diff --git a/Makefile b/Makefile
index 2a2deee009cc7689efb5546f0152270fca641318..69e9b86684f6cde8b04d6a6f5b12987de89a81e7 100644
--- a/Makefile
+++ b/Makefile
@@ -2166,20 +2166,18 @@ isutf8-clean:
clean:: isutf8-clean
-FILES_WITHOUT_NEWLINE := \
- VERSION \
- VERSION_CODENAME
-
BINARY_DISTRIB_FILES := \
$(sort $(wildcard ivette/src/dome/doc/template/static/fonts/*)) \
- $(sort $(wildcard share/*.ico share/*.png share/theme/*/*.png))
+ $(sort $(wildcard share/*.ico share/*.png share/theme/*/*.png)) \
+
+FILES_WITHOUT_NEWLINE := \
+ $(BINARY_DISTRIB_FILES) \
+ VERSION \
+ VERSION_CODENAME \
BINARY_DISTRIB_TESTS := \
tests/misc/oracle/interpreted_automata_dataflow_backward.dot \
tests/misc/oracle/interpreted_automata_dataflow_forward.dot \
- tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/test \
- tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/array_vs_pointer.ods \
- tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/data_testing.ods \
TESTS_WITHOUT_NEWLINE := \
$(BINARY_DISTRIB_TESTS) \
@@ -2207,8 +2205,8 @@ check-headers: $(HDRCK) $(CHECK_NEWLINES) $(ISUTF8)
$(file >distrib_tests.tmp) $(foreach O,$(DISTRIB_TESTS),$(file >>distrib_tests.tmp,$(subst @, ,$(O))))
$(file >header_exceptions.tmp) $(foreach O,$(HEADER_EXCEPTIONS),$(file >>header_exceptions.tmp,$O))
echo "Checking that distributed files terminate with a newline..."
- $(CHECK_NEWLINES) distrib_files.tmp $(FILES_WITHOUT_NEWLINE) $(BINARY_DISTRIB_FILES)
- $(CHECK_NEWLINES) distrib_tests.tmp $(TESTS_WITHOUT_NEWLINE) $(BINARY_DISTRIB_TESTS)
+ $(CHECK_NEWLINES) distrib_files.tmp $(FILES_WITHOUT_NEWLINE)
+ $(CHECK_NEWLINES) distrib_tests.tmp $(TESTS_WITHOUT_NEWLINE)
echo "Checking that distributed files do not use iso-8859..."
$(ISUTF8) distrib_files.tmp $(BINARY_DISTRIB_FILES)
$(ISUTF8) distrib_tests.tmp $(BINARY_DISTRIB_TESTS)
diff --git a/tests/verisec/suite/README.verisec_suite b/tests/verisec/suite/README.verisec_suite
deleted file mode 100644
index a4b10ca920d1f9837f976c8e5c92c3b0ec631a6f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/README.verisec_suite
+++ /dev/null
@@ -1,60 +0,0 @@
--= Directory Structure of the Verisec Suite =-
-
-/lib contains stubs (simple implementations) of library functions in a file
-stubs.c which should be linked into each testcase at analysis time. It also
-includes two header files, stubs.h and base.h. The header file stubs.h is
-#included in every testcase in the suite and itself #includes base.h. The file
-base.h #defines the macro BASE_SZ which sets the base buffer size for all
-testcases. This macro can be changed either by directly modifying base.h or, if
-a tool supports it, by overriding it at the command line, e.g., via the -D
-option in SatAbs and CBMC.
-
-/programs/apps contains the testcases which are first organized into
-directories by program, e.g., as shown in Figure 1 below, sendmail, OpenSER,
-and MADWiFi. Within each directory is a README file containing a brief
-description of the related program. Then there is a directory for each
-vulnerability in the program for which we developed testcases. Each
-vulnerability has a README file which explains the vulnerability and briefly
-describes its testcases. There are typically multiple testcases capturing the
-vulnerability. For example, in the figure, there are two sets of testcases for
-the CVE-2006-6749 vulnerability in OpenSER. These testcases are partitioned
-into directories according to the depth of the function in the calling context
-of the vulnerability. For example, in the figure below, in vulnerability
-CVE-2006-6749, the overflow occurs in function parse_expression which is called
-by function parse_expression_list. Thus, the testcases in the directory
-parse_expression only capture the body of parse_expression, whereas the
-testcases in the directory parse_expression_list capture the bodies of both
-functions, i.e., they include some of the calling context of parse_expression.
-Each testcase has unsafe and safe variants, indicated by the suffixes "bad" and
-"ok", respectively. The vulnerable statements in unsafe variants are indicated
-by the comment, "/* BAD */," on the line immediately preceding the statement.
-The corresponding statements in safe variants are indicated by the comment, "/*
-OK */." Some vulnerabilities include a subdirectory "complete", which includes
-a testcase capturing most of the calling context of the vulnerability.
-
---------------------------------------------------------------------------
- suite/
- README.verisec_suite
- lib/
- programs/
- apps/
- OpenSER/
- README
- CVE-2006-6749/
- README
- complete/
- parse_expression/
- guard_random_index_bad.c
- guard_random_index_ok.c
- guard_strchr_bad.c
- guard_strchr_ok.c
- guard_strstr_bad.c
- guard_strstr_ok.c
- parse_expression_list/
- sendmail/
- MADWiFi/
- ...
-
-Fig. 1 -- Suite directory structure.
---------------------------------------------------------------------------
-
diff --git a/tests/verisec/suite/lib/base.h b/tests/verisec/suite/lib/base.h
deleted file mode 100644
index bd7b3890fff7213a96b5d32da3a6eac3f4eaa909..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/lib/base.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef _BASE_H
-#define _BASE_H
-
-/* Only #define it if it hasn't already been defined using -D */
-#ifndef BASE_SZ
-#define BASE_SZ 2
-#endif
-
-#ifndef MAX_GETC
-#define MAX_GETC 10
-#endif
-
-#endif
diff --git a/tests/verisec/suite/lib/stubs.c b/tests/verisec/suite/lib/stubs.c
deleted file mode 100644
index 44979a7beddc9dc05aea4b946fcf0cfa2410c39e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/lib/stubs.c
+++ /dev/null
@@ -1,399 +0,0 @@
-#include "stubs.h"
-
-/*
- * KK: I think SatAbs/CBMC front-end complains about this, but the backend
- * knows what it means.
- */
-/* extern int nondet_int(); */
-
-/****************************************************************************
- *
- * Begin duplicate relevant functions.
- *
- ***************************************************************************/
-
-char *r_strcat(char *dest, const char *src)
-{
- int i, j;
- char tmp;
- i = 0; j = 0;
- while (dest[i] != EOS)
- i++;
- do {
- tmp = src[j];
- /* replace this line.... */
- dest[i] = tmp;
- i++; j++;
- } while (src[j] != EOS);
-
- /* strcat man page says that strcat null-terminates dest */
- /* r_strcat RELEVANT */
- dest[i] = EOS;
-
- return dest;
-}
-
-char *r_strncat(char *dest, const char *src, size_t n)
-{
- int i, j;
- char tmp;
- i = 0; j = 0;
- while (dest[i] != EOS)
- i++;
- do {
- if (j >= n) break;
- tmp = src[j];
- /* replace this line.... */
- dest[i] = tmp;
- i++; j++;
- } while (src[j] != EOS);
-
- /* strncat man page says that strcat null-terminates dest */
- /* r_strncat RELEVANT */
- dest[i] = EOS;
-
- return dest;
-}
-
-/* We do the copy backwards in order to trip upper bounds assertion
- * failures more quickly. */
-void *r_memcpy(void *dest, const void *src, size_t n)
-{
- int i;
-
- /*@ assert \valid((char *)dest+(n-1)); */
- /* dest[n-1]; */
-
- for (i = n-1; i >= 0; i--) {
- ((char *) dest)[i] = ((char *) src)[i];
- }
- return dest;
-}
-
-char *r_strncpy (char *dest, const char *src, size_t n)
-{
- int _i;
-
- /* r_strncpy RELEVANT */
- dest[n];
-
- for (_i = 0; _i < n; _i++) {
- dest[_i] = src[_i]; // DO NOT CHANGE THE POSITION OF THIS LINE
- if (src[_i] == EOS)
- break;
- }
- return dest;
-}
-
-char *r_strcpy (char *dest, const char *src)
-{
- int i;
- char tmp;
- for (i = 0; ; i++) {
- tmp = src[i];
- /* r_strcpy RELEVANT */
- dest[i] = tmp; // DO NOT CHANGE THE POSITION OF THIS LINE
- if (src[i] == EOS)
- break;
- }
- return dest;
-}
-
-/****************************************************************************
- *
- * End duplicate relevant functions.
- *
- ***************************************************************************/
-
-
-char *strcat(char *dest, const char *src)
-{
- int i, j;
- char tmp;
- i = 0; j = 0;
- while (dest[i] != EOS)
- i++;
- do {
- tmp = src[j];
- dest[i] = tmp;
- i++; j++;
- } while (src[j] != EOS);
-
- /* strcat man page says that strcat null-terminates dest */
- dest[i] = EOS;
-
- return dest;
-}
-
-/* We do the copy backwards in order to trip upper bounds assertion
- * failures more quickly. */
-void *memcpy(void *dest, const void *src, size_t n)
-{
- int i;
- for (i = n-1; i >= 0; i--) {
- /* I can't find a way to use a temporary here. :-/ */
- ((char *)dest)[i] = ((char *)src)[i];
- }
- return dest;
-}
-
-char *strchr(const char *s, int c)
-{
- int i;
- for (i = 0; s[i] != EOS; i++)
- if (s[i] == c)
- return &s[i];
-
- return (c == EOS) ? &s[i] : NULL;
-}
-
-
-char *strrchr(const char *s, int c)
-{
- char *ret = NULL;
- int i;
-
- for (i = 0; s[i] != EOS; i++)
- if (s[i] == c)
- ret = &s[i];
-
- if (c == EOS)
- return &s[i];
-
- return ret;
-}
-
-char *strncpy (char *dest, const char *src, size_t n)
-{
- int _i;
- char tmp;
- for (_i = 0; _i < n; _i++) {
- tmp = src[_i];
- dest[_i] = tmp;
- if (src[_i] == EOS)
- break;
- }
- return dest;
-}
-
-char *strncpy_ptr (char *dest, const char *src, size_t n)
-{
- char *p, *q;
- p = dest;
- q = src;
- for (; q - src < n; q++, p++) {
- *p = *q;
- if (*p == 0)
- break;
- }
- return dest;
-}
-
-char *strcpy (char *dest, char *src)
-{
- int i;
- char tmp;
- for (i = 0; ; i++) {
- tmp = src[i];
- dest[i] = tmp;
- if (src[i] == EOS)
- break;
- }
- return dest;
-}
-
-/* Version of strstr written for analyzability rather than performance.
- *
- * In this version, EVERYTHING is inlined. This seems to aid
- * analyzability considerably.
- */
-char *strstr(const char *haystack, const char *needle)
-{
- int len;
- int i;
- int j;
-
- len = 0;
- while (needle[len] != EOS) len++;
-
- for (i = 0; haystack[i] != EOS; i++) {
- for (j = 0; j < len-1; j++) {
- if (haystack[i+j] == EOS) break;
- if (haystack[i+j] != needle[j]) break;
- }
- if (j == len-1 &&
- haystack[i+len-1] == needle[len-1])
- return &haystack[i];
- }
-
- return NULL;
-}
-
-unsigned strlen(char *s)
-{
- int i;
- i = 0;
- while (s[i] != EOS)
- ++i;
- return i;
-}
-
-int strncmp (const char *s1, const char *s2, size_t n)
-{
- int i;
- int retval;
- i = 0;
- do {
- retval = s1[i] - s2[i];
- if (i >= n-1) return retval;
- if (retval != 0) return retval;
- if (s1[i] == EOS) return 0;
- i++;
- } while (1);
-}
-
-int strcmp (const char *s1, const char *s2)
-{
- int i;
- for (i = 0; s1[i] == s2[i]; i++)
- if (s1[i] == EOS)
- return 0;
- return s1[i] - s2[i];
-}
-
-/*
- * getc which returns EOF within MAX_GETC calls if preprocessor macro CBMC is
- * defined.
- */
-int getc ()
-{
-#ifdef CBMC
- static int getc_count = 0;
- if (getc_count++ < MAX_GETC)
- {
- if (nondet_int ())
- return (int) nondet_unsigned_char ();
-
- return EOF;
- }
- else
- {
- getc_count = 0;
- return EOF;
- }
-#else
- return nondet_int ();
-#endif
-}
-
-int isascii (int c)
-{
- return ('!' <= c && c <= '~');
-}
-
-int isspace (int c)
-{
- return (c == '\t' || c == '\n' || c == '\v' || c == '\f' || c == '\r'
- || c == ' ');
-}
-
-/*****************************************************************
- *
- * Functions which are like the functions in libc, but return indexes
- * into arrays rather than pointers into arrays. -1 becomes the
- * stand-in for NULL, which is hashish and evil in general.
- *
- ****************************************************************/
-
-char *strrand (char *s)
-{
- int i;
- for (i = 0; s[i] != EOS; i++)
- if (nondet_int () == 1)
- return &s[i];
-
- return NULL;
-}
-
-int istrrand (char *s)
-{
- int i;
- for (i = 0; s[i] != EOS; i++)
- if (nondet_int () == 1)
- return i;
-
- return -1;
-}
-
-int istrchr(const char *s, int c)
-{
- int i;
- for (i = 0; s[i] != EOS; i++)
- if (s[i] == c)
- return i;
-
- return (c == EOS) ? i : -1;
-}
-
-int istrrchr(const char *s, int c)
-{
- int ret = -1;
- int i;
-
- for (i = 0; s[i] != EOS; i++)
- if (s[i] == c)
- ret = i;
-
- if (c == EOS)
- return i;
-
- return ret;
-}
-
-int istrncmp (const char *s1, int start, const char *s2, size_t n)
-{
- int i;
- int end = start + (n-1);
-
- for (i = start; i < end; i++) {
- if (s1[i] == EOS) return 0;
- if (s1[i] - s2[i] != 0) return s1[i] - s2[i];
- }
-
- assert (i == end); //KK: what's this here for?
- return s1[end] - s2[end];
-}
-
-int istrstr(const char *haystack, const char *needle)
-{
- int len;
- int i;
- int j;
-
- len = 0;
- while (needle[len] != EOS) len++;
-
- for (i = 0; haystack[i] != EOS; i++) {
- for (j = 0; j < len-1; j++) {
- if (haystack[i+j] == EOS) break;
- if (haystack[i+j] != needle[j]) break;
- }
- if (j == len-1 &&
- haystack[i+len-1] == needle[len-1])
- return i;
- }
-
- return NULL;
-}
-
-typedef struct modem;
-int put_command( struct modem *mdm, char* command, int clen, char* answer,
- int max, int timeout,char* expect) {
- strcpy(answer,"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ\
-ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ\
-ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ\
-ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ\
-ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ\
-ABCDEF+CMGR:");
- return 0;
-}
diff --git a/tests/verisec/suite/lib/stubs.h b/tests/verisec/suite/lib/stubs.h
deleted file mode 100644
index 8a642f81ba6e9e78e67bedf0e289a8a57dcab68a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/lib/stubs.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef _STUBS_H
-#define _STUBS_H
-
-#include "base.h"
-
-#define NULL ((void *)0)
-#define EOS 0
-#define EOF -1
-#define ERR -1
-
-/* I had size_t being an unsigned long before, but that led to the
- * infamous "Equality without matching types" error when I used a
- * size_t to index into an array. */
-typedef int size_t;
-typedef int bool;
-#define true 1
-#define false 0
-
-char *strchr(const char *s, int c);
-char *strrchr(const char *s, int c);
-char *strstr(const char *haystack, const char *needle);
-char *strncpy (char *dest, const char *src, size_t n);
-char *strncpy_ptr (char *dest, const char *src, size_t n);
-char *strcpy (char *dest, const char *src);
-unsigned strlen(const char *s);
-int strncmp (const char *s1, const char *s2, size_t n);
-int strcmp (const char *s1, const char *s2);
-char *strcat(char *dest, const char *src);
-
-void *memcpy(void *dest, const void *src, size_t n);
-
-int isascii (int c);
-int isspace (int c);
-
-int getc (/* ignore FILE* arg */);
-
-/* Extensions to libc's string library */
-char *strrand (char *s);
-int istrrand (char *s);
-int istrchr(const char *s, int c);
-int istrrchr(const char *s, int c);
-int istrncmp (const char *s1, int start, const char *s2, size_t n);
-int istrstr(const char *haystack, const char *needle);
-
-/* Hackish duplicate functions to enable us to determine which claims
- * are relevant. Oh, the hilarity. */
-char *r_strncpy (char *dest, const char *src, size_t n);
-char *r_strcpy (char *dest, const char *src);
-char *r_strcat(char *dest, const char *src);
-char *r_strncat(char *dest, const char *src, size_t n);
-void *r_memcpy(void *dest, const void *src, size_t n);
-
-#endif
diff --git a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/README b/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/README
deleted file mode 100644
index 2cac97d59ac7d20e1adc31e06235f873a677f9a4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/README
+++ /dev/null
@@ -1,30 +0,0 @@
--= CVE-2006-6332 =-
-
-Vulnerable versions: MadWifi < 0.9.2.1
-File(s): net80211/ieee80211_wireless.c
-Download from: http://madwifi.org/wiki/UserDocs/GettingMadwifi
-
-Domain: Device Driver
-
-_ Vulnerable Functions and Buffers _
-
-The overflows are due to lack of bounds checking. buf in encode_ie()
-can be overflowed by a call to sprintf(), and buf in giwscan_cb() can
-by overflowed by a call to memcpy().
-
-_ Notes _
-
-The buffer overflows in this example are simple; however, there are
-technical issues in the original implementation which would make
-analysis difficult. First, in the original program, the overflow in
-encode_ie() is due to a write by sprintf(). Second, giwscan_cb() is
-called via a function pointer stored in a struct in the original.
-
-_ Decomposed Programs _
-
-encode_ie/
- no_sprintf_bad.c
- interproc_bad.c
-
-giwscan_cb/
- giwscan_cb.c
diff --git a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/constants.h b/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/constants.h
deleted file mode 100644
index 9faea5d36f2d5bfdb993f817409738608e6a1e53..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/constants.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-typedef unsigned int u_int;
-typedef unsigned char u_int8_t;
-
-struct ieee80211_scan_entry {
- u_int8_t *se_rsn_ie; /* captured RSN ie */
-};
-
-#define IEEE80211_ELEMID_RSN 200 /* fake */
-
-/* Size of an array leader[] which is written to buf[] before it is
- * overflowed by the ie[] array. */
-#define LEADERSZ 1
-
-/* We first write the "leader" to buf[], and then write from the "ie"
- * array. buf[] has to be bigger than LEADERSZ by at least 2. */
-#define BUFSZ BASE_SZ + LEADERSZ + 2
-
-/* Just has to be big enough to overflow buf[] */
-#define IESZ (BUFSZ - LEADERSZ) + 5
diff --git a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/interproc_bad.c b/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/interproc_bad.c
deleted file mode 100644
index fb2a0cac0cd395ded7cd5f675a5cb971532c3a1a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/interproc_bad.c
+++ /dev/null
@@ -1,70 +0,0 @@
-#include "../constants.h"
-
-static u_int
-encode_ie(void *buf, size_t bufsize, // 8-byte character array
- const u_int8_t *ie, size_t ielen, // 8-byte uint array
- const char *leader, size_t leader_len)
-{
- /* buf is treated as an array of unsigned 8-byte ints */
- u_int8_t *p;
- int i;
-
- // copy the contents of leader into buf
- if (bufsize < leader_len)
- return 0;
- p = buf;
- memcpy(p, leader, leader_len);
- bufsize -= leader_len;
- p += leader_len;
-
- for (i = 0; i < ielen && bufsize > 2; i++) {
- /* This was originally
- * p += sprintf(p, "%02x", ie[i]);
- * This would print two digits from ie[i] into p, and
- * return the number of bytes written.
- *
- * Simplified to remove sprintf.
- *
- */
- /* BAD */
- *p = 'x';
- /* BAD. */
- *(p+1) = 'x';
- p += 2;
- }
-
- // if we wrote all of ie[], say how many bytes written in total,
- // otherwise, claim we wrote nothing
- return (i == ielen ? p - (u_int8_t *)buf : 0);
-}
-
-
-static int
-giwscan_cb(const struct ieee80211_scan_entry *se)
-{
- u_int8_t buf[BUFSZ];
- char rsn_leader [LEADERSZ];
-
- /* Everything up to this point seems irrelevant to the following. */
-
- if (se->se_rsn_ie != NULL) {
- if (se->se_rsn_ie[0] == IEEE80211_ELEMID_RSN)
- encode_ie(buf, sizeof(buf),
- se->se_rsn_ie, se->se_rsn_ie[1] + 2,
- rsn_leader, sizeof(rsn_leader) - 1);
- }
-
- return 0;
-}
-
-int main ()
-{
- struct ieee80211_scan_entry se;
- u_int8_t ie [IESZ];
- se.se_rsn_ie = ie;
- se.se_rsn_ie[1] = IESZ - 2;
-
- giwscan_cb (&se);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/interproc_ok.c b/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/interproc_ok.c
deleted file mode 100644
index b78d56fa213a672c5ba1abc721fc87892c954b9d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/interproc_ok.c
+++ /dev/null
@@ -1,74 +0,0 @@
-#include "../constants.h"
-
-static u_int
-encode_ie(void *buf, size_t bufsize, // 8-byte character array
- const u_int8_t *ie, size_t ielen, // 8-byte uint array
- const char *leader, size_t leader_len)
-{
- /* buf is treated as an array of unsigned 8-byte ints */
- u_int8_t *p;
- int i;
-
- // copy the contents of leader into buf
- if (bufsize < leader_len)
- return 0;
- p = buf;
- memcpy(p, leader, leader_len);
- bufsize -= leader_len;
- p += leader_len;
-
- /* This is the fix. */
- if (bufsize < ielen)
- return 0;
-
- for (i = 0; i < ielen && bufsize > 2; i++) {
- /* This was originally
- * p += sprintf(p, "%02x", ie[i]);
- * This would print two digits from ie[i] into p, and
- * return the number of bytes written.
- *
- * Simplified to remove sprintf.
- *
- */
- /* OK */
- *p = 'x';
- /* OK. */
- *(p+1) = 'x';
- p += 2;
- }
-
- // if we wrote all of ie[], say how many bytes written in total,
- // otherwise, claim we wrote nothing
- return (i == ielen ? p - (u_int8_t *)buf : 0);
-}
-
-
-static int
-giwscan_cb(const struct ieee80211_scan_entry *se)
-{
- u_int8_t buf[BUFSZ];
- char rsn_leader [LEADERSZ];
-
- /* Everything up to this point seems irrelevant to the following. */
-
- if (se->se_rsn_ie != NULL) {
- if (se->se_rsn_ie[0] == IEEE80211_ELEMID_RSN)
- encode_ie(buf, sizeof(buf),
- se->se_rsn_ie, se->se_rsn_ie[1] + 2,
- rsn_leader, sizeof(rsn_leader) - 1);
- }
-
- return 0;
-}
-
-int main ()
-{
- struct ieee80211_scan_entry se;
- u_int8_t ie [IESZ];
- se.se_rsn_ie = ie;
- se.se_rsn_ie[1] = IESZ - 2;
-
- giwscan_cb (&se);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/no_sprintf_bad.c b/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/no_sprintf_bad.c
deleted file mode 100644
index cce4b96f38e84f7106b7e569422495795e2dc1da..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/no_sprintf_bad.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../constants.h"
-
-static u_int
-encode_ie(void *buf, size_t bufsize, // 8-byte character array
- const u_int8_t *ie, size_t ielen, // 8-byte uint array
- const char *leader, size_t leader_len)
-{
- /* buf is treated as an array of unsigned 8-byte ints */
- u_int8_t *p;
- int i;
-
- // copy the contents of leader into buf
- if (bufsize < leader_len)
- return 0;
- p = buf;
- memcpy(p, leader, leader_len);
- bufsize -= leader_len;
- p += leader_len;
-
- for (i = 0; i < ielen && bufsize > 2; i++) {
- /* This was originally
- * p += sprintf(p, "%02x", ie[i]);
- * This would print two digits from ie[i] into p, and
- * return the number of bytes written.
- *
- * Simplified to remove sprintf.
- *
- */
- /* BAD */
- *p = 'x';
- /* BAD. */
- *(p+1) = 'x';
- p += 2;
- }
-
- // if we wrote all of ie[], say how many bytes written in total,
- // otherwise, claim we wrote nothing
- return (i == ielen ? p - (u_int8_t *)buf : 0);
-}
-
-int main()
-{
- u_int8_t buf [BUFSZ];
- u_int8_t ie [IESZ];
- char leader [LEADERSZ];
-
- encode_ie (buf, BUFSZ,
- ie, IESZ,
- leader, LEADERSZ);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/no_sprintf_ok.c b/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/no_sprintf_ok.c
deleted file mode 100644
index 0534a4b81ef093ca4f09964becb755b64878fd7d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/encode_ie/no_sprintf_ok.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static u_int
-encode_ie(void *buf, size_t bufsize, // 8-byte character array
- const u_int8_t *ie, size_t ielen, // 8-byte uint array
- const char *leader, size_t leader_len)
-{
- /* buf is treated as an array of unsigned 8-byte ints */
- u_int8_t *p;
- int i;
-
- // copy the contents of leader into buf
- if (bufsize < leader_len)
- return 0;
- p = buf;
- memcpy(p, leader, leader_len);
- bufsize -= leader_len;
- p += leader_len;
-
- /* This is the fix. */
- if (bufsize < ielen)
- return 0;
-
- for (i = 0; i < ielen && bufsize > 2; i++) {
- /* This was originally
- * p += sprintf(p, "%02x", ie[i]);
- * This would print two digits from ie[i] into p, and
- * return the number of bytes written.
- *
- * Simplified to remove sprintf.
- *
- */
- /* OK */
- *p = 'x';
- /* OK. */
- *(p+1) = 'x';
- p += 2;
- }
-
- // if we wrote all of ie[], say how many bytes written in total,
- // otherwise, claim we wrote nothing
- return (i == ielen ? p - (u_int8_t *)buf : 0);
-}
-
-int main()
-{
- u_int8_t buf [BUFSZ];
- u_int8_t ie [IESZ];
- char leader [LEADERSZ];
-
- encode_ie (buf, BUFSZ,
- ie, IESZ,
- leader, LEADERSZ);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/giwscan_cb/giwscan_cb_bad.c b/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/giwscan_cb/giwscan_cb_bad.c
deleted file mode 100644
index 30b881e91a26dd9b06bcd06a25e17e77a9b6be13..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/giwscan_cb/giwscan_cb_bad.c
+++ /dev/null
@@ -1,28 +0,0 @@
-#include "../constants.h"
-
-static int
-giwscan_cb(const struct ieee80211_scan_entry *se)
-{
- char buf[IESZ];
-
- /* Everything up to this point seems irrelevant to the following. */
-
- if (se->se_rsn_ie != NULL) {
- /* BAD */
- r_memcpy(buf, se->se_rsn_ie, se->se_rsn_ie[1] + 2);
- }
-
- return 0;
-}
-
-int main ()
-{
- struct ieee80211_scan_entry se;
- u_int8_t ie [IESZ * 2];
- se.se_rsn_ie = ie;
- se.se_rsn_ie[1] = (IESZ * 2) - 2;
-
- giwscan_cb (&se);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/giwscan_cb/giwscan_cb_ok.c b/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/giwscan_cb/giwscan_cb_ok.c
deleted file mode 100644
index 0ba26b3b6cfbc4fceb1f600b57d18bf0f7caa519..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/MADWiFi/CVE-2006-6332/giwscan_cb/giwscan_cb_ok.c
+++ /dev/null
@@ -1,31 +0,0 @@
-#include "../constants.h"
-
-static int
-giwscan_cb(const struct ieee80211_scan_entry *se)
-{
- char buf[IESZ];
-
- /* Everything up to this point seems irrelevant to the following. */
-
- if (se->se_rsn_ie != NULL) {
- /* Here's the fix. */
- if ((se->se_rsn_ie[1] + 2) > IESZ)
- return E2BIG;
- /* OK */
- r_memcpy(buf, se->se_rsn_ie, se->se_rsn_ie[1] + 2);
- }
-
- return 0;
-}
-
-int main ()
-{
- struct ieee80211_scan_entry se;
- u_int8_t ie [IESZ * 2];
- se.se_rsn_ie = ie;
- se.se_rsn_ie[1] = (IESZ * 2) - 2;
-
- giwscan_cb (&se);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/MADWiFi/README b/tests/verisec/suite/programs/apps/MADWiFi/README
deleted file mode 100644
index 68197cf64f8ab565f9ec9bbe38d1ce447a0de0ba..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/MADWiFi/README
+++ /dev/null
@@ -1,7 +0,0 @@
--= MadWiFi =-
-
-Homepage: http://madwifi.org/
-Domain: Device Driver
-
-MadWifi is an open source Linux driver for wireless LAN chipsets made
-by Atheros.
diff --git a/tests/verisec/suite/programs/apps/Makefile b/tests/verisec/suite/programs/apps/Makefile
deleted file mode 100644
index 2d7cb97cd85927ed6419667fe0ca66954bd70932..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/Makefile
+++ /dev/null
@@ -1,46 +0,0 @@
-FRAMAC=frama-c
-STUBS=../../lib/stubs.c
-BIND_DIR=bind
-BIND_CA_DIR=$(BIND_DIR)/CA-1999-14
-BIND_RREXTRACT_NXT_DIR=$(BIND_CA_DIR)/rrextract-nxt
-
-APACHE_DIR=apache
-APACHE_2004_DIR=$(APACHE_DIR)/CVE-2004-0940
-
-EDBROWSE_DIR=edbrowse/CVE-2006-6909/ftpls
-
-GXINE_DIR=gxine/CVE-2007-0406/main
-
-OPENSER_DIR=OpenSER
-OPENSER_6876_DIR=$(OPENSER_DIR)/CVE-2006-6876/fetchsms
-
-all:bind gxine apache edbrowse openser
-
-bind:bind_CA bind_CVE
-
-bind_CA:bind_rrextract_nxt
-
-bind_rrextract_nxt:$(BIND_RREXTRACT_NXT_DIR)/simp_bad.c
- $(FRAMAC) -val $(STUBS) $(BIND_RREXTRACT_NXT_DIR)/simp_bad.c >$(BIND_RREXTRACT_NXT_DIR)/bin_rrextract_nxt.log 2>$(BIND_RREXTRACT_NXT_DIR)/bind_rrxtract_nxt.err
-
-gxine:$(GXINE_DIR)/simp_bad.c
- $(FRAMAC) -val $(STUBS) $(GXINE_DIR)/simp_bad.c >$(GXINE_DIR)/frama-c.log 2>$(GXINE_DIR)/frama-c.err
-
-bind_CVE:$(APACHE_2004_DIR)/apache.c
-
-apache:apache_CVE_2004 apache_CVE_2006
-
-apache_CVE_2004_iter1_prefixLong_arr: $(APACHE_2004_DIR)/apache.c
- $(FRAMAC) -val $(STUBS) $(APACHE_2004_DIR)/apache.c $(APACHE_2004_DIR)/get_tag/iter1_prefixLong_arr_bad.c >$(APACHE_2004_DIR)/ap_iter1_prefixLong_arr.log 2>$(APACHE_2004_DIR)/ap_iter1_prefixLong_arr.err
-
-apache_CVE_2004:apache_CVE_2004_iter1_prefixLong_arr
-
-apache_CVE_2006:
-
-edbrowse: $(EDBROWSE_DIR)/strchr_bad.c
- $(FRAMAC) -val $(STUBS) $(EDBROWSE_DIR)/strchr_bad.c >$(EDBROWSE_DIR)/strchr_bad.log 2>$(EDBROWSE_DIR)/strchr_bad.err
-
-openser:openser_6876
-
-openser_6876:$(OPENSER_6876_DIR)/full_bad.c
- $(FRAMAC) -val $(STUBS) $(OPENSER_6876_DIR)/full_bad.c -slevel 500 >$(OPENSER_6876_DIR)/full_bad.log 2>$(OPENSER_6876_DIR)/full_bad.err
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/README b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/README
deleted file mode 100644
index 839b15cee11653422f64e76560ccd7e3088c8e8b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/README
+++ /dev/null
@@ -1,47 +0,0 @@
--= CVE-2006-6652 =-
-
-Vulnerable versions: libc in NetBSD-current before 20050914,
- NetBSD 2.* and 3.* before 20061203
-File(s): src/lib/libc/gen/glob.c
-Download from:
- To get the original file, do the following (using bash):
- $ CVSROOT=:pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot; export CVSROOT
- $ cvs login
- ---> use the password "anoncvs"
- $ cvs co -D 2005-09-13 src/lib/libc/gen/glob.c
- If NetBSD has changed their anonymouns cvs checkout procedures since
- the time of this writing, visit
- http://www.netbsd.org/Documentation/current/#using-anoncvs-pserver
- for instructions.
-
-Domain: C library
-
-_ Vulnerable Functions and Buffers _
-
-glob1() passes a buffer, pathbuf, to glob2(). glob1() also passes a
-pointer, pathlim, which is meant to point to the end of pathbuf, for
-glob2() and glob3() to use for bounds checking. pathlim is computed
-incorrectly, so multiple instructions in glob2() and glob3() can
-overflow pathbuf.
-
-_ Decomposed Programs _
-
-glob.h
-
-glob1/
- bounds_bad.c
-
-glob2/
- loop_bad.c
- noAnyMeta_int_bad.c
- noAnyMeta_ptr_bad.c
- anyMeta_int_bad.c
- anyMeta_ptr_bad.c
- glob2_int_bad.c
- glob2_ptr_bad.c
-
-glob3/
- loop_int_bad.c
- loop_ptr_bad.c
- glob3_int_bad.c
- glob3_ptr_bad.c
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob.h b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob.h
deleted file mode 100644
index e9daa00581f26cb1c31e0446cf6d31504db4e303..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob.h
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-/* (One less than the) size of the buffer being overflowed. */
-#define MAXPATHLEN BASE_SZ
-
-/* Make PATTERNLEN bigger than MAXPATHLEN -- we want to be able to overflow
- * the buffer of length MAXPATHLEN+1 without having a tool complain about
- * out-of-bounds reads of the pattern buffer.
- */
-#define PATTERNLEN MAXPATHLEN+5
-
-/* Size of d_name. We don't care about it; like PATTERNLEN, just make
- * it "big enough".
- */
-#define MAXNAMLEN (MAXPATHLEN * 4)
-
-#define DOLLAR '$'
-#define DOT '.'
-#define LBRACKET '['
-#define NOT '!'
-#define QUESTION '?'
-#define QUOTE '\\'
-#define RANGE '-'
-#define RBRACKET ']'
-#define SEP '/'
-#define STAR '*'
-#define TILDE '~'
-#define UNDERSCORE '_'
-#define LBRACE '{'
-#define RBRACE '}'
-#define SLASH '/'
-#define COMMA ','
-
-#define M_QUOTE 0x80
-#define M_PROTECT 0x40
-#define M_MASK 0xff
-#define M_ASCII 0x7f
-
-/* In the original, a Char is an unsigned short.
- *
- * However, this triggers a bug in SatAbs. Hence, it's an int.
- */
-//typedef unsigned short Char;
-typedef int Char;
-typedef char u_char;
-
-#define CHAR(c) ((Char)((c)&M_ASCII))
-#define META(c) ((Char)((c)|M_QUOTE))
-#define M_ALL META('*')
-#define M_END META(']')
-#define M_NOT META('!')
-#define M_ONE META('?')
-#define M_RNG META('-')
-#define M_SET META('[')
-#define ismeta(c) (((c)&(0x80)) != 0)
-
-#define GLOB_ABORTED -1
-
-// For SatAbs
-extern int nondet_int (void);
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob1/bounds_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob1/bounds_bad.c
deleted file mode 100644
index 03074cfb39ab8869e2e88bbb6ab47c98fd4221c6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob1/bounds_bad.c
+++ /dev/null
@@ -1,17 +0,0 @@
-#include "../glob.h"
-
-int main ()
-{
- Char pathbuf[MAXPATHLEN+1];
-
- Char *bound = pathbuf + sizeof(pathbuf) - 1;
-
- /* Force SatAbs to check that bound is in bounds.
- *
- * This test is meant to mimic checking that "bound" is computed
- * correctly *before* passing it to glob2().
- */
- /* BAD */
- *bound = 10;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob1/bounds_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob1/bounds_ok.c
deleted file mode 100644
index 33121ed9aadbdfcea65f13e26ecac496c3cee326..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob1/bounds_ok.c
+++ /dev/null
@@ -1,17 +0,0 @@
-#include "../glob.h"
-
-int main ()
-{
- Char pathbuf[MAXPATHLEN+1];
-
- Char *bound = pathbuf + sizeof(pathbuf)/sizeof(*pathbuf) - 1;
-
- /* Force SatAbs to check that bound is in bounds.
- *
- * This test is meant to mimic checking that "bound" is computed
- * correctly *before* passing it to glob2().
- */
- /* OK */
- *bound = 10;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_int_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_int_bad.c
deleted file mode 100644
index d550ed3fb5fe54262ffb5a360272d8d8cf33ea23..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_int_bad.c
+++ /dev/null
@@ -1,50 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- int i;
- int anymeta;
- Char tmp;
-
- for (anymeta = 0;;) {
-
- /* Copies a single string from pattern into pathend, checking for
- * the presence of meta-characters.
- */
- i = 0;
- while (pattern[i] != EOS && pattern[i] != SEP) {
- if (ismeta(pattern[i]))
- anymeta = 1;
- if (pathend + i >= pathlim)
- return 1;
- tmp = pattern[i];
- /* BAD */
- pathend[i] = tmp;
- i++;
- }
-
- if (nondet_int ())
- return 0;
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_int_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_int_ok.c
deleted file mode 100644
index 86495dae99ac28ce12bd78633f38a06213ee276c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_int_ok.c
+++ /dev/null
@@ -1,50 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- int i;
- int anymeta;
- Char tmp;
-
- for (anymeta = 0;;) {
-
- /* Copies a single string from pattern into pathend, checking for
- * the presence of meta-characters.
