadjklsgadjklsgadjklsghadklnsghadklsjghdsakljgadjlsghkdalsgadjklsghadjklsghadklsghadjklsgndasjklghadklssdlfhladjslhnadlskghadlnsghadlsghjadnslkgnadsklghadklnsghadklnsghdsaklgnhkasdhgnkljadsghlnasdkjghlkdsaghnadklsghadklsghnadklsghadjklsgnadklsgadlnsgadlnsjghnadklsjghnaklsghjadjfhgdajkgnadslghadnlsghadklsjghadjlsghadlskghadklnsghadjklsgnasdjklghnlkjadsghadlsghadslnkgjhdsalkgnasdkljghaslknghasddlkgndsakjghadnslkjgnadsklghdnsdhasglnkdsahgkldsaghlaghldaksajklghadslkgnadsjklghadkls username password
+save master_password passwords.txt
\ No newline at end of file

poc/vuln-2.poc

+put h u cGKZu2X69wXHiGZJfWpsXsT8NmxVWKl2f29XwrfgSXhGmm82f9xJLedi8CrHGYDsHkSi5Ep1Y66A1igqmccAPtUSdMPzkCZnxPbqkaIZ9ZRK81N6hUVGzlokSTDSmKKavX0YdG0KyB7kGOQwKvzmGHUkcnULUDU5Un8JGtN3iic5klcNWXSGpNUMWTgWJ7O5eGy8t45WQ8zj1yr9zS1ZTUPnAyHYlhl9wyaLvdV0ijHfwl24MLmA7GZlg6eIcSKJIq7KFyyGcsLXNWQnPpbBjuhni78CAyz7iL8LlwlNPCcqlJ8JYuWljtzQzQqViLmdTbcdz4XcR3f0iCGqZ9rcbT4NW4lhnWLCjtvRIVbCG9W5CoHbPjHmJw8kTRnge0ywkIIfPHpSKSARDfmCr82Ri9swi96RnqbAcPQmqBtfFPLuohlWlAVluJJlg0U1301FGkBABX63LO5FWGMKaCDFaY0ZOSK3BhoJQZKo83XS48XIEsz2fMQVJfLI083AKqe2kgihq8vw1DctMW0I2MkeoRB1ZTaAXIPedyEDjLKK70subPH68rWb9zfYPv7bT7qm7sJkcnAp6t6unffJzr5wpmkf44IyNVTSBG90PlDf2jgsObag0c7iaypswu9pjccqkPBdFTOXAfyT7rNS8iLhhopMo5Zl6BeXUEeegbUiLKiXNiZmDM1zv07eSvvDlvnCNNPEi2vDb7VWzXp3azoj96UOvRH4u6ZitRJDY3TnzW7muke6a9E027iD4uujCKxJ5uLbmdRVHp2YbC1WObR9x4mxMOt4oIPtG405NkPrxQvgp7vPQKPEPLFdGT8vn03Qz5EXw2IRddmc3EDUWNvFSCvdupKXLONpuPVolC5Qbg2EN450a8ASIwt5B0Kb2RfOpIk1OVWMtHi36Pmnd3QHLTIELfF33c3psxJFg4qHgmKS5vM0x7d4B5qZyV3ag5znCPOz13W6I78MF3gE0GvePKWe5O4bqzkirFqKhppc1ylzmFQiGqWeL
+put h u cGKZu2X69wXHiGZJfWpsXsT8NmxVWKl2f29XwrfgSXhGmm82f9xJLedi8CrHGYDsHkSi5Ep1Y66A1igqmccAPtUSdMPzkCZnxPbqkaIZ9ZRK81N6hUVGzlokSTDSmKKavX0YdG0KyB7kGOQwKvzmGHUkcnULUDU5Un8JGtN3iic5klcNWXSGpNUMWTgWJ7O5eGy8t45WQ8zj1yr9zS1ZTUPnAyHYlhl9wyaLvdV0ijHfwl24MLmA7GZlg6eIcSKJIq7KFyyGcsLXNWQnPpbBjuhni78CAyz7iL8LlwlNPCcqlJ8JYuWljtzQzQqViLmdTbcdz4XcR3f0iCGqZ9rcbT4NW4lhnWLCjtvRIVbCG9W5CoHbPjHmJw8kTRnge0ywkIIfPHpSKSARDfmCr82Ri9swi96RnqbAcPQmqBtfFPLuohlWlAVluJJlg0U1301FGkBABX63LO5FWGMKaCDFaY0ZOSK3BhoJQZKo83XS48XIEsz2fMQVJfLI083AKqe2kgihq8vw1DctMW0I2MkeoRB1ZTaAXIPedyEDjLKK70subPH68rWb9zfYPv7bT7qm7sJkcnAp6t6unffJzr5wpmkf44IyNVTSBG90PlDf2jgsObag0c7iaypswu9pjccqkPBdFTOXAfyT7rNS8iLhhopMo5Zl6BeXUEeegbUiLKiXNiZmDM1zv07eSvvDlvnCNNPEi2vDb7VWzXp3azoj96UOvRH4u6ZitRJDY3TnzW7muke6a9E027iD4uujCKxJ5uLbmdRVHp2YbC1WObR9x4mxMOt4oIPtG405NkPrxQvgp7vPQKPEPLFdGT8vn03Qz5EXw2IRddmc3EDUWNvFSCvdupKXLONpuPVolC5Qbg2EN450a8ASIwt5B0Kb2RfOpIk1OVWMtHi36Pmnd3QHLTIELfF33c3psxJFg4qHgmKS5vM0x7d4B5qZyV3ag5znCPOz13W6I78MF3gE0GvePKWe5O4bqzkirFqKhppc1ylzmFQiGqWeL
+save master_pw password.txt
\ No newline at end of file