- */
- i = 0;
- while (pattern[i] != EOS && pattern[i] != SEP) {
- if (ismeta(pattern[i]))
- anymeta = 1;
- if (pathend + i >= pathlim)
- return 1;
- tmp = pattern[i];
- /* OK */
- pathend[i] = tmp;
- i++;
- }
-
- if (nondet_int ())
- return 0;
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_ptr_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_ptr_bad.c
deleted file mode 100644
index 95ca7a31ff20bbe14d3f972b46e7481a8e7e6fbd..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_ptr_bad.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- Char *p, *q;
- int anymeta;
- Char tmp;
-
- for (anymeta = 0;;) {
-
- /* Copies a single string from pattern into pathend, checking for
- * the presence of meta-characters.
- */
- q = pathend;
- p = pattern;
- while (*p != EOS && *p != SEP) {
- if (ismeta(*p))
- anymeta = 1;
- if (q >= pathlim)
- return 1;
- tmp = *p;
- /* BAD */
- *q = tmp;
- q++;
- p++;
- }
-
- if (nondet_int ())
- return 0;
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_ptr_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_ptr_ok.c
deleted file mode 100644
index 4b424a6e97c7913fb9d180ed6427158ee66267be..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/anyMeta_ptr_ok.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- Char *p, *q;
- int anymeta;
- Char tmp;
-
- for (anymeta = 0;;) {
-
- /* Copies a single string from pattern into pathend, checking for
- * the presence of meta-characters.
- */
- q = pathend;
- p = pattern;
- while (*p != EOS && *p != SEP) {
- if (ismeta(*p))
- anymeta = 1;
- if (q >= pathlim)
- return 1;
- tmp = *p;
- /* OK */
- *q = tmp;
- q++;
- p++;
- }
-
- if (nondet_int ())
- return 0;
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_int_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_int_bad.c
deleted file mode 100644
index 747ef37e78514a722a308768f7b60d41699562db..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_int_bad.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- int i;
- int anymeta;
- Char tmp;
-
- for (anymeta = 0;;) {
-
- /* End of the pattern. Recursion stops, and we extend the glob
- * structure.
- */
- if (*pattern == EOS) {
- *pathend = EOS;
- if (NONDET()) {
- if (pathend >= pathlim)
- return 1;
- /* BAD */
- *pathend = SEP;
- pathend++;
- /* BAD */
- *pathend = EOS;
- }
- // replaces globextend
- return 0;
- }
-
- /* Copies a single string from pattern into pathend, checking for
- * the presence of meta-characters.
- */
- i = 0;
- while (pattern[i] != EOS && pattern[i] != SEP) {
- if (ismeta(pattern[i]))
- anymeta = 1;
- if (pathend + i >= pathlim)
- return 1;
- tmp = pattern[i];
- /* BAD */
- pathend[i] = tmp;
- i++;
- }
-
- /* If there was no metacharacter, we take whatever came
- * after the string we previously copied, copy it into
- * pathend, and continue.
- *
- * If we did encounter a meta-character, we recurse
- * by calling glob3 () -- we elide glob3 () in
- * this example.
- */
- if (!anymeta) {
- pathend = pathend + i;
- pattern = pattern + i;
- while (*pattern == SEP) {
- // bounds check
- if (pathend >= pathlim)
- return 1;
- tmp = *pattern;
- /* BAD */
- *pathend = tmp;
- pathend++;
- pattern++;
- }
- } else {
- // stand-in for glob3 (which is recursive)
- return 0;
- }
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_int_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_int_ok.c
deleted file mode 100644
index 4b19773c316f0061c0fd0a90e21e34ecdf22f672..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_int_ok.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- int i;
- int anymeta;
- Char tmp;
-
- for (anymeta = 0;;) {
-
- /* End of the pattern. Recursion stops, and we extend the glob
- * structure.
- */
- if (*pattern == EOS) {
- *pathend = EOS;
- if (NONDET()) {
- if (pathend >= pathlim)
- return 1;
- /* OK */
- *pathend = SEP;
- pathend++;
- /* OK */
- *pathend = EOS;
- }
- // replaces globextend
- return 0;
- }
-
- /* Copies a single string from pattern into pathend, checking for
- * the presence of meta-characters.
- */
- i = 0;
- while (pattern[i] != EOS && pattern[i] != SEP) {
- if (ismeta(pattern[i]))
- anymeta = 1;
- if (pathend + i >= pathlim)
- return 1;
- tmp = pattern[i];
- /* OK */
- pathend[i] = tmp;
- i++;
- }
-
- /* If there was no metacharacter, we take whatever came
- * after the string we previously copied, copy it into
- * pathend, and continue.
- *
- * If we did encounter a meta-character, we recurse
- * by calling glob3 () -- we elide glob3 () in
- * this example.
- */
- if (!anymeta) {
- pathend = pathend + i;
- pattern = pattern + i;
- while (*pattern == SEP) {
- // bounds check
- if (pathend >= pathlim)
- return 1;
- tmp = *pattern;
- /* OK */
- *pathend = tmp;
- pathend++;
- pattern++;
- }
- } else {
- // stand-in for glob3 (which is recursive)
- return 0;
- }
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_ptr_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_ptr_bad.c
deleted file mode 100644
index e0788293294f32406d27b4a7991c2ed00a4260c8..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_ptr_bad.c
+++ /dev/null
@@ -1,92 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- Char *p, *q;
- int anymeta;
- Char tmp;
-
- for (anymeta = 0;;) {
-
- /* End of the pattern. Recursion stops, and we extend the glob
- * structure.
- */
- if (*pattern == EOS) {
- *pathend = EOS;
- if (NONDET()) {
- if (pathend >= pathlim)
- return 1;
- *pathend = SEP;
- pathend++;
- /* BAD */
- *pathend = EOS;
- }
- // replaces globextend
- return 0;
- }
-
- /* Copies a single string from pattern into pathend, checking for
- * the presence of meta-characters.
- */
- q = pathend;
- p = pattern;
- while (*p != EOS && *p != SEP) {
- if (ismeta(*p))
- anymeta = 1;
- if (q >= pathlim)
- return 1;
- tmp = *p;
- /* BAD */
- *q = tmp;
- q++;
- p++;
- }
-
- /* If there was no metacharacter, we take whatever came
- * after the string we previously copied, copy it into
- * pathend, and continue.
- *
- * If we did encounter a meta-character, we recurse
- * by calling glob3 () -- we elide glob3 () in
- * this example.
- */
- if (!anymeta) {
- pathend = q;
- pattern = p;
- while (*pattern == SEP) {
- // bounds check
- if (pathend >= pathlim)
- return 1;
- tmp = *pattern;
- /* BAD */
- *pathend = tmp;
- pathend++;
- pattern++;
- }
- } else {
- // stand-in for glob3 (which is recursive)
- return 0;
- }
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_ptr_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_ptr_ok.c
deleted file mode 100644
index 0f8e8b23c4546206e657af8a24bec54c4209afe9..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/glob2_ptr_ok.c
+++ /dev/null
@@ -1,92 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- Char *p, *q;
- int anymeta;
- Char tmp;
-
- for (anymeta = 0;;) {
-
- /* End of the pattern. Recursion stops, and we extend the glob
- * structure.
- */
- if (*pattern == EOS) {
- *pathend = EOS;
- if (NONDET()) {
- if (pathend >= pathlim)
- return 1;
- *pathend = SEP;
- pathend++;
- /* OK */
- *pathend = EOS;
- }
- // replaces globextend
- return 0;
- }
-
- /* Copies a single string from pattern into pathend, checking for
- * the presence of meta-characters.
- */
- q = pathend;
- p = pattern;
- while (*p != EOS && *p != SEP) {
- if (ismeta(*p))
- anymeta = 1;
- if (q >= pathlim)
- return 1;
- tmp = *p;
- /* OK */
- *q = tmp;
- q++;
- p++;
- }
-
- /* If there was no metacharacter, we take whatever came
- * after the string we previously copied, copy it into
- * pathend, and continue.
- *
- * If we did encounter a meta-character, we recurse
- * by calling glob3 () -- we elide glob3 () in
- * this example.
- */
- if (!anymeta) {
- pathend = q;
- pattern = p;
- while (*pattern == SEP) {
- // bounds check
- if (pathend >= pathlim)
- return 1;
- tmp = *pattern;
- /* OK */
- *pathend = tmp;
- pathend++;
- pattern++;
- }
- } else {
- // stand-in for glob3 (which is recursive)
- return 0;
- }
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/loop_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/loop_bad.c
deleted file mode 100644
index 6933502e772d5df9a117580c8ca5b639103ef9b9..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/loop_bad.c
+++ /dev/null
@@ -1,24 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathlim)
-{
- Char *p;
-
- for (p = pathbuf; p <= pathlim; p++) {
- /* BAD */
- *p = 1;
- }
-
- return 0;
-}
-
-int main ()
-{
- Char pathbuf[MAXPATHLEN+1];
-
- Char *bound = pathbuf + sizeof(pathbuf) - 1;
-
- glob2 (pathbuf, bound);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/loop_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/loop_ok.c
deleted file mode 100644
index e829aaebb9ffd1c9f3f5c60a06f53f299285c9d7..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/loop_ok.c
+++ /dev/null
@@ -1,24 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathlim)
-{
- Char *p;
-
- for (p = pathbuf; p <= pathlim; p++) {
- /* OK */
- *p = 1;
- }
-
- return 0;
-}
-
-int main ()
-{
- Char pathbuf[MAXPATHLEN+1];
-
- Char *bound = pathbuf + sizeof(pathbuf)/sizeof(*pathbuf) - 1;
-
- glob2 (pathbuf, bound);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_int_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_int_bad.c
deleted file mode 100644
index a2107bbc6b2b345d72440f823d9a2130a36eeded..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_int_bad.c
+++ /dev/null
@@ -1,43 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- int i;
- Char tmp;
-
- i = 0;
- for (;;) {
- while (pattern[i] != EOS && pattern[i] != SEP) {
- if (pathend + i >= pathlim)
- return 1;
- tmp = pattern[i];
- /* BAD */
- pathend[i] = tmp;
- i++;
- }
-
- if (nondet_int ())
- return 0;
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_int_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_int_ok.c
deleted file mode 100644
index 570d0c45b0e10708aa84e9edb12bfb7a9a2a7ac1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_int_ok.c
+++ /dev/null
@@ -1,43 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- int i;
- Char tmp;
-
- i = 0;
- for (;;) {
- while (pattern[i] != EOS && pattern[i] != SEP) {
- if (pathend + i >= pathlim)
- return 1;
- tmp = pattern[i];
- /* OK */
- pathend[i] = tmp;
- i++;
- }
-
- if (nondet_int ())
- return 0;
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_ptr_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_ptr_bad.c
deleted file mode 100644
index eb270541a2d4d43b17846220256c27259ab3df2f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_ptr_bad.c
+++ /dev/null
@@ -1,45 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- Char *p, *q;
- Char tmp;
-
- for (;;) {
- q = pathend;
- p = pattern;
- while (*p != EOS && *p != SEP) {
- if (q >= pathlim)
- return 1;
- tmp = *p;
- /* BAD */
- *q = tmp;
- q++;
- p++;
- }
-
- if (nondet_int ())
- return 0;
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_ptr_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_ptr_ok.c
deleted file mode 100644
index 4bd38b8795f244a8fd18d1bcc313fa47c61fea83..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob2/noAnyMeta_ptr_ok.c
+++ /dev/null
@@ -1,45 +0,0 @@
-#include "../glob.h"
-
-int glob2 (Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- Char *p, *q;
- Char tmp;
-
- for (;;) {
- q = pathend;
- p = pattern;
- while (*p != EOS && *p != SEP) {
- if (q >= pathlim)
- return 1;
- tmp = *p;
- /* OK */
- *q = tmp;
- q++;
- p++;
- }
-
- if (nondet_int ())
- return 0;
- }
-
- /* NOT REACHED */
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob2 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_int_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_int_bad.c
deleted file mode 100644
index d3a77f097d10b3b52546934755f97ac03bea0f8a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_int_bad.c
+++ /dev/null
@@ -1,117 +0,0 @@
-#include "../glob.h"
-
-struct dirent {
- char d_name[MAXNAMLEN + 1];
-};
-
-static int
-g_Ctoc(Char *str, char *buf, size_t len)
-{
- int i;
-
- if (len == 0)
- return 1;
-
- for (i = 0; len && (buf[i] = str[i]) != EOS; len--)
- i++;
-
- return len == 0;
-}
-
-static int
-glob3(Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- struct dirent dp;
- int error;
- char buf[MAXPATHLEN];
-
-
- *pathend = EOS;
-
- if (nondet_int()) {
- if (nondet_int()) {
- if (g_Ctoc(pathbuf, buf, sizeof(buf)))
- return (GLOB_ABORTED);
- if (nondet_int())
- return (GLOB_ABORTED);
- }
-
- if (nondet_int())
- return (GLOB_ABORTED);
-
- return(0);
- }
-
- error = 0;
- while (nondet_int()) {
- int i;
-
- /* Initial DOT must be matched literally. */
- if (dp.d_name[0] == DOT && *pattern != DOT)
- continue;
- /*
- * The resulting string contains EOS, so we can
- * use the pathlim character, if it is the nul
- */
- i = 0;
- for (;;)
- if (pathend + i > pathlim) break;
- else {
- pathend[i] = dp.d_name[i];
- i++;
- /* BAD */
- if (pathend[i] == EOS) break;
- }
-
- /*
- * Have we filled the buffer without seeing EOS?
- */
- if (pathend + i > pathlim && *pathlim != EOS) {
- /*
- * Abort when requested by caller, otherwise
- * reset pathend back to last SEP and continue
- * with next dir entry.
- */
- if (nondet_int()) {
- error = GLOB_ABORTED;
- break;
- }
- else {
- /* BAD */
- pathend[i] = EOS;
- continue;
- }
- }
-
- /* match() is scary, and recursive, which Satabs can't handle.
- * Replacing it with a non-deterministic stub....
- *
- * This is irrelevant to overflow detection anyhow, since this
- * is *after* the overflow. */
- if (/*!match(pathend, pattern, restpattern)*/nondet_int()) {
- /* BAD */
- pathend[i] = EOS;
- continue;
- }
- }
-
- return error;
-}
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob3 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_int_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_int_ok.c
deleted file mode 100644
index 2c8d74717da4afc1140afbd4bbee88f1fd6cbc19..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_int_ok.c
+++ /dev/null
@@ -1,117 +0,0 @@
-#include "../glob.h"
-
-struct dirent {
- char d_name[MAXNAMLEN + 1];
-};
-
-static int
-g_Ctoc(Char *str, char *buf, size_t len)
-{
- int i;
-
- if (len == 0)
- return 1;
-
- for (i = 0; len && (buf[i] = str[i]) != EOS; len--)
- i++;
-
- return len == 0;
-}
-
-static int
-glob3(Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- struct dirent dp;
- int error;
- char buf[MAXPATHLEN];
-
-
- *pathend = EOS;
-
- if (nondet_int()) {
- if (nondet_int()) {
- if (g_Ctoc(pathbuf, buf, sizeof(buf)))
- return (GLOB_ABORTED);
- if (nondet_int())
- return (GLOB_ABORTED);
- }
-
- if (nondet_int())
- return (GLOB_ABORTED);
-
- return(0);
- }
-
- error = 0;
- while (nondet_int()) {
- int i;
-
- /* Initial DOT must be matched literally. */
- if (dp.d_name[0] == DOT && *pattern != DOT)
- continue;
- /*
- * The resulting string contains EOS, so we can
- * use the pathlim character, if it is the nul
- */
- i = 0;
- for (;;)
- if (pathend + i > pathlim) break;
- else {
- pathend[i] = dp.d_name[i];
- i++;
- /* OK */
- if (pathend[i] == EOS) break;
- }
-
- /*
- * Have we filled the buffer without seeing EOS?
- */
- if (pathend + i > pathlim && *pathlim != EOS) {
- /*
- * Abort when requested by caller, otherwise
- * reset pathend back to last SEP and continue
- * with next dir entry.
- */
- if (nondet_int()) {
- error = GLOB_ABORTED;
- break;
- }
- else {
- /* OK */
- pathend[i] = EOS;
- continue;
- }
- }
-
- /* match() is scary, and recursive, which Satabs can't handle.
- * Replacing it with a non-deterministic stub....
- *
- * This is irrelevant to overflow detection anyhow, since this
- * is *after* the overflow. */
- if (/*!match(pathend, pattern, restpattern)*/nondet_int()) {
- /* OK */
- pathend[i] = EOS;
- continue;
- }
- }
-
- return error;
-}
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob3 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_ptr_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_ptr_bad.c
deleted file mode 100644
index 05c381f61e1a82d9eba59c314beb59c06ebd3f21..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_ptr_bad.c
+++ /dev/null
@@ -1,118 +0,0 @@
-#include "../glob.h"
-
-struct dirent {
- char d_name[MAXNAMLEN + 1];
-};
-
-static int
-g_Ctoc(Char *str, char *buf, size_t len)
-{
- char *dc;
-
- if (len == 0)
- return 1;
-
- for (dc = buf; len && (*dc++ = *str++) != EOS; len--)
- continue;
-
- return len == 0;
-}
-
-static int
-glob3(Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- struct dirent dp;
- int error;
- char buf[MAXPATHLEN];
-
-
- *pathend = EOS;
-
- if (nondet_int()) {
- if (nondet_int()) {
- if (g_Ctoc(pathbuf, buf, sizeof(buf)))
- return (GLOB_ABORTED);
- if (nondet_int())
- return (GLOB_ABORTED);
- }
-
- if (nondet_int())
- return (GLOB_ABORTED);
-
- return(0);
- }
-
- error = 0;
- while (nondet_int()) {
- char *sc;
- Char *dc;
-
- /* Initial DOT must be matched literally. */
- if (dp.d_name[0] == DOT && *pattern != DOT)
- continue;
- /*
- * The resulting string contains EOS, so we can
- * use the pathlim character, if it is the nul
- */
- for (sc = dp.d_name, dc = pathend;;)
- if (dc > pathlim) break;
- else {
- *dc = *sc;
- dc++;
- sc++;
- /* BAD */
- if (*dc == EOS) break;
- }
-
-
- /*
- * Have we filled the buffer without seeing EOS?
- */
- if (dc > pathlim && *pathlim != EOS) {
- /*
- * Abort when requested by caller, otherwise
- * reset pathend back to last SEP and continue
- * with next dir entry.
- */
- if (nondet_int()) {
- error = GLOB_ABORTED;
- break;
- }
- else {
- /* BAD */
- *pathend = EOS;
- continue;
- }
- }
-
- /* match is scary */
- if (/*!match(pathend, pattern, restpattern)*/nondet_int()) {
- /* BAD */
- *pathend = EOS;
- continue;
- }/*
- error = glob2(pathbuf, --dc, pathlim, restpattern, pglob, limit);
- if (error)
- break;*/
- }
-
- return error;
-}
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob3 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_ptr_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_ptr_ok.c
deleted file mode 100644
index 90ef685d97786baa17d212cfcaa5c325ea09fd35..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/glob3_ptr_ok.c
+++ /dev/null
@@ -1,118 +0,0 @@
-#include "../glob.h"
-
-struct dirent {
- char d_name[MAXNAMLEN + 1];
-};
-
-static int
-g_Ctoc(Char *str, char *buf, size_t len)
-{
- char *dc;
-
- if (len == 0)
- return 1;
-
- for (dc = buf; len && (*dc++ = *str++) != EOS; len--)
- continue;
-
- return len == 0;
-}
-
-static int
-glob3(Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- struct dirent dp;
- int error;
- char buf[MAXPATHLEN];
-
-
- *pathend = EOS;
-
- if (nondet_int()) {
- if (nondet_int()) {
- if (g_Ctoc(pathbuf, buf, sizeof(buf)))
- return (GLOB_ABORTED);
- if (nondet_int())
- return (GLOB_ABORTED);
- }
-
- if (nondet_int())
- return (GLOB_ABORTED);
-
- return(0);
- }
-
- error = 0;
- while (nondet_int()) {
- char *sc;
- Char *dc;
-
- /* Initial DOT must be matched literally. */
- if (dp.d_name[0] == DOT && *pattern != DOT)
- continue;
- /*
- * The resulting string contains EOS, so we can
- * use the pathlim character, if it is the nul
- */
- for (sc = dp.d_name, dc = pathend;;)
- if (dc > pathlim) break;
- else {
- *dc = *sc;
- dc++;
- sc++;
- /* OK */
- if (*dc == EOS) break;
- }
-
-
- /*
- * Have we filled the buffer without seeing EOS?
- */
- if (dc > pathlim && *pathlim != EOS) {
- /*
- * Abort when requested by caller, otherwise
- * reset pathend back to last SEP and continue
- * with next dir entry.
- */
- if (nondet_int()) {
- error = GLOB_ABORTED;
- break;
- }
- else {
- /* OK */
- *pathend = EOS;
- continue;
- }
- }
-
- /* match is scary */
- if (/*!match(pathend, pattern, restpattern)*/nondet_int()) {
- /* OK */
- *pathend = EOS;
- continue;
- }/*
- error = glob2(pathbuf, --dc, pathlim, restpattern, pglob, limit);
- if (error)
- break;*/
- }
-
- return error;
-}
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob3 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_int_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_int_bad.c
deleted file mode 100644
index 9f50377b332def77a8eb8bc1f04230c2f164013c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_int_bad.c
+++ /dev/null
@@ -1,37 +0,0 @@
-#include "../glob.h"
-
-static int
-glob3(Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- int dc;
- dc = 0;
- for (;;)
- if (pathend + dc > pathlim) break;
- else {
- pathend[dc] = 1;
- dc++;
- /* BAD */
- if (pathend[dc] == EOS) break;
- }
-
- return 0;
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob3 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_int_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_int_ok.c
deleted file mode 100644
index f80f402089e76c45ff049b2264c7d592324df503..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_int_ok.c
+++ /dev/null
@@ -1,37 +0,0 @@
-#include "../glob.h"
-
-static int
-glob3(Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- int dc;
- dc = 0;
- for (;;)
- if (pathend + dc > pathlim) break;
- else {
- pathend[dc] = 1;
- dc++;
- /* OK */
- if (pathend[dc] == EOS) break;
- }
-
- return 0;
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob3 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_ptr_bad.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_ptr_bad.c
deleted file mode 100644
index 3801902c7c530751cab52b7ae71764f00f9cb68f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_ptr_bad.c
+++ /dev/null
@@ -1,37 +0,0 @@
-#include "../glob.h"
-
-static int
-glob3(Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- Char *dc;
- dc = pathend;
- for (;;)
- if (dc > pathlim) break;
- else {
- *dc = 1;
- dc++;
- /* BAD */
- if (*dc == EOS) break;
- }
-
- return 0;
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A) - 1;
-
- glob3 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_ptr_ok.c b/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_ptr_ok.c
deleted file mode 100644
index 6c43583b515d3d1eec7abc6d05b47e99b77c34a0..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/CVE-2006-6652/glob3/loop_ptr_ok.c
+++ /dev/null
@@ -1,37 +0,0 @@
-#include "../glob.h"
-
-static int
-glob3(Char *pathbuf, Char *pathend, Char *pathlim, Char *pattern)
-{
- Char *dc;
- dc = pathend;
- for (;;)
- if (dc > pathlim) break;
- else {
- *dc = 1;
- dc++;
- /* OK */
- if (*dc == EOS) break;
- }
-
- return 0;
-}
-
-int main ()
-{
- Char *buf;
- Char *pattern;
- Char *bound;
-
- Char A [MAXPATHLEN+1];
- Char B [PATTERNLEN];
-
- buf = A;
- pattern = B;
-
- bound = A + sizeof(A)/sizeof(*A) - 1;
-
- glob3 (buf, buf, bound, pattern);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/NetBSD-libc/README b/tests/verisec/suite/programs/apps/NetBSD-libc/README
deleted file mode 100644
index 2dba58153a53e330831651d32608802352475a0d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/NetBSD-libc/README
+++ /dev/null
@@ -1,7 +0,0 @@
--= NetBSD libc =-
-
-Homepage: http://www.netbsd.org
-Domain: C Library
-
-NetBSD is a Unix-like operating system, and this is it's
-implementation of the C standard library.
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/README b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/README
deleted file mode 100644
index efb3e846c2e31b4ffcb524f19df8f6c5572e3a21..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/README
+++ /dev/null
@@ -1,65 +0,0 @@
--= CVE-2006-6749 =-
-
-Vulnerable versions: OpenSER <= 1.1.0
-File(s): openser-1.1.0-tls/modules/permissions/parse_config.c
-Download from:
- http://www.openser.org/pub/openser/1.1.0/
- src/openser-1.1.0-tls_src.tar.gz
-
-Domain: SIP (Session Initiation Protocol)
-
-_ Vulnerable Functions and Buffers _
-
-Due to the lack of bounds checking, the buffers str2
-in parse_expression() and str2 in parse_expression_list()
-can both be overflowed.
-
-str2 in parse_expression() is overflowed by a call to
-strcpy(); reaching this call depends on the outcome
-of a call to strstr().
-
-str2 in parse_expression_list() is also overflowed by
-a call to strncpy(); however, the overflow depends on
-several branches made according to the value of the
-characters in the input buffer -- including stripping
-of characters from both ends of the substring.
-
-_ Decomposed Programs _
-
-stubs.h
- Defines LINE_LENGTH and EXPRESSION_LENGTH
-
-parse_expression/
- guard_random_index_bad.c
- guard_strchr_e_bad.c
- guard_strstr_e_bad.c
- guard_strstr_eee_bad.c
- guard_strstr_except_bad.c
-
-parse_expression_list/
- single_strip_spaces_copy_bad.c
- single_strip_full_copy_bad.c
-
- copy_zero_bad.c
- copy_bad.c
- copy_apost_bad.c
- copy_strip_spaces_bad.c
- copy_strip_full_bad.c
-
-complete/
- parse_config_bad.c
-
-pel2/
- cases{1,2,3}_strip{None,SpacesStart,SpacesBoth,FullStart,FullBoth}_{arr,ptr}_{ok,bad}.c
- cases1 - switch has only EOS case
- cases2 - switch has EOS and , cases
- cases3 - switch has EOS and , and " cases
- None - no whitespace stripping
- Spaces - strip only spaces
- Full - strip spaces, tabs, and quote marks
- Start - strip only from the start
- Both - strip from both sides
- arr - using array indexing (original)
- ptr - using pointers
-
- relevant assertion is an explicit assert before strncpy
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/complete/parse_config_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/complete/parse_config_bad.c
deleted file mode 100644
index df6db148e97aee99ec231be82933f4a164f60cfd..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/complete/parse_config_bad.c
+++ /dev/null
@@ -1,80 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- r_strncpy(str2, str+start, j-start+1);
- /* BAD */
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-int parse_expression (char *str) {
- char *except;
- char str2 [LINE_LENGTH];
-
- except = strstr(str, NEEDLE);
- if (except) {
- strncpy(str2, str, except-str);
- str2[except-str] = EOS;
- if (parse_expression_list(except+NEEDLE_SZ)) {
- /* error */
- return -1;
- }
- }
-
- return 0;
-}
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/complete/parse_config_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/complete/parse_config_ok.c
deleted file mode 100644
index 1c8e90fd3e788b2c40b289cba70cc56aef389890..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/complete/parse_config_ok.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- r_strncpy(str2, str+start, j-start+1);
- /* OK */
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-int parse_expression (char *str) {
- char *except;
- char str2 [LINE_LENGTH+1];
-
- except = strstr(str, NEEDLE);
- if (except) {
- strncpy(str2, str, except-str);
- str2[except-str] = EOS;
- if (parse_expression_list(except+NEEDLE_SZ)) {
- /* error */
- return -1;
- }
- }
-
- return 0;
-}
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/constants.h b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/constants.h
deleted file mode 100644
index d7073105b9e1e14a340a18a9a8bf6e0c5ffb63a6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/constants.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef _CONSTANTS_H
-#define _CONSTANTS_H
-
-#include "../../../../lib/stubs.h"
-
-#define EXPRESSION_LENGTH BASE_SZ
-#define NEEDLE "EX"
-#define NEEDLE_SZ 2
-
-/* Enough to fill a buffer of size EXPRESSION_LENGTH, enough to
- * contain the needle, and enough to overflow the buffer. */
-#define LINE_LENGTH EXPRESSION_LENGTH + NEEDLE_SZ + 4
-
-#endif
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_random_index_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_random_index_bad.c
deleted file mode 100644
index 2328704d1c0f15ba44e48ff507149e53a85940d9..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_random_index_bad.c
+++ /dev/null
@@ -1,28 +0,0 @@
-#include "../constants.h"
-
-int parse_expression (char *str) {
- int ind;
- char str2 [LINE_LENGTH];
-
- ind = nondet_int ();
- if (ind < -1 || ind >= LINE_LENGTH)
- return -1;
-
- if (ind != -1) {
- strncpy (str2, str, ind);
- } else {
- /* BAD */
- r_strcpy (str2, str);
- }
-
- return 0;
-}
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_random_index_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_random_index_ok.c
deleted file mode 100644
index 00aa010f41e447c4507fbefdf481be9d6f3993fd..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_random_index_ok.c
+++ /dev/null
@@ -1,28 +0,0 @@
-#include "../constants.h"
-
-int parse_expression (char *str) {
- int ind;
- char str2 [LINE_LENGTH+1];
-
- ind = nondet_int ();
- if (ind < -1 || ind >= LINE_LENGTH)
- return -1;
-
- if (ind != -1) {
- strncpy (str2, str, ind);
- } else {
- /* OK */
- r_strcpy (str2, str);
- }
-
- return 0;
-}
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strchr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strchr_bad.c
deleted file mode 100644
index 93da5d5813c6caa8b313fc0f68b75153e2654f1b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strchr_bad.c
+++ /dev/null
@@ -1,27 +0,0 @@
-#include "../constants.h"
-
-int parse_expression (char *str) {
- char *except;
- char str2 [LINE_LENGTH];
-
- except = strchr (str, 'e');
- if (except) {
- // SAFE: the 'e' is not copied
- strncpy (str2, str, (unsigned int)(except-str));
- } else {
- // UNSAFE: can copy up to LINE_LENGTH+1 characters
- /* BAD */
- r_strcpy (str2, str);
- }
-
- return 0;
-}
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strchr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strchr_ok.c
deleted file mode 100644
index 21a3177eb4989e49620824817dd64e4342a264f5..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strchr_ok.c
+++ /dev/null
@@ -1,25 +0,0 @@
-#include "../constants.h"
-
-int parse_expression (char *str) {
- char *except;
- char str2 [LINE_LENGTH+1];
-
- except = strchr (str, 'e');
- if (except) {
- strncpy (str2, str, (unsigned int)(except-str));
- } else {
- /* OK */
- r_strcpy (str2, str);
- }
-
- return 0;
-}
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strstr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strstr_bad.c
deleted file mode 100644
index 45bd27a0c85649254c5020dd478bba81b04de3b4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strstr_bad.c
+++ /dev/null
@@ -1,27 +0,0 @@
-#include "../constants.h"
-
-int parse_expression (char *str) {
- char *except;
- char str2 [LINE_LENGTH];
-
- except = strstr(str, NEEDLE);
- if (except) {
- // SAFE: the needle is not copied
- strncpy (str2, str, (unsigned int)(except-str));
- } else {
- // UNSAFE: can copy up to LINE_LENGTH+1 characters
- /* BAD */
- r_strcpy (str2, str);
- }
-
- return 0;
-}
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strstr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strstr_ok.c
deleted file mode 100644
index 147303f9e2ef4599228d7a18a00d569b2b6db2e4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression/guard_strstr_ok.c
+++ /dev/null
@@ -1,25 +0,0 @@
-#include "../constants.h"
-
-int parse_expression (char *str) {
- char *except;
- char str2 [LINE_LENGTH+1];
-
- except = strstr(str, NEEDLE);
- if (except) {
- strncpy (str2, str, (unsigned int)(except-str));
- } else {
- /* OK */
- r_strcpy (str2, str);
- }
-
- return 0;
-}
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_bad.c
deleted file mode 100644
index 1882e8c80f1b11fdc26b189bb1d66713454c703a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_bad.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_inlined_bad.c
deleted file mode 100644
index a8e2d3efd2ef633e270bb0875dd180f9c4af0e12..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_inlined_bad.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_inlined_ok.c
deleted file mode 100644
index 3e63018d3d9cf1907335cf4c9e478cc334020666..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_inlined_ok.c
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_ok.c
deleted file mode 100644
index 801bd89e7f59447c6c0091b12ccf2486cfa2f529..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullBoth_arr_ok.c
+++ /dev/null
@@ -1,59 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_bad.c
deleted file mode 100644
index 81ecb62f2381aa04b83d7826e86e033a5a4b8250..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_bad.c
+++ /dev/null
@@ -1,50 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_inlined_bad.c
deleted file mode 100644
index f7ae07263465a5698b9e8243b5f5304385e0bc2e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_inlined_bad.c
+++ /dev/null
@@ -1,51 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_inlined_ok.c
deleted file mode 100644
index c7e508e7d0d7c4e97954baa80b2216e2b2aca9eb..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_inlined_ok.c
+++ /dev/null
@@ -1,54 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_ok.c
deleted file mode 100644
index 0a9b1ce0cfaa815bbc41c5c8fe70a99f176c3bd0..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullEnd_arr_ok.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_bad.c
deleted file mode 100644
index befb51f7046c57deb0a3095ebf13721823137f56..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_bad.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_inlined_bad.c
deleted file mode 100644
index 06c27f5b97acc9c68f713baf569115bead5e55e5..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_inlined_bad.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_inlined_ok.c
deleted file mode 100644
index 49fabbd8b9f024671d8a4dab8d92d7193955d5e2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_inlined_ok.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_ok.c
deleted file mode 100644
index 7adc124c9c137763c76cac3fa07a173e474ef1f6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripFullStart_arr_ok.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_bad.c
deleted file mode 100644
index 21efb20f782c35aaa5393e851cc7a84cdd52bfde..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_bad.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_inlined_bad.c
deleted file mode 100644
index 405eddf8b1da5f1f38e2265eb9e4b8719f6885cd..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_inlined_bad.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_inlined_ok.c
deleted file mode 100644
index ea185d4681be1b7d5051378a820dc069865fc16e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_inlined_ok.c
+++ /dev/null
@@ -1,50 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_ok.c
deleted file mode 100644
index 92ec7d54bc5ad95a346a9d103742312aabb15874..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripNone_arr_ok.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_bad.c
deleted file mode 100644
index 3778aad860b6175a2184ed00e6850cb3198827c8..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_bad.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_inlined_bad.c
deleted file mode 100644
index 9809698ea1f887f6d17419df6560e0e7e61975ee..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_inlined_bad.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_inlined_ok.c
deleted file mode 100644
index 2ba5fcc46a4318b0a936008aff990b0ba7067a0e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_inlined_ok.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_ok.c
deleted file mode 100644
index 7fce9ea2f257bde62e8b0dd3a1fba28fa2b08ddb..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesBoth_arr_ok.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_bad.c
deleted file mode 100644
index e9facd128b7b3177763c47dc3dc085045f2e43b7..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_bad.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_inlined_bad.c
deleted file mode 100644
index b9ea298241b4cc29a4fae58d92a0651e58dab73f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_inlined_bad.c
+++ /dev/null
@@ -1,50 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_inlined_ok.c
deleted file mode 100644
index 0888a3fd6cdc5a91126e74ec8b8fa8a52a0ad917..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_inlined_ok.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_ok.c
deleted file mode 100644
index d3c55bb51bed0df7640b9787328b56bc62577c3a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesEnd_arr_ok.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_bad.c
deleted file mode 100644
index 068a80bf8284a0b406a527d7851d474a77997ce2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_bad.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_inlined_bad.c
deleted file mode 100644
index a6057e2a807dfacc6e72dfd7ec3384bad8fca870..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_inlined_bad.c
+++ /dev/null
@@ -1,50 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_inlined_ok.c
deleted file mode 100644
index 7e1d567e9c136c4facee0f6b4fb6dbd25db77fdd..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_inlined_ok.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_ok.c
deleted file mode 100644
index 6a811045b3a9fdd431170ab666ef9f8da4cf137e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases1_stripSpacesStart_arr_ok.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_bad.c
deleted file mode 100644
index 9d2cc2fd99ab35a117fe0ea92d0301e597fedb96..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_bad.c
+++ /dev/null
@@ -1,59 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_inlined_bad.c
deleted file mode 100644
index 9bb5e086e7c45ce9f23df62c8616438c01c28bef..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_inlined_bad.c
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_inlined_ok.c
deleted file mode 100644
index 170c5de2c45d3be7dfed9b67a3573f1976a36e67..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_inlined_ok.c
+++ /dev/null
@@ -1,63 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_ok.c
deleted file mode 100644
index 6e019f8c22a3567870264aab0a890c43f62c18ce..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullBoth_arr_ok.c
+++ /dev/null
@@ -1,62 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_bad.c
deleted file mode 100644
index ab3ead9172ac2ab52d476c5a6ec3ef70bec99677..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_bad.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_inlined_bad.c
deleted file mode 100644
index df572874ec93e1b6073fe8910010518ba43d52f2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_inlined_bad.c
+++ /dev/null
@@ -1,54 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_inlined_ok.c
deleted file mode 100644
index 6b793701918ff22dd60d54a3de5f3f9ffa047ab7..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_inlined_ok.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_ok.c
deleted file mode 100644
index 302609605d473b706a5b2bfacd6b361a04e95962..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullEnd_arr_ok.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_bad.c
deleted file mode 100644
index 0aa47f6870a4279b5d21673044da7045068268d2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_bad.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_inlined_bad.c
deleted file mode 100644
index fcd2269b31444e092afdda09aee89e4a6756a3aa..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_inlined_bad.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_inlined_ok.c
deleted file mode 100644
index a3fa1e39a3edaa34378426ddf0b287bcba3f01ef..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_inlined_ok.c
+++ /dev/null
@@ -1,59 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_ok.c
deleted file mode 100644
index 966722725d0d8f6fac32f63203f38b69471a7435..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripFullStart_arr_ok.c
+++ /dev/null
@@ -1,58 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_bad.c
deleted file mode 100644
index 815e881830692b3c093dc6af4f1d87907599b689..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_bad.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_inlined_bad.c
deleted file mode 100644
index 9e60091ef009559163158d81111cbf1f0237457b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_inlined_bad.c
+++ /dev/null
@@ -1,50 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_inlined_ok.c
deleted file mode 100644
index e9ecdcf777ac7614e6e12bef218b3b4cb11ae28c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_inlined_ok.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_ok.c
deleted file mode 100644
index e02530e9f21f0c9244e4e26b55552aec51622c93..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripNone_arr_ok.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_bad.c
deleted file mode 100644
index 3f58564c2a2f728ff513b9b2602b68f41262fdaf..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_bad.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_inlined_bad.c
deleted file mode 100644
index f962ca0c6cda740a8a94412e479ed92995aafeac..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_inlined_bad.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_inlined_ok.c
deleted file mode 100644
index b1b7f53df85cc3d0e1df1f841a0600e213c4543b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_inlined_ok.c
+++ /dev/null
@@ -1,59 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_ok.c
deleted file mode 100644
index ec87506f031c030a975c6ddced9ce13ef71de52d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesBoth_arr_ok.c
+++ /dev/null
@@ -1,58 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_bad.c
deleted file mode 100644
index 29bfba84aa58838c63ee25303a13c42679712f1e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_bad.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_inlined_bad.c
deleted file mode 100644
index bba488d88a69807b613972cfd051c0b0572be686..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_inlined_bad.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_inlined_ok.c
deleted file mode 100644
index e47d1fd2bd90ce99dfeacba3c11586f4d44f30f8..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_inlined_ok.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_ok.c
deleted file mode 100644
index 11269b22e358c50b3838f16fd4891a174cebdfc9..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesEnd_arr_ok.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_bad.c
deleted file mode 100644
index 8b534b1fc0d99b973ee156419507592fa4c898d2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_bad.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_inlined_bad.c
deleted file mode 100644
index 805ef40ca2a3a9bafe842e0cc12ffcc3756cfdab..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_inlined_bad.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_inlined_ok.c
deleted file mode 100644
index 075bdd6aa202caf1a17c4aea9d51986ed4fdafa2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_inlined_ok.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_ok.c
deleted file mode 100644
index 173f450ef533bc758967959c3a9220da3ee50bc9..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases2_stripSpacesStart_arr_ok.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',':
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_bad.c
deleted file mode 100644
index f1d1a7b62c8d5a83b7432a8652a4f85256583a61..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_bad.c
+++ /dev/null
@@ -1,62 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_inlined_bad.c
deleted file mode 100644
index 230de6e156e6de0ad1f8a54691a830123b5e9588..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_inlined_bad.c
+++ /dev/null
@@ -1,63 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_inlined_ok.c
deleted file mode 100644
index 39cf34485daaf910ed4f99b882b8e5a4487b5fc4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_inlined_ok.c
+++ /dev/null
@@ -1,66 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_ok.c
deleted file mode 100644
index 52865ea80f98f44e493b6f08fe4bd46605569aea..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullBoth_arr_ok.c
+++ /dev/null
@@ -1,65 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_bad.c
deleted file mode 100644
index 35669561f70588eb07c66f3c29c6f82ca078c371..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_bad.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_inlined_bad.c
deleted file mode 100644
index c7085f126cd25d2dbb15270f7d36943dd69e50aa..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_inlined_bad.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_inlined_ok.c
deleted file mode 100644
index 96db0718e21d136100a8be1505a92dd38d342a06..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_inlined_ok.c
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_ok.c
deleted file mode 100644
index d9f6ef5a9aac8fffcbb33cea138f587db2ca9103..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullEnd_arr_ok.c
+++ /dev/null
@@ -1,59 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' ') || (str[j] == '\t'))) j--;
- if ((0 < j) && (str[j] == '"')) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_bad.c
deleted file mode 100644
index c9f2bb9920395188f7c161260d319fd5b36bdc45..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_bad.c
+++ /dev/null
@@ -1,58 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_inlined_bad.c
deleted file mode 100644
index d2d2fc50c915d48058f0bfd9eea7bc1c4fe38330..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_inlined_bad.c
+++ /dev/null
@@ -1,59 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_inlined_ok.c
deleted file mode 100644
index 7a7b9fd06c896839b2b2971440f71d3033e2dc00..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_inlined_ok.c
+++ /dev/null
@@ -1,62 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_ok.c
deleted file mode 100644
index ba32aa932d4ad7943bc95ad368b2fb04b00d8066..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripFullStart_arr_ok.c
+++ /dev/null
@@ -1,61 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ') || (str[start] == '\t')) start++;
-
- /* Skip quote marks */
- if (str[start] == '"') start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_bad.c
deleted file mode 100644
index 9c0ebb8c85d0c53e6ffc8da43411ecc467b11ac9..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_bad.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_inlined_bad.c
deleted file mode 100644
index 5b3323e104a49aed91d4c7e3f74a43ec177c4e43..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_inlined_bad.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_inlined_ok.c
deleted file mode 100644
index b5c802b79b3306188277228488c085dcd06d92ac..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_inlined_ok.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_ok.c
deleted file mode 100644
index 7d4f5aa0cbd458d89d4a154a1af377cd4ea78db0..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripNone_arr_ok.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_bad.c
deleted file mode 100644
index e64137a2f09b0b1941c56c337dbe4cf9b61a3ddc..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_bad.c
+++ /dev/null
@@ -1,58 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_inlined_bad.c
deleted file mode 100644
index c0f295e547a32301215c19f9a6c00f881baa3770..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_inlined_bad.c
+++ /dev/null
@@ -1,59 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_inlined_ok.c
deleted file mode 100644
index 3d4dcf6d800f1c80567ab4444bb24e97191c1516..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_inlined_ok.c
+++ /dev/null
@@ -1,62 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_ok.c
deleted file mode 100644
index 31c9ff7062500a584251d624ad94b1d7d0208259..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesBoth_arr_ok.c
+++ /dev/null
@@ -1,61 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_bad.c
deleted file mode 100644
index 33e10f7fc0cb3844356cf905ac4dfdd2e28e64f1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_bad.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_inlined_bad.c
deleted file mode 100644
index 1c35e86741272564968121b88b43866e69ec83bb..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_inlined_bad.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_inlined_ok.c
deleted file mode 100644
index 8af0f1ed61cc414798e4e7b0936616c59feff471..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_inlined_ok.c
+++ /dev/null
@@ -1,59 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_ok.c
deleted file mode 100644
index 777ac94fec20bf72498e27a1559e145f5792a072..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesEnd_arr_ok.c
+++ /dev/null
@@ -1,58 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* Skip over quotes and whitespace at the END of the word */
- while ((0 < j) && ((str[j] == ' '))) j--;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_bad.c
deleted file mode 100644
index 77472801cdd2f58878b010161156f7af6cb37fd4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_bad.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_inlined_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_inlined_bad.c
deleted file mode 100644
index 9a81e70246160c36aacdb01d73bdd1adc74c4889..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_inlined_bad.c
+++ /dev/null
@@ -1,56 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- /* BAD */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_inlined_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_inlined_ok.c
deleted file mode 100644
index 4e6b4d8338aba83b046dee56ce38ef65a9937147..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_inlined_ok.c
+++ /dev/null
@@ -1,59 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- assert (j-start+1 < EXPRESSION_LENGTH);
- strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_ok.c
deleted file mode 100644
index fb490bbbfd0d5fdc0f951492390d9d687e50a20c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6749/parse_expression_list/cases3_stripSpacesStart_arr_ok.c
+++ /dev/null
@@ -1,58 +0,0 @@
-#include "../constants.h"
-
-static int parse_expression_list(char *str)
-{
- int start=0, i=-1, j=-1, apost=0;
- char str2[EXPRESSION_LENGTH];
-
- if (!str) return -1;
-
- do {
-
- /* i only changes here --> it's the "current character" */
- i++;
- switch(str[i]) {
- case '"': apost = !apost;
- break;
-
- /* Comman and NULL are both word terminators, stop parsing if
- your word terminator is a NULL. */
- case ',': if (apost) break;
- case EOS: /* word found */
-
- /* Skip initial whitespace from start of the word being processed */
- while ((str[start] == ' ')) start++;
-
- /* Set j to point to the end of the current word */
- j = i-1;
-
- /* If word not empty.... */
- if (start<=j) {
- /* valid word */
- if (j-start+1>=EXPRESSION_LENGTH) {
- return -1;
- }
- /* OK */
- r_strncpy(str2, str+start, j-start+1);
- str2[j-start+1] = EOS;
- } else {
- /* parsing error */
- return -1;
- }
- /* for the next word */
- start = i+1;
- }
- } while (str[i] != EOS);
-
- return 0;
-}
-
-
-int main ()
-{
- char A [LINE_LENGTH+1];
- A[LINE_LENGTH] = EOS;
-
- parse_expression_list (A);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/README b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/README
deleted file mode 100644
index dcc11a31c92cc6e4a635c785a5b32e5a2b0c2c32..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/README
+++ /dev/null
@@ -1,28 +0,0 @@
--= CVE-2006-6876 =-
-
-Vulnerable versions: OpenSER <= 1.2.0
-File(s): openser-1.1.0-tls/modules/sms/libsms_getsms.c
-Download from:
- http://www.openser.org/pub/openser/1.1.0/src/openser-1.1.0-tls_src.tar.gz
-
-Domain: SIP (Session Initiation Protocol)
-
-_ Vulnerable Functions and Buffers _
-
-A buffer, pdu[], is passed to fetchsms(). fetchsms() writes into pdu[]
-from another buffer, answer[], which it gets from the
-modem. fetchsms() does some heavyweight string parsing of answer[],
-and copies part of answer[] into pdu[]. Unfortunately, pdu[] is too
-small to hold this substring of answer[].
-
-_ Decomposed Programs _
-
-constants.h
-
-fetchsms/
- loops_bad.c
- istrstr_bad.c
- istrstr_loops_bad.c
- istrstr2_loops_bad.c
- full_bad.c
-
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/constants.h b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/constants.h
deleted file mode 100644
index 303315fb5b4301114a731c4ec892bd8ac9a64c21..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/constants.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-/* Note on NEEDLE_SZ: The original program searches for "+CMGR:" or
- * "+CMGL: ", and then skips seven characters in either case. I
- * *think* that they meant to have a space after teh "+CMGR:", but
- * just forgot it, and the parsing works right either way.
- */
-#define NEEDLE "+C" // "+CMGR:" or "+CMGL: "
-#define NEEDLE_SZ 2 // 7
-
-#define NEEDLE2 "," // ",,0\r"
-
-#define MIN_DIFF BASE_SZ
-
-/* fetchsms() aborts if it can't advance end at least MIN_DIFF
- * characters twice; so, make PDUSIZE 2*MIN_DIFF.
- */
-#define PDUSIZE 2*MIN_DIFF
-
-/* NEEDLE_SZ -- because we search for NEEDLE and skip it
- *
- * PDUSIZE + 2 so we have enough left to overflow pdu[]
- */
-#define ANSWERSIZE NEEDLE_SZ + PDUSIZE + 2
-
-
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/fetchsms2.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/fetchsms2.c
deleted file mode 100644
index 14652b5a5237dc0a98ede0eb8ec8f64186267936..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/fetchsms2.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
-SMS Server Tools
-Copyright (C) 2000-2002 Stefan Frings
-
-This program is free software unless you got it under another license directly
-from the author. You can redistribute it and/or modify it under the terms of
-the GNU General Public License as published by the Free Software Foundation.
-Either version 2 of the License, or (at your option) any later version.
-
-http://www.isis.de/members/~s.frings
-mailto:s.frings@mail.isis.de
- */
-#include "../constants.h"
-
-/* reads a SMS from the SIM-memory 1-10 */
-/* returns number of SIM memory if successful */
-/* on digicom the return value can be != sim */
-static int fetchsms(char* pdu, int sim)
-{
- char command[16];
- char answer[ANSWERSIZE]= "F+CMGR:";
- char* position;
- char* beginning;
- char* end;
- int foo,err;
- int clen;
-
-/*
- int i;
- for (i = 0; i < ANSWERSIZE; i++)
- {
- answer[i] = nondet_int();
- }
-*/
- answer[sizeof(answer)-1] = EOS;
-
- // Digicom reports date+time only with AT+CMGL
- if (0 && nondet_int() == 0) {
- /* search for beginning of the answer */
- position=strstr(answer,"+CMGL: ");
- if (position) {
- end=position+7;
- while (*end<'9' && *end>'0') end++;
- position = 0;
- }
- } else {
- position=strstr(answer,"+CMGR:");
- }
-
- /* keine SMS empfangen, weil Modem nicht mit +CMGR
- oder +CMGL geantwortet hat */
- if (position==0)
- return 0;
- beginning=position+7;
- /* keine SMS, weil Modem mit +CMGR: 0,,0 geantwortet hat */
- if (strstr(answer,",,0\r"))
- return 0;
-
- /* After that we have the PDU or ASCII string */
- for( end=beginning ; *end && *end!='\r' ; end++ );
- if ( !*end || end-beginning<4)
- return 0;
- for( end=end+1 ; *end && *end!='\r' ; end++ );
- if ( !*end || end-beginning<4)
- return 0;
- /* Now we have the end of the PDU or ASCII string */
- *end=0;
- r_strcpy(pdu,beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [PDUSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
-
-
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/full_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/full_bad.c
deleted file mode 100644
index 8ddf204c74e517a29b5940e38eb776ff9a3c24db..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/full_bad.c
+++ /dev/null
@@ -1,72 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE] = "ABCDE+C";
- int position;
- int beginning;
- int end;
- int foo,err;
-#if 0
-//@ loop pragma UNROLL 10 ;
- for (int i = 0; i < ANSWERSIZE-1; i++)
- answer[i] = nondet_int();
-
-/* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-#endif
-
- /* Still chopped down a bit from the original in the interests of
- * not being heinous */
- if (0 && nondet_int() == 0) {
- /* Original program uses a different needle here */
- position=istrstr(answer, NEEDLE);
- if (position != -1) {
- end=position+NEEDLE_SZ;
- while (answer[end] < '9' && answer[end] > '0')
- end++;
- position = 0;
- }
- } else {
- position=istrstr(answer, NEEDLE);
- }
-
- /* Skip the needle */
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* Answer must contain NEEDLE2; we don't need to skip it. */
- if (istrstr(answer, NEEDLE2) == -1)
- return 0;
-
- /* Find (something)\r(something)\r, where each (something) is at
- * least MIN_DIFF characters
- *
- * If we don't find anything satisfying that, abort
- */
- for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF)
- return 0;
- for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF )
- return 0;
-
- /* Change the last '\r' to an EOS */
- answer[end] = EOS;
-
- /* BAD */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [PDUSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/full_bad.err b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/full_bad.err
deleted file mode 100644
index 71cc524d1e65f7702892d8573a45070cb46dd9b9..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/full_bad.err
+++ /dev/null
@@ -1,9 +0,0 @@
-No code for function nondet_int, default assigns generated
-../../lib/stubs.c:376: Warning: (TODO: emit a proper alarm) accessing uninitialized left-value: *(haystack + i)
-../../lib/stubs.c:376: Warning: completely unspecified value in {{
-answer -> {0; } ;}} (size:<8>). This path is assumed to be dead.
-../../lib/stubs.c:376: Warning: non termination detected in function istrstr
-OpenSER/CVE-2006-6876/fetchsms/full_bad.c:30: Warning: non termination detected in function fetchsms
-OpenSER/CVE-2006-6876/fetchsms/full_bad.c:66: Warning: non termination detected in function main
-[dominators] computing for function r_memcpy
-[dominators] done for function r_memcpy
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/full_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/full_ok.c
deleted file mode 100644
index 3a0b5241ddbfd390e95adde52c247c003c83bce1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/full_ok.c
+++ /dev/null
@@ -1,67 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE];
- int position;
- int beginning;
- int end;
- int foo,err;
-
- /* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-
- /* Still chopped down a bit from the original in the interests of
- * not being heinous */
- if (nondet_int() == 0) {
- /* Original program uses a different needle here */
- position=istrstr(answer, NEEDLE);
- if (position != -1) {
- end=position+NEEDLE_SZ;
- while (answer[end] < '9' && answer[end] > '0')
- end++;
- position = 0;
- }
- } else {
- position=istrstr(answer, NEEDLE);
- }
-
- /* Skip the needle */
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* Answer must contain NEEDLE2; we don't need to skip it. */
- if (istrstr(answer, NEEDLE2) == -1)
- return 0;
-
- /* Find (something)\r(something)\r, where each (something) is at
- * least MIN_DIFF characters
- *
- * If we don't find anything satisfying that, abort
- */
- for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF)
- return 0;
- for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF )
- return 0;
-
- /* Change the last '\r' to an EOS */
- answer[end] = EOS;
-
- /* OK */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [ANSWERSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr2_loops_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr2_loops_bad.c
deleted file mode 100644
index bbd88b1f6933e969398e18398fccbfcf3f1cb8fe..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr2_loops_bad.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE];
- int position;
- int beginning;
- int end;
- int foo,err;
-
- /* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-
- /* Search for NEEDLE and skip it */
- position=istrstr(answer,NEEDLE);
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* Answer must contain NEEDLE2; we don't need to skip it. */
- if (istrstr(answer, NEEDLE2) == -1)
- return 0;
-
- /* Find (something)\r(something)\r, where each (something) is at
- * least MIN_DIFF characters
- *
- * If we don't find anything satisfying that, abort
- */
- for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF)
- return 0;
- for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF )
- return 0;
-
- /* Change the last '\r' to an EOS */
- answer[end] = EOS;
-
- /* BAD */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [PDUSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr2_loops_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr2_loops_ok.c
deleted file mode 100644
index 20dc4ce965ba54167a15a2644f17bc5c03f3bfb6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr2_loops_ok.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE];
- int position;
- int beginning;
- int end;
- int foo,err;
-
- /* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-
- /* Search for NEEDLE and skip it */
- position=istrstr(answer,NEEDLE);
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* Answer must contain NEEDLE2; we don't need to skip it. */
- if (istrstr(answer, NEEDLE2) == -1)
- return 0;
-
- /* Find (something)\r(something)\r, where each (something) is at
- * least MIN_DIFF characters
- *
- * If we don't find anything satisfying that, abort
- */
- for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF)
- return 0;
- for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF )
- return 0;
-
- /* Change the last '\r' to an EOS */
- answer[end] = EOS;
-
- /* OK */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [ANSWERSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_bad.c
deleted file mode 100644
index b5e2df0bc022abbe49083047c93b1d87ea49a081..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_bad.c
+++ /dev/null
@@ -1,34 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE];
- int position;
- int beginning;
- int end;
- int foo,err;
-
- /* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-
- /* Search for NEEDLE and skip it */
- position=istrstr(answer,NEEDLE);
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* BAD */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [PDUSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_loops_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_loops_bad.c
deleted file mode 100644
index 87fa55173339f22961fc124a3eb6cf8e4542dcd1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_loops_bad.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE];
- int position;
- int beginning;
- int end;
- int foo,err;
-
- /* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-
- /* Search for NEEDLE and skip it */
- position=istrstr(answer,NEEDLE);
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* Find (something)\r(something)\r, where each (something) is at
- * least MIN_DIFF characters
- *
- * If we don't find anything satisfying that, abort
- */
- for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF)
- return 0;
- for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF )
- return 0;
-
- /* Change the last '\r' to an EOS */
- answer[end] = EOS;
-
- /* BAD */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [PDUSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_loops_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_loops_ok.c
deleted file mode 100644
index dc57f176b0b66ed6f20d159b4bb83f55e5f6f34f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_loops_ok.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE];
- int position;
- int beginning;
- int end;
- int foo,err;
-
- /* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-
- /* Search for NEEDLE and skip it */
- position=istrstr(answer,NEEDLE);
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* Find (something)\r(something)\r, where each (something) is at
- * least MIN_DIFF characters
- *
- * If we don't find anything satisfying that, abort
- */
- for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF)
- return 0;
- for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF )
- return 0;
-
- /* Change the last '\r' to an EOS */
- answer[end] = EOS;
-
- /* OK */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [ANSWERSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_ok.c
deleted file mode 100644
index ddd30f0f27332506b1ccfb2e9ad98e0cd4b61711..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/istrstr_ok.c
+++ /dev/null
@@ -1,34 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE];
- int position;
- int beginning;
- int end;
- int foo,err;
-
- /* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-
- /* Search for NEEDLE and skip it */
- position=istrstr(answer,NEEDLE);
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* OK */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [ANSWERSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/loops_bad.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/loops_bad.c
deleted file mode 100644
index 81d2ca68b9ec39158c3826cfb05f5f2c9445b607..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/loops_bad.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE];
- int position;
- int beginning;
- int end;
- int foo,err;
-
- /* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-
- /* Don't skip anything */
- position = 0;
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* Find (something)\r(something)\r, where each (something) is at
- * least MIN_DIFF characters
- *
- * If we don't find anything satisfying that, abort
- */
- for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF)
- return 0;
- for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF )
- return 0;
-
- /* Change the last '\r' to an EOS */
- answer[end] = EOS;
-
- /* BAD */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [PDUSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/loops_ok.c b/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/loops_ok.c
deleted file mode 100644
index 5af797ac4cb637016e7a1274ae8cfe63d192135c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/CVE-2006-6876/fetchsms/loops_ok.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "../constants.h"
-
-int fetchsms (char *pdu, int sim)
-{
- char answer[ANSWERSIZE];
- int position;
- int beginning;
- int end;
- int foo,err;
-
- /* Input magically appears */
- answer[ANSWERSIZE-1] = EOS;
-
- /* Don't skip anything */
- position = 0;
- if (position==-1)
- return 0;
- beginning = position + NEEDLE_SZ + 1;
-
- /* Find (something)\r(something)\r, where each (something) is at
- * least MIN_DIFF characters
- *
- * If we don't find anything satisfying that, abort
- */
- for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF)
- return 0;
- for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ );
- if ( answer[end] == EOS || end-beginning < MIN_DIFF )
- return 0;
-
- /* Change the last '\r' to an EOS */
- answer[end] = EOS;
-
- /* OK */
- r_strcpy(pdu,answer+beginning);
-
- return sim;
-}
-
-int main ()
-{
- char pdu [ANSWERSIZE];
- int sim = 0;
-
- fetchsms (pdu, sim);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/OpenSER/README b/tests/verisec/suite/programs/apps/OpenSER/README
deleted file mode 100644
index e3e7d1fc38c443a355528053f8715c799079ab19..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/OpenSER/README
+++ /dev/null
@@ -1,8 +0,0 @@
--= OpenSER =-
-
-Homepage: http://www.openser.org
-Domain: SIP (Session Initiation Protocol) Server
-
-SIP is the Session Initiation Protocol. It is an application-layer
-networking protocol which handles sessions. OpenSER is an open-source
-SIP server.
diff --git a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/README b/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/README
deleted file mode 100644
index 3b36778e6ec80bb86b9c86f7ae077e341941022e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/README
+++ /dev/null
@@ -1,30 +0,0 @@
--= BID-6679 =-
-
-Vulnerable versions: SpamAssassin 2.40 to 2.43
-File(s): spamd/libspamc.c
-Download from:
- http://www.cpan.org/modules/by-module/Mail/Mail-SpamAssassin-2.43.tar.gz
-
-Domain: Spam Filter
-
-_ Note _
-
-This vulnerability doesn't seem to have a CVE entry, so I'm using its
-Bugtraq ID. It also has a Secunia Advisory number, SA7951. I heard
-about it via the CRunner paper.
-
-_ Vulnerable Functions and Buffers _
-
-A buffer called buffer[] is allocated in message_write(). Writes to
-this buffer are protected by a limit check, but there's an off-by-one
-error in the check.
-
-I'm currently not including any of the calling context, but that can
-change if need be.
-
-_ Decomposed Programs _
-
-constants.h
-
-message_write/
- loop.c
diff --git a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/constants.h b/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/constants.h
deleted file mode 100644
index b0363da34ce62923c9272a67dd4009a68d9fa12f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/constants.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-#define BUFSZ BASE_SZ + 2
-#define INSZ BUFSZ + 5
-
diff --git a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/frama-c-journal.ml b/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/frama-c-journal.ml
deleted file mode 100644
index fdbb304337589b1fa9cab267bf862349b6b6a1cc..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/frama-c-journal.ml
+++ /dev/null
@@ -1,11 +0,0 @@
-(* Frama-C journal generated at 15:32 the 02/09/2008 *)
-
-(* Running *)
-let () = Journal.run ()
-let () = Cmdline.ForceValues.set true
-let () = Cmdline.Files.set ["loop_ok.c"; ]
-let () = File.init_from_cmdline ()
-let () = !Db.Syntactic_callgraph.dump ()
-let () = !Db.Value.compute ()
-(* Finished *)
-let () = Journal.finished ()
diff --git a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/loop_bad.c b/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/loop_bad.c
deleted file mode 100644
index 05e2ce473db8ad7f8467fc609092e99e43a5679a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/loop_bad.c
+++ /dev/null
@@ -1,42 +0,0 @@
-#include "../constants.h"
-
-void message_write (char *msg, int len)
-{
- int i;
- int j;
- char buffer[BUFSZ];
-
- int limit = BUFSZ - 1;
-
- for (i = 0; i < len; ) {
- for (j = 0; i < len && j < limit; ){
- if (i + 1 < len
- && msg[i] == '\n'
- && msg[i+1]== '.') {
- buffer[j] = msg[i]; /* Suppose j == limit - 1 */
- j++;
- i++;
- buffer[j] = msg[i]; /* Now j == limit */
- j++;
- i++;
- /* BAD */
- buffer[j] = '.'; /* Now j == limit + 1 = sizeof(buffer) */
- j++;
- } else {
- buffer[j] = msg[i];
- j++;
- i++;
- }
- }
- }
-}
-
-int main ()
-{
- char msg [INSZ] = "message";
-
- message_write (msg, INSZ);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/loop_ok.c b/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/loop_ok.c
deleted file mode 100644
index 60801800c8d931df74d709988a20977dc5454634..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/loop_ok.c
+++ /dev/null
@@ -1,42 +0,0 @@
-#include "../constants.h"
-
-void message_write (char *msg, int len)
-{
- int i;
- int j;
- char buffer[BUFSZ];
-
- int limit = BUFSZ - 4;
-
- for (i = 0; i < len; ) {
- for (j = 0; i < len && j < limit; ){
- if (i + 1 < len
- && msg[i] == '\n'
- && msg[i+1]== '.') {
- buffer[j] = msg[i];
- j++;
- i++;
- buffer[j] = msg[i];
- j++;
- i++;
- /* OK */
- buffer[j] = '.';
- j++;
- } else {
- buffer[j] = msg[i];
- j++;
- i++;
- }
- }
- }
-}
-
-int main ()
-{
- char msg [INSZ] = "message";
-
- message_write (msg, INSZ);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/test b/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/test
deleted file mode 100755
index b3a5f01f5d6a2492b8091280e8ccc7817da63234..0000000000000000000000000000000000000000
Binary files a/tests/verisec/suite/programs/apps/SpamAssassin/BID-6679/message_write/test and /dev/null differ
diff --git a/tests/verisec/suite/programs/apps/SpamAssassin/README b/tests/verisec/suite/programs/apps/SpamAssassin/README
deleted file mode 100644
index 2b4fd830ecba19971f4a38cd8e5e4d59c3f2a0f1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/SpamAssassin/README
+++ /dev/null
@@ -1,6 +0,0 @@
--= SpamAssassin =-
-
-Homepage: http://spamassassin.apache.org/
-Domain: Spam Filter
-
-SpamAssassin is a popular open source filter for getting rid of email spam.
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/README b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/README
deleted file mode 100644
index 1d159ddb6c1041da720efb56a848ef843b9444be..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/README
+++ /dev/null
@@ -1,36 +0,0 @@
--= CVE-2004-0940 =-
-
-Vulnerable versions: Apache 1.3.x to 1.3.32
-File(s): src/modules/standard/mod_include.c
-Download from:
- http://archive.apache.org/dist/httpd/apache_1.3.32.tar.gz
-
-Domain: Web (HTTP) Server
-
-_ Vulnerable Functions and Buffers _
-
-The function get_tag() is passed a buffer, and an integer representing
-the size of this buffer. A loop get_tag() iterates over this buffer,
-filling it with characters from a file. A bounds check,
- if (t - tag == tagbuf_len)
-is meant to keep get_tag() from writing passed the end of the buffer
-tag[], into which t points.
-
-Unfortunately, there is a path through this loop in which t is
-incremented twice without an intervening check; hence, t - tag can be
-greater than tagbuf_len. Multiple writes to tag[] are thus unsafe.