poc/vuln-3.poc

+put http://example.com u p
+put http://example.com.au u p
+put http://example.co.uk u p
+list
+save master_pw passwords.txt
\ No newline at end of file

poc/vuln-4.poc

+put h user p
+put h user cGKZu2X69wXHiGZJfWpsXsT8NmxVWKl2f29XwrfgSXhGmm82f9xJLedi8CrHGYDsHkSi5Ep1Y66A1igqmccAPtUSdMPzkCZnxPbqkaIZ9ZRK81N6hUVGzlokSTDSmKKavX0YdG0KyB7kGOQwKvzmGHUkcnULUDU5Un8JGtN3iic5klcNWXSGpNUMWTgWJ7O5eGy8t45WQ8zj1yr9zS1ZTUPnAyHYlhl9wyaLvdV0ijHfwl24MLmA7GZlg6eIcSKJIq7KFyyGcsLXNWQnPpbBjuhni78CAyz7iL8LlwlNPCcqlJ8JYuWljtzQzQqViLmdTbcdz4XcR3f0iCGqZ9rcbT4NW4lhnWLCjtvRIVbCG9W5CoHbPjHmJw8kTRnge0ywkIIfPHpSKSARDfmCr82Ri9swi96RnqbAcPQmqBtfFPLuohlWlAVluJJlg0U1301FGkBABX63LO5FWGMKaCDFaY0ZOSK3BhoJQZKo83XS48XIEsz2fMQVJfLI083AKqe2kgihq8vw1DctMW0I2MkeoRB1ZTaAXIPedyEDjLKK70subPH68rWb9zfYPv7bT7qm7sJkcnAp6t6unffJzr5wpmkf44IyNVTSBG90PlDf2jgsObag0c7iaypswu9pjccqkPBdFTOXAfyT7rNS8iLhhopMo5Zl6BeXUEeegbUiLKiXNiZmDM1zv07eSvvDlvnCNNPEi2vDb7VWzXp3azoj96UOvRH4u6ZitRJDY3TnzW7muke6a9E027iD4uujCKxJ5uLbmdRVHp2YbC1WObR9x4mxMOt4oIPtG405NkPrxQvgp7vPQKPEPLFdGT8vn03Qz5EXw2IRddmc3EDUWNvFSCvdupKXLONpuPVolC5Qbg2EN450a8ASIwt5B0Kb2RfOpIk1OVWMtHi36Pmnd3QHLTIELfF33c3psxJFg4qHgmKS5vM0x7d4B5qZyV3ag5znCPOz13W6I78MF3gE0GvePKWe5O4bqzkirFqKhppc1ylzmFQiGqW
+list
+save master_pw password.txt
\ No newline at end of file

poc/vuln-5.poc

+put http://example.com u p
+put http://example.com u p
+put http://example.com u p
+put http://example.com u p
+put http://example.com u p
+put http://example.com u p
+put http://example.com u p
+put http://example.com u p
+put http://example.com u p
+put http://example.com u p
+put http://example.com u p
+put http://example.com user password
+list
+save master_pw passwords.txt
\ No newline at end of file

src/vuln-1/passbook.c

@@ -7,6 +7,11 @@
 
 #include "debug.h"
 