-
-_ Decomposed Programs _
-
-apache.h
-apache.c
-
-get_tag/
- iter{1,2}_prefix{Short,Long}_{arr,ptr}_{bad,ok}.c
-
-iter1 -- all iteration is forwards
-iter2 -- there is forwards and backwards iteration (only the bad cases do this)
-prefixShort -- little of get_tag() up to the relevant loop is preserved
-prefixLong -- almost all of get_tag() up to the relevant loop is preserved
-
-arr, ptr, bad, and ok mean the standard things
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/ap_iter1_prefixLong_arr.err b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/ap_iter1_prefixLong_arr.err
deleted file mode 100644
index 808bdf632267621446dddc441397d53d685b64e2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/ap_iter1_prefixLong_arr.err
+++ /dev/null
@@ -1,31 +0,0 @@
-apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c:12: Warning: entering loop for the first time
-No code for function nondet_char, default assigns generated
-apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c:30: Warning: entering loop for the first time
-apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c:19: Warning: entering loop for the first time
-apache/CVE-2004-0940/apache.c:19: Warning: assigning non deterministic value for the first time
-apache/CVE-2004-0940/apache.c:30: Warning: entering loop for the first time
-apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c:47: Warning: entering loop for the first time
-apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c:54: Warning: entering loop for the first time
-apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c:62: Warning: entering loop for the first time
-apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c:71: Warning: out of bounds write. assert \valid(tag + t);
-
-apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c:80: Warning: out of bounds write. assert \valid(tag + t);
-
-apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c:85: Warning: out of bounds write. assert \valid(tag + t);
-
-[from] computing for function nondet_char
-[from] done for function nondet_char
-[from] computing for function ap_isspace
-[postdominators] computing for function ap_isspace
-[postdominators] done for function ap_isspace
-[from] done for function ap_isspace
-[from] computing for function ap_cpystrn
-[postdominators] computing for function ap_cpystrn
-[postdominators] done for function ap_cpystrn
-[from] done for function ap_cpystrn
-[from] computing for function ap_tolower
-[from] done for function ap_tolower
-[dominators] computing for function get_tag
-[dominators] done for function get_tag
-[dominators] computing for function r_memcpy
-[dominators] done for function r_memcpy
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/apache.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/apache.c
deleted file mode 100644
index 658cdc3913c3de7bb4960a31cf04d307185af327..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/apache.c
+++ /dev/null
@@ -1,40 +0,0 @@
-#include "apache.h"
-
-int ap_isspace(char c)
-{
- if (c == '\t'
- || c == '\n'
- || c == '\v'
- || c == '\f'
- || c == '\r'
- || c == ' ')
- return 1;
-
- return 0;
-}
-
-int ap_tolower(char c)
-{
- /* do we have tolower() in our stubs? */
- return c;
-}
-
-/* Rewritten to be more analyzable -- use explicit array indexing. */
-char * ap_cpystrn(char *dst, const char *src, size_t dst_size)
-{
- int i;
-
- if (dst_size == 0)
- return (dst);
-
- for (i = 0; i < dst_size - 1; i++) {
- dst[i] = src[i];
- if (src[i] == EOS) {
- return dst + i;
- }
- }
-
- dst[i] = EOS;
-
- return dst + i;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/apache.h b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/apache.h
deleted file mode 100644
index a520164c7e4c21fecf7d8af2626b9369ef218fc4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/apache.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-#define MAX_STRING_LEN BASE_SZ + 2
-
-int ap_isspace(char c);
-int ap_tolower(char c);
-char * ap_cpystrn(char *dst, const char *src, size_t dst_size);
-
-/* GET_CHAR reads a char from a file. We're not modelling the
- * underlying file, so just non-deterministically return something. */
-extern int nondet_char ();
-#define GET_CHAR(c,ret) {c = nondet_char();}
-
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/frama-c-journal.ml b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/frama-c-journal.ml
deleted file mode 100644
index adaccc8a5e35ff53dd7e5f4dfc9ddb33238002ec..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/frama-c-journal.ml
+++ /dev/null
@@ -1,13 +0,0 @@
-(* Frama-C journal generated at 15:05 the 29/08/2008 *)
-
-(* Running *)
-let () = Journal.run ()
-let () = Cmdline.widening level.set 20
-let () = Cmdline.ForceValues.set true
-let () = Cmdline.Files.set ["get_tag/iter1_prefixLong_arr_bad.c"; ]
-let () = Cmdline.Files.set ["apache.c"; "get_tag/iter1_prefixLong_arr_bad.c"; ]
-let () = File.init_from_cmdline ()
-let () = !Db.Syntactic_callgraph.dump ()
-let () = !Db.Value.compute ()
-(* Finished *)
-let () = Journal.finished ()
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c
deleted file mode 100644
index 9da5603477da1dcc5d9db3bc49f245daef5f4291..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_bad.c
+++ /dev/null
@@ -1,98 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- int t;
-
- t = 0;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c == '-') {
- GET_CHAR(c, NULL);
- if (c == '-') {
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
- if (c == '>') {
- ap_cpystrn(tag, "done", tagbuf_len);
- return tag;
- }
- }
- return NULL;
- }
-
- while (1) {
- if (t == tagbuf_len) {
- tag[t] = EOS;
- return NULL;
- }
- if (c == '=' || ap_isspace(c)) {
- break;
- }
- tag[t] = ap_tolower(c);
- t++;
- GET_CHAR(c, NULL);
- }
-
- tag[t] = EOS;
- t++;
- tag_val = tag + t;
-
- while (ap_isspace(c)) {
- GET_CHAR(c, NULL);
- }
- if (c != '=') {
- return NULL;
- }
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tagbuf_len) { /* Suppose t == tagbuf_len - 1 */
- tag[t] = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- /* BAD */
- tag[t] = c;
- t++; /* Now t == tagbuf_len */
- GET_CHAR(c, NULL);
- }
- else if (c == term) {
- break;
- }
-
- /* BAD */
- tag[t] = c;
- t++; /* Now t == tagbuf_len + 1
- * So the bounds check (t == tagbuf_len) will fail */
- }
- /* BAD */
- tag[t] = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_ok.c
deleted file mode 100644
index da6f7cc1a7e2855ce2867f5ad38b1265b8b2015b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_arr_ok.c
+++ /dev/null
@@ -1,105 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- int t;
-
- t = 0;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c == '-') {
- GET_CHAR(c, NULL);
- if (c == '-') {
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
- if (c == '>') {
- ap_cpystrn(tag, "done", tagbuf_len);
- return tag;
- }
- }
- return NULL;
- }
-
- while (1) {
- if (t == tagbuf_len) {
- tag[t] = EOS;
- return NULL;
- }
- if (c == '=' || ap_isspace(c)) {
- break;
- }
- tag[t] = ap_tolower(c);
- t++;
- GET_CHAR(c, NULL);
- }
-
- tag[t] = EOS;
- t++;
- tag_val = tag + t;
-
- while (ap_isspace(c)) {
- GET_CHAR(c, NULL);
- }
- if (c != '=') {
- return NULL;
- }
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tagbuf_len) { /* Suppose t == tagbuf_len - 1 */
- tag[t] = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- GET_CHAR(c, NULL);
- if (c != term) {
- /* OK */
- tag[t] = '\\';
- t++;
- if (t == tagbuf_len) {
- /* OK */
- tag[t] = EOS;
- return NULL;
- }
- }
- }
- else if (c == term) {
- break;
- }
-
- /* OK */
- tag[t] = c;
- t++; /* Now t == tagbuf_len + 1
- * So the bounds check (t == tagbuf_len) will fail */
- }
- /* OK */
- tag[t] = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_ptr_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_ptr_bad.c
deleted file mode 100644
index 040cafc328946ef0fb00ec7058fc2a5627b457d3..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_ptr_bad.c
+++ /dev/null
@@ -1,98 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- char *t;
-
- t = tag;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c == '-') {
- GET_CHAR(c, NULL);
- if (c == '-') {
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
- if (c == '>') {
- ap_cpystrn(tag, "done", tagbuf_len);
- return tag;
- }
- }
- return NULL;
- }
-
- while (1) {
- if (t == tag + tagbuf_len) {
- *t = EOS;
- return NULL;
- }
- if (c == '=' || ap_isspace(c)) {
- break;
- }
- *t = ap_tolower(c);
- t++;
- GET_CHAR(c, NULL);
- }
-
- *t = EOS;
- t++;
- tag_val = t;
-
- while (ap_isspace(c)) {
- GET_CHAR(c, NULL);
- }
- if (c != '=') {
- return NULL;
- }
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tag + tagbuf_len) { /* Suppose t == tag + tagbuf_len - 1 */
- *t = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- /* BAD */
- *t = c;
- t++; /* Now t == tag + tagbuf_len */
- GET_CHAR(c, NULL);
- }
- else if (c == term) {
- break;
- }
-
- /* BAD */
- *t = c;
- t++; /* Now t == tag + tagbuf_len + 1
- * So the bounds check (t == tag + tagbuf_len) will fail */
- }
- /* BAD */
- *t = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_ptr_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_ptr_ok.c
deleted file mode 100644
index b2d6bef6173619d5d49cb197bde1052022265ed4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixLong_ptr_ok.c
+++ /dev/null
@@ -1,105 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- char *t;
-
- t = tag;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c == '-') {
- GET_CHAR(c, NULL);
- if (c == '-') {
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
- if (c == '>') {
- ap_cpystrn(tag, "done", tagbuf_len);
- return tag;
- }
- }
- return NULL;
- }
-
- while (1) {
- if (t == tag + tagbuf_len) {
- *t = EOS;
- return NULL;
- }
- if (c == '=' || ap_isspace(c)) {
- break;
- }
- *t = ap_tolower(c);
- t++;
- GET_CHAR(c, NULL);
- }
-
- *t = EOS;
- t++;
- tag_val = t;
-
- while (ap_isspace(c)) {
- GET_CHAR(c, NULL);
- }
- if (c != '=') {
- return NULL;
- }
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tag + tagbuf_len) { /* Suppose t == tag + tagbuf_len - 1 */
- *t = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- GET_CHAR(c, NULL);
- if (c != term) {
- /* OK */
- *t = '\\';
- t++;
- if (t == tag + tagbuf_len) {
- /* OK */
- *t = EOS;
- return NULL;
- }
- }
- }
- else if (c == term) {
- break;
- }
-
- /* OK */
- *t = c;
- t++; /* Now t == tag + tagbuf_len + 1
- * So the bounds check (t == tag + tagbuf_len) will fail */
- }
- /* OK */
- *t = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_arr_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_arr_bad.c
deleted file mode 100644
index 28c51d04c697656395a8fd150492fa4aba3b86c7..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_arr_bad.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- int t;
-
- t = 0;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
-
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tagbuf_len) { /* Suppose t == tagbuf_len - 1 */
- tag[t] = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- /* BAD */
- tag[t] = c;
- t++; /* Now t == tagbuf_len */
- GET_CHAR(c, NULL);
- }
- else if (c == term) {
- break;
- }
-
- /* BAD */
- tag[t] = c;
- t++; /* Now t == tagbuf_len + 1
- * So the bounds check (t == tagbuf_len) will fail */
- }
- /* BAD */
- tag[t] = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_arr_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_arr_ok.c
deleted file mode 100644
index d74f3a5936499f6facddd52844ba8e1d3d1cec10..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_arr_ok.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- int t;
-
- t = 0;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
-
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tagbuf_len) { /* Suppose t == tagbuf_len - 1 */
- tag[t] = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- GET_CHAR(c, NULL);
- if (c != term) {
- /* OK */
- tag[t] = '\\';
- t++;
- if (t == tagbuf_len) {
- /* OK */
- tag[t] = EOS;
- return NULL;
- }
- }
- }
- else if (c == term) {
- break;
- }
-
- /* OK */
- tag[t] = c;
- t++; /* Now t == tagbuf_len + 1
- * So the bounds check (t == tagbuf_len) will fail */
- }
- /* OK */
- tag[t] = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_ptr_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_ptr_bad.c
deleted file mode 100644
index 80d02a7eb977e19e68e68e49ef7e3d4959bb263c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_ptr_bad.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- char *t;
-
- t = tag;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
-
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tag + tagbuf_len) { /* Suppose t == tag + tagbuf_len - 1 */
- *t = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- /* BAD */
- *t = c;
- t++; /* Now t == tag + tagbuf_len */
- GET_CHAR(c, NULL);
- }
- else if (c == term) {
- break;
- }
-
- /* BAD */
- *t = c;
- t++; /* Now t == tag + tagbuf_len + 1
- * So the bounds check (t == tag + tagbuf_len) will fail */
- }
- /* BAD */
- *t = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_ptr_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_ptr_ok.c
deleted file mode 100644
index 5775c87dd16b89af5affd309fcc78745cc654e4f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter1_prefixShort_ptr_ok.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- char *t;
-
- t = tag;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
-
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tag + tagbuf_len) { /* Suppose t == tag + tagbuf_len - 1 */
- *t = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- GET_CHAR(c, NULL);
- if (c != term) {
- /* OK */
- *t = '\\';
- t++;
- if (t == tag + tagbuf_len) {
- /* OK */
- *t = EOS;
- return NULL;
- }
- }
- }
- else if (c == term) {
- break;
- }
-
- /* OK */
- *t = c;
- t++; /* Now t == tag + tagbuf_len + 1
- * So the bounds check (t == tag + tagbuf_len) will fail */
- }
- /* OK */
- *t = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixLong_arr_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixLong_arr_bad.c
deleted file mode 100644
index fbcebcb204d31479a6baab3f63b85d13e59951c0..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixLong_arr_bad.c
+++ /dev/null
@@ -1,103 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- int t;
-
- t = 0;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c == '-') {
- GET_CHAR(c, NULL);
- if (c == '-') {
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
- if (c == '>') {
- ap_cpystrn(tag, "done", tagbuf_len);
- return tag;
- }
- }
- return NULL;
- }
-
- while (1) {
- if (t == tagbuf_len) {
- tag[t] = EOS;
- return NULL;
- }
- if (c == '=' || ap_isspace(c)) {
- break;
- }
- tag[t] = ap_tolower(c);
- t++;
- GET_CHAR(c, NULL);
- }
-
- tag[t] = EOS;
- t++;
- tag_val = tag + t;
-
- while (ap_isspace(c)) {
- GET_CHAR(c, NULL);
- }
- if (c != '=') {
- return NULL;
- }
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tagbuf_len) { /* Suppose t == tagbuf_len - 1 */
- tag[t] = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- /* BAD */
- tag[t] = c;
- t++; /* Now t == tagbuf_len */
- GET_CHAR(c, NULL);
- if (c == term) { /* Assume this branch isn't taken */
- --t;
- /* BAD */
- tag[t] = c;
- }
- }
- else if (c == term) {
- break;
- }
-
- /* BAD */
- tag[t] = c;
- t++; /* Now t == tagbuf_len + 1
- * So the bounds check (t == tagbuf_len) will fail */
- }
- /* BAD */
- tag[t] = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixLong_ptr_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixLong_ptr_bad.c
deleted file mode 100644
index 461a3593cb1ed37e3b00424503d34e06708115ff..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixLong_ptr_bad.c
+++ /dev/null
@@ -1,103 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- char *t;
-
- t = tag;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c == '-') {
- GET_CHAR(c, NULL);
- if (c == '-') {
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
- if (c == '>') {
- ap_cpystrn(tag, "done", tagbuf_len);
- return tag;
- }
- }
- return NULL;
- }
-
- while (1) {
- if (t == tag + tagbuf_len) {
- *t = EOS;
- return NULL;
- }
- if (c == '=' || ap_isspace(c)) {
- break;
- }
- *t = ap_tolower(c);
- t++;
- GET_CHAR(c, NULL);
- }
-
- *t = EOS;
- t++;
- tag_val = t;
-
- while (ap_isspace(c)) {
- GET_CHAR(c, NULL);
- }
- if (c != '=') {
- return NULL;
- }
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tag + tagbuf_len) { /* Suppose t == tag + tagbuf_len - 1 */
- *t = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- /* BAD */
- *t = c;
- t++; /* Now t == tag + tagbuf_len */
- GET_CHAR(c, NULL);
- if (c == term) { /* Assume this branch isn't taken */
- --t;
- /* BAD */
- *t = c;
- }
- }
- else if (c == term) {
- break;
- }
-
- /* BAD */
- *t = c;
- t++; /* Now t == tag + tagbuf_len + 1
- * So the bounds check (t == tag + tagbuf_len) will fail */
- }
- /* BAD */
- *t = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixShort_arr_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixShort_arr_bad.c
deleted file mode 100644
index 37e2a5d358b1ede85b32ebdc591a3d61f9fb37b0..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixShort_arr_bad.c
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- int t;
-
- t = 0;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tagbuf_len) { /* Suppose t == tagbuf_len - 1 */
- tag[t] = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- /* BAD */
- tag[t] = c;
- t++; /* Now t == tagbuf_len */
- GET_CHAR(c, NULL);
- if (c == term) { /* Assume this branch isn't taken */
- --t;
- /* BAD */
- tag[t] = c;
- }
- }
- else if (c == term) {
- break;
- }
- /* BAD */
- tag[t] = c;
- t++; /* Now t == tagbuf_len + 1
- * So the bounds check (t == tagbuf_len) will fail */
- }
- /* BAD */
- tag[t] = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixShort_ptr_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixShort_ptr_bad.c
deleted file mode 100644
index 94f4ca24cffc21013545d5e4242ef3fb612b21f2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2004-0940/get_tag/iter2_prefixShort_ptr_bad.c
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "../apache.h"
-
-char *get_tag(char *tag, int tagbuf_len)
-{
- char *tag_val, c, term;
- char *t;
-
- t = tag;
-
- --tagbuf_len;
-
- do {
- GET_CHAR(c, NULL);
- } while (ap_isspace(c));
-
- if (c != '"' && c != '\'') {
- return NULL;
- }
- term = c;
- while (1) {
- GET_CHAR(c, NULL);
- if (t == tag + tagbuf_len) { /* Suppose t == tag + tagbuf_len - 1 */
- *t = EOS;
- return NULL;
- }
-
- if (c == '\\') {
- /* BAD */
- *t = c;
- t++; /* Now t == tag + tagbuf_len */
- GET_CHAR(c, NULL);
- if (c == term) { /* Assume this branch isn't taken */
- --t;
- /* BAD */
- *t = c;
- }
- }
- else if (c == term) {
- break;
- }
- /* BAD */
- *t = c;
- t++; /* Now t == tag + tagbuf_len + 1
- * So the bounds check (t == tag + tagbuf_len) will fail */
- }
- /* BAD */
- *t = EOS;
-
- return tag;
-}
-
-int main ()
-{
- char tag[MAX_STRING_LEN];
-
- /* The caller always passes in (tag, sizeof(tag)) */
- get_tag (tag, MAX_STRING_LEN);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/README b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/README
deleted file mode 100644
index 7b7f0329aa1720295e13174b5bcdb22643468440..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/README
+++ /dev/null
@@ -1,37 +0,0 @@
--= CVE-2006-3747 =-
-
-Vulnerable versions: Apache 1.3.x, where x >= 28
- Apache 2.0.x, where 46 <= x < 2.0.59
- Apache 2.2.0, 2.2.2
-File(s): modules/mappers/mod_rewrite.c
-Download from:
- http://archive.apache.org/dist/httpd/httpd-2.2.2.tar.gz
-
-Domain: Web (HTTP) Server
-
-_ Vulnerable Functions and Buffers _
-
-The function escape_absolute_uri() declares an array of strings
-token[] of size 5 and uses an int, c, to index into it. c is protected
-by a bounds check, "c < 5"; however, c is incremented in the loop
-prior to being used as an array index, so we have an off-by-one error.
-
-_ Decomposed Programs _
-
-apache.h
-apache.c
-
-escape_absolute_uri/
- simp1_bad.c
- simp2_bad.c
- simp3_bad.c
- strncmp_bad.c
- full_bad.c
-
-_ Note _
-
-Note that the original example uses apr_pstrdup(), which I elided to
-avoid dynamic memory allocation, and strncasecmp(), for which I
-substituted strncmp() to avoid penalizing tools for not understanding
-ASCII arithmetic.
-
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/apache.h b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/apache.h
deleted file mode 100644
index 755998e182305f6915652c3ca59e30f312768297..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/apache.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-/* Vary these to affect the analysis difficulty of the variants
- * calling strncmp() */
-#define LDAP "ldap"
-#define LDAP_SZ 4
-
-/* Size of the buffer being overflowed
- * Must ensure that 0 < TOKEN_SZ - 1 */
-#define TOKEN_SZ BASE_SZ + 1
-
-/* This requires an explanation. escape_absolute_uri() gets passed a
- * buffer uri[] and an offset into uri[]. The loop which overflows
- * token[] is only executed if uri[] starts with the string LDAP of
- * size LDAP_SZ, and if the character in uri[] which is one past the
- * offset is a slash. Hence the LDAP_SZ (for the string LDAP) and the
- * first +1 (for the slash).
- *
- * The second +1 is because we increment our iterator over uri[] at
- * least once before reaching the loop which overflows token[].
- *
- * The TOKEN_SZ + 2 is there so that uri[] will have enough characters
- * after the offset to overflow token[].
- */
-#define URI_SZ LDAP_SZ + 1 + 1 + TOKEN_SZ + 2
-
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_bad.c
deleted file mode 100644
index 4f1abd1154e28e21176ea78e47b530d95df7545b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_bad.c
+++ /dev/null
@@ -1,58 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- if (scheme == 0
- || strlen(uri) < scheme) {
- return;
- }
-
- cp = scheme;
-
- if (uri[cp-1] == '/') {
- while (uri[cp] != EOS
- && uri[cp] != '/') {
- ++cp;
- }
-
- if (uri[cp] == EOS || uri[cp+1] == EOS) return;
- ++cp;
-
- scheme = cp;
-
- if (strncmp(uri, LDAP, LDAP_SZ) == 0) {
- c = 0;
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ) {
- if (uri[cp] == '?') {
- ++c;
- /* BAD */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
- return;
- }
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_ok.c
deleted file mode 100644
index fc4c80fd59f1f2a052bf07a877498e1676fa3cce..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_ok.c
+++ /dev/null
@@ -1,58 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- if (scheme == 0
- || strlen(uri) < scheme) {
- return;
- }
-
- cp = scheme;
-
- if (uri[cp-1] == '/') {
- while (uri[cp] != EOS
- && uri[cp] != '/') {
- ++cp;
- }
-
- if (uri[cp] == EOS || uri[cp+1] == EOS) return;
- ++cp;
-
- scheme = cp;
-
- if (strncmp(uri, LDAP, LDAP_SZ) == 0) {
- c = 0;
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ - 1) {
- if (uri[cp] == '?') {
- ++c;
- /* OK */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
- return;
- }
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_ptr_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_ptr_bad.c
deleted file mode 100644
index 9049210161187398a8b3cbff7e34a577fa66add2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_ptr_bad.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- char *cp;
- char *token[TOKEN_SZ];
- int c;
-
- if (scheme == 0
- || strlen(uri) < scheme) {
- return;
- }
-
- cp = uri + scheme;
-
- if (cp[-1] == '/') {
- while (*cp != EOS && *cp != '/') {
- ++cp;
- }
-
- if (*cp == EOS || *(cp+1) == EOS) return;
- ++cp;
-
- scheme = cp - uri;
-
- if (strncmp(uri, LDAP, LDAP_SZ) == 0) {
- c = 0;
- token[0] = uri;
- while (*cp != EOS
- && c < TOKEN_SZ) {
- if (*cp == '?') {
- ++c;
- /* BAD */
- token[c] = cp + 1;
- *cp = EOS;
- }
- ++cp;
- }
- return;
- }
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_ptr_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_ptr_ok.c
deleted file mode 100644
index 96d88e2941aa6ac0472aa87b938c8e2755143b9d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/full_ptr_ok.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- char *cp;
- char *token[TOKEN_SZ];
- int c;
-
- if (scheme == 0
- || strlen(uri) < scheme) {
- return;
- }
-
- cp = uri + scheme;
-
- if (cp[-1] == '/') {
- while (*cp != EOS && *cp != '/') {
- ++cp;
- }
-
- if (*cp == EOS || *(cp+1) == EOS) return;
- ++cp;
-
- scheme = cp - uri;
-
- if (strncmp(uri, LDAP, LDAP_SZ) == 0) {
- c = 0;
- token[0] = uri;
- while (*cp != EOS
- && c < TOKEN_SZ - 1) {
- if (*cp == '?') {
- ++c;
- /* OK */
- token[c] = cp + 1;
- *cp = EOS;
- }
- ++cp;
- }
- return;
- }
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp1_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp1_bad.c
deleted file mode 100644
index 611904a7accc664e63953b93fee062767b9aa2bb..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp1_bad.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- cp = 0;
- c = 0;
-
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ) {
- if (uri[cp] == '?') {
- ++c;
- /* BAD */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
-
- uri [URI_SZ-1] = EOS;
-
- escape_absolute_uri (uri);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp1_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp1_ok.c
deleted file mode 100644
index 365c2d461c2e1ac75a62f19128a67208a2eb65e5..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp1_ok.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- cp = 0;
- c = 0;
-
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ - 1) {
- if (uri[cp] == '?') {
- ++c;
- /* OK */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
-
- uri [URI_SZ-1] = EOS;
-
- escape_absolute_uri (uri);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp2_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp2_bad.c
deleted file mode 100644
index b0d64f7b028a65f5ebad2c26a106343f1cbc377b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp2_bad.c
+++ /dev/null
@@ -1,43 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- if (scheme == 0
- || strlen(uri) < scheme) {
- return;
- }
-
- cp = scheme;
- c = 0;
-
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ) {
- if (uri[cp] == '?') {
- ++c;
- /* BAD */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp2_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp2_ok.c
deleted file mode 100644
index 91c24255732e032d7b0bcf3cfe965dcafa14e8e3..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp2_ok.c
+++ /dev/null
@@ -1,43 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- if (scheme == 0
- || strlen(uri) < scheme) {
- return;
- }
-
- cp = scheme;
- c = 0;
-
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ - 1) {
- if (uri[cp] == '?') {
- ++c;
- /* OK */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp3_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp3_bad.c
deleted file mode 100644
index 55c43d1740bf5bbe8c870a31ab4ac4ff51343a9e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp3_bad.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- if (scheme == 0
- || strlen(uri) < scheme) {
- return;
- }
-
- cp = scheme;
-
- if (uri[cp-1] == '/') {
- while (uri[cp] != EOS
- && uri[cp] != '/') {
- ++cp;
- }
-
- if (uri[cp] == EOS || uri[cp+1] == EOS) return;
- ++cp;
-
- scheme = cp;
-
- c = 0;
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ) {
- if (uri[cp] == '?') {
- ++c;
- /* BAD */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp3_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp3_ok.c
deleted file mode 100644
index 107aa711367b4aa45ddb756f6894077b6b774a4c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/simp3_ok.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- if (scheme == 0
- || strlen(uri) < scheme) {
- return;
- }
-
- cp = scheme;
-
- if (uri[cp-1] == '/') {
- while (uri[cp] != EOS
- && uri[cp] != '/') {
- ++cp;
- }
-
- if (uri[cp] == EOS || uri[cp+1] == EOS) return;
- ++cp;
-
- scheme = cp;
-
- c = 0;
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ - 1) {
- if (uri[cp] == '?') {
- ++c;
- /* OK */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/strncmp_bad.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/strncmp_bad.c
deleted file mode 100644
index 16e1c99ee8531b1dd09c51a6c0c3b3cd5774dd49..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/strncmp_bad.c
+++ /dev/null
@@ -1,41 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- cp = scheme;
-
- if (strncmp(uri, LDAP, LDAP_SZ) == 0) {
- c = 0;
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ) {
- if (uri[cp] == '?') {
- ++c;
- /* BAD */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
- return;
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/strncmp_ok.c b/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/strncmp_ok.c
deleted file mode 100644
index 44e7162ee3772945447f3bf7484742cbf79dbd97..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/CVE-2006-3747/escape_absolute_uri/strncmp_ok.c
+++ /dev/null
@@ -1,41 +0,0 @@
-#include "../apache.h"
-
-void escape_absolute_uri (char *uri, int scheme)
-{
- int cp;
- char *token[TOKEN_SZ];
- int c;
-
- cp = scheme;
-
- if (strncmp(uri, LDAP, LDAP_SZ) == 0) {
- c = 0;
- token[0] = uri;
- while (uri[cp] != EOS
- && c < TOKEN_SZ - 1) {
- if (uri[cp] == '?') {
- ++c;
- /* OK */
- token[c] = uri + cp + 1;
- uri[cp] = EOS;
- }
- ++cp;
- }
- return;
- }
-
- return;
-}
-
-int main ()
-{
- char uri [URI_SZ];
- int scheme;
-
- uri [URI_SZ-1] = EOS;
- scheme = LDAP_SZ + 2;
-
- escape_absolute_uri (uri, scheme);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/apache/README b/tests/verisec/suite/programs/apps/apache/README
deleted file mode 100644
index 04a9f3899eeccab0caeb39a8526c0e58cbd1b780..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/apache/README
+++ /dev/null
@@ -1,7 +0,0 @@
--= Apache =-
-
-Homepage: http://www.apache.org/
-Domain: Web (HTTP) Server
-
-Apache is a popular open source web server, which can be extended via
-modules.
diff --git a/tests/verisec/suite/programs/apps/bargraph_tests b/tests/verisec/suite/programs/apps/bargraph_tests
deleted file mode 100644
index a2152130f613bb9e19cc7adc421546f1f4b8a883..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bargraph_tests
+++ /dev/null
@@ -1,6 +0,0 @@
-sendmail/CVE-2002-1337/close_angle/close-angle_ptr_no_test_ok.c
-sendmail/CVE-2002-1337/close_angle/close-angle_ptr_two_tests_bad.c
-sendmail/CVE-2002-1337/close_angle/close-angle_ptr_one_test_ok.c
-sendmail/CVE-2002-1337/close_angle/close-angle_ptr_one_test_bad.c
-sendmail/CVE-2002-1337/close_angle/close-angle_ptr_no_test_bad.c
-sendmail/CVE-2002-1337/close_angle/close-angle_ptr_two_tests_ok.c
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/README b/tests/verisec/suite/programs/apps/bind/CA-1999-14/README
deleted file mode 100644
index 6566efb9bce7e15a28905ca51bec98a5dcadce33..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/README
+++ /dev/null
@@ -1,74 +0,0 @@
--= CA-1999-14 =-
-
-Vulnerable versions:
- NXT: BIND [8.2, 8.2.2)
- SIG: BIND [4.9.5, 8.x]
-File(s): src/bin/named/ns_resp.c
-Download from:
- ftp://ftp.isc.org/isc/bind/src/DEPRECATED/8.2/bind-8.2-src.tar.gz
-
-Domain: DNS Server
-
-_ Vulnerable Functions and Buffers _
-
-There are two unrelated vulnerabilities in rrextract(), reported in
-the same CERT advisory. rrextract() processes a Resource Record in
-packet form, and extracts fields out of it to store in BIND's internal
-database format. (For the format of Resource Records, see
-http://en.wikipedia.org/wiki/Domain_Name_System and
-http://tools.ietf.org/html/rfc1035). The Resource Record packet is an
-array of unsigned chars, ie. bytes. The data read from the packet
-initializes many of rrextract()'s local variables.
-
-The "nxt bug" can overflow the local buffer data[] in rrextract() via
-a call to memcpy(). The size argument comes from a call to
-dn_expand(), and there is no check that this is less than or equal to
-the size of dest[]. Creating a path to this error is complicated by
-numerous reads of the input buffer, and much arithmetic on pointers
-into the buffer.
-
-The "sig bug" is similar -- the data[] buffer is also overflowed. This
-time, the size argument for memcpy() is a function of both a call to
-dn_expand(), and the dlen field read out of the input buffer. It is
-possible for this size to be a negative signed int, which causes
-memcpy() to interpret it as a large unsigned amount.
-
-** NOTE ** For a tool to find the "sig bug", it must have support for
-specific integer overflow semantics.
-
-The "nxt bug" is "b1" in Zitser's suite, and the "sig bug" is b2.
-
-These examples involve reading data "off-the-wire", offsets into
-packets which aren't necessarily related through IF conditions, and a
-bunch of pointer arithmetic based on these offsets. These factors make
-it difficult for SMC; hence, the current decompositions are
-significantly simpler than Zitser's.
-
-_ Simplifications _
-
-rrextract-nxt:
- simp - aims for as little detail as possible while preserving the vulnerability
- two-expands - calls dn_expand() a second time, and increments cp by the result
- expand_vars - reads several fields out of the rrp packet
-
-rrextract-sig:
- vars - reads a variable out of rrp
- expand - uses dn_expand() and advances cp and cp1
- simp - does neither of the above
- both - does both of the above
-
-_ Decomposed Programs _
-
-bind.h
-bind.c
-
-rrextract-nxt/
- simp_{ok,bad}.c
- two_expands_{ok,bad}.c
- expands_vars_{ok,bad}.c
-
-rrextract-sig/
- simp_{ok,bad}.c
- vars_{ok,bad}.c
- expand_{ok,bad}.c
- both_{ok,bad}.c
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/bind.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/bind.c
deleted file mode 100644
index 36bd6be50525af18222f1fae660aa0e8ad9f2560..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/bind.c
+++ /dev/null
@@ -1,12 +0,0 @@
-#include "bind.h"
-
-int dn_expand(const u_char *msg, const u_char *eomorig,
- const u_char *comp_dn, char *exp_dn, int length)
-{
- if (nondet_int ())
- return -1;
- else {
- exp_dn[length-1] = (u_char) EOS;
- }
- return strlen(comp_dn);
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/bind.h b/tests/verisec/suite/programs/apps/bind/CA-1999-14/bind.h
deleted file mode 100644
index 251653d171c8d0ca7f97c81d0b0d4ff8a0c6e0ae..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/bind.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-/* Make u_char be a char. If we use unsigned chars, SatAbs gives us an
- * error whenever we use strlen, since it won't iterate over a string
- * of unsigned chars passed as chars.
- */
-typedef char u_char;
-typedef int u_int;
-typedef int u_int32_t;
-
-/* Buffer being overflowed has size (MAXDATA*2); I believe this is
- * because its a buffer of bytes, and two bytes keep being written at
- * a time.
- *
- * Overflowed buffers in rrextract-sig/ may have an additional
- * SPACE_FOR_VARS elements. */
-#define MAXDATA BASE_SZ
-
-/* Input buffer has this size, plus some constant depent on how many
- * bytes get skipped before the operations involved in the
- * overflow. This constant is different different variants (and is 0
- * for most of them).
- *
- * Input buffers buffers in rrextract-sig/ may have an additional
- * SPACE_FOR_VARS elements.*/
-#define MSGLEN MAXDATA + 2
-
-/* We don't loop over this, so we don't really care what it is. */
-#define NAMELEN 3
-
-#define INT16SZ 2
-#define INT32SZ 4
-
-#define CLASS_MAX 100
-#define MAXIMUM_TTL 101
-
-/* Macros rrextract() uses */
-#define GETSHORT(to, from) \
- do {(to) = nondet_short(); (from) += INT16SZ;} while(0)
-#define GETLONG(to, from) \
- do {(to) = nondet_long(); (from) += INT32SZ;} while(0)
-#define BOUNDS_CHECK(ptr, count) \
- do {if ((ptr) + (count) > eom) return -1;} while(0)
-
-/* dn_expand -- "domain name expand"
- * -- expands comp_dn (compressed domain name) to exp_dn (full domain name)
- * -- returns -1 on error, or else strlen(comp_dn)
- */
-int dn_expand(const u_char *msg, const u_char *eomorig,
- const u_char *comp_dn, char *exp_dn, int length);
-
-
-extern int nondet_int();
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/frama-c-journal.ml b/tests/verisec/suite/programs/apps/bind/CA-1999-14/frama-c-journal.ml
deleted file mode 100644
index b72b3050c0b1e5531f479c0cc9d708470a84f59b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/frama-c-journal.ml
+++ /dev/null
@@ -1,12 +0,0 @@
-(* Frama-C journal generated at 16:32 the 05/09/2008 *)
-
-(* Running *)
-let () = Journal.run ()
-let () = Cmdline.ForceValues.set true
-let () = Cmdline.Files.set ["bind.c"; ]
-let () = File.init_from_cmdline ()
-let () = !Db.Syntactic_callgraph.dump ()
-(* exception raised on: *)
-let __ : unit = !Db.Value.compute ()
-(* Finished *)
-let () = Journal.finished ()
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/bind_rrxtract_nxt.err b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/bind_rrxtract_nxt.err
deleted file mode 100644
index 9f88b014896fb05ee74c9ef685896289f63a2ca0..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/bind_rrxtract_nxt.err
+++ /dev/null
@@ -1,21 +0,0 @@
-bind/CA-1999-14/rrextract-nxt/simp_bad.c:15: Warning: entering loop for the first time
-No code for function nondet_short, default assigns generated
-bind/CA-1999-14/rrextract-nxt/simp_bad.c:16: Warning: entering loop for the first time
-No code for function dn_expand, default assigns generated
-No code for function nondet_int, default assigns generated
-bind/CA-1999-14/rrextract-nxt/simp_bad.c:29: Warning: assigning non deterministic value for the first time
-../../lib/stubs.c:236: Warning: entering loop for the first time
-../../lib/stubs.c:236: Warning: (TODO: emit a proper alarm) accessing uninitialized left-value: *(s + i)
-../../lib/stubs.c:236: Warning: out of bounds read. assert \valid(s + i);
-
-../../lib/stubs.c:64: Warning: Assertion got status unknown.
-../../lib/stubs.c:67: Warning: entering loop for the first time
-../../lib/stubs.c:68: Warning: out of bounds read. assert \valid((char *)src + i);
-
-../../lib/stubs.c:68: Warning: (TODO: emit a proper alarm) accessing uninitialized left-value: *((char *)src + i)
-../../lib/stubs.c:68: Warning: out of bounds write. assert \valid((char *)dest + i);
-
-[dominators] computing for function r_memcpy
-[dominators] done for function r_memcpy
-[dominators] computing for function strlen
-[dominators] done for function strlen
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/expands_vars_bad.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/expands_vars_bad.c
deleted file mode 100644
index d1cb25258c2829a5eb882d1bac4fad3b0a56901f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/expands_vars_bad.c
+++ /dev/null
@@ -1,82 +0,0 @@
-#include "../bind.h"
-
-#define BYTES_TO_SKIP 10
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- u_int32_t ttl;
- u_char data[MAXDATA*2];
- data [(MAXDATA*2)-1] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- if ((n = dn_expand(msg, eom, cp, (char *) dname, namelen)) < 0) {
- return (-1);
- }
-
- cp += n;
- BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
- GETSHORT(type, cp);
- GETSHORT(class, cp);
-
- if (class > CLASS_MAX) {
- return (-1);
- }
- GETLONG(ttl, cp);
-
- if (ttl > MAXIMUM_TTL) {
- ttl = 0;
- }
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
- rdatap = cp;
-
- if (nondet_int()) {
- return (-1);
- }
-
-
- /* Cut the switch.... */
-
- n = dn_expand(msg, eom, cp, (char *)data, sizeof data);
-
- if (n < 0) {
- return (-1);
- }
-
- if (nondet_int()) {
- return (-1);
- }
- cp += n;
- cp1 = data + strlen((char *)data) + 1;
-
- /* BAD */
- r_memcpy(cp1, cp, dlen - n);
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+BYTES_TO_SKIP];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN+BYTES_TO_SKIP-1] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/expands_vars_ok.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/expands_vars_ok.c
deleted file mode 100644
index 8d553e7682136a5bde5f0b153a8063f190bf2046..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/expands_vars_ok.c
+++ /dev/null
@@ -1,89 +0,0 @@
-#include "../bind.h"
-
-#define BYTES_TO_SKIP 10
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- int n1,n2;
- u_int32_t ttl;
- u_char data[MAXDATA*2];
- data [(MAXDATA*2)-1] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- if ((n = dn_expand(msg, eom, cp, (char *) dname, namelen)) < 0) {
- return (-1);
- }
-
- cp += n;
- BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
- GETSHORT(type, cp);
- GETSHORT(class, cp);
-
- if (class > CLASS_MAX) {
- return (-1);
- }
- GETLONG(ttl, cp);
-
- if (ttl > MAXIMUM_TTL) {
- ttl = 0;
- }
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
- rdatap = cp;
-
- if (nondet_int()) {
- return (-1);
- }
-
-
- /* Cut the switch.... */
-
- n = dn_expand(msg, eom, cp, (char *)data, sizeof data);
-
- if (n < 0) {
- return (-1);
- }
-
- if (nondet_int()) {
- return (-1);
- }
- cp += n;
-
- n1 = strlen((char *)data) + 1;
- cp1 = data + n1 + 1;
-
- n2 = dlen - n;
- if (n2 > sizeof data - n1) {
- return -1;
- }
- /* OK */
- r_memcpy(cp1, cp, n2);
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+BYTES_TO_SKIP];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN+BYTES_TO_SKIP-1] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/frama-c-journal.ml b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/frama-c-journal.ml
deleted file mode 100644
index c11083a295f36d87cacaf0416f1659054c74eea8..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/frama-c-journal.ml
+++ /dev/null
@@ -1,12 +0,0 @@
-(* Frama-C journal generated at 16:10 the 26/08/2008 *)
-
-(* Running *)
-let () = Journal.run ()
-let () = Cmdline.ForceValues.set true
-let () = Cmdline.Files.set ["expands_vars_bad.c"; ]
-let () = Cmdline.Files.set ["../bind.c"; "expands_vars_bad.c"; ]
-let () = File.init_from_cmdline ()
-let () = !Db.Syntactic_callgraph.dump ()
-let () = !Db.Value.compute ()
-(* Finished *)
-let () = Journal.finished ()
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/frama-c.err b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/frama-c.err
deleted file mode 100644
index 863db886a5a6be280c4a44bafb9f15e5e3b492af..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/frama-c.err
+++ /dev/null
@@ -1,17 +0,0 @@
-bind/CA-1999-14/rrextract-nxt/simp_bad.c:15: Warning: entering loop for the first time
-No code for function nondet_short, default assigns generated
-bind/CA-1999-14/rrextract-nxt/simp_bad.c:16: Warning: entering loop for the first time
-No code for function dn_expand, default assigns generated
-No code for function nondet_int, default assigns generated
-bind/CA-1999-14/rrextract-nxt/simp_bad.c:29: Warning: assigning non deterministic value for the first time
-../../lib/stubs.c:236: Warning: entering loop for the first time
-../../lib/stubs.c:236: Warning: (TODO: emit a proper alarm) accessing uninitialized left-value: *(s + i)
-../../lib/stubs.c:236: Warning: out of bounds read. assert \valid(s + i);
-
-../../lib/stubs.c:64: Warning: Assertion got status unknown.
-../../lib/stubs.c:67: Warning: entering loop for the first time
-../../lib/stubs.c:68: Warning: out of bounds read. assert \valid((char *)src + i);
-
-../../lib/stubs.c:68: Warning: (TODO: emit a proper alarm) accessing uninitialized left-value: *((char *)src + i)
-../../lib/stubs.c:68: Warning: out of bounds write. assert \valid((char *)dest + i);
-
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/simp_bad.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/simp_bad.c
deleted file mode 100644
index 2bf8d91ca326ca5a3e3d5dd6021b3b7021256f87..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/simp_bad.c
+++ /dev/null
@@ -1,55 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS 2
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- u_char data[MAXDATA*2 + SPACE_FOR_VARS];
- data [(MAXDATA*2 + SPACE_FOR_VARS)-1] = EOS; cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
- /* Cut a bunch of stuff which we can reintroduce later. */
-
- n = dn_expand(msg, eom, cp, (char *)data, sizeof data);
-
- if (n < 0) {
- return (-1);
- }
-
- if (nondet_int()) {
- return (-1);
- }
- cp += n;
- cp1 = data + strlen((char *)data) + 1;
-
- /* BAD */
- r_memcpy(cp1, cp, dlen - n);
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/simp_ok.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/simp_ok.c
deleted file mode 100644
index 6befd2b6d8fd098a79b1078caa45334d1c7894ba..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/simp_ok.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS 2
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- int n1,n2;
- u_char data[MAXDATA*2 + SPACE_FOR_VARS];
- data [(MAXDATA*2 + SPACE_FOR_VARS)-1] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
- /* Cut a bunch of stuff which we can reintroduce later. */
-
- n = dn_expand(msg, eom, cp, (char *)data, sizeof data);
-
- if (n < 0) {
- return (-1);
- }
-
- if (nondet_int()) {
- return (-1);
- }
- cp += n;
-
- n1 = strlen((char *)data) + 1;
- cp1 = data + n1 + 1;
-
- n2 = dlen - n;
- if (n2 > sizeof data - n1) {
- return -1;
- }
- /* OK */
- r_memcpy(cp1, cp, n2);
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/two_expands_bad.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/two_expands_bad.c
deleted file mode 100644
index 8f092cb4d059ae0dbd6b881b8dbc8389f58119fc..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/two_expands_bad.c
+++ /dev/null
@@ -1,63 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS 2
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- u_char data[MAXDATA*2 + SPACE_FOR_VARS];
- data [(MAXDATA*2 + SPACE_FOR_VARS)-1] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
- if ((n = dn_expand(msg, eom, cp, (char *) dname, namelen)) < 0) {
- return (-1);
- }
-
- cp += n;
-
- /* Cut a bunch of stuff which we can reintroduce later. */
-
- n = dn_expand(msg, eom, cp, (char *)data, sizeof data);
-
- if (n < 0) {
- return (-1);
- }
-
- if (nondet_int()) {
- return (-1);
- }
- cp += n;
- cp1 = data + strlen((char *)data) + 1;
-
- /* BAD */
- r_memcpy(cp1, cp, dlen - n);
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/two_expands_ok.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/two_expands_ok.c
deleted file mode 100644
index c2283d92562c72e5bbbaf9f9809dd61d96b86c9b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-nxt/two_expands_ok.c
+++ /dev/null
@@ -1,71 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS 2
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- int n1, n2;
- u_char data[MAXDATA*2 + SPACE_FOR_VARS];
- data [(MAXDATA*2 + SPACE_FOR_VARS)-1] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
- if ((n = dn_expand(msg, eom, cp, (char *) dname, namelen)) < 0) {
- return (-1);
- }
-
- cp += n;
-
- /* Cut a bunch of stuff which we can reintroduce later. */
-
- n = dn_expand(msg, eom, cp, (char *)data, sizeof data);
-
- if (n < 0) {
- return (-1);
- }
-
- if (nondet_int()) {
- return (-1);
- }
- cp += n;
-
- n1 = strlen((char *)data) + 1;
- cp1 = data + n1 + 1;
-
- n2 = dlen - n;
- if (n2 > sizeof data - n1) {
- return -1;
- }
-
- /* OK */
- r_memcpy(cp1, cp, n2);
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/both_bad.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/both_bad.c
deleted file mode 100644
index 1fa3b58e160aad3afe3a429ee68c70375998b2d1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/both_bad.c
+++ /dev/null
@@ -1,81 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS INT32SZ
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- /* cp is used to read data from rrp[] (the Resource Record)
- * cp1 is used to write data into data[]
- * However, we sometimes abuse cp1 and use it for reading too. :-/
- */
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- long origTTL;
- u_char data[MAXDATA*2+SPACE_FOR_VARS];
- data [(MAXDATA*2)-1+SPACE_FOR_VARS] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
-
- /* Begin case T_SIG: */
-
- /* Just read one variable --- the original reads several. */
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- cp1 = cp;
- GETLONG(origTTL, cp1);
-
- /* Skip checks on times which are present in the original. */
-
- /* Copy over initial fields, which we read above. */
- cp1 = (u_char *)data;
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- memcpy(cp1, cp, SPACE_FOR_VARS);
- cp += SPACE_FOR_VARS;
- cp1 += SPACE_FOR_VARS;
-
- /* Expand the domain name, set cp1 past the end of the uncompressed
- * domain name.
- */
- n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data));
- if (n < 0) {
- return (-1);
- }
- cp += n;
- cp1 += strlen((char*)cp1)+1;
-
- /* Figure out the length of the "signature" to copy over and copy it. */
- n = dlen - (SPACE_FOR_VARS + n);
- if (n > (int)(sizeof data) - (cp1 - (u_char *)data)) {
- return (-1); /* out of room! */
- }
- /* BAD */
- r_memcpy(cp1, cp, n);
-
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+SPACE_FOR_VARS];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1+SPACE_FOR_VARS] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/both_ok.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/both_ok.c
deleted file mode 100644
index 8ab7f06f9e41b293d888a39a2f1e50ce89db4ce2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/both_ok.c
+++ /dev/null
@@ -1,81 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS INT32SZ
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- /* cp is used to read data from rrp[] (the Resource Record)
- * cp1 is used to write data into data[]
- * However, we sometimes abuse cp1 and use it for reading too. :-/
- */
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- long origTTL;
- u_char data[MAXDATA*2+SPACE_FOR_VARS];
- data [(MAXDATA*2)-1+SPACE_FOR_VARS] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
-
- /* Begin case T_SIG: */
-
- /* Just read one variable --- the original reads several. */
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- cp1 = cp;
- GETLONG(origTTL, cp1);
-
- /* Skip checks on times which are present in the original. */
-
- /* Copy over initial fields, which we read above. */
- cp1 = (u_char *)data;
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- memcpy(cp1, cp, SPACE_FOR_VARS);
- cp += SPACE_FOR_VARS;
- cp1 += SPACE_FOR_VARS;
-
- /* Expand the domain name, set cp1 past the end of the uncompressed
- * domain name.
- */
- n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data));
- if (n < 0) {
- return (-1);
- }
- cp += n;
- cp1 += strlen((char*)cp1)+1;
-
- /* Figure out the length of the "signature" to copy over and copy it. */
- n = dlen - (SPACE_FOR_VARS + n);
- if (n > (sizeof data) - (cp1 - (u_char *)data)) {
- return (-1); /* out of room! */
- }
- /* OK */
- r_memcpy(cp1, cp, n);
-
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+SPACE_FOR_VARS];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1+SPACE_FOR_VARS] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/expand_bad.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/expand_bad.c
deleted file mode 100644
index ca715a37a8cde5527ca2f8a959c58c167d58b168..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/expand_bad.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS INT32SZ
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- /* cp is used to read data from rrp[] (the Resource Record)
- * cp1 is used to write data into data[]
- * However, we sometimes abuse cp1 and use it for reading too. :-/
- */
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- long origTTL;
- u_char data[MAXDATA*2+SPACE_FOR_VARS];
- data [(MAXDATA*2)-1+SPACE_FOR_VARS] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
-
- /* Begin case T_SIG: */
-
- /* Don't read any variables. */
-
- /* Skip checks on times which are present in the original. */
-
- /* Copy over initial fields, which we read above. */
- cp1 = (u_char *)data;
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- memcpy(cp1, cp, SPACE_FOR_VARS);
- cp += SPACE_FOR_VARS;
- cp1 += SPACE_FOR_VARS;
-
- /* Expand the domain name, set cp1 past the end of the uncompressed
- * domain name.
- */
- n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data));
- if (n < 0) {
- return (-1);
- }
- cp += n;
- cp1 += strlen((char*)cp1)+1;
-
- /* Figure out the length of the "signature" to copy over and copy it. */
- n = dlen - (SPACE_FOR_VARS + n);
- if (n > (int)(sizeof data) - (cp1 - (u_char *)data)) {
- return (-1); /* out of room! */
- }
- /* BAD */
- r_memcpy(cp1, cp, n);
-
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+SPACE_FOR_VARS];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1+SPACE_FOR_VARS] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/expand_ok.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/expand_ok.c
deleted file mode 100644
index 353a32a4d5267a1276f5d0f85e5ec2429d9d2a04..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/expand_ok.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS INT32SZ
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- /* cp is used to read data from rrp[] (the Resource Record)
- * cp1 is used to write data into data[]
- * However, we sometimes abuse cp1 and use it for reading too. :-/
- */
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- long origTTL;
- u_char data[MAXDATA*2+SPACE_FOR_VARS];
- data [(MAXDATA*2)-1+SPACE_FOR_VARS] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
-
- /* Begin case T_SIG: */
-
- /* Don't read any variables. */
-
- /* Skip checks on times which are present in the original. */
-
- /* Copy over initial fields, which we read above. */
- cp1 = (u_char *)data;
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- memcpy(cp1, cp, SPACE_FOR_VARS);
- cp += SPACE_FOR_VARS;
- cp1 += SPACE_FOR_VARS;
-
- /* Expand the domain name, set cp1 past the end of the uncompressed
- * domain name.
- */
- n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data));
- if (n < 0) {
- return (-1);
- }
- cp += n;
- cp1 += strlen((char*)cp1)+1;
-
- /* Figure out the length of the "signature" to copy over and copy it. */
- n = dlen - (SPACE_FOR_VARS + n);
- if (n > (sizeof data) - (cp1 - (u_char *)data)) {
- return (-1); /* out of room! */
- }
- /* OK */
- r_memcpy(cp1, cp, n);
-
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+SPACE_FOR_VARS];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1+SPACE_FOR_VARS] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/simp_bad.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/simp_bad.c
deleted file mode 100644
index 92b4670c6a840685f1f3271be5c1ca3db44b2d93..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/simp_bad.c
+++ /dev/null
@@ -1,75 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS INT32SZ
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- /* cp is used to read data from rrp[] (the Resource Record)
- * cp1 is used to write data into data[]
- * However, we sometimes abuse cp1 and use it for reading too. :-/
- */
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- long origTTL;
- u_char data[MAXDATA*2+SPACE_FOR_VARS];
- data [(MAXDATA*2)-1+SPACE_FOR_VARS] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
-
- /* Begin case T_SIG: */
-
- /* Don't read any variables. */
-
- /* Skip checks on times which are present in the original. */
-
- /* Copy over initial fields, which we read above. */
- cp1 = (u_char *)data;
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- memcpy(cp1, cp, SPACE_FOR_VARS);
- cp += SPACE_FOR_VARS;
- cp1 += SPACE_FOR_VARS;
-
- /* No dn_expand(), no incrementing the pointers.
- */
- n = nondet_int();
- if (n < 0) {
- return (-1);
- }
-
- /* Figure out the length of the "signature" to copy over and copy it. */
- n = dlen - (SPACE_FOR_VARS + n);
- if (n > (int)(sizeof data) - (cp1 - (u_char *)data)) {
- return (-1); /* out of room! */
- }
- /* BAD */
- r_memcpy(cp1, cp, n);
-
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+SPACE_FOR_VARS];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1+SPACE_FOR_VARS] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/simp_ok.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/simp_ok.c
deleted file mode 100644
index 4f7358b1824fd39f39de27627d6b8a112a5eabbe..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/simp_ok.c
+++ /dev/null
@@ -1,75 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS INT32SZ
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- /* cp is used to read data from rrp[] (the Resource Record)
- * cp1 is used to write data into data[]
- * However, we sometimes abuse cp1 and use it for reading too. :-/
- */
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- long origTTL;
- u_char data[MAXDATA*2+SPACE_FOR_VARS];
- data [(MAXDATA*2)-1+SPACE_FOR_VARS] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
-
- /* Begin case T_SIG: */
-
- /* Don't read any variables. */
-
- /* Skip checks on times which are present in the original. */
-
- /* Copy over initial fields, which we read above. */
- cp1 = (u_char *)data;
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- memcpy(cp1, cp, SPACE_FOR_VARS);
- cp += SPACE_FOR_VARS;
- cp1 += SPACE_FOR_VARS;
-
- /* No dn_expand(), no incrementing the pointers.
- */
- n = nondet_int();
- if (n < 0) {
- return (-1);
- }
-
- /* Figure out the length of the "signature" to copy over and copy it. */
- n = dlen - (SPACE_FOR_VARS + n);
- if (n > (sizeof data) - (cp1 - (u_char *)data)) {
- return (-1); /* out of room! */
- }
- /* OK */
- r_memcpy(cp1, cp, n);
-
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+SPACE_FOR_VARS];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1+SPACE_FOR_VARS] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/vars_bad.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/vars_bad.c
deleted file mode 100644
index 0f655c325d3e168943bb8bc048ccd09b9ae3d74e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/vars_bad.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS INT32SZ
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- /* cp is used to read data from rrp[] (the Resource Record)
- * cp1 is used to write data into data[]
- * However, we sometimes abuse cp1 and use it for reading too. :-/
- */
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- long origTTL;
- u_char data[MAXDATA*2+SPACE_FOR_VARS];
- data [(MAXDATA*2)-1+SPACE_FOR_VARS] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
-
- /* Begin case T_SIG: */
-
- /* Just read one variable --- the original reads several. */
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- cp1 = cp;
- GETLONG(origTTL, cp1);
-
- /* Skip checks on times which are present in the original. */
-
- /* Copy over initial fields, which we read above. */
- cp1 = (u_char *)data;
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- memcpy(cp1, cp, SPACE_FOR_VARS);
- cp += SPACE_FOR_VARS;
- cp1 += SPACE_FOR_VARS;
-
- /* No dn_expand(), no incrementing the pointers.
- */
- n = nondet_int();
- if (n < 0) {
- return (-1);
- }
-
- /* Figure out the length of the "signature" to copy over and copy it. */
- n = dlen - (SPACE_FOR_VARS + n);
- if (n > (int)(sizeof data) - (cp1 - (u_char *)data)) {
- return (-1); /* out of room! */
- }
- /* BAD */
- r_memcpy(cp1, cp, n);
-
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+SPACE_FOR_VARS];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1+SPACE_FOR_VARS] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/vars_ok.c b/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/vars_ok.c
deleted file mode 100644
index 8d56a039cf4b839d9e2f8a4b6d812573ae1ff8ff..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CA-1999-14/rrextract-sig/vars_ok.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include "../bind.h"
-
-#define SPACE_FOR_VARS INT32SZ
-
-static int
-rrextract(u_char *msg, int msglen, u_char *rrp, u_char *dname, int namelen)
-{
- /* cp is used to read data from rrp[] (the Resource Record)
- * cp1 is used to write data into data[]
- * However, we sometimes abuse cp1 and use it for reading too. :-/
- */
- u_char *eom, *cp, *cp1, *rdatap;
- u_int class, type, dlen;
- int n;
- long origTTL;
- u_char data[MAXDATA*2+SPACE_FOR_VARS];
- data [(MAXDATA*2)-1+SPACE_FOR_VARS] = EOS;
-
- cp = rrp;
- eom = msg + msglen;
-
- GETSHORT(dlen, cp);
- BOUNDS_CHECK(cp, dlen);
-
-
- /* Begin case T_SIG: */
-
- /* Just read one variable --- the original reads several. */
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- cp1 = cp;
- GETLONG(origTTL, cp1);
-
- /* Skip checks on times which are present in the original. */
-
- /* Copy over initial fields, which we read above. */
- cp1 = (u_char *)data;
- BOUNDS_CHECK(cp, SPACE_FOR_VARS);
- memcpy(cp1, cp, SPACE_FOR_VARS);
- cp += SPACE_FOR_VARS;
- cp1 += SPACE_FOR_VARS;
-
- /* No dn_expand(), no incrementing the pointers.
- */
- n = nondet_int();
- if (n < 0) {
- return (-1);
- }
-
- /* Figure out the length of the "signature" to copy over and copy it. */
- n = dlen - (SPACE_FOR_VARS + n);
- if (n > (sizeof data) - (cp1 - (u_char *)data)) {
- return (-1); /* out of room! */
- }
- /* OK */
- r_memcpy(cp1, cp, n);
-
-
- return 0;
-}
-
-int main(){
-
- int msglen, ret;
- u_char *dp;
- u_char name [NAMELEN];
- u_char msg [MSGLEN+SPACE_FOR_VARS];
-
- name [NAMELEN-1] = EOS;
- msg [MSGLEN-1+SPACE_FOR_VARS] = EOS;
-
- msglen = MSGLEN;
- dp = msg;
-
- ret = rrextract(msg, msglen, dp, name, NAMELEN);
-
- return 0;
-
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/README b/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/README
deleted file mode 100644
index 845e506797b71ee750f558d17c885fa5ebaf4b3c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/README
+++ /dev/null
@@ -1,36 +0,0 @@
--= CVE-2001-0011 =-
-
-Vulnerable versions: BIND 4.9.x, where x < 8
-File(s): named/ns_forw.c
-Download from:
- ftp://ftp.isc.org/isc/bind/src/DEPRECATED/4.9.11/bind-4.9.11-REL.tar.gz
-
-Domain: DNS Server
-
-_ Vulnerable Functions and Buffers _
-
-nslookupComplain uses sprintf() to overflow a local buffer. The input
-buffers used to overflow the output buffer are passed through many
-functions, and which contain data that must be logged.
-
-The program does not do heavy buffer manipulations, but the input
-buffers are long-lived, so the model-checker needs to discover long
-paths through the code. We observe two things:
- 1. We cannot see any way in which this code is "special" due to its
- involving a buffer overflow.
- 2. This code is much easier to analyze than many smaller programs
- containing buffer overflows, since it doesn't do much string
- manipulation.
-
-We take only a limited slice of this program -- pulling in more of the
-original program decreases the comprehensibility of the example,
-without leading to any useful variable static measures.
-
-_ Decomposed Programs _
-
-bind.h
-
-nslookupComplain/
- small_bad.c
- med_bad.c
- big_bad.c
diff --git a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/bind.h b/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/bind.h
deleted file mode 100644
index fa0e51b2b8fc6847d2a393cf5d47049672380bca..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/bind.h
+++ /dev/null
@@ -1,75 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-/* Size of the buffer being overflowed. */
-#define BUFSZ BASE_SZ
-
-/* Size of the input buffer. */
-#define INSZ BUFSZ + 3
-
-typedef char u_char;
-typedef short int16_t;
-typedef int time_t;
-typedef int u_int;
-typedef int uint32_t;
-typedef long u_long;
-
-struct databuf {
- struct databuf *d_next; /* linked list */
- int16_t d_type; /* type number */
- u_char d_data[sizeof(char*)]; /* malloc'd (padded) */
- int16_t d_class; /* class number */
- int d_flags; /* see below */
- int16_t d_zone; /* zone number or 0 for the cache */
-};
-
-struct namebuf {
- u_int n_hashval; /* hash value of n_dname */
- struct namebuf *n_next; /* linked list */
- struct databuf *n_data; /* data records */
- struct namebuf *n_parent; /* parent domain */
- struct hashbuf *n_hash; /* hash table for children */
- char _n_name[sizeof(void*)]; /* Counted str, malloc'ed. */
-};
-
-struct timeval
-{
- time_t tv_sec; /* Seconds. */
-};
-
-/* Internet address. */
-typedef uint32_t in_addr_t;
-struct in_addr {
- in_addr_t s_addr;
-};
-
-struct sockaddr_in {
- short sin_family; // e.g. AF_INET
- unsigned short sin_port; // e.g. htons(3490)
- struct in_addr sin_addr; // see struct in_addr, below
-};
-
-#define NSMAX 16 /* from bind's ns_defs.h */
-struct qinfo {
- struct databuf *q_usedns[NSMAX]; /* databuf for NS that we've tried */
- u_char q_naddr; /* number of addr's in q_addr */
- u_char q_nusedns; /* number of elements in q_usedns[] */
-};
-
-#define T_A 1
-#define T_NS 2
-
-#define INIT_REFRESH 600 /* retry time for initial secondary */
- /* contact (10 minutes) */
-
-#define NAME(nb) ((nb)._n_name + 1)
-
-#define C_ANY 255 /* wildcard match */
-#define T_ANY 255 /* wildcard match */
-
-/*
- * d_flags definitions
- */
-#define DB_F_HINT 0x01 /* databuf belongs to fcachetab */
-#define DB_F_ACTIVE 0x02 /* databuf is linked into a cache */
-
-#define DB_Z_CACHE (0) /* cache-zone-only db_dump() */
diff --git a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/big_bad.c b/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/big_bad.c
deleted file mode 100644
index 4298bf3dd8fc69faa5954a24063b9825df71e2d5..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/big_bad.c
+++ /dev/null
@@ -1,238 +0,0 @@
-#include "../bind.h"
-
-extern int nondet_int();
-
-/* Avoid mallocing databufs and namebufs. */
-struct databuf dummybuf;
-struct namebuf dummyNameBuf;
-struct databuf dummybuf2;
-
-struct timeval tt;
-
-/* Another completely unsound stub brought to you by the Verisec Project. */
-const char *p_type (int type)
-{
- return NULL;
-}
-
-/* Since I'm not providing a complete model, this'll complain about some
- * invalid pointer dereferences.
- */
-int haveComplained (const char *tag1,
- const char *tag2)
-{
- struct complaint {
- const char *tag1, *tag2;
- time_t expire;
- struct complaint *next;
- };
- static struct complaint *List = NULL;
- struct complaint *cur, *next, *prev;
- int r = 0;
- struct complaint dummy;
-
- for (cur = List, prev = NULL; cur; prev = cur, cur = next) {
- next = cur->next;
- if (tt.tv_sec > cur->expire) {
- if (prev)
- prev->next = next;
- else
- List = next;
- //free((char*) cur);
- cur = prev;
- } else if ((tag1 == cur->tag1) && (tag2 == cur->tag2)) {
- r++;
- }
- }
- if (!r) {
- cur = &dummy;//(struct complaint *)malloc(sizeof(struct complaint));
- if (cur) {
- cur->tag1 = tag1;
- cur->tag2 = tag2;
- cur->expire = tt.tv_sec + INIT_REFRESH; /* "10:00" */
- cur->next = NULL;
- if (prev)
- prev->next = cur;
- else
- List = cur;
- }
- }
- return (r);
-
-}
-
-static void
-nslookupComplain(const char *sysloginfo,
- const char *net_queryname,
- const char *complaint,
- const char *net_dname,
- const struct databuf *a_rr,
- const struct databuf *nsdp)
-{
- char queryname[INSZ+1], dname[INSZ+1];
- const char *a, *ns;
- const char *a_type;
- int print_a;
-
- strncpy(queryname, net_queryname, sizeof queryname);
- queryname[(sizeof queryname) - 1] = EOS;
- strncpy(dname, net_dname, sizeof dname);
- dname[(sizeof dname) - 1] = EOS;
-
- if (sysloginfo && queryname && !haveComplained(queryname, complaint)) {
- char buf[BUFSZ];
-
- a = ns = (char *)NULL;
- print_a = (a_rr->d_type == T_A);
- a_type = p_type(a_rr->d_type);
-
- if ( a != NULL || ns != NULL) {
- /* BAD */
- r_strcpy (buf, sysloginfo);
- } else {
- /* BAD */
- r_strcpy (buf, sysloginfo);
- }
- }
-}
-
-int
-match(struct databuf *dp,
- int class,
- int type)
-{
- if (dp->d_class != class && class != C_ANY)
- return (0);
- if (dp->d_type != type && type != T_ANY)
- return (0);
- return (1);
-}
-
-/* Really dumb stub. */
-struct namebuf *
-nlookup(const char *name,
- struct hashbuf **htpp,
- const char **fname,
- int insert)
-{
- dummyNameBuf.n_data = &dummybuf2;
- /* I suspect SatAbs assumes globals are initialized to 0 -- I really
- shouldn't need to be hard-wiring these. - Tom */
- dummybuf2.d_type = T_NS;
- dummybuf2.d_zone = 1;
- return &dummyNameBuf;
-}
-
-int
-findMyZone(struct namebuf *np,
- int class)
-{
- return nondet_int ();
-}
-
-
-int
-nslookup(struct databuf *nsp[],
- struct qinfo *qp,
- const char *syslogdname,
- const char *sysloginfo)
-{
- struct namebuf *np;
- struct databuf *dp, *nsdp;
- struct qserv *qs;
- int n;
- u_int i;
- struct hashbuf *tmphtp;
- char *dname;
- const char *fname;
- int oldn, naddr, class, found_arr, potential_ns;
- time_t curtime;
-
-
- potential_ns = 0;
- n = qp->q_naddr;
- naddr = n;
- curtime = (u_long) tt.tv_sec;
- while (1) {
- nsdp = *nsp;
- nsp++;
- if (nsdp == NULL) break;
- class = nsdp->d_class;
- dname = (char *)nsdp->d_data;
-
- for (i = 0; i < qp->q_nusedns; i++) {
- if (qp->q_usedns[i] == nsdp) {
- goto skipserver;
- }
- }
-
- /* Heap-allocated pointers seem to break SatAbs. */
- /*tmphtp = ((nsdp->d_flags & DB_F_HINT) ?fcachetab :hashtab);*/
- np = nlookup(dname, &tmphtp, &fname, 1);
- if (np == NULL) {
- found_arr = 0;
- goto need_sysquery;
- }
- if (fname != dname) {
- if (findMyZone(np, class) == DB_Z_CACHE) {
- assert (np != NULL);
- for (; np != NULL; /*np = np_parent(np)*/) {
- for (dp = np->n_data; dp; dp = dp->d_next) {
- if (match(dp, class, T_NS)) {
- /* SatAbs won't accept just "if (dp->d_zone)" :-/ */
- if (dp->d_zone != 0) {
- //assert (0);
- static char *complaint =
- "Glue A RR missing";
- nslookupComplain(sysloginfo,
- syslogdname,
- complaint,
- dname, dp,
- nsdp);
- goto skipserver;
- } else {
- found_arr = 0;
- goto need_sysquery;
- }
- }
- }
- }
- found_arr = 0;
- goto need_sysquery;
- } else {
- continue;
- }
- }
-
- break;
- }
-
- /* Totally bogus GOTO targets. */
- need_sysquery:
- skipserver:
- return (n - naddr);
-
-}
-
-
-int main ()
-{
- struct databuf *nsp[2];
- struct qinfo qp;
- char sysloginfo [INSZ];
- char syslogdname [INSZ];
-
- nsp[0] = &dummybuf;
- nsp[1] = NULL;
-
- sysloginfo[INSZ-1] = EOS;
- syslogdname[INSZ-1] = EOS;
-
-
- nslookup(nsp,
- &qp,
- &sysloginfo,
- &syslogdname);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/big_ok.c b/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/big_ok.c
deleted file mode 100644
index 0ae06ca37ba673b62cb946f78d5a294b137276a4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/big_ok.c
+++ /dev/null
@@ -1,238 +0,0 @@
-#include "../bind.h"
-
-extern int nondet_int();
-
-/* Avoid mallocing databufs and namebufs. */
-struct databuf dummybuf;
-struct namebuf dummyNameBuf;
-struct databuf dummybuf2;
-
-struct timeval tt;
-
-/* Another completely unsound stub brought to you by the Verisec Project. */
-const char *p_type (int type)
-{
- return NULL;
-}
-
-/* Since I'm not providing a complete model, this'll complain about some
- * invalid pointer dereferences.
- */
-int haveComplained (const char *tag1,
- const char *tag2)
-{
- struct complaint {
- const char *tag1, *tag2;
- time_t expire;
- struct complaint *next;
- };
- static struct complaint *List = NULL;
- struct complaint *cur, *next, *prev;
- int r = 0;
- struct complaint dummy;
-
- for (cur = List, prev = NULL; cur; prev = cur, cur = next) {
- next = cur->next;
- if (tt.tv_sec > cur->expire) {
- if (prev)
- prev->next = next;
- else
- List = next;
- //free((char*) cur);
- cur = prev;
- } else if ((tag1 == cur->tag1) && (tag2 == cur->tag2)) {
- r++;
- }
- }
- if (!r) {
- cur = &dummy;//(struct complaint *)malloc(sizeof(struct complaint));
- if (cur) {
- cur->tag1 = tag1;
- cur->tag2 = tag2;
- cur->expire = tt.tv_sec + INIT_REFRESH; /* "10:00" */
- cur->next = NULL;
- if (prev)
- prev->next = cur;
- else
- List = cur;
- }
- }
- return (r);
-
-}
-
-static void
-nslookupComplain(const char *sysloginfo,
- const char *net_queryname,
- const char *complaint,
- const char *net_dname,
- const struct databuf *a_rr,
- const struct databuf *nsdp)
-{
- char queryname[INSZ+1], dname[INSZ+1];
- const char *a, *ns;
- const char *a_type;
- int print_a;
-
- strncpy(queryname, net_queryname, sizeof queryname);
- queryname[(sizeof queryname) - 1] = EOS;
- strncpy(dname, net_dname, sizeof dname);
- dname[(sizeof dname) - 1] = EOS;
-
- if (sysloginfo && queryname && !haveComplained(queryname, complaint)) {
- char buf[BUFSZ];
-
- a = ns = (char *)NULL;
- print_a = (a_rr->d_type == T_A);
- a_type = p_type(a_rr->d_type);
-
- if ( a != NULL || ns != NULL) {
- /* OK */
- r_strncpy (buf, sysloginfo, BUFSZ);
- } else {
- /* OK */
- r_strncpy (buf, sysloginfo, BUFSZ);
- }
- }
-}
-
-int
-match(struct databuf *dp,
- int class,
- int type)
-{
- if (dp->d_class != class && class != C_ANY)
- return (0);
- if (dp->d_type != type && type != T_ANY)
- return (0);
- return (1);
-}
-
-/* Really dumb stub. */
-struct namebuf *
-nlookup(const char *name,
- struct hashbuf **htpp,
- const char **fname,
- int insert)
-{
- dummyNameBuf.n_data = &dummybuf2;
- /* I suspect SatAbs assumes globals are initialized to 0 -- I really
- shouldn't need to be hard-wiring these. - Tom */
- dummybuf2.d_type = T_NS;
- dummybuf2.d_zone = 1;
- return &dummyNameBuf;
-}
-
-int
-findMyZone(struct namebuf *np,
- int class)
-{
- return nondet_int ();
-}
-
-
-int
-nslookup(struct databuf *nsp[],
- struct qinfo *qp,
- const char *syslogdname,
- const char *sysloginfo)
-{
- struct namebuf *np;
- struct databuf *dp, *nsdp;
- struct qserv *qs;
- int n;
- u_int i;
- struct hashbuf *tmphtp;
- char *dname;
- const char *fname;
- int oldn, naddr, class, found_arr, potential_ns;
- time_t curtime;
-
-
- potential_ns = 0;
- n = qp->q_naddr;
- naddr = n;
- curtime = (u_long) tt.tv_sec;
- while (1) {
- nsdp = *nsp;
- nsp++;
- if (nsdp == NULL) break;
- class = nsdp->d_class;
- dname = (char *)nsdp->d_data;
-
- for (i = 0; i < qp->q_nusedns; i++) {
- if (qp->q_usedns[i] == nsdp) {
- goto skipserver;
- }
- }
-
- /* Heap-allocated pointers seem to break SatAbs. */
- /*tmphtp = ((nsdp->d_flags & DB_F_HINT) ?fcachetab :hashtab);*/
- np = nlookup(dname, &tmphtp, &fname, 1);
- if (np == NULL) {
- found_arr = 0;
- goto need_sysquery;
- }
- if (fname != dname) {
- if (findMyZone(np, class) == DB_Z_CACHE) {
- assert (np != NULL);
- for (; np != NULL; /*np = np_parent(np)*/) {
- for (dp = np->n_data; dp; dp = dp->d_next) {
- if (match(dp, class, T_NS)) {
- /* SatAbs won't accept just "if (dp->d_zone)" :-/ */
- if (dp->d_zone != 0) {
- //assert (0);
- static char *complaint =
- "Glue A RR missing";
- nslookupComplain(sysloginfo,
- syslogdname,
- complaint,
- dname, dp,
- nsdp);
- goto skipserver;
- } else {
- found_arr = 0;
- goto need_sysquery;
- }
- }
- }
- }
- found_arr = 0;
- goto need_sysquery;
- } else {
- continue;
- }
- }
-
- break;
- }
-
- /* Totally bogus GOTO targets. */
- need_sysquery:
- skipserver:
- return (n - naddr);
-
-}
-
-
-int main ()
-{
- struct databuf *nsp[2];
- struct qinfo qp;
- char sysloginfo [INSZ];
- char syslogdname [INSZ];
-
- nsp[0] = &dummybuf;
- nsp[1] = NULL;
-
- sysloginfo[INSZ-1] = EOS;
- syslogdname[INSZ-1] = EOS;
-
-
- nslookup(nsp,
- &qp,
- &sysloginfo,
- &syslogdname);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/med_bad.c b/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/med_bad.c
deleted file mode 100644
index e02e8dc18f9468271fc2edeabdb47d2daa9e0438..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/med_bad.c
+++ /dev/null
@@ -1,109 +0,0 @@
-#include "../bind.h"
-
-extern int nondet_int();
-
-struct timeval tt;
-
-/* Another completely unsound stub brought to you by the Verisec Project. */
-const char *p_type (int type)
-{
- return NULL;
-}
-
-int haveComplained (const char *tag1,
- const char *tag2)
-{
- struct complaint {
- const char *tag1, *tag2;
- time_t expire;
- struct complaint *next;
- };
- static struct complaint *List = NULL;
- struct complaint *cur, *next, *prev;
- int r = 0;
- struct complaint dummy;
-
- for (cur = List, prev = NULL; cur; prev = cur, cur = next) {
- next = cur->next;
- if (tt.tv_sec > cur->expire) {
- if (prev)
- prev->next = next;
- else
- List = next;
- //free((char*) cur);
- cur = prev;
- } else if ((tag1 == cur->tag1) && (tag2 == cur->tag2)) {
- r++;
- }
- }
- if (!r) {
- cur = &dummy;//(struct complaint *)malloc(sizeof(struct complaint));
- if (cur) {
- cur->tag1 = tag1;
- cur->tag2 = tag2;
- cur->expire = tt.tv_sec + INIT_REFRESH; // "10:00"
- cur->next = NULL;
- if (prev)
- prev->next = cur;
- else
- List = cur;
- }
- }
- return (r);
-
-}
-
-static void
-nslookupComplain(const char *sysloginfo,
- const char *net_queryname,
- const char *complaint,
- const char *net_dname,
- const struct databuf *a_rr,
- const struct databuf *nsdp)
-{
- char queryname[INSZ+1], dname[INSZ+1];
- const char *a, *ns;
- const char *a_type;
- int print_a;
-
- strncpy(queryname, net_queryname, sizeof queryname);
- queryname[(sizeof queryname) - 1] = EOS;
- strncpy(dname, net_dname, sizeof dname);
- dname[(sizeof dname) - 1] = EOS;
-
- if (sysloginfo && queryname && !haveComplained(queryname, complaint)) {
- char buf[BUFSZ];
-
- a = ns = (char *)NULL;
- print_a = (a_rr->d_type == T_A);
- a_type = p_type(a_rr->d_type);
-
- if ( a != NULL || ns != NULL) {
- /* BAD */
- r_strcpy (buf, sysloginfo);
- } else {
- /* BAD */
- r_strcpy (buf, sysloginfo);
- }
- }
-}
-
-int main ()
-{
- char sysloginfo [INSZ];
- char net_queryname [INSZ];
- char net_dname [INSZ];
- struct databuf a_rr;
- struct databuf nsdp;
- static char *complaint =
- "Glue A RR missing";
-
- sysloginfo [INSZ-1] = EOS;
- net_queryname [INSZ-1] = EOS;
- net_dname [INSZ-1] = EOS;
-
- nslookupComplain (sysloginfo, net_queryname, complaint, net_dname,
- &a_rr, &nsdp);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/med_ok.c b/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/med_ok.c
deleted file mode 100644
index 538836171126645254f2ccecf30a7460c1d31f36..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/med_ok.c
+++ /dev/null
@@ -1,109 +0,0 @@
-#include "../bind.h"
-
-extern int nondet_int();
-
-struct timeval tt;
-
-/* Another completely unsound stub brought to you by the Verisec Project. */
-const char *p_type (int type)
-{
- return NULL;
-}
-
-int haveComplained (const char *tag1,
- const char *tag2)
-{
- struct complaint {
- const char *tag1, *tag2;
- time_t expire;
- struct complaint *next;
- };
- static struct complaint *List = NULL;
- struct complaint *cur, *next, *prev;
- int r = 0;
- struct complaint dummy;
-
- for (cur = List, prev = NULL; cur; prev = cur, cur = next) {
- next = cur->next;
- if (tt.tv_sec > cur->expire) {
- if (prev)
- prev->next = next;
- else
- List = next;
- //free((char*) cur);
- cur = prev;
- } else if ((tag1 == cur->tag1) && (tag2 == cur->tag2)) {
- r++;
- }
- }
- if (!r) {
- cur = &dummy;//(struct complaint *)malloc(sizeof(struct complaint));
- if (cur) {
- cur->tag1 = tag1;
- cur->tag2 = tag2;
- cur->expire = tt.tv_sec + INIT_REFRESH; // "10:00"
- cur->next = NULL;
- if (prev)
- prev->next = cur;
- else
- List = cur;
- }
- }
- return (r);
-
-}
-
-static void
-nslookupComplain(const char *sysloginfo,
- const char *net_queryname,
- const char *complaint,
- const char *net_dname,
- const struct databuf *a_rr,
- const struct databuf *nsdp)
-{
- char queryname[INSZ+1], dname[INSZ+1];
- const char *a, *ns;
- const char *a_type;
- int print_a;
-
- strncpy(queryname, net_queryname, sizeof queryname);
- queryname[(sizeof queryname) - 1] = EOS;
- strncpy(dname, net_dname, sizeof dname);
- dname[(sizeof dname) - 1] = EOS;
-
- if (sysloginfo && queryname && !haveComplained(queryname, complaint)) {
- char buf[BUFSZ];
-
- a = ns = (char *)NULL;
- print_a = (a_rr->d_type == T_A);
- a_type = p_type(a_rr->d_type);
-
- if ( a != NULL || ns != NULL) {
- /* OK */
- r_strncpy (buf, sysloginfo, BUFSZ);
- } else {
- /* OK */
- r_strncpy (buf, sysloginfo, BUFSZ);
- }
- }
-}
-
-int main ()
-{
- char sysloginfo [INSZ];
- char net_queryname [INSZ];
- char net_dname [INSZ];
- struct databuf a_rr;
- struct databuf nsdp;
- static char *complaint =
- "Glue A RR missing";
-
- sysloginfo [INSZ-1] = EOS;
- net_queryname [INSZ-1] = EOS;
- net_dname [INSZ-1] = EOS;
-
- nslookupComplain (sysloginfo, net_queryname, complaint, net_dname,
- &a_rr, &nsdp);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/small_bad.c b/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/small_bad.c
deleted file mode 100644
index ded977dd46bb8807f55d98ae9cbac7e74dddfaa6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/small_bad.c
+++ /dev/null
@@ -1,72 +0,0 @@
-#include "../bind.h"
-
-extern int nondet_int();
-
-int haveComplained (const char *tag1,
- const char *tag2)
-{
- return nondet_int();
-}
-
-/* Another completely unsound stub brought to you by the Verisec Project. */
-const char *p_type (int type)
-{
- return NULL;
-}
-
-
-static void
-nslookupComplain(const char *sysloginfo,
- const char *net_queryname,
- const char *complaint,
- const char *net_dname,
- const struct databuf *a_rr,
- const struct databuf *nsdp)
-{
- char queryname[INSZ+1], dname[INSZ+1];
- const char *a, *ns;
- const char *a_type;
- int print_a;
-
- strncpy(queryname, net_queryname, sizeof queryname);
- queryname[(sizeof queryname) - 1] = EOS;
- strncpy(dname, net_dname, sizeof dname);
- dname[(sizeof dname) - 1] = EOS;
-
- if (sysloginfo && queryname && !haveComplained(queryname, complaint))
- {
- char buf[BUFSZ];
-
- a = ns = (char *)NULL;
- print_a = (a_rr->d_type == T_A);
- a_type = p_type(a_rr->d_type);
-
- if ( a != NULL || ns != NULL) {
- /* BAD */
- r_strcpy (buf, sysloginfo);
- } else {
- /* BAD */
- r_strcpy (buf, sysloginfo);
- }
- }
-}
-
-int main ()
-{
- char sysloginfo [INSZ];
- char net_queryname [INSZ];
- char net_dname [INSZ];
- struct databuf a_rr;
- struct databuf nsdp;
- static char *complaint =
- "Glue A RR missing";
-
- sysloginfo [INSZ-1] = EOS;
- net_queryname [INSZ-1] = EOS;
- net_dname [INSZ-1] = EOS;
-
- nslookupComplain (sysloginfo, net_queryname, complaint, net_dname,
- &a_rr, &nsdp);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/small_ok.c b/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/small_ok.c
deleted file mode 100644
index b41f12c29e567531e1a60ee0c8a5bcd1b8feb596..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/CVE-2001-0011/nslookupComplain/small_ok.c
+++ /dev/null
@@ -1,72 +0,0 @@
-#include "../bind.h"
-
-extern int nondet_int();
-
-int haveComplained (const char *tag1,
- const char *tag2)
-{
- return nondet_int();
-}
-
-/* Another completely unsound stub brought to you by the Verisec Project. */
-const char *p_type (int type)
-{
- return NULL;
-}
-
-
-static void
-nslookupComplain(const char *sysloginfo,
- const char *net_queryname,
- const char *complaint,
- const char *net_dname,
- const struct databuf *a_rr,
- const struct databuf *nsdp)
-{
- char queryname[INSZ+1], dname[INSZ+1];
- const char *a, *ns;
- const char *a_type;
- int print_a;
-
- strncpy(queryname, net_queryname, sizeof queryname);
- queryname[(sizeof queryname) - 1] = EOS;
- strncpy(dname, net_dname, sizeof dname);
- dname[(sizeof dname) - 1] = EOS;
-
- if (sysloginfo && queryname && !haveComplained(queryname, complaint))
- {
- char buf[BUFSZ];
-
- a = ns = (char *)NULL;
- print_a = (a_rr->d_type == T_A);
- a_type = p_type(a_rr->d_type);
-
- if ( a != NULL || ns != NULL) {
- /* OK */
- r_strncpy (buf, sysloginfo, BUFSZ);
- } else {
- /* OK */
- r_strncpy (buf, sysloginfo, BUFSZ);
- }
- }
-}
-
-int main ()
-{
- char sysloginfo [INSZ];
- char net_queryname [INSZ];
- char net_dname [INSZ];
- struct databuf a_rr;
- struct databuf nsdp;
- static char *complaint =
- "Glue A RR missing";
-
- sysloginfo [INSZ-1] = EOS;
- net_queryname [INSZ-1] = EOS;
- net_dname [INSZ-1] = EOS;
-
- nslookupComplain (sysloginfo, net_queryname, complaint, net_dname,
- &a_rr, &nsdp);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/bind/README b/tests/verisec/suite/programs/apps/bind/README
deleted file mode 100644
index bd31da22afd5120a5ff4748883567ba6f5e0db38..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/README
+++ /dev/null
@@ -1,7 +0,0 @@
--= BIND =-
-
-Homepage: http://www.isc.org/sw/bind/
-Domain: DNS Server
-
-DNS is the Domain Name System. BIND (Berkeley Internet Name Daemon) is
-the most common DNS server.
diff --git a/tests/verisec/suite/programs/apps/bind/frama-c-journal.ml b/tests/verisec/suite/programs/apps/bind/frama-c-journal.ml
deleted file mode 100644
index 9cb404714a9b5bd2ed19e5c229449d497cecc036..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/bind/frama-c-journal.ml
+++ /dev/null
@@ -1,12 +0,0 @@
-(* Frama-C journal generated at 16:31 the 05/09/2008 *)
-
-(* Running *)
-let () = Journal.run ()
-let () = Cmdline.ForceValues.set true
-let () = Cmdline.Files.set ["loop_ok.c"; ]
-let () = File.init_from_cmdline ()
-let () = !Db.Syntactic_callgraph.dump ()
-(* exception raised on: *)
-let __ : unit = !Db.Value.compute ()
-(* Finished *)
-let () = Journal.finished ()
diff --git a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/README b/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/README
deleted file mode 100644
index 43b77899aac945322dbf675437e856ebee347ea8..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/README
+++ /dev/null
@@ -1,30 +0,0 @@
--= CVE-2006-6909 =-
-
-Vulnerable versions: Edbrowse 3.1.3
-File(s): {ebc,ebsmjs}/http.c
-Download from: http://sourceforge.net/projects/edbrowse/
-Domain: Text-based editor/browser/email
-
-_ Vulnerable Functions and Buffers _
-
-A call to sscanf() with no bounds checks allows a buffer user[] to be
-overflowed in ftpls(). The function which calls ftpls(), ftpConnect(),
-does some nifty looping to fill a buffer and see if ftpls() should be
-called.