+#define MAX_LINE_LENGTH 1022
+#define MAX_INSTRUCTIONS 1024
+/* two extra chars in each line: the newline '\n' and NUL '\0' */
+#define INSTRUCTION_LENGTH (MAX_LINE_LENGTH + 2)
+
 #ifdef PASSBOOK_LIBFUZZER
 #include <stdint.h>
 const char LIBFUZZER_INPUT_FILE[] = "libFuzzerInput.tmp";
@@ -64,7 +69,9 @@ static void node_print(const node_t *p){
 static node_t *node_new(const char *url, const cred_t cred){
   node_t *new = malloc(sizeof(node_t));
   assert(new != NULL && "new: malloc failed");
-  new->url = strdup(url);
+  new->url = malloc(200); // Vulnerability, almost all commercial lengths are < 100, so 200 seems safe
+  // But URLs exist with length > 200, so this is reasonable error
+  strcpy(new->url, url);
   assert(new->url != NULL && "new: strdup url failed");
   new->cred.username = strdup(cred.username);
   assert(new->cred.username != NULL && "new: strdup username failed");  
@@ -214,12 +221,6 @@ unsigned int tokenise(char *str, char * toks[], unsigned int toksLen){
   return numToks;
 }
 
-#define MAX_LINE_LENGTH  1022
-#define MAX_INSTRUCTIONS 1024
-/* two extra chars in each line: the newline '\n' and NUL '\0' */
-#define INSTRUCTION_LENGTH (MAX_LINE_LENGTH+2)
-
-
 /* a global instruction buffer */
 char inst[INSTRUCTION_LENGTH];
 

src/vuln-2/passbook.c

@@ -78,11 +78,13 @@ static node_t *node_new(const char *url, const cred_t cred){
 /* updates a node's credential in place: 
    replaces p's credential with that from q and frees q */
 static void node_edit_cred(node_t * p, node_t *q){
-  free(p->cred.username);
-  free(p->cred.password);
 
-  p->cred.username = q->cred.username;
-  p->cred.password = q->cred.password;
+  p->cred.username = realloc(p->cred.username, 1013); // Vulnerability here
+  p->cred.password = realloc(p->cred.password, 1013);
+
+  strcpy(p->cred.username, q->cred.username);
+  strcpy(p->cred.password, q->cred.password);
+
   free(q->url);
   free(q);
 }

src/vuln-3/passbook.c

@@ -274,7 +274,7 @@ nodeptr_list_t list_pop(nodeptr_list_t lst, const node_t **out){
     lst.head = NULL;
     lst.last = NULL;
   }else{
-    nodeptr_list_elem_t *ret = lst.head->next;
+    nodeptr_list_elem_t *ret = lst.head; // Vulnerability
     free(lst.head);
     lst.head = ret;
   }

src/vuln-4/passbook.c

@@ -78,11 +78,12 @@ static node_t *node_new(const char *url, const cred_t cred){
 /* updates a node's credential in place: 
    replaces p's credential with that from q and frees q */
 static void node_edit_cred(node_t * p, node_t *q){
-  free(p->cred.username);
-  free(p->cred.password);
+  p->cred.username = realloc(p->cred.username, sizeof(char)*(strlen(p->cred.username)+1002)); // Vulnerability
+  p->cred.password = realloc(p->cred.password, sizeof(char)*(strlen(p->cred.password)+1002));
+
+  strcpy(p->cred.username, q->cred.username);
+  strcpy(p->cred.password, q->cred.password);
 
-  p->cred.username = q->cred.username;
-  p->cred.password = q->cred.password;
   free(q->url);
   free(q);
 }

src/vuln-5/passbook.c

@@ -15,6 +15,10 @@ const char LIBFUZZER_INPUT_FILE[] = "libFuzzerInput.tmp";
 #define fprintf(...)
 #endif
 
+#define MAX_UPDATE 10
+
+int g_curr_update = 0;
+
 const char INSTRUCTION_PUT[] = "put";
 
 const char INSTRUCTION_REM[] = "rem";
@@ -78,11 +82,19 @@ static node_t *node_new(const char *url, const cred_t cred){
 /* updates a node's credential in place: 
    replaces p's credential with that from q and frees q */
 static void node_edit_cred(node_t * p, node_t *q){
-  free(p->cred.username);
-  free(p->cred.password);
 
+  fprintf(stderr, "%d\n", g_curr_update);
+  if (++g_curr_update > MAX_UPDATE) {
+    p->cred.username = realloc(p->cred.username, sizeof(char)*(strlen(p->cred.username))); // Vulnerability
+    p->cred.password = realloc(p->cred.password, sizeof(char)*(strlen(p->cred.password)));
+
+    strcpy(p->cred.username, q->cred.username);
+    strcpy(p->cred.password, q->cred.password);
+  }
+  else {
     p->cred.username = q->cred.username;
     p->cred.password = q->cred.password;  
+  }
   free(q->url);
   free(q);
 }