-
-Note that there are technical issues in the original program which we
-elide in our current decomposed probrams:
- - ftpConnect() uses a custom string library which does reallocation of
- string buffers; we don't attempt to model this, and we use
- standard C strings instead
- - ftpls() uses sscanf(); since we don't have anything close to a sscanf()
- stub, we change it to strcpy()
-
-_ Decomposed Programs _
-
-constants.h
-
-ftpls/
- strchr_{bad,ok}.c /* No calling context */
- no_strcmp_{bad,ok}.c /* Simplified ftpConnect() calls ftpls() */
- strcmp_{bad,ok}.c /* Less simplified ftpConnect() calls ftpls() */
diff --git a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/constants.h b/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/constants.h
deleted file mode 100644
index 9d3762b5f795fcadb06b096b817cae85188d9831..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/constants.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef CONSTANTS_C
-#define CONSTANTS_C
-
-#include "../../../../lib/stubs.h"
-
-/* Originally "-rwxdls". This will affect the number of times strchr()
- * loops, so vary it to vary analysis difficulty. */
-#define CHARS_NOT_WANTED "-"
-
-/* Size of the buffer being overflowed */
-#define USERSZ BASE_SZ
-
-/* One less than the number of iterations the first FOR loop must go
- * through in order to hit the error.
- *
- * XXX Not sure how this affects analysis difficulty, except that the
- * XXX bigger this is, the bigger INSZ has to be.*/
-#define J 2
-
-/* Must read at least NPFLEN characters and contain the string NPF in
- * order to cal ftpls(). */
-#define NPF "N"
-#define NPFSZ 1
-
-/* Size of the input buffer. Also affects a loop bound. */
-#define INSZ USERSZ + NPFSZ + J + 2
-
-#endif
diff --git a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/no_strcmp_bad.c b/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/no_strcmp_bad.c
deleted file mode 100644
index ff6538924f45979cfd6072159eb1d95ceb794154..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/no_strcmp_bad.c
+++ /dev/null
@@ -1,65 +0,0 @@
-#include "../constants.h"
-
-extern int nondet_int();
-
-void ftpls (char *line)
-{
- int j;
-
- /* Stop at either:
- * (1) first char before EOS which isn't in "-rwxdls", or,
- * (2) first EOS
- */
- for(j = 0; line[j] != EOS; ++j)
- if (!strchr("-", line[j]))
- break;
-
- if(j == J && line[j] == ' ') { /* long list */
- /* BUG! No bounds check. */
- char user[USERSZ];
- /* BAD */
- r_strcpy (user, line + j);
- }
-}
-
-int main ()
-{
- char out [INSZ];
- int out_l;
- bool dirmode;
- static const char npf[] = NPF;
- const int npfsize = NPFSZ;
- int c;
-
- dirmode = false;
-
- out_l = 0;
- out[INSZ-1] = EOS;
-
- top:
-
- while((c = nondet_int()) != EOF) {
- if(c == '\r')
- c = '\n';
- if(c == '\n') {
- if(dirmode) {
- ftpls(out);
- } else {
- if(!out_l)
- continue;
- if (out_l > npfsize) {
- dirmode = true;
- goto top;
- }
- }
- out_l = 0;
- } else {
- out[out_l] = c;
- out_l++;
- if (out_l > INSZ-1)
- return ERR;
- }
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/no_strcmp_ok.c b/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/no_strcmp_ok.c
deleted file mode 100644
index 5334400a89b50fc402fe109d36f89d46c29c3b00..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/no_strcmp_ok.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "../constants.h"
-
-extern int nondet_int();
-
-void ftpls (char *line)
-{
- int j;
-
- /* Stop at either:
- * (1) first char before EOS which isn't in "-rwxdls", or,
- * (2) first EOS
- */
- for(j = 0; line[j] != EOS; ++j)
- if (!strchr("-", line[j]))
- break;
-
- if(j == J && line[j] == ' ') { /* long list */
- char user[USERSZ];
- /* OK */
- r_strncpy (user, line + j, USERSZ);
- }
-}
-
-int main ()
-{
- char out [INSZ];
- int out_l;
- bool dirmode;
- static const char npf[] = NPF;
- const int npfsize = NPFSZ;
- int c;
-
- dirmode = false;
-
- out_l = 0;
- out[INSZ-1] = EOS;
-
- top:
-
- while((c = nondet_int()) != EOF) {
- if(c == '\r')
- c = '\n';
- if(c == '\n') {
- if(dirmode) {
- ftpls(out);
- } else {
- if(!out_l)
- continue;
- if (out_l > npfsize) {
- dirmode = true;
- goto top;
- }
- }
- out_l = 0;
- } else {
- out[out_l] = c;
- out_l++;
- if (out_l > INSZ-1)
- return ERR;
- }
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strchr_bad.c b/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strchr_bad.c
deleted file mode 100644
index aa1660bb4b2db0bebf44e9ea8c4ee09f2e33f684..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strchr_bad.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "../constants.h"
-
-/* Input of death is:
- * (OTHER)^2(' ')(NOT_EOS)^(sizeof(user))
- *
- */
-
-void ftpls (char *line)
-{
- int j;
-
- /* Stop at either:
- * (1) first char before EOS which isn't in "-rwxdls", or,
- * (2) first EOS
- */
- for(j = 0; line[j] != EOS; ++j)
- if (!strchr("-", line[j]))
- break;
-
- if(j == J && line[j] == ' ') { /* long list */
- /* BUG! No bounds check. */
- char user[USERSZ];
- /* BAD */
- r_strcpy (user, line + j);
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- ftpls(in);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strchr_bad.err b/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strchr_bad.err
deleted file mode 100644
index efb034c16ee39166f895b30cb6ef1b2dbb94686d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strchr_bad.err
+++ /dev/null
@@ -1,8 +0,0 @@
-edbrowse/CVE-2006-6909/ftpls/strchr_bad.c:16: Warning: entering loop for the first time
-edbrowse/CVE-2006-6909/ftpls/strchr_bad.c:16: Warning: (TODO: emit a proper alarm) accessing uninitialized left-value: *(line + j)
-edbrowse/CVE-2006-6909/ftpls/strchr_bad.c:16: Warning: completely unspecified value in {{
-in -> {0; } ;}} (size:<8>). This path is assumed to be dead.
-edbrowse/CVE-2006-6909/ftpls/strchr_bad.c:16: Warning: non termination detected in function ftpls
-edbrowse/CVE-2006-6909/ftpls/strchr_bad.c:35: Warning: non termination detected in function main
-[dominators] computing for function r_memcpy
-[dominators] done for function r_memcpy
diff --git a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strchr_ok.c b/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strchr_ok.c
deleted file mode 100644
index 7fa32704f8dc233f32201ad1614f7cd1dec27478..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strchr_ok.c
+++ /dev/null
@@ -1,35 +0,0 @@
-#include "../constants.h"
-
-/* Input of death is:
- * (OTHER)^2(' ')(NOT_EOS)^(sizeof(user))
- *
- */
-
-void ftpls (char *line)
-{
- int j;
-
- /* Stop at either:
- * (1) first char before EOS which isn't in "-rwxdls", or,
- * (2) first EOS
- */
- for(j = 0; line[j] != EOS; ++j)
- if (!strchr("-", line[j]))
- break;
-
- if(j == J && line[j] == ' ') { /* long list */
- char user[USERSZ];
- /* OK */
- r_strncpy (user, line + j, USERSZ);
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- ftpls(in);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strcmp_bad.c b/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strcmp_bad.c
deleted file mode 100644
index cc3dd62a52710e422a957d2df598615c435a0ba2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strcmp_bad.c
+++ /dev/null
@@ -1,70 +0,0 @@
-#include "../constants.h"
-
-extern int nondet_int();
-
-void ftpls (char *line)
-{
- int j;
-
- /* Stop at either:
- * (1) first char before EOS which isn't in "-rwxdls", or,
- * (2) first EOS
- */
- for(j = 0; line[j] != EOS; ++j)
- if (!strchr("-", line[j]))
- break;
-
- if(j == J && line[j] == ' ') { /* long list */
- /* BUG! No bounds check. */
- char user[USERSZ];
- /* BAD */
- r_strcpy (user, line + j);
- }
-}
-
-int main ()
-{
- char out [INSZ];
- int out_l;
- bool dirmode;
- static const char npf[] = NPF;
- const int npfsize = NPFSZ;
- int c;
-
- dirmode = false;
-
- out_l = 0;
- out[INSZ-1] = EOS;
-
- top:
-
- while((c = nondet_int()) != EOF) {
- if(c == '\r')
- c = '\n';
- if(c == '\n') {
- if(dirmode) {
- ftpls(out);
- } else {
- if(!out_l)
- continue;
- /* This assertion is meant to stop SatAbs from going insane
- * and reporting a spurious error in strcmp. Which it still
- * does. :-/
- *
- */
- assert (out_l <= INSZ-1);
- if (out_l > npfsize && !strcmp(out + out_l - npfsize, npf)) {
- dirmode = true;
- goto top;
- }
- }
- out_l = 0;
- } else {
- out_l++;
- if (out_l > INSZ-1)
- return ERR;
- }
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strcmp_ok.c b/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strcmp_ok.c
deleted file mode 100644
index 70cf4145d0481bcb074d5a2ef3c1bc5c82800109..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/CVE-2006-6909/ftpls/strcmp_ok.c
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "../constants.h"
-
-extern int nondet_int();
-
-void ftpls (char *line)
-{
- int j;
-
- /* Stop at either:
- * (1) first char before EOS which isn't in "-rwxdls", or,
- * (2) first EOS
- */
- for(j = 0; line[j] != EOS; ++j)
- if (!strchr("-", line[j]))
- break;
-
- if(j == J && line[j] == ' ') { /* long list */
- char user[USERSZ];
- /* OK */
- r_strncpy (user, line + j, USERSZ);
- }
-}
-
-int main ()
-{
- char out [INSZ];
- int out_l;
- bool dirmode;
- static const char npf[] = NPF;
- const int npfsize = NPFSZ;
- int c;
-
- dirmode = false;
-
- out_l = 0;
- out[INSZ-1] = EOS;
-
- top:
-
- while((c = nondet_int()) != EOF) {
- if(c == '\r')
- c = '\n';
- if(c == '\n') {
- if(dirmode) {
- ftpls(out);
- } else {
- if(!out_l)
- continue;
- /* This assertion is meant to stop SatAbs from going insane
- * and reporting a spurious error in strcmp. Which it still
- * does. :-/
- *
- */
- assert (out_l <= INSZ-1);
- if (out_l > npfsize && !strcmp(out + out_l - npfsize, npf)) {
- dirmode = true;
- goto top;
- }
- }
- out_l = 0;
- } else {
- out_l++;
- if (out_l > INSZ-1)
- return ERR;
- }
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/edbrowse/README b/tests/verisec/suite/programs/apps/edbrowse/README
deleted file mode 100644
index 720058df841b44292d3d224a0e85d8e05addddff..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/edbrowse/README
+++ /dev/null
@@ -1,8 +0,0 @@
--= Edbrowse =-
-
-Homepage: http://www.eklhad.net/linux/app/
-Domain: Text-based editor/browser/email
-
-Edbrowse is a command-line editor, browser, and email client, intended
-to be usable by the blind.
-
diff --git a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/README b/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/README
deleted file mode 100644
index eb69316ca75cdc7d52ec314598e4229a20d7f626..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/README
+++ /dev/null
@@ -1,28 +0,0 @@
--= CVE-2007-0406 =-
-
-Vulnerable versions: gxine <= 0.5.9
-File(s): src/server.c, src/client.c
-Download from:
- http://prdownloads.sourceforge.net/xine/gxine-0.5.9.tar.bz2?download
-
-Domain: GUI (Media Player)
-
-_ Vulnerable Functions and Buffers _
-
-Functions main() in client.c and functions server_setup() and
-server_client_connect() in server.c are vulnerable. All three
-functions use snprintf() to copy the $HOME environment variable into a
-fixed-size buffer (safe); however, the contents of this buffer are
-later copied into a smaller buffer using strcpy().
-
-Algorithmically, this overflow is very simple, and isn't
-string-content-based. The difficult parts are the technical bits --
-modelling snprintf, structures, and unions.
-
-_ Decomposed Programs _
-
-constants.h
-
-main/
- simp_bad.c
- nonsimp_bad.c
diff --git a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/constants.h b/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/constants.h
deleted file mode 100644
index 8a30b40a59feb4baedfd4ebd97d45b422f9afbea..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/constants.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-/* Size of buffer being overflowed.
- * Ensure that SUN_PATH_SZ - 1 is non-negative */
-#define SUN_PATH_SZ BASE_SZ + 1/* originally 108 */
-
-/* Size of input buffer. */
-#define FILENAME_SZ SUN_PATH_SZ + 2 /* originally 1024 */
-
-struct sockaddr_un
-{
- char sun_path[SUN_PATH_SZ]; /* Path name. */
-};
diff --git a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/main/frama-c.err b/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/main/frama-c.err
deleted file mode 100644
index e625fdc0f23ddafc6e4ee83e68e0e31cc51c1f8b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/main/frama-c.err
+++ /dev/null
@@ -1,12 +0,0 @@
-../../lib/stubs.c:92: Warning: entering loop for the first time
-../../lib/stubs.c:92: Warning: assigning non deterministic value for the first time
-../../lib/stubs.c:95: Warning: out of bounds write. assert \valid(dest + i);
-
-../../lib/stubs.c:93: Warning: out of bounds read. assert \valid(src + i);
-
-../../lib/stubs.c:96: Warning: out of bounds read. assert \valid(src + i);
-
-[dominators] computing for function r_memcpy
-[dominators] done for function r_memcpy
-[dominators] computing for function r_strcpy
-[dominators] done for function r_strcpy
diff --git a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/main/simp_bad.c b/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/main/simp_bad.c
deleted file mode 100644
index 36314bfd40ae3254d610b9e6fff56eb03aba98cd..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/main/simp_bad.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include "../constants.h"
-
-int main ()
-{
- struct sockaddr_un serv_adr;
- char filename [FILENAME_SZ] = "test";
-
- /* server filename */
- filename[FILENAME_SZ-1] = EOS;
-
- /* initialize the server address structure */
- /* BAD */
- r_strcpy (serv_adr.sun_path, filename);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/main/simp_ok.c b/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/main/simp_ok.c
deleted file mode 100644
index 2af279ba08d382a47dfbc4773a23b169aaaf6db6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/gxine/CVE-2007-0406/main/simp_ok.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include "../constants.h"
-
-int main ()
-{
- struct sockaddr_un serv_adr;
- char filename [FILENAME_SZ];
-
- /* server filename */
- filename[FILENAME_SZ-1] = EOS;
-
- /* initialize the server address structure */
- /* OK */
- r_strncpy (serv_adr.sun_path, filename, SUN_PATH_SZ-1);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/gxine/README b/tests/verisec/suite/programs/apps/gxine/README
deleted file mode 100644
index 5025e1ebd1c1b0b36789bd13730875430755d7c1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/gxine/README
+++ /dev/null
@@ -1,7 +0,0 @@
--= gxine =-
-
-Homepage: http://xinehq.de
-Domain: GUI (Media Player)
-
-Xine is an open source media player; gxine is a gtk-based graphical
-front-end for it.
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/README b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/README
deleted file mode 100644
index 824d542f165b3f8ca3c65857ef3e4b2384b13c93..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/README
+++ /dev/null
@@ -1,46 +0,0 @@
--= CVE-2007-0455 =-
-
-Vulnerable versions: LibGD <= 2.0.33
-File(s): gdft.c
-Download from:
- http://www.libgd.org/releases/oldreleases/gd-2.0.33.tar.gz
-
-Domain: Graphics Library
-
-_ Vulnerable Functions and Buffers _
-
-This is actually an out-of-bounds read, but it seems structurally the
-same as the out-of-bounds writes, and was reported using the term
-"buffer overflow."
-
-A buffer, string[], is a parameter to the function
-gdImageStringFTEx(). This string is traversed using a loop containing
-a switch statement, with cases based on the character encoding of the
-string. If the string is JIS-encoded, the iterator variable can be
-incremented twice. The second increment is performed without first
-checking for the end-of-string character, which can thus cause the
-loop reading the string to access out-of-bounds memory. This can lead
-to a crash.
-
-I've chopped out the stuff that doesn't relate to how the iterator is
-incremented -- we don't care about cruft for which we just need to
-know "there is some path through this."
-
-The variants in the program actually come from variations in the
-algorithm used to parse Unicode characters. Since Unicode characters
-are encoded using a variable number of bytes, the iterator over
-string[] can be advanced by a variable number of bytes on each
-iteration. The helper function for reading Unicode recognizes HTML 4.0
-entities; I've made versions of this function dealing with different
-subsets of the characters recognized by the original.
-
-_ Decomposed Programs _
-
-gd.h
-
-gdImageStringFTEx/
- gd_simp_bad.c
- gd_no_entities_bad.c
- gd_some_entities_bad.c
- gd_full_bad.c
-
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gd.h b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gd.h
deleted file mode 100644
index 47e078f56e9c88c5cec442b6939f33ebcce9b4da..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gd.h
+++ /dev/null
@@ -1,34 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-/* Size of the input buffer. Since this example is a read overflow,
- * there is no output buffer. Must be at least 2 for things to work. */
-#define INSZ BASE_SZ + 1
-
-/* Size of a buffer used in gd_full.c; will affect a loop bound, so is
- * important for that example. */
-#define ENTITY_NAME_LENGTH_MAX 8
-
-/* The number of entities in entities[] and NR_OF_ENTITIES must
- * match. NR_OF_ENTITIES affects the number of iterations of search()
- * in gd_full_bad.c, so varying it should affect difficulty of that
- * example.
- *
- * Note that this is a *very* chopped-down array of entities -- see
- * entities.h in the gd sources for the real one. */
-struct entities_s {
- char *name;
- int value;
-};
-struct entities_s entities[] = {
- {"AElig", 198},
- {"Aacute", 193},
- {"Acirc", 194},
-};
-#define NR_OF_ENTITIES 3
-
-/* These things don't matter. */
-#define Tcl_UniChar int
-#define gdFTEX_Unicode 0
-#define gdFTEX_Shift_JIS 1
-#define gdFTEX_Big5 2
-
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_full_bad.c b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_full_bad.c
deleted file mode 100644
index 578477c24da3c0863ba77b9146c021c7304e3ca1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_full_bad.c
+++ /dev/null
@@ -1,218 +0,0 @@
-#include "../gd.h"
-
-struct entities_s * search(struct entities_s *key,
- struct entities_s *base,
- int nmemb)
-{
- int iter;
- for (iter = 0; iter < nmemb; iter++)
- if (strcmp (key->name, base[iter].name) == 0)
- return base + iter;
- return NULL;
-}
-
-/* All we care about is what it returns, and that it doesn't enable us
- * to skip past the terminating EOS. */
-static int
-gdTcl_UtfToUniChar (char *str, Tcl_UniChar * chPtr)
-{
- int byte;
- char entity_name_buf[ENTITY_NAME_LENGTH_MAX+1];
- char *p;
- struct entities_s key, *res;
-
- byte = (unsigned char)(str[0]);
-
- /* If we see an ampersand, treat what follows as an HTML4.0 entity,
- * terminated with a semicolon
- */
- if (byte == '&') {
- int i, n = 0;
-
- byte = *((unsigned char *) (str + 1));
- if (byte == '#') {
- byte = *((unsigned char *) (str + 2));
- if (byte == 'x' || byte == 'X') {
- for (i = 3; i < 8; i++) {
- byte = *((unsigned char *) (str + i));
- if (byte >= 'A' && byte <= 'F')
- byte = byte - 'A' + 10;
- else if (byte >= 'a' && byte <= 'f')
- byte = byte - 'a' + 10;
- else if (byte >= '0' && byte <= '9')
- byte = byte - '0';
- else
- break; /* end FOR */
- n = (n * 16) + byte;
- }
- }
- else {
- for (i = 2; i < 8; i++) {
- byte = (unsigned char)(str[i]);
- if (byte >= '0' && byte <= '9')
- n = (n * 10) + (byte - '0');
- else
- break;
- }
- }
- /* In each of the above branches, i was computed. It's the number of
- * characters representing an HTML4.0 entity. Increment i since we're
- * also consuming the semicolon.
- *
- * If this branch isn't taken, we're not dealing with an HTML4.0
- * entity, so we go back to the start of str, and process it as
- * UTF-8.
- */
- if (byte == ';') {
- return ++i;
- }
- }
- /* This isn't an HTML4.0 entity. But it could be an entity name --
- * they're listed in the entities[] array. So we read until we see
- * an EOS or a comma, and write what we're seeing into
- * entity_name_buf as we go, using it to do a search.
- *
- * ...
- *
- * Ugh. That'll be hard.
- *
- * What can we vary? The size of this entities[] buffer, I
- * guess. We'd definitely have to provide a bsearch stub -- which
- * would easily be a linear search, since we don't care about
- * runtime performance.
- *
- */
- else {
- key.name = p = entity_name_buf;
- for (i = 1; i < 1 + ENTITY_NAME_LENGTH_MAX; i++) {
- byte = (unsigned char)(str[i]);
- if (byte == EOS)
- break;
- if (byte == ';') {
- *p++ = EOS;
- /* This was originally bsearch(), which is a polymorphic
- * function that uses void pointers and size arguments. I
- * think most tools and tool users would rewrite the program
- * as a first phase, using type information to choose the
- * implementation of bsearch.
- */
- res = search(&key, entities, NR_OF_ENTITIES);
- if (res != NULL) {
- return ++i;
- }
- break;
- }
- *p++ = byte;
- } /* End FOR */
- }
- }
-
- /* This is the UTF-8 case. */
- byte = (unsigned char)(str[0]);
- if (byte < 0xC0) {
- return 1;
- }
- else if (byte < 0xE0) {
- if ((str[1] & 0xC0) == 0x80) {
- return 2;
- }
- return 1;
- }
- else if (byte < 0xF0) {
- if (((str[1] & 0xC0) == 0x80) && ((str[2] & 0xC0) == 0x80)) {
- return 3;
- }
- return 1;
- }
-
- return 1;
-}
-
-
-
-/* Greatly, GREATLY simplified. There's a bunch of cruft that doesn't
- * have to do with the manipulation of "string". */
-void gdImageStringFTEx (char *string) {
- int next;
- int encoding;
- int i;
- int ch;
- int len;
-
- encoding = nondet_int();
- if (encoding > 2 || encoding < 0)
- return;
-
- next = 0;
- /* Unsafe read -- next can be out of bounds. */
- /* BAD */
- for (i=0; string[next] != EOS; i++)
- {
- /* grabbing a character and storing it in an int
- *
- * this'll fill the low-order byte, and keep more space free for
- * extra bytes for Unicode encoding, etc.
- */
- ch = string[next];
-
- /* carriage returns */
- if (ch == '\r')
- {
- next++;
- continue;
- }
- /* newlines */
- if (ch == '\n')
- {
- next++;
- continue;
- }
-
-
- switch (encoding)
- {
- case gdFTEX_Unicode:
- {
- len = gdTcl_UtfToUniChar (string + next, &ch);
- next += len;
- }
- break;
- case gdFTEX_Shift_JIS:
- {
- unsigned char c;
- c = (unsigned char) string[next];
- if (0xA1 <= c && c <= 0xFE)
- {
- next++;
- }
- /* We're incrementing next twice, which could make us skip
- * the terminating EOS character. The read of "string"
- * could then be out of bounds. */
- next++;
- }
- break;
- case gdFTEX_Big5:
- {
- ch = (string[next]) & 0xFF; /* don't extend sign */
- next++;
- if (ch >= 161
- && string[next] != EOS)
- {
- next++;
- }
- }
- break;
- }
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- gdImageStringFTEx (in);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_full_ok.c b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_full_ok.c
deleted file mode 100644
index a95f865bc6884038531520337d536d983bec42d6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_full_ok.c
+++ /dev/null
@@ -1,215 +0,0 @@
-#include "../gd.h"
-
-struct entities_s * search(struct entities_s *key,
- struct entities_s *base,
- int nmemb)
-{
- int iter;
- for (iter = 0; iter < nmemb; iter++)
- if (strcmp (key->name, base[iter].name) == 0)
- return base + iter;
- return NULL;
-}
-
-/* All we care about is what it returns, and that it doesn't enable us
- * to skip past the terminating EOS. */
-static int
-gdTcl_UtfToUniChar (char *str, Tcl_UniChar * chPtr)
-{
- int byte;
- char entity_name_buf[ENTITY_NAME_LENGTH_MAX+1];
- char *p;
- struct entities_s key, *res;
-
- byte = (unsigned char)(str[0]);
-
- /* If we see an ampersand, treat what follows as an HTML4.0 entity,
- * terminated with a semicolon
- */
- if (byte == '&') {
- int i, n = 0;
-
- byte = *((unsigned char *) (str + 1));
- if (byte == '#') {
- byte = *((unsigned char *) (str + 2));
- if (byte == 'x' || byte == 'X') {
- for (i = 3; i < 8; i++) {
- byte = *((unsigned char *) (str + i));
- if (byte >= 'A' && byte <= 'F')
- byte = byte - 'A' + 10;
- else if (byte >= 'a' && byte <= 'f')
- byte = byte - 'a' + 10;
- else if (byte >= '0' && byte <= '9')
- byte = byte - '0';
- else
- break; /* end FOR */
- n = (n * 16) + byte;
- }
- }
- else {
- for (i = 2; i < 8; i++) {
- byte = (unsigned char)(str[i]);
- if (byte >= '0' && byte <= '9')
- n = (n * 10) + (byte - '0');
- else
- break;
- }
- }
- /* In each of the above branches, i was computed. It's the number of
- * characters representing an HTML4.0 entity. Increment i since we're
- * also consuming the semicolon.
- *
- * If this branch isn't taken, we're not dealing with an HTML4.0
- * entity, so we go back to the start of str, and process it as
- * UTF-8.
- */
- if (byte == ';') {
- return ++i;
- }
- }
- /* This isn't an HTML4.0 entity. But it could be an entity name --
- * they're listed in the entities[] array. So we read until we see
- * an EOS or a comma, and write what we're seeing into
- * entity_name_buf as we go, using it to do a search.
- *
- * ...
- *
- * Ugh. That'll be hard.
- *
- * What can we vary? The size of this entities[] buffer, I
- * guess. We'd definitely have to provide a bsearch stub -- which
- * would easily be a linear search, since we don't care about
- * runtime performance.
- *
- */
- else {
- key.name = p = entity_name_buf;
- for (i = 1; i < 1 + ENTITY_NAME_LENGTH_MAX; i++) {
- byte = (unsigned char)(str[i]);
- if (byte == EOS)
- break;
- if (byte == ';') {
- *p++ = EOS;
- /* This was originally bsearch(), which is a polymorphic
- * function that uses void pointers and size arguments. I
- * think most tools and tool users would rewrite the program
- * as a first phase, using type information to choose the
- * implementation of bsearch.
- */
- res = search(&key, entities, NR_OF_ENTITIES);
- if (res != NULL) {
- return ++i;
- }
- break;
- }
- *p++ = byte;
- } /* End FOR */
- }
- }
-
- /* This is the UTF-8 case. */
- byte = (unsigned char)(str[0]);
- if (byte < 0xC0) {
- return 1;
- }
- else if (byte < 0xE0) {
- if ((str[1] & 0xC0) == 0x80) {
- return 2;
- }
- return 1;
- }
- else if (byte < 0xF0) {
- if (((str[1] & 0xC0) == 0x80) && ((str[2] & 0xC0) == 0x80)) {
- return 3;
- }
- return 1;
- }
-
- return 1;
-}
-
-
-
-/* Greatly, GREATLY simplified. There's a bunch of cruft that doesn't
- * have to do with the manipulation of "string". */
-void gdImageStringFTEx (char *string) {
- int next;
- int encoding;
- int i;
- int ch;
- int len;
-
- encoding = nondet_int();
- if (encoding > 2 || encoding < 0)
- return;
-
- next = 0;
- /* OK */
- for (i=0; string[next] != EOS; i++)
- {
- /* grabbing a character and storing it in an int
- *
- * this'll fill the low-order byte, and keep more space free for
- * extra bytes for Unicode encoding, etc.
- */
- ch = string[next];
-
- /* carriage returns */
- if (ch == '\r')
- {
- next++;
- continue;
- }
- /* newlines */
- if (ch == '\n')
- {
- next++;
- continue;
- }
-
-
- switch (encoding)
- {
- case gdFTEX_Unicode:
- {
- len = gdTcl_UtfToUniChar (string + next, &ch);
- next += len;
- }
- break;
- case gdFTEX_Shift_JIS:
- {
- unsigned char c;
- c = (unsigned char) string[next];
- if (0xA1 <= c && c <= 0xFE)
- {
- next++;
- }
- if (string[next] != EOS)
- next++;
- }
- break;
- case gdFTEX_Big5:
- {
- ch = (string[next]) & 0xFF; /* don't extend sign */
- next++;
- if (ch >= 161
- && string[next] != EOS)
- {
- next++;
- }
- }
- break;
- }
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- gdImageStringFTEx (in);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_no_entities_bad.c b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_no_entities_bad.c
deleted file mode 100644
index 745d8df102d43674f8379630e0819c1678babac6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_no_entities_bad.c
+++ /dev/null
@@ -1,118 +0,0 @@
-#include "../gd.h"
-
-/* All we care about is what it returns, and that it doesn't enable us
- * to skip past the terminating EOS. */
-static int
-gdTcl_UtfToUniChar (char *str, Tcl_UniChar * chPtr)
-{
- int byte;
-
- /* This is the UTF-8 case. */
- byte = (unsigned char)(str[0]);
- if (byte < 0xC0) {
- return 1;
- }
- else if (byte < 0xE0) {
- if ((str[1] & 0xC0) == 0x80) {
- return 2;
- }
- return 1;
- }
- else if (byte < 0xF0) {
- if (((str[1] & 0xC0) == 0x80) && ((str[2] & 0xC0) == 0x80)) {
- return 3;
- }
- return 1;
- }
-
- return 1;
-}
-
-
-
-/* Greatly, GREATLY simplified. There's a bunch of cruft that doesn't
- * have to do with the manipulation of "string". */
-void gdImageStringFTEx (char *string) {
- int next;
- int encoding;
- int i;
- int ch;
- int len;
-
- encoding = nondet_int();
- if (encoding > 2 || encoding < 0)
- return;
-
- next = 0;
- /* Unsafe read -- next can be out of bounds. */
- /* BAD */
- for (i=0; string[next] != EOS; i++)
- {
- /* grabbing a character and storing it in an int
- *
- * this'll fill the low-order byte, and keep more space free for
- * extra bytes for Unicode encoding, etc.
- */
- ch = string[next];
-
- /* carriage returns */
- if (ch == '\r')
- {
- next++;
- continue;
- }
- /* newlines */
- if (ch == '\n')
- {
- next++;
- continue;
- }
-
-
- switch (encoding)
- {
- case gdFTEX_Unicode:
- {
- len = gdTcl_UtfToUniChar (string + next, &ch);
- next += len;
- }
- break;
- case gdFTEX_Shift_JIS:
- {
- unsigned char c;
- c = (unsigned char) string[next];
- if (0xA1 <= c && c <= 0xFE)
- {
- next++;
- }
- /* We're incrementing next twice, which could make us skip
- * the terminating EOS character. The read of "string"
- * could then be out of bounds. */
- next++;
- }
- break;
- case gdFTEX_Big5:
- {
- ch = (string[next]) & 0xFF; /* don't extend sign */
- next++;
- if (ch >= 161
- && string[next] != EOS)
- {
- next++;
- }
- }
- break;
- }
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- gdImageStringFTEx (in);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_no_entities_ok.c b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_no_entities_ok.c
deleted file mode 100644
index a1f161eac7b44b97bd4c8b70471e93f97d2b2b48..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_no_entities_ok.c
+++ /dev/null
@@ -1,115 +0,0 @@
-#include "../gd.h"
-
-/* All we care about is what it returns, and that it doesn't enable us
- * to skip past the terminating EOS. */
-static int
-gdTcl_UtfToUniChar (char *str, Tcl_UniChar * chPtr)
-{
- int byte;
-
- /* This is the UTF-8 case. */
- byte = (unsigned char)(str[0]);
- if (byte < 0xC0) {
- return 1;
- }
- else if (byte < 0xE0) {
- if ((str[1] & 0xC0) == 0x80) {
- return 2;
- }
- return 1;
- }
- else if (byte < 0xF0) {
- if (((str[1] & 0xC0) == 0x80) && ((str[2] & 0xC0) == 0x80)) {
- return 3;
- }
- return 1;
- }
-
- return 1;
-}
-
-
-
-/* Greatly, GREATLY simplified. There's a bunch of cruft that doesn't
- * have to do with the manipulation of "string". */
-void gdImageStringFTEx (char *string) {
- int next;
- int encoding;
- int i;
- int ch;
- int len;
-
- encoding = nondet_int();
- if (encoding > 2 || encoding < 0)
- return;
-
- next = 0;
- /* OK */
- for (i=0; string[next] != EOS; i++)
- {
- /* grabbing a character and storing it in an int
- *
- * this'll fill the low-order byte, and keep more space free for
- * extra bytes for Unicode encoding, etc.
- */
- ch = string[next];
-
- /* carriage returns */
- if (ch == '\r')
- {
- next++;
- continue;
- }
- /* newlines */
- if (ch == '\n')
- {
- next++;
- continue;
- }
-
-
- switch (encoding)
- {
- case gdFTEX_Unicode:
- {
- len = gdTcl_UtfToUniChar (string + next, &ch);
- next += len;
- }
- break;
- case gdFTEX_Shift_JIS:
- {
- unsigned char c;
- c = (unsigned char) string[next];
- if (0xA1 <= c && c <= 0xFE)
- {
- next++;
- }
- if (string[next] != EOS)
- next++;
- }
- break;
- case gdFTEX_Big5:
- {
- ch = (string[next]) & 0xFF; /* don't extend sign */
- next++;
- if (ch >= 161
- && string[next] != EOS)
- {
- next++;
- }
- }
- break;
- }
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- gdImageStringFTEx (in);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_simp_bad.c b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_simp_bad.c
deleted file mode 100644
index 02a2ead7d8f3175ef5637b06ceecc45bc0ef0896..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_simp_bad.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include "../gd.h"
-
-static int
-gdTcl_UtfToUniChar (char *str, Tcl_UniChar * chPtr)
-{
- return 1;
-}
-
-
-/* Greatly, GREATLY simplified. There's a bunch of cruft that doesn't
- * have to do with the manipulation of "string". */
-void gdImageStringFTEx (char *string) {
- int next;
- int encoding;
- int i;
- int ch;
- int len;
-
- encoding = nondet_int();
- if (encoding > 2 || encoding < 0)
- return;
-
- next = 0;
- /* Unsafe read -- next can be out of bounds. */
- /* BAD */
- for (i=0; string[next] != EOS; i++)
- {
- /* grabbing a character and storing it in an int
- *
- * this'll fill the low-order byte, and keep more space free for
- * extra bytes for Unicode encoding, etc.
- */
- ch = string[next];
-
- /* carriage returns */
- if (ch == '\r')
- {
- next++;
- continue;
- }
- /* newlines */
- if (ch == '\n')
- {
- next++;
- continue;
- }
-
-
- switch (encoding)
- {
- case gdFTEX_Unicode:
- {
- len = gdTcl_UtfToUniChar (string + next, &ch);
- next += len;
- }
- break;
- case gdFTEX_Shift_JIS:
- {
- unsigned char c;
- c = (unsigned char) string[next];
- if (0xA1 <= c && c <= 0xFE)
- {
- next++;
- }
- /* We're incrementing next twice, which could make us skip
- * the terminating EOS character. The read of "string"
- * could then be out of bounds. */
- next++;
- }
- break;
- case gdFTEX_Big5:
- {
- ch = (string[next]) & 0xFF; /* don't extend sign */
- next++;
- if (ch >= 161 /* first code of JIS-8 pair */
- && string[next] != EOS)
- {
- ch = (ch * 256) + ((string[next]) & 255);
- next++;
- }
- }
- break;
- }
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- gdImageStringFTEx (in);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_simp_ok.c b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_simp_ok.c
deleted file mode 100644
index 9e9a6dc4677b375d0e9b5fac66b66555844e31c9..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_simp_ok.c
+++ /dev/null
@@ -1,93 +0,0 @@
-#include "../gd.h"
-
-static int
-gdTcl_UtfToUniChar (char *str, Tcl_UniChar * chPtr)
-{
- return 1;
-}
-
-
-/* Greatly, GREATLY simplified. There's a bunch of cruft that doesn't
- * have to do with the manipulation of "string". */
-void gdImageStringFTEx (char *string) {
- int next;
- int encoding;
- int i;
- int ch;
- int len;
-
- encoding = nondet_int();
- if (encoding > 2 || encoding < 0)
- return;
-
- next = 0;
- /* OK */
- for (i=0; string[next] != EOS; i++)
- {
- /* grabbing a character and storing it in an int
- *
- * this'll fill the low-order byte, and keep more space free for
- * extra bytes for Unicode encoding, etc.
- */
- ch = string[next];
-
- /* carriage returns */
- if (ch == '\r')
- {
- next++;
- continue;
- }
- /* newlines */
- if (ch == '\n')
- {
- next++;
- continue;
- }
-
-
- switch (encoding)
- {
- case gdFTEX_Unicode:
- {
- len = gdTcl_UtfToUniChar (string + next, &ch);
- next += len;
- }
- break;
- case gdFTEX_Shift_JIS:
- {
- unsigned char c;
- c = (unsigned char) string[next];
- if (0xA1 <= c && c <= 0xFE)
- {
- next++;
- }
- if (string[next] != EOS)
- next++;
- }
- break;
- case gdFTEX_Big5:
- {
- ch = (string[next]) & 0xFF; /* don't extend sign */
- next++;
- if (ch >= 161 /* first code of JIS-8 pair */
- && string[next] != EOS)
- {
- ch = (ch * 256) + ((string[next]) & 255);
- next++;
- }
- }
- break;
- }
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- gdImageStringFTEx (in);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_some_entities_bad.c b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_some_entities_bad.c
deleted file mode 100644
index a47d0ae97c535ddaf2aa8d47a1e39f9846f1c7ff..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_some_entities_bad.c
+++ /dev/null
@@ -1,166 +0,0 @@
-#include "../gd.h"
-
-/* All we care about is what it returns, and that it doesn't enable us
- * to skip past the terminating EOS. */
-static int
-gdTcl_UtfToUniChar (char *str, Tcl_UniChar * chPtr)
-{
- int byte;
-
- byte = (unsigned char)(str[0]);
-
- /* If we see an ampersand, treat what follows as an HTML4.0 entity,
- * terminated with a semicolon
- */
- if (byte == '&') {
- int i, n = 0;
-
- byte = *((unsigned char *) (str + 1));
- if (byte == '#') {
- byte = *((unsigned char *) (str + 2));
- if (byte == 'x' || byte == 'X') {
- for (i = 3; i < 8; i++) {
- byte = *((unsigned char *) (str + i));
- if (byte >= 'A' && byte <= 'F')
- byte = byte - 'A' + 10;
- else if (byte >= 'a' && byte <= 'f')
- byte = byte - 'a' + 10;
- else if (byte >= '0' && byte <= '9')
- byte = byte - '0';
- else
- break; /* end FOR */
- n = (n * 16) + byte;
- }
- }
- else {
- for (i = 2; i < 8; i++) {
- byte = (unsigned char)(str[i]);
- if (byte >= '0' && byte <= '9')
- n = (n * 10) + (byte - '0');
- else
- break;
- }
- }
- /* In each of the above branches, i was computed. It's the number of
- * characters representing an HTML4.0 entity. Increment i since we're
- * also consuming the semicolon.
- *
- * If this branch isn't taken, we're not dealing with an HTML4.0
- * entity, so we go back to the start of str, and process it as
- * UTF-8.
- */
- if (byte == ';') {
- return ++i;
- }
- }
- }
-
- /* This is the UTF-8 case. */
- byte = (unsigned char)(str[0]);
- if (byte < 0xC0) {
- return 1;
- }
- else if (byte < 0xE0) {
- if ((str[1] & 0xC0) == 0x80) {
- return 2;
- }
- return 1;
- }
- else if (byte < 0xF0) {
- if (((str[1] & 0xC0) == 0x80) && ((str[2] & 0xC0) == 0x80)) {
- return 3;
- }
- return 1;
- }
-
- return 1;
-}
-
-
-
-/* Greatly, GREATLY simplified. There's a bunch of cruft that doesn't
- * have to do with the manipulation of "string". */
-void gdImageStringFTEx (char *string) {
- int next;
- int encoding;
- int i;
- int ch;
- int len;
-
- encoding = nondet_int();
- if (encoding > 2 || encoding < 0)
- return;
-
- next = 0;
- /* Unsafe read -- next can be out of bounds. */
- /* BAD */
- for (i=0; string[next] != EOS; i++)
- {
- /* grabbing a character and storing it in an int
- *
- * this'll fill the low-order byte, and keep more space free for
- * extra bytes for Unicode encoding, etc.
- */
- ch = string[next];
-
- /* carriage returns */
- if (ch == '\r')
- {
- next++;
- continue;
- }
- /* newlines */
- if (ch == '\n')
- {
- next++;
- continue;
- }
-
-
- switch (encoding)
- {
- case gdFTEX_Unicode:
- {
- len = gdTcl_UtfToUniChar (string + next, &ch);
- next += len;
- }
- break;
- case gdFTEX_Shift_JIS:
- {
- unsigned char c;
- c = (unsigned char) string[next];
- if (0xA1 <= c && c <= 0xFE)
- {
- next++;
- }
- /* We're incrementing next twice, which could make us skip
- * the terminating EOS character. The read of "string"
- * could then be out of bounds. */
- next++;
- }
- break;
- case gdFTEX_Big5:
- {
- ch = (string[next]) & 0xFF; /* don't extend sign */
- next++;
- if (ch >= 161
- && string[next] != EOS)
- {
- next++;
- }
- }
- break;
- }
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- gdImageStringFTEx (in);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_some_entities_ok.c b/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_some_entities_ok.c
deleted file mode 100644
index 3657ce5908c9799088b55b89098ad70a80c059de..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/CVE-2007-0455/gdImageStringFTEx/gd_some_entities_ok.c
+++ /dev/null
@@ -1,163 +0,0 @@
-#include "../gd.h"
-
-/* All we care about is what it returns, and that it doesn't enable us
- * to skip past the terminating EOS. */
-static int
-gdTcl_UtfToUniChar (char *str, Tcl_UniChar * chPtr)
-{
- int byte;
-
- byte = (unsigned char)(str[0]);
-
- /* If we see an ampersand, treat what follows as an HTML4.0 entity,
- * terminated with a semicolon
- */
- if (byte == '&') {
- int i, n = 0;
-
- byte = *((unsigned char *) (str + 1));
- if (byte == '#') {
- byte = *((unsigned char *) (str + 2));
- if (byte == 'x' || byte == 'X') {
- for (i = 3; i < 8; i++) {
- byte = *((unsigned char *) (str + i));
- if (byte >= 'A' && byte <= 'F')
- byte = byte - 'A' + 10;
- else if (byte >= 'a' && byte <= 'f')
- byte = byte - 'a' + 10;
- else if (byte >= '0' && byte <= '9')
- byte = byte - '0';
- else
- break; /* end FOR */
- n = (n * 16) + byte;
- }
- }
- else {
- for (i = 2; i < 8; i++) {
- byte = (unsigned char)(str[i]);
- if (byte >= '0' && byte <= '9')
- n = (n * 10) + (byte - '0');
- else
- break;
- }
- }
- /* In each of the above branches, i was computed. It's the number of
- * characters representing an HTML4.0 entity. Increment i since we're
- * also consuming the semicolon.
- *
- * If this branch isn't taken, we're not dealing with an HTML4.0
- * entity, so we go back to the start of str, and process it as
- * UTF-8.
- */
- if (byte == ';') {
- return ++i;
- }
- }
- }
-
- /* This is the UTF-8 case. */
- byte = (unsigned char)(str[0]);
- if (byte < 0xC0) {
- return 1;
- }
- else if (byte < 0xE0) {
- if ((str[1] & 0xC0) == 0x80) {
- return 2;
- }
- return 1;
- }
- else if (byte < 0xF0) {
- if (((str[1] & 0xC0) == 0x80) && ((str[2] & 0xC0) == 0x80)) {
- return 3;
- }
- return 1;
- }
-
- return 1;
-}
-
-
-
-/* Greatly, GREATLY simplified. There's a bunch of cruft that doesn't
- * have to do with the manipulation of "string". */
-void gdImageStringFTEx (char *string) {
- int next;
- int encoding;
- int i;
- int ch;
- int len;
-
- encoding = nondet_int();
- if (encoding > 2 || encoding < 0)
- return;
-
- next = 0;
- /* OK */
- for (i=0; string[next] != EOS; i++)
- {
- /* grabbing a character and storing it in an int
- *
- * this'll fill the low-order byte, and keep more space free for
- * extra bytes for Unicode encoding, etc.
- */
- ch = string[next];
-
- /* carriage returns */
- if (ch == '\r')
- {
- next++;
- continue;
- }
- /* newlines */
- if (ch == '\n')
- {
- next++;
- continue;
- }
-
-
- switch (encoding)
- {
- case gdFTEX_Unicode:
- {
- len = gdTcl_UtfToUniChar (string + next, &ch);
- next += len;
- }
- break;
- case gdFTEX_Shift_JIS:
- {
- unsigned char c;
- c = (unsigned char) string[next];
- if (0xA1 <= c && c <= 0xFE)
- {
- next++;
- }
- if (string[next] != EOS)
- next++;
- }
- break;
- case gdFTEX_Big5:
- {
- ch = (string[next]) & 0xFF; /* don't extend sign */
- next++;
- if (ch >= 161
- && string[next] != EOS)
- {
- next++;
- }
- }
- break;
- }
- }
-}
-
-int main ()
-{
- char in [INSZ];
- in [INSZ-1] = EOS;
-
- gdImageStringFTEx (in);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/libgd/README b/tests/verisec/suite/programs/apps/libgd/README
deleted file mode 100644
index e1f6a9ccb9c2a930cebf0fcc3f4a908f20c51c1e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/libgd/README
+++ /dev/null
@@ -1,8 +0,0 @@
--= LibGD =-
-
-Homepage: http://www.libgd.org
-Domain: Graphics Library
-
-GD is an open source library for dynamically creating images. It is
-often used by higher-level languages, like PHP, to creates graphs,
-charts, etc.
diff --git a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/README b/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/README
deleted file mode 100644
index d775a8fb20de416331a3fc6b82518b254e59f6b1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/README
+++ /dev/null
@@ -1,27 +0,0 @@
--= CVE-2007-0453 =-
-
-Vulnerable versions: Samba 3.0.21 through 3.0.23d
-File(s): source/nsswitch/winbind_nss_solaris.c
-Download from:
- http://us4.samba.org/samba/ftp/old-versions/samba-3.0.23d.tar.gz
-
-Domain: SMB (Server Message Block) Suite
-
-_ Vulnerable Functions and Buffers _
-
-The library functions _nss_winbind_ipnodes_getbyname() and
-_nss_winbind_hosts_getbyname() are both vulnerable. Each function copies
-data into request.data.winsreq, passing an incorrect bound to strncpy().
-
-Algorithmically, this overflow is very simple, and isn't
-string-content-based. The difficult parts are the technical bits --
-modelling structures, unions, and typecasting.
-
-_ Decomposed Programs _
-
-constants.h
-structs.h
-
-_nss_winbind_ipnodes_getbyname/
- simp_bad.c
- nonsimp_bad.c
diff --git a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/nonsimp_bad.c b/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/nonsimp_bad.c
deleted file mode 100644
index 3fe6dc46e8ad518f5c015ac86a951790f01676d1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/nonsimp_bad.c
+++ /dev/null
@@ -1,28 +0,0 @@
-#include "../structs.h"
-
-char in [INSZ];
-
-static NSS_STATUS
-_nss_winbind_ipnodes_getbyname(void *args)
-{
- nss_XbyY_args_t *argp = (nss_XbyY_args_t*) args;
- struct winbindd_request request;
-
- /* BAD */
- r_strncpy(request.data.winsreq, argp->key.name, strlen(argp->key.name)) ;
-
- return 0;
-}
-
-int main ()
-{
- nss_XbyY_args_t k;
-
- in[INSZ] = EOS;
- k.key.name = in;
-
- _nss_winbind_ipnodes_getbyname(&k);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/nonsimp_ok.c b/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/nonsimp_ok.c
deleted file mode 100644
index aa7812ed8f53ab2da2b34e933917306c0a673c91..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/nonsimp_ok.c
+++ /dev/null
@@ -1,28 +0,0 @@
-#include "../structs.h"
-
-char in [INSZ];
-
-static NSS_STATUS
-_nss_winbind_ipnodes_getbyname(void *args)
-{
- nss_XbyY_args_t *argp = (nss_XbyY_args_t*) args;
- struct winbindd_request request;
-
- /* OK */
- r_strncpy(request.data.winsreq, argp->key.name, FSTRING_LEN) ;
-
- return 0;
-}
-
-int main ()
-{
- nss_XbyY_args_t k;
-
- in[INSZ] = EOS;
- k.key.name = in;
-
- _nss_winbind_ipnodes_getbyname(&k);
-
- return 0;
-}
-
diff --git a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/simp_bad.c b/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/simp_bad.c
deleted file mode 100644
index 2ace21f53876a8eff776549d2600b7ad03cd5019..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/simp_bad.c
+++ /dev/null
@@ -1,22 +0,0 @@
-#include "../constants.h"
-
-static NSS_STATUS
-_nss_winbind_ipnodes_getbyname(char *name)
-{
- char winsreq [FSTRING_LEN];
-
- /* BAD */
- r_strncpy(winsreq, name, strlen(name)) ;
-
- return 0;
-}
-
-int main ()
-{
- char in [INSZ];
- in[INSZ-1] = EOS;
-
- _nss_winbind_ipnodes_getbyname(in);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/simp_ok.c b/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/simp_ok.c
deleted file mode 100644
index b77d408900a5650ec6eba964e7026b260bb2f3a2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/_nss_winbind_ipnodes_getbyname/simp_ok.c
+++ /dev/null
@@ -1,22 +0,0 @@
-#include "../constants.h"
-
-static NSS_STATUS
-_nss_winbind_ipnodes_getbyname(char *name)
-{
- char winsreq [FSTRING_LEN];
-
- /* OK */
- r_strncpy(winsreq, name, FSTRING_LEN) ;
-
- return 0;
-}
-
-int main ()
-{
- char in [INSZ];
- in[INSZ-1] = EOS;
-
- _nss_winbind_ipnodes_getbyname(in);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/constants.h b/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/constants.h
deleted file mode 100644
index 566ac22b74d7c2e7406ad8637b4f80a1d32512ef..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/constants.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-typedef int NSS_STATUS;
-
-/* Size of overflowed buffer. */
-#define FSTRING_LEN BASE_SZ /* originally 256 */
-typedef char fstring[FSTRING_LEN];
-
-/* Size of input buffer. */
-#define INSZ (FSTRING_LEN+2)
diff --git a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/structs.h b/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/structs.h
deleted file mode 100644
index d4d7965889e36082f4b63235b29456cd6d50b105..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/samba/CVE-2007-0453/structs.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#include "constants.h"
-
-#ifndef BOOL
-typedef int BOOL;
-#endif
-
-struct winbindd_request {
- union {
- /* Got rid of most union fields.... */
- fstring winsreq; /* WINS request */
- BOOL list_all_domains;
- } data;
-};
-
-union nss_XbyY_key {
- /* Got rid of most fields.... */
- const char *name;
- int number;
-};
-
-typedef struct nss_XbyY_args {
- union nss_XbyY_key key;
-} nss_XbyY_args_t;
-
diff --git a/tests/verisec/suite/programs/apps/samba/README b/tests/verisec/suite/programs/apps/samba/README
deleted file mode 100644
index c6b63b0fdbf32da88081520eab706b9f0d6cb850..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/samba/README
+++ /dev/null
@@ -1,8 +0,0 @@
--= Samba =-
-
-Homepage: http://www.samba.org
-Domain: SMB (Server Message Block) Suite
-
-SMB is the Server Message Block protocol. It is an application-layer
-networking protocol for accessing files, printers, etc. on Microsoft
-Windows networks. Samba is an open-source SMB suite.
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/README b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/README
deleted file mode 100644
index 0aa014903278cf01fd5319688667523e4f52a13b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/README
+++ /dev/null
@@ -1,26 +0,0 @@
--= CVE-1999-0047 =-
-
-Vulnerable version: Sendmail 8.8.3 and 8.8.4
-File: sendmail/mime.c
-Download from: source not available anymore
-
-Domain: Server
-
-_ Vulnerable Functions and Buffers _
-
-Function mime7to8 reads four characters at a time from a file and copies each character into a fixed sized buffer. The number of elements copied depends on the length of the input, but the pointer into the dest buffer is reset if a '\n' is encountered. A typo (fbuf >= &fbuf[X], which is always false, instead of fbufp >= &fbuf[X]) prevents the copying loop from stopping early if the end of the dest buffer is reached. The patched version fixes the typo.
-
-_ Decomposed Programs _
-
-Zitser's model program:
-
-mime7to8/
- mime7to8_{arr,ptr}_{one,two,three}_char*_{no,med,heavy}_test_{bad,ok}.c
-
-Variants arr and ptr use array indexing and pointer operations, respectively. Variants one, two, and three read (and test) one, two, and three characters from input on each iteration of the while loop. Variant no only checks whether the input char is EOF; med also checks whether the input is '=', '\n', or '\r'; heavy also checks the input with isascii and isspace.
-
-_ Notes _
-
-This is Zitser's sendmail/s4, simplified.
-
-BASE_SZ was originally 50.
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/complete/mime2-bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/complete/mime2-bad.c
deleted file mode 100644
index 31b6b300b6cc417847d77d9b508b4d36da11d3fe..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/complete/mime2-bad.c
+++ /dev/null
@@ -1,318 +0,0 @@
-
-/*
-
-MIT Copyright Notice
-
-Copyright 2003 M.I.T.
-
-Permission is hereby granted, without written agreement or royalty fee, to use,
-copy, modify, and distribute this software and its documentation for any
-purpose, provided that the above copyright notice and the following three
-paragraphs appear in all copies of this software.
-
-IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
-INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE
-AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMANGE.
-
-M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO
-THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
-AND NON-INFRINGEMENT.
-
-THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:44 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s4/mime2-bad.c,v 1.1.1.1 2004/01/05 17:27:44 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-Sendmail Copyright Notice
-
-
-Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- All rights reserved.
-Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
-Copyright (c) 1988, 1993
- The Regents of the University of California. All rights reserved.
-
-By using this file, you agree to the terms and conditions set
-forth in the LICENSE file which can be found at the top level of
-the sendmail distribution.
-
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:44 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s4/mime2-bad.c,v 1.1.1.1 2004/01/05 17:27:44 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-<source>
-
-*/
-
-# include "mime2.h"
-# include <string.h>
-#include <assert.h>
-
-void mime7to8(HDR *, ENVELOPE *);
-char * hvalue(char *, HDR *);
-
-int main(int argc, char **argv){
-
- HDR *header;
- register ENVELOPE *e;
- FILE *temp;
-
- assert (argc==2);
-
- header = (HDR *) malloc(sizeof(struct header));
-
- header->h_field = "Content-Transfer-Encoding";
- header->h_value = "base64";
-
- e = (ENVELOPE *) malloc(sizeof(struct envelope));
- e->e_id = "First Entry";
-
- temp = fopen(argv[1],"r");
-
- e->e_dfp = temp;
- mime7to8(header, e);
-
- fclose(temp);
-
- return 0;
-
-
- return 0;
-}
-
-static char index_64[128] =
-{
- -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1,
- -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,-1,
- -1,-1,-1,-1, -1,-1,-1,-1, -1,-1,-1,62, -1,-1,-1,63,
- 52,53,54,55, 56,57,58,59, 60,61,-1,-1, -1,-1,-1,-1,
- -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10, 11,12,13,14,
- 15,16,17,18, 19,20,21,22, 23,24,25,-1, -1,-1,-1,-1,
- -1,26,27,28, 29,30,31,32, 33,34,35,36, 37,38,39,40,
- 41,42,43,44, 45,46,47,48, 49,50,51,-1, -1,-1,-1,-1
-};
-
-#define CHAR64(c) (((c) < 0 || (c) > 127) ? -1 : index_64[(c)])
-
-/*
-** MIME7TO8 -- output 7 bit encoded MIME body in 8 bit format
-**
-** This is a hack. Supports translating the two 7-bit body-encodings
-** (quoted-printable and base64) to 8-bit coded bodies.
-**
-** There is not much point in supporting multipart here, as the UA
-** will be able to deal with encoded MIME bodies if it can parse MIME
-** multipart messages.
-**
-** Note also that we wont be called unless it is a text/plain MIME
-** message, encoded base64 or QP and mailer flag '9' has been defined
-** on mailer.
-**
-** Contributed by Marius Olaffson <marius@rhi.hi.is>. Modified by Misha Zitser
-**
-** Parameters:
-** header -- the header for this body part.
-** e -- envelope.
-**
-** Returns:
-** none.
-*/
-
-void
-mime7to8(header, e)
- HDR *header;
- register ENVELOPE *e;
-{
-
- register char *p;
- u_char *fbufp;
- char canary[10];
- u_char fbuf[MAXLINE + 1];
-
- strcpy(canary, "GOOD"); /* use canary to see if fbuf gets overflowed */
-
- p = hvalue("Content-Transfer-Encoding", header);
- if (p == NULL)
- {
- printf("Content-Transfer-Encoding not found in header\n");
- return;
- }
-
- /*
- ** Translate body encoding to 8-bit. Supports two types of
- ** encodings; "base64" and "quoted-printable". Assume qp if
- ** it is not base64.
- */
-
- if (strcasecmp(p, "base64") == 0)
- {
- int c1, c2, c3, c4;
-
- fbufp = fbuf;
- while ((c1 = fgetc(e->e_dfp)) != EOF)
- {
- if (isascii(c1) && isspace(c1))
- continue;
-
- do
- {
- c2 = fgetc(e->e_dfp);
- } while (isascii(c2) && isspace(c2));
- if (c2 == EOF)
- break;
-
- do
- {
- c3 = fgetc(e->e_dfp);
- } while (isascii(c3) && isspace(c3));
- if (c3 == EOF)
- break;
-
- do
- {
- c4 = fgetc(e->e_dfp);
- } while (isascii(c4) && isspace(c4));
- if (c4 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
- c1 = CHAR64(c1);
- c2 = CHAR64(c2);
-
- /*We have read in four characters, skipping spaces */
- /*BAD*/
- *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4); /* Write first char to fbuf */
-
-
- /* Check to see if either 1) reached a '\n' or */
- /* 2) fbufp about to point past end of fbuf (unfortunately there is a typo in the if-check) */
-
- /* suppose the string in e->e_dfp is longer than MAXLINE + 1 and doesn't contain any '\n's, then" */
- /* we will never catch the case when fbufp points past the end of fbuf because of the */
- /*typo in the check below. fbuf will get overflowed with arbitrary data */
-
- if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) /* it shoud say fbufp >= &fbuf[MAXLINE] */
- {
- /*BAD*/
- if (*--fbufp != '\n' || *--fbufp != '\r') /* possible illegal read *--fbufp != '\r'*/
- fbufp++; /* if fbufp points to */
- /* fbuf[0] and first char read in is \n */
- *fbufp = '\0';
- /* putline((char *) fbuf, mci); */
- printf("resetting fbufp\n");
- fbufp = fbuf; /* fbufp gets reset to fbuf. unfortunately this never */
- /* happens */
- }
- if (c3 == '=')
- continue;
- c3 = CHAR64(c3);
-
- /*BAD*/
- *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
- if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
- {
- /*BAD*/
- if (*--fbufp != '\n' || *--fbufp != '\r')
- fbufp++;
- *fbufp = '\0';
- /* putline((char *) fbuf, mci);*/
- printf("resetting fbufp\n");
- fbufp = fbuf;
- }
- if (c4 == '=')
- continue;
- c4 = CHAR64(c4);
-
- /*BAD*/
- *fbufp = ((c3 & 0x03) << 6) | c4;
- if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE])
- {
- /*BAD*/
- if (*--fbufp != '\n' || *--fbufp != '\r')
- fbufp++;
- *fbufp = '\0';
- /* putline((char *) fbuf, mci); */
- printf("resetting fbufp\n");
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /*BAD*/
- *fbufp = '\0';
- /* putline((char *) fbuf, mci); */
- }
- }
- else
- {
- /* do something else... */
- printf("We only support base64 encoding...\n");
- }
-
- printf("canary should be GOOD\n");
- printf("canary = %s\n", canary);
-}
-
-
-
-/*
-** HVALUE -- return value of a header.
-**
-** Only "real" fields (i.e., ones that have not been supplied
-** as a default) are used.
-**
-** Parameters:
-** field -- the field name.
-** header -- the header list.
-**
-** Returns:
-** pointer to the value part.
-** NULL if not found.
-**
-** Side Effects:
-** none.
-*/
-
-char * hvalue(field, header)
- char *field;
- HDR *header;
-{
- register HDR *h;
-
- for (h = header; h != NULL; h = h->h_link)
- {
- if (!bitset(H_DEFAULT, h->h_flags) &&
- strcasecmp(h->h_field, field) == 0)
- return (h->h_value);
- }
- return (NULL);
-}
-
-
-/*
-
-</source>
-
-*/
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/complete/mime2.h b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/complete/mime2.h
deleted file mode 100644
index 802160eb92ba30116495ff559b316d4bb5ae333e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/complete/mime2.h
+++ /dev/null
@@ -1,167 +0,0 @@
-
-/*
-
-MIT Copyright Notice
-
-Copyright 2003 M.I.T.
-
-Permission is hereby granted, without written agreement or royalty fee, to use,
-copy, modify, and distribute this software and its documentation for any
-purpose, provided that the above copyright notice and the following three
-paragraphs appear in all copies of this software.
-
-IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
-INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE
-AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMANGE.
-
-M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO
-THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
-AND NON-INFRINGEMENT.
-
-THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:44 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s4/mime2.h,v 1.1.1.1 2004/01/05 17:27:44 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-Sendmail Copyright Notice
-
-
-Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- All rights reserved.
-Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
-Copyright (c) 1988, 1993
- The Regents of the University of California. All rights reserved.
-
-By using this file, you agree to the terms and conditions set
-forth in the LICENSE file which can be found at the top level of
-the sendmail distribution.
-
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:44 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s4/mime2.h,v 1.1.1.1 2004/01/05 17:27:44 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-<source>
-
-*/
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <string.h>
-#include <ctype.h>
-#include <stddef.h>
-
-/* I have cut out the BITMAP field of header */
-struct header
-{
- char *h_field; /* the name of the field */
- char *h_value; /* the value of that field */
- struct header *h_link; /* the next header */
- u_short h_flags; /* status bits, see below */
-
-};
-
-typedef struct header HDR;
-
-/* modified address structure */
-struct address
-{
- char *q_paddr; /* the printname for the address */
- char *q_user; /* user name */
- char *q_ruser; /* real user name, or NULL if q_user */
- char *q_host; /* host name */
- /*struct mailer *q_mailer;*/ /* mailer to use */
- u_long q_flags; /* status flags, see below */
- uid_t q_uid; /* user-id of receiver (if known) */
- gid_t q_gid; /* group-id of receiver (if known) */
- char *q_home; /* home dir (local mailer only) */
- char *q_fullname; /* full name if known */
- struct address *q_next; /* chain */
- struct address *q_alias; /* address this results from */
- char *q_owner; /* owner of q_alias */
- struct address *q_tchain; /* temporary use chain */
- char *q_orcpt; /* ORCPT parameter from RCPT TO: line */
- char *q_status; /* status code for DSNs */
- char *q_rstatus; /* remote status message for DSNs */
- /*time_t q_statdate; */ /* date of status messages */
- char *q_statmta; /* MTA generating q_rstatus */
- short q_specificity; /* how "specific" this address is */
-};
-
-typedef struct address ADDRESS;
-
-
-/* modified envelope structure */
-struct envelope
-{
- HDR *e_header; /* head of header list */
- long e_msgpriority; /* adjusted priority of this message */
- time_t e_ctime; /* time message appeared in the queue */
- char *e_to; /* the target person */
- ADDRESS e_from; /* the person it is from */
- char *e_sender; /* e_from.q_paddr w comments stripped */
- char **e_fromdomain; /* the domain part of the sender */
- ADDRESS *e_sendqueue; /* list of message recipients */
- ADDRESS *e_errorqueue; /* the queue for error responses */
- long e_msgsize; /* size of the message in bytes */
- long e_flags; /* flags, see below */
- int e_nrcpts; /* number of recipients */
- short e_class; /* msg class (priority, junk, etc.) */
- short e_hopcount; /* number of times processed */
- short e_nsent; /* number of sends since checkpoint */
- short e_sendmode; /* message send mode */
- short e_errormode; /* error return mode */
- short e_timeoutclass; /* message timeout class */
- struct envelope *e_parent; /* the message this one encloses */
- struct envelope *e_sibling; /* the next envelope of interest */
- char *e_bodytype; /* type of message body */
- FILE *e_dfp; /* temporary file */
- char *e_id; /* code for this entry in queue */
- FILE *e_xfp; /* transcript file */
- FILE *e_lockfp; /* the lock file for this message */
- char *e_message; /* error message */
- char *e_statmsg; /* stat msg (changes per delivery) */
- char *e_msgboundary; /* MIME-style message part boundary */
- char *e_origrcpt; /* original recipient (one only) */
- char *e_envid; /* envelope id from MAIL FROM: line */
- char *e_status; /* DSN status for this message */
- time_t e_dtime; /* time of last delivery attempt */
- int e_ntries; /* number of delivery attempts */
- dev_t e_dfdev; /* df file's device, for crash recov */
- ino_t e_dfino; /* df file's ino, for crash recovery */
- char *e_macro[256]; /* macro definitions */
-};
-
-
-typedef struct envelope ENVELOPE;
-
-# define bitset(bit, word) (((word) & (bit)) != 0)
-# define MAXLINE 50 /* modified max line length */
-# define H_DEFAULT 0x0004 /* if another value is found, drop this */
-
-
-/*
-
-</source>
-
-*/
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/array_vs_pointer.ods b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/array_vs_pointer.ods
deleted file mode 100644
index 8e05c904f61495ec4c75cf8dab2fc957e267877a..0000000000000000000000000000000000000000
Binary files a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/array_vs_pointer.ods and /dev/null differ
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/data_testing.ods b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/data_testing.ods
deleted file mode 100644
index fccc8e020aae30023453744be4e2a34290add009..0000000000000000000000000000000000000000
Binary files a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/data_testing.ods and /dev/null differ
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_heavy_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_heavy_test_bad.c
deleted file mode 100644
index 71d0789d9a252e57fb16e5b9a4f6fa12459b8d84..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_heavy_test_bad.c
+++ /dev/null
@@ -1,48 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii (c1) && isspace (c1))
- continue;
- if (c1 == '=')
- continue;
-
- /* BAD */
- fbuf[fb] = c1;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* BAD */
- fbuf[fb] = 0;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_heavy_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_heavy_test_ok.c
deleted file mode 100644
index e7ff1350937c7a0335e377fd4d90758d2795afc6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_heavy_test_ok.c
+++ /dev/null
@@ -1,48 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii (c1) && isspace (c1))
- continue;
- if (c1 == '=')
- continue;
-
- /* OK */
- fbuf[fb] = c1;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* OK */
- fbuf[fb] = 0;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_med_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_med_test_bad.c
deleted file mode 100644
index 80eb47717f6e57fba8abfe2d709905886aa7faed..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_med_test_bad.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- if (c1 == '=')
- continue;
-
- /* BAD */
- fbuf[fb] = c1;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* BAD */
- fbuf[fb] = 0;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_med_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_med_test_ok.c
deleted file mode 100644
index 432905b0b9af5f44510639bd77f2207c49b35d7c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_med_test_ok.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- if (c1 == '=')
- continue;
-
- /* OK */
- fbuf[fb] = c1;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* OK */
- fbuf[fb] = 0;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_no_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_no_test_bad.c
deleted file mode 100644
index ddfd8d06ba10d2469d59adefe0018e6056cc67df..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_no_test_bad.c
+++ /dev/null
@@ -1,29 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1;
-
- fb = 0;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- /* BAD */
- fbuf[fb] = c1;
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* BAD */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_no_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_no_test_ok.c
deleted file mode 100644
index c62504b24f35d29dc15f6357bdde3676f037f66e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_one_char_no_test_ok.c
+++ /dev/null
@@ -1,31 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1;
-
- fb = 0;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- /* OK */
- fbuf[fb] = c1;
- fb++;
- if (fb >= MAXLINE)
- fb = 0;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* OK */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_heavy_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_heavy_test_bad.c
deleted file mode 100644
index e2d08161e022cc2a7467e856118921ce6fca2887..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_heavy_test_bad.c
+++ /dev/null
@@ -1,103 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2, c3;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii(c1) && isspace(c1))
- continue;
-
- do
- {
- c2 = nondet_int ();
- } while (isascii(c2) && isspace(c2));
- if (c2 == EOF)
- break;
-
- do
- {
- c3 = nondet_int ();
- } while (isascii(c3) && isspace(c3));
- if (c3 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* BAD */
- fbuf[fb] = c1;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- /* BAD */
- fbuf[fb] = c2;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- if (c3 == '=')
- continue;
- /* BAD */
- fbuf[fb] = c3;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* BAD */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_heavy_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_heavy_test_ok.c
deleted file mode 100644
index f2cf11187a1bae6d832f573db3efe635fb0781e3..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_heavy_test_ok.c
+++ /dev/null
@@ -1,103 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2, c3;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii(c1) && isspace(c1))
- continue;
-
- do
- {
- c2 = nondet_int ();
- } while (isascii(c2) && isspace(c2));
- if (c2 == EOF)
- break;
-
- do
- {
- c3 = nondet_int ();
- } while (isascii(c3) && isspace(c3));
- if (c3 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* OK */
- fbuf[fb] = c1;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- /* OK */
- fbuf[fb] = c2;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- if (c3 == '=')
- continue;
- /* OK */
- fbuf[fb] = c3;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* OK */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_med_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_med_test_bad.c
deleted file mode 100644
index bb49cf3fe74af12760aa20b71c9b75194224ef47..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_med_test_bad.c
+++ /dev/null
@@ -1,94 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2, c3;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- c3 = nondet_int ();
- if (c3 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* BAD */
- fbuf[fb] = c1;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- /* BAD */
- fbuf[fb] = c2;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- if (c3 == '=')
- continue;
- /* BAD */
- fbuf[fb] = c3;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* BAD */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_med_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_med_test_ok.c
deleted file mode 100644
index 02a4c4b4ab4f6a0f2ff910cf20ace4c6a302920b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_med_test_ok.c
+++ /dev/null
@@ -1,94 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2, c3;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- c3 = nondet_int ();
- if (c3 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* OK */
- fbuf[fb] = c1;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- /* OK */
- fbuf[fb] = c2;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- if (c3 == '=')
- continue;
- /* OK */
- fbuf[fb] = c3;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* OK */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_no_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_no_test_bad.c
deleted file mode 100644
index 31412b4f6b2de96bb82c8245e947d3b51cb4a47c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_no_test_bad.c
+++ /dev/null
@@ -1,44 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2, c3;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- c3 = nondet_int ();
- if (c3 == EOF)
- break;
-
- /* BAD */
- fbuf[fb] = c1;
- fb++;
-
- /* BAD */
- fbuf[fb] = c2;
- fb++;
-
- /* BAD */
- fbuf[fb] = c3;
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* BAD */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_no_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_no_test_ok.c
deleted file mode 100644
index 5f14a7674d2f0c92792c7e2013377a29e0ba6ca2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_three_chars_no_test_ok.c
+++ /dev/null
@@ -1,50 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2, c3;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- c3 = nondet_int ();
- if (c3 == EOF)
- break;
-
- /* OK */
- fbuf[fb] = c1;
- fb++;
- if (fb >= MAXLINE)
- fb = 0;
-
- /* OK */
- fbuf[fb] = c2;
- fb++;
- if (fb >= MAXLINE)
- fb = 0;
-
- /* OK */
- fbuf[fb] = c3;
- fb++;
- if (fb >= MAXLINE)
- fb = 0;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* OK */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_heavy_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_heavy_test_bad.c
deleted file mode 100644
index a8168a5b06e9a9e9a58e4794295cdfe353170be9..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_heavy_test_bad.c
+++ /dev/null
@@ -1,75 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii(c1) && isspace(c1))
- continue;
-
- do
- {
- c2 = nondet_int ();
- } while (isascii(c2) && isspace(c2));
- if (c2 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* BAD */
- fbuf[fb] = c1;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- /* BAD */
- fbuf[fb] = c2;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* BAD */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_heavy_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_heavy_test_ok.c
deleted file mode 100644
index 646ba64f7e5dd0cb106c6bb30ae0a9555b920325..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_heavy_test_ok.c
+++ /dev/null
@@ -1,75 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii(c1) && isspace(c1))
- continue;
-
- do
- {
- c2 = nondet_int ();
- } while (isascii(c2) && isspace(c2));
- if (c2 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* OK */
- fbuf[fb] = c1;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- /* OK */
- fbuf[fb] = c2;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* OK */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_med_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_med_test_bad.c
deleted file mode 100644
index 128b1f93abdd4e1262dce8aa2537b92590af5bba..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_med_test_bad.c
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* BAD */
- fbuf[fb] = c1;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- /* BAD */
- fbuf[fb] = c2;
-
- /* BAD */
- if (fbuf[fb] == '\n')
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* BAD */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* BAD */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_med_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_med_test_ok.c
deleted file mode 100644
index a6ea7e06b337827fc30a3e2273aa868fef52866e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_med_test_ok.c
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* OK */
- fbuf[fb] = c1;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
-
- /* OK */
- fbuf[fb] = c2;
-
- /* OK */
- if (fbuf[fb] == '\n' || fb >= MAXLINE)
- {
- fb--;
- if (fb < 0)
- fb = 0;
- else if (fbuf[fb] != '\r')
- fb++;
-
- /* OK */
- fbuf[fb] = 0;
- fb = 0;
- }
- else
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* OK */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_no_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_no_test_bad.c
deleted file mode 100644
index 2ec2a40a8a8eab6a0e0d6d43ddf66d33965f9c35..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_no_test_bad.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- /* BAD */
- fbuf[fb] = c1;
- fb++;
-
- /* BAD */
- fbuf[fb] = c2;
- fb++;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* BAD */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_no_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_no_test_ok.c
deleted file mode 100644
index 25d8cd09807dc1efeaebd85a8a4ca191c7874498..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_arr_two_chars_no_test_ok.c
+++ /dev/null
@@ -1,40 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- int fb;
- int c1, c2;
-
- fb = 0;
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- /* OK */
- fbuf[fb] = c1;
- fb++;
- if (fb >= MAXLINE)
- fb = 0;
-
- /* OK */
- fbuf[fb] = c2;
- fb++;
- if (fb >= MAXLINE)
- fb = 0;
- }
-
- /* force out partial last line */
- if (fb > 0)
- {
- /* OK */
- fbuf[fb] = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_heavy_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_heavy_test_bad.c
deleted file mode 100644
index 4c41c58fc274d2152231bc410658f60a9883a269..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_heavy_test_bad.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii (c1) && isspace (c1))
- continue;
- if (c1 == '=')
- continue;
-
- /* BAD */
- *fbufp = c1;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* BAD */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_heavy_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_heavy_test_ok.c
deleted file mode 100644
index 3207ec2bfdac55fbf0188bce911300d41088aa6d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_heavy_test_ok.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii (c1) && isspace (c1))
- continue;
- if (c1 == '=')
- continue;
-
- /* OK */
- *fbufp = c1;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* OK */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_med_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_med_test_bad.c
deleted file mode 100644
index 6245be879617565d379b0ba7a22afa7e9aaef2f6..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_med_test_bad.c
+++ /dev/null
@@ -1,44 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- if (c1 == '=')
- continue;
-
- /* BAD */
- *fbufp = c1;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* BAD */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_med_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_med_test_ok.c
deleted file mode 100644
index f65f123ea44c78611bcd560fdea558e42d44339c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_med_test_ok.c
+++ /dev/null
@@ -1,44 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- if (c1 == '=')
- continue;
-
- /* OK */
- *fbufp = c1;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* OK */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_no_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_no_test_bad.c
deleted file mode 100644
index c92fc5cc4201a423daf13cff51d1621d4fb81f8a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_no_test_bad.c
+++ /dev/null
@@ -1,28 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- /* BAD */
- *fbufp++ = c1;
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* BAD */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_no_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_no_test_ok.c
deleted file mode 100644
index 3e5c1f145d519373aec33a4d65b296f0afce19e7..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_one_char_no_test_ok.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- /* OK */
- *fbufp++ = c1;
- if (fbufp >= &fbuf[MAXLINE])
- fbufp = fbuf;
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* OK */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_heavy_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_heavy_test_bad.c
deleted file mode 100644
index 71a6810bae6cd9096da02ffd9b074fe65d1fd603..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_heavy_test_bad.c
+++ /dev/null
@@ -1,94 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2, c3;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii(c1) && isspace(c1))
- continue;
-
- do
- {
- c2 = nondet_int ();
- } while (isascii(c2) && isspace(c2));
- if (c2 == EOF)
- break;
-
- do
- {
- c3 = nondet_int ();
- } while (isascii(c3) && isspace(c3));
- if (c3 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* BAD */
- *fbufp = c1;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- /* BAD */
- *fbufp = c2;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- if (c3 == '=')
- continue;
- /* BAD */
- *fbufp = c3;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* BAD */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_heavy_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_heavy_test_ok.c
deleted file mode 100644
index 6741211f426dc8ef9167a1511eaa4d0f090ac469..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_heavy_test_ok.c
+++ /dev/null
@@ -1,94 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2, c3;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii(c1) && isspace(c1))
- continue;
-
- do
- {
- c2 = nondet_int ();
- } while (isascii(c2) && isspace(c2));
- if (c2 == EOF)
- break;
-
- do
- {
- c3 = nondet_int ();
- } while (isascii(c3) && isspace(c3));
- if (c3 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* OK */
- *fbufp = c1;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- /* OK */
- *fbufp = c2;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- if (c3 == '=')
- continue;
- /* OK */
- *fbufp = c3;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* OK */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_med_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_med_test_bad.c
deleted file mode 100644
index dac91a3f957145b5ecf381ab5920334b8bba3c00..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_med_test_bad.c
+++ /dev/null
@@ -1,86 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2, c3;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- c3 = nondet_int ();
- if (c3 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* BAD */
- *fbufp = c1;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- /* BAD */
- *fbufp = c2;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- if (c3 == '=')
- continue;
- /* BAD */
- *fbufp = c3;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* BAD */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_med_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_med_test_ok.c
deleted file mode 100644
index 19606575d86b966193f6e487cd95c76a868ca7e4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_med_test_ok.c
+++ /dev/null
@@ -1,86 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2, c3;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- c3 = nondet_int ();
- if (c3 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* OK */
- *fbufp = c1;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- /* OK */
- *fbufp = c2;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- if (c3 == '=')
- continue;
- /* OK */
- *fbufp = c3;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* OK */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_no_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_no_test_bad.c
deleted file mode 100644
index 11343d33220833ae948c8cd9a9023b3bb80e6afd..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_no_test_bad.c
+++ /dev/null
@@ -1,42 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2, c3;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- c3 = nondet_int ();
- if (c3 == EOF)
- break;
-
- /* BAD */
- *fbufp++ = c1;
-
- /* BAD */
- *fbufp++ = c2;
-
- /* BAD */
- *fbufp++ = c3;
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* BAD */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_no_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_no_test_ok.c
deleted file mode 100644
index 1ae0174322bf6d5f5c682a1fa3de7b9e1628221a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_no_test_ok.c
+++ /dev/null
@@ -1,48 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2, c3;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- c3 = nondet_int ();
- if (c3 == EOF)
- break;
-
- /* OK */
- *fbufp++ = c1;
- if (fbufp >= &fbuf[MAXLINE])
- fbufp = fbuf;
-
- /* OK */
- *fbufp++ = c2;
- if (fbufp >= &fbuf[MAXLINE])
- fbufp = fbuf;
-
- /* OK */
- *fbufp++ = c3;
- if (fbufp >= &fbuf[MAXLINE])
- fbufp = fbuf;
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* OK */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_heavy_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_heavy_test_bad.c
deleted file mode 100644
index c4e5300aa25d710eb3e45f7e73c4fb7b8e415e3a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_heavy_test_bad.c
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii(c1) && isspace(c1))
- continue;
-
- do
- {
- c2 = nondet_int ();
- } while (isascii(c2) && isspace(c2));
- if (c2 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* BAD */
- *fbufp = c1;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- /* BAD */
- *fbufp = c2;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* BAD */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_heavy_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_heavy_test_ok.c
deleted file mode 100644
index b19eeba36e6de70837ad95ab6538f88743294e9d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_heavy_test_ok.c
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- if (isascii(c1) && isspace(c1))
- continue;
-
- do
- {
- c2 = nondet_int ();
- } while (isascii(c2) && isspace(c2));
- if (c2 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* OK */
- *fbufp = c1;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- /* OK */
- *fbufp = c2;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* OK */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_med_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_med_test_bad.c
deleted file mode 100644
index 37595e872caa46fe17378bee45fb07824af44216..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_med_test_bad.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* BAD */
- *fbufp = c1;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- /* BAD */
- *fbufp = c2;
-
- /* BAD */
- if (*fbufp++ == '\n')
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* BAD */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* BAD */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_med_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_med_test_ok.c
deleted file mode 100644
index 7a665eb586639e2256993a5fb8037b9a4f9a7005..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_med_test_ok.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- if (c1 == '=' || c2 == '=')
- continue;
-
- /* OK */
- *fbufp = c1;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
-
- /* OK */
- *fbufp = c2;
-
- /* OK */
- if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE])
- {
- if (fbufp <= fbuf)
- fbufp = fbuf;
- else if (*--fbufp != '\r')
- fbufp++;
-
- /* OK */
- *fbufp = EOS;
- fbufp = fbuf;
- }
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* OK */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_no_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_no_test_bad.c
deleted file mode 100644
index 6a5f1d44cdd70b72cbd248b4ab1b316f535c667b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_no_test_bad.c
+++ /dev/null
@@ -1,35 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- /* BAD */
- *fbufp++ = c1;
-
- /* BAD */
- *fbufp++ = c2;
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* BAD */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_no_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_no_test_ok.c
deleted file mode 100644
index a1a9d52e191dc6395233beb28a2ed2430d77406a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0047/mime7to8/mime7to8_ptr_two_chars_no_test_ok.c
+++ /dev/null
@@ -1,39 +0,0 @@
-#include "../../../../../lib/stubs.h"
-#include "../../../../../lib/base.h"
-
-#define MAXLINE BASE_SZ
-
-int main (void)
-{
- char fbuf[MAXLINE+1];
- char *fbufp;
- int c1, c2;
-
- fbufp = fbuf;
-
- while ((c1 = nondet_int ()) != EOF)
- {
- c2 = nondet_int ();
- if (c2 == EOF)
- break;
-
- /* OK */
- *fbufp++ = c1;
- if (fbufp >= &fbuf[MAXLINE])
- fbufp = fbuf;
-
- /* OK */
- *fbufp++ = c2;
- if (fbufp >= &fbuf[MAXLINE])
- fbufp = fbuf;
- }
-
- /* force out partial last line */
- if (fbufp > fbuf)
- {
- /* OK */
- *fbufp = EOS;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/README b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/README
deleted file mode 100644
index 561a617bba28a5d8c713ec4bc78ba1cf3fbb3b9d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/README
+++ /dev/null
@@ -1,24 +0,0 @@
--= CVE-1999-0206 =-
-
-Vulnerable version: Sendmail 8.8.0 to ?
-File: sendmail/mime.c
-Download from: source not available anymore
-
-Domain: Server
-
-_ Vulnerable Functions and Buffers _
-
-Function mime7to8 (not shown in testcases) loops over fgets, passing each fgets'd string to function mime_fromqp which decodes input into a fixed sized buffer passed in from mime7to8. However, mime_fromqp's return value indicates to mime7to8 whether the current fgets string includes the continuation string "=\n", in which case the subsequent fgets'd string is also passed to mime_fromqp which continues writing into the buffer where it previously left off. Thus, a sufficiently long input where each substring between "=\n"s is not too long will yield an overflow. In the patched version, the pointer into the dest buffer is reset to the start of dest before mime_fromqp is called again.
-
-_ Decomposed Programs _
-
-mime_fromqp/
- mime_fromqp_{arr,ptr}_{bad,ok}.c
-
-Variant arr replaces pointer operations with array operations.
-
-_ Notes _
-
-This is Zitser's sendmail/s3, simplified.
-
-BASE_SZ was originally 50.
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_arr_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_arr_bad.c
deleted file mode 100644
index e92485d19fa343c9793ce264252c1ed191babdde..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_arr_bad.c
+++ /dev/null
@@ -1,74 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- // XXX infile originally at most MAXLINE long per call to mime_fromqp
-
- char outfile[BASE_SZ]; // originally MAXLINE
- // originally a function argument **ooutfile; this function modified
- // caller's pointer into outbut buffer
-
- int c1, c2;
-
- // number of chars copied from infile into outfile; reset when
- // continuation sequence "=\n" is read
- int nchar = 0;
-
- int out = 0; // index into outfile
-
- while ((c1 = nondet_char ()) != EOS)
- {
- if (c1 == '=')
- {
- // malformed: early EOS
- if ((c1 = nondet_char ()) == EOS)
- // in Zitser, these breaks actually return to the caller where the
- // pointer into outfile is reset before this is called again
- break;
-
- // =\n: continuation; signal to caller it's ok to pass in more infile
- // BAD: forgot to reset out
- if (c1 == '\n')
- {
- nchar = 0;
- continue;
- }
- else
- {
- // convert, e.g., "=5c" to int
-
- // malformed: early EOF
- if ((c2 = nondet_char ()) == EOS)
- break;
-
- nchar++;
- if (nchar > BASE_SZ)
- break;
-
- /* BAD */
- outfile[out] = c1;
- out++;
- }
- }
- else
- {
- // regular character, copy verbatim
-
- nchar++;
- if (nchar > BASE_SZ)
- break;
-
- /* BAD */
- outfile[out] = c1;
- out++;
-
- if (c1 == '\n')
- break;
- }
- }
-
- /* BAD */
- outfile[out] = EOS;
- out++;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_arr_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_arr_ok.c
deleted file mode 100644
index 45c1d59bdd33cd5cc3091f7d49fd77567c223224..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_arr_ok.c
+++ /dev/null
@@ -1,75 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- // XXX infile originally at most MAXLINE long per call to mime_fromqp
-
- char outfile[BASE_SZ]; // originally MAXLINE
- // originally a function argument **ooutfile; this function modified
- // caller's pointer into outbut buffer
-
- int c1, c2;
-
- // number of chars copied from infile into outfile; reset when
- // continuation sequence "=\n" is read
- int nchar = 0;
-
- int out = 0; // index into outfile
-
- while ((c1 = nondet_char ()) != EOS)
- {
- if (c1 == '=')
- {
- // malformed: early EOS
- if ((c1 = nondet_char ()) == EOS)
- // in Zitser, these breaks actually return to the caller where the
- // pointer into outfile is reset before this is called again
- break;
-
- // =\n: continuation; signal to caller it's ok to pass in more infile
- // OK: reset out before taking more input
- if (c1 == '\n')
- {
- out = 0;
- nchar = 0;
- continue;
- }
- else
- {
- // convert, e.g., "=5c" to int
-
- // malformed: early EOF
- if ((c2 = nondet_char ()) == EOS)
- break;
-
- nchar++;
- if (nchar > BASE_SZ)
- break;
-
- /* OK */
- outfile[out] = c1;
- out++;
- }
- }
- else
- {
- // regular character, copy verbatim
-
- nchar++;
- if (nchar > BASE_SZ)
- break;
-
- /* OK */
- outfile[out] = c1;
- out++;
-
- if (c1 == '\n')
- break;
- }
- }
-
- /* OK */
- outfile[out] = EOS;
- out++;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_ptr_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_ptr_bad.c
deleted file mode 100644
index 1ecc9893fa71bff8f0cea49512a236d080776508..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_ptr_bad.c
+++ /dev/null
@@ -1,70 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- // XXX infile originally at most MAXLINE long per call to mime_fromqp
-
- char outfile[BASE_SZ]; // originally MAXLINE
- // originally a function argument **ooutfile; this function modified
- // caller's pointer into outbut buffer
- char *outp = outfile;
-
- int c1, c2;
-
- // number of chars copied from infile into outfile; reset when
- // continuation sequence "=\n" is read
- int nchar = 0;
-
- while ((c1 = nondet_char ()) != EOS)
- {
- if (c1 == '=')
- {
- // malformed: early EOS
- if ((c1 = nondet_char ()) == EOS)
- // in Zitser, these breaks actually return to the caller where the
- // pointer into outfile is reset before this is called again
- break;
-
- // =\n: continuation; signal to caller it's ok to pass in more infile
- // BAD: forgot to reset outp
- if (c1 == '\n')
- {
- nchar = 0;
- continue;
- }
- else
- {
- // convert, e.g., "=5c" to int
-
- // malformed: early EOF
- if ((c2 = nondet_char ()) == EOS)
- break;
-
- nchar++;
- if (nchar > BASE_SZ)
- break;
-
- /* BAD */
- *outp++ = c1;
- }
- }
- else
- {
- // regular character, copy verbatim
-
- nchar++;
- if (nchar > BASE_SZ)
- break;
-
- /* BAD */
- *outp++ = c1;
-
- if (c1 == '\n')
- break;
- }
- }
-
- /* BAD */
- *outp++ = EOS;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_ptr_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_ptr_ok.c
deleted file mode 100644
index c3d1dc8d9ddb8ddfad3b32eca51bdd847b5428dd..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-1999-0206/mime_fromqp/mime_fromqp_ptr_ok.c
+++ /dev/null
@@ -1,71 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- // XXX infile originally at most MAXLINE long per call to mime_fromqp
-
- char outfile[BASE_SZ]; // originally MAXLINE
- // originally a function argument **ooutfile; this function modified
- // caller's pointer into outbut buffer
- char *outp = outfile;
-
- int c1, c2;
-
- // number of chars copied from infile into outfile; reset when
- // continuation sequence "=\n" is read
- int nchar = 0;
-
- while ((c1 = nondet_char ()) != EOS)
- {
- if (c1 == '=')
- {
- // malformed: early EOS
- if ((c1 = nondet_char ()) == EOS)
- // in Zitser, these breaks actually return to the caller where the
- // pointer into outfile is reset before this is called again
- break;
-
- // =\n: continuation; signal to caller it's ok to pass in more infile
- // OK: reset out before taking more input
- if (c1 == '\n')
- {
- outp = outfile;
- nchar = 0;
- continue;
- }
- else
- {
- // convert, e.g., "=5c" to int
-
- // malformed: early EOF
- if ((c2 = nondet_char ()) == EOS)
- break;
-
- nchar++;
- if (nchar > BASE_SZ)
- break;
-
- /* OK */
- *outp++ = c1;
- }
- }
- else
- {
- // regular character, copy verbatim
-
- nchar++;
- if (nchar > BASE_SZ)
- break;
-
- /* OK */
- *outp++ = c1;
-
- if (c1 == '\n')
- break;
- }
- }
-
- /* OK */
- *outp++ = EOS;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/README b/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/README
deleted file mode 100644
index 534e76640414c1d1f6f4342e797720bbd6195e09..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/README
+++ /dev/null
@@ -1,25 +0,0 @@
--= CVE-2001-0653 =-
-
-Vulnerable version: Sendmail up to 8.12.9
-File: sendmail/parseaddr.c
-Download from: ftp://ftp.sendmail.org/pub/sendmail/past-releases/
-
-Domain: Server
-
-_ Vulnerable Functions and Buffers _
-
-Function tTflag parses a string of digits into two signed integers, first and last. If first <= last, first is used afterwards to index into an array. Since a signed integer is used to store the temporary values of the number being accumulated from the input, it is possible for arithmetic overflow to occur and a negative value is assigned to first. If this happens, first passes the comparison to last and is subsequently used to access negative indices of a local buffer. The patched version declares first and last as unsigned integers, thereby inhibiting the arithmetic overflow.
-
-_ Decomposed Programs _
-
-tTflag/
- tTflag_arr_one_loop_{bad,ok}.c
- tTflag_arr_two_loops_{bad,ok}.c
-
-Variant one_loop computes (lexes) a single int from the char input. Variant two_loops computs two ints from the input.
-
-_ Notes _
-
-This is Zitser's sendmail/s6, simplified.
-
-BASE_SZ originally 100.
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/my-main.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/my-main.c
deleted file mode 100644
index cbfc5806f17295910e2655ed26c79052e7b73d01..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/my-main.c
+++ /dev/null
@@ -1,125 +0,0 @@
-
-/*
-
-MIT Copyright Notice
-
-Copyright 2003 M.I.T.
-
-Permission is hereby granted, without written agreement or royalty fee, to use,
-copy, modify, and distribute this software and its documentation for any
-purpose, provided that the above copyright notice and the following three
-paragraphs appear in all copies of this software.
-
-IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
-INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE
-AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMANGE.
-
-M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO
-THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
-AND NON-INFRINGEMENT.
-
-THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:45 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/my-main.c,v 1.1.1.1 2004/01/05 17:27:45 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-Sendmail Copyright Notice
-
-
-Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- All rights reserved.
-Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
-Copyright (c) 1988, 1993
- The Regents of the University of California. All rights reserved.
-
-By using this file, you agree to the terms and conditions set
-forth in the LICENSE file which can be found at the top level of
-the sendmail distribution.
-
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:45 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/my-main.c,v 1.1.1.1 2004/01/05 17:27:45 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-<source>
-
-*/
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <getopt.h>
-#include <sendmail.h>
-
-#define OPTIONS "B:b:C:cd:e:F:f:Gh:IiL:M:mN:nO:o:p:q:R:r:sTtUV:vX:"
-
-#define LEN 100
-unsigned char tTdvect[LEN];
-
-
-int
-main(argc, argv, envp)
- int argc;
- char **argv;
- char **envp;
-{
- int j;
-
- tTsetup(tTdvect, LEN, "0-99.1");
-
- while ((j = getopt(argc, argv, OPTIONS)) != -1)
- {
- switch (j)
- {
- case 'd':
- /* hack attack -- see if should use ANSI mode */
- if (strcmp(optarg, "ANSI") == 0)
- {
- break;
- }
- tTflag(optarg);
- setbuf(stdout, (char *) NULL);
- break;
-
- case 'G': /* relay (gateway) submission */
- break;
-
- case 'L':
- break;
-
- case 'U': /* initial (user) submission */
- break;
- }
- }
-
-
- return 0;
-
-
-}
-
-/*
-
-</source>
-
-*/
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/sendmail.h b/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/sendmail.h
deleted file mode 100644
index b84fba9d5695644b065f0b1b05f4ffbaa8bcc2c1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/sendmail.h
+++ /dev/null
@@ -1,75 +0,0 @@
-
-/*
-
-MIT Copyright Notice
-
-Copyright 2003 M.I.T.
-
-Permission is hereby granted, without written agreement or royalty fee, to use,
-copy, modify, and distribute this software and its documentation for any
-purpose, provided that the above copyright notice and the following three
-paragraphs appear in all copies of this software.
-
-IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
-INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE
-AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMANGE.
-
-M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO
-THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
-AND NON-INFRINGEMENT.
-
-THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:46 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/sendmail.h,v 1.1.1.1 2004/01/05 17:27:46 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-Sendmail Copyright Notice
-
-
-Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- All rights reserved.
-Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
-Copyright (c) 1988, 1993
- The Regents of the University of California. All rights reserved.
-
-By using this file, you agree to the terms and conditions set
-forth in the LICENSE file which can be found at the top level of
-the sendmail distribution.
-
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:46 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/sendmail.h,v 1.1.1.1 2004/01/05 17:27:46 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-<source>
-
-*/
-
-extern u_char tTdvect[]; /* trace vector */
-
-extern void tTflag __P((char *));
-extern void tTsetup __P((u_char *, int, char *));
-
-/*
-
-</source>
-
-*/
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/tTflag-bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/tTflag-bad.c
deleted file mode 100644
index ba10fc1fda3fb2a6f4c53bfe481637c6d75a1666..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/tTflag-bad.c
+++ /dev/null
@@ -1,192 +0,0 @@
-
-/*
-
-MIT Copyright Notice
-
-Copyright 2003 M.I.T.
-
-Permission is hereby granted, without written agreement or royalty fee, to use,
-copy, modify, and distribute this software and its documentation for any
-purpose, provided that the above copyright notice and the following three
-paragraphs appear in all copies of this software.
-
-IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
-INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE
-AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMANGE.
-
-M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO
-THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
-AND NON-INFRINGEMENT.
-
-THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:46 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/tTflag-bad.c,v 1.1.1.1 2004/01/05 17:27:46 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-Sendmail Copyright Notice
-
-
-Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- All rights reserved.
-Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
-Copyright (c) 1988, 1993
- The Regents of the University of California. All rights reserved.
-
-By using this file, you agree to the terms and conditions set
-forth in the LICENSE file which can be found at the top level of
-the sendmail distribution.
-
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:46 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/tTflag-bad.c,v 1.1.1.1 2004/01/05 17:27:46 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-<source>
-
-*/
-
-/**
-** TtSETUP -- set up for trace package.
-**
-** Parameters:
-** vect -- pointer to trace vector.
-** size -- number of flags in trace vector.
-** defflags -- flags to set if no value given.
-**
-** Returns:
-** none
-**
-** Side Effects:
-** environment is set up.
-*/
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <getopt.h>
-#include <sendmail.h>
-
-static u_char *tTvect;
-static int tTsize;
-static char *DefFlags;
-
-#define OPTIONS "B:b:C:cd:e:F:f:Gh:IiL:M:mN:nO:o:p:q:R:r:sTtUV:vX:"
-
-void
-tTsetup(vect, size, defflags)
- u_char *vect;
- int size;
- char *defflags;
-{
- tTvect = vect; /* vect is an alias for tTdvect, tTvect is an alias for vect */
- tTsize = size;
- DefFlags = defflags;
-}
-
-/*
-** TtFLAG -- process an external trace flag description.
-**
-** Parameters:
-** s -- the trace flag.
-**
-** Returns:
-** none.
-**
-** Side Effects:
-** sets/clears trace flags.
-*/
-
-void
-tTflag(s)
- register char *s;
-{
- int first, last;
- register unsigned int i;
-
- printf ("s: %s", s);
-
- if (*s == '\0')
- s = DefFlags;
-
- for (;;)
- {
- /* find first flag to set */
- i = 0;
-
- while (isascii(*s) && isdigit(*s))
- i = i * 10 + (*s++ - '0');
-
- /* assigning unsigned int to signed int */
- /* if i is a large positive number, first will become a negative number */
- first = i;
-
- /* find last flag to set */
- if (*s == '-')
- {
- i = 0;
- while (isascii(*++s) && isdigit(*s))
- i = i * 10 + (*s - '0');
- }
- last = i;
-
- /* find the level to set it to */
- i = 1;
- if (*s == '.')
- {
- i = 0;
- while (isascii(*++s) && isdigit(*s))
- i = i * 10 + (*s - '0');
- }
-
- /* clean up args */
-
- if (first >= tTsize) /* check will fail if first is negative! */
- first = tTsize - 1;
- if (last >= tTsize)
- last = tTsize - 1;
-
- /* set the flags */
- while (first <= last){ /* this check will hold true for a while if */
- { /* first is negative and last is positive */
- printf("index = %d\n", first);
- /*BAD*/
- tTvect[first++] = i; /* UNDERFLOW CAN OCCUR HERE. */
- /* tTvect can only hold tTsize elements */
- }
- /* This is a potential BSS underflow of tTdvect defined inside sendmail.h */
- }
- /* more arguments? */
- if (*s++ == '\0')
- return;
- }
-}
-
-
-
-
-
-/*
-
-</source>
-
-*/
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/tTflag-ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/tTflag-ok.c
deleted file mode 100644
index 8a00bedfd1cda0f134903a291f462829735e3993..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/complete/tTflag-ok.c
+++ /dev/null
@@ -1,189 +0,0 @@
-
-/*
-
-MIT Copyright Notice
-
-Copyright 2003 M.I.T.
-
-Permission is hereby granted, without written agreement or royalty fee, to use,
-copy, modify, and distribute this software and its documentation for any
-purpose, provided that the above copyright notice and the following three
-paragraphs appear in all copies of this software.
-
-IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
-INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE
-AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMANGE.
-
-M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO
-THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
-AND NON-INFRINGEMENT.
-
-THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:46 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/tTflag-ok.c,v 1.1.1.1 2004/01/05 17:27:46 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-Sendmail Copyright Notice
-
-
-Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- All rights reserved.
-Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
-Copyright (c) 1988, 1993
- The Regents of the University of California. All rights reserved.
-
-By using this file, you agree to the terms and conditions set
-forth in the LICENSE file which can be found at the top level of
-the sendmail distribution.
-
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:46 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s6/tTflag-ok.c,v 1.1.1.1 2004/01/05 17:27:46 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-<source>
-
-*/
-
-/**
-** TtSETUP -- set up for trace package.
-**
-** Parameters:
-** vect -- pointer to trace vector.
-** size -- number of flags in trace vector.
-** defflags -- flags to set if no value given.
-**
-** Returns:
-** none
-**
-** Side Effects:
-** environment is set up.
-*/
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <getopt.h>
-#include <sendmail.h>
-
-static u_char *tTvect;
-static int tTsize;
-static char *DefFlags;
-
-#define OPTIONS "B:b:C:cd:e:F:f:Gh:IiL:M:mN:nO:o:p:q:R:r:sTtUV:vX:"
-
-void
-tTsetup(vect, size, defflags)
- u_char *vect;
- int size;
- char *defflags;
-{
- tTvect = vect; /* vect is an alias for tTdvect, tTvect is an alias for vect */
- tTsize = size;
- DefFlags = defflags;
-}
-
-/*
-** TtFLAG -- process an external trace flag description.
-**
-** Parameters:
-** s -- the trace flag.
-**
-** Returns:
-** none.
-**
-** Side Effects:
-** sets/clears trace flags.
-*/
-
-void
-tTflag(s)
- register char *s;
-{
- unsigned int first, last; /* here we make sure that first and last are unsigned */
- register unsigned int i;
-
- if (*s == '\0')
- s = DefFlags;
-
- for (;;)
- {
- /* find first flag to set */
- i = 0;
-
- while (isascii(*s) && isdigit(*s))
- i = i * 10 + (*s++ - '0');
-
- first = i;
-
- /* find last flag to set */
- if (*s == '-')
- {
- i = 0;
- while (isascii(*++s) && isdigit(*s))
- i = i * 10 + (*s - '0');
- }
- last = i;
-
- /* find the level to set it to */
- i = 1;
- if (*s == '.')
- {
- i = 0;
- while (isascii(*++s) && isdigit(*s))
- i = i * 10 + (*s - '0');
- }
-
- /* clean up args */
-
-
- if (first >= tTsize) /* check will fail if first is negative! */
- first = tTsize - 1;
- if (last >= tTsize)
- last = tTsize - 1;
-
- /* set the flags */
- while (first <= last){
- {
- printf("index = %u\n", first);
- /*OK*/
- tTvect[first++] = i;
- }
-
-
- }
- /* more arguments? */
- if (*s++ == '\0')
- return;
- }
-}
-
-
-
-
-
-/*
-
-</source>
-
-*/
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_one_loop_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_one_loop_bad.c
deleted file mode 100644
index 4f9f12e41a190b22358afe2b1040ae4a1428bdac..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_one_loop_bad.c
+++ /dev/null
@@ -1,23 +0,0 @@
-int main (void)
-{
- char in[11]; // = "3277192070";
- char *s;
- unsigned char c;
- int i, j;
- int idx_in;
- in[10] = 0;
- idx_in = 0;
- s = in;
- i = 0;
- c = in[idx_in];
- while (('0' <= c) && (c <= '9'))
- {
- j = c - '0';
- i = i * 10 + j;
- idx_in++;
- c = in[idx_in];
- }
- /* BAD */
- assert (i >= 0);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_one_loop_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_one_loop_ok.c
deleted file mode 100644
index cd94a70c16a52a828a5b33088fc94923396a6a55..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_one_loop_ok.c
+++ /dev/null
@@ -1,23 +0,0 @@
-int main (void)
-{
- char in[11]; // = "3277192070";
- char *s;
- unsigned char c;
- unsigned int i, j;
- int idx_in;
- in[10] = 0;
- idx_in = 0;
- s = in;
- i = 0;
- c = in[idx_in];
- while (('0' <= c) && (c <= '9'))
- {
- j = c - '0';
- i = i * 10 + j;
- idx_in++;
- c = in[idx_in];
- }
- /* OK */
- assert (i >= 0);
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_two_loops_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_two_loops_bad.c
deleted file mode 100644
index bce0e905548a097be06ca4711939be201379f79d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_two_loops_bad.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-#define INSIZE 14
-
-int main (void)
-{
- unsigned char in[INSIZE+1]; // = "3277192070-100";
- unsigned char buf[BASE_SZ];
- unsigned char *s;
- unsigned char c;
- int first, last;
- int i, j;
- int idx_in;
-
- idx_in = 0;
- s = in;
- i = 0;
-
- /* accumulate first (int) from in (char[]) */
- c = in[idx_in];
- while (('0' <= c) && (c <= '9'))
- {
- j = c - '0';
- i = i * 10 + j;
- idx_in++;
- c = in[idx_in];
- }
- first = i;
-
- /* accumulate last (int) from in (char[]) */
- c = in[idx_in];
- if (c == '-')
- {
- i = 0;
- idx_in++;
- c = in[idx_in];
- while (('0' <= c) && (c <= '9'))
- {
- j = c - '0';
- i = i * 10 + j;
- idx_in++;
- c = in[idx_in];
- }
- }
- last = i;
-
-// printf ("first: %d, last: %d\n", first, last);
-
- /* clean up args */
-
- if (first >= BASE_SZ) /* check will fail if first is negative! */
- first = BASE_SZ - 1;
- if (last >= BASE_SZ)
- last = BASE_SZ - 1;
-
- while (first <= last)
- {
- /* BAD */
- buf[first] = 'a'; /* possibly first < 0, cast to uint is huuuuge */
- first++; /* signed int arithmetic */
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_two_loops_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_two_loops_ok.c
deleted file mode 100644
index 4c66e086076fc1e3ac3e3895e75e7c76854ac4af..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2001-0653/tTflag/tTflag_arr_two_loops_ok.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-#define INSIZE 14
-
-int main (void)
-{
- unsigned char in[INSIZE+1]; // = "3277192070-100";
- unsigned char buf[BASE_SZ];
- unsigned char *s;
- unsigned char c;
- unsigned int first, last;
- int i, j;
- int idx_in;
-
- idx_in = 0;
- s = in;
- i = 0;
-
- /* accumulate first (int) from in (char[]) */
- c = in[idx_in];
- while (('0' <= c) && (c <= '9'))
- {
- j = c - '0';
- i = i * 10 + j;
- idx_in++;
- c = in[idx_in];
- }
- first = i;
-
- /* accumulate last (int) from in (char[]) */
- c = in[idx_in];
- if (c == '-')
- {
- i = 0;
- idx_in++;
- c = in[idx_in];
- while (('0' <= c) && (c <= '9'))
- {
- j = c - '0';
- i = i * 10 + j;
- idx_in++;
- c = in[idx_in];
- }
- }
- last = i;
-
-// printf ("first: %d, last: %d\n", first, last);
-
- /* clean up args */
-
- if (first >= BASE_SZ) /* check will fail if first is negative! */
- first = BASE_SZ - 1;
- if (last >= BASE_SZ)
- last = BASE_SZ - 1;
-
- while (first <= last)
- {
- /* OK */
- buf[first] = 'a'; /* possibly first < 0, cast to uint is huuuuge */
- first++; /* signed int arithmetic */
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/README b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/README
deleted file mode 100644
index 4012771fe4705251480209adc0b3036284f7edd0..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/README
+++ /dev/null
@@ -1,25 +0,0 @@
--= CVE-2002-0906 =-
-
-Vulnerable version: Sendmail up to 8.12.5
-File: sendmail/sm_resolve.c
-Download from: ftp://ftp.sendmail.org/pub/sendmail/past-releases/
-
-Domain: Server
-
-_ Vulnerable Functions and Buffers _
-
-Function parse_dns_reply allocates a buffer of a user-specified size, then copies a separately user-specified amount of user-data into that buffer. All data is passed into the function as an unsigned char array over which a sequence of different types of records is overlaid. The overflow only occurs if a record contains a specific "type" field value. The patched version only copies as much data as the buffer can hold.
-
-_ Decomposed Programs _
-
-parse_dns_reply/
- parse_dns_reply_no_cast_{bad,ok}.c
- parse_dns_reply_cast_{bad,ok}.c
-
-Variant cast casts an array of uchars to an int (size) using bitops. Variant no_cast assigns size non-deterministically.
-
-_ Notes _
-
-This is Zitser's sendmail/s7, simplified.
-
-This vulnerability does not depend on BASE_SZ.
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply.h b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply.h
deleted file mode 100644
index f748ff9ab45b8dce548f1d98e4f44ac2f4903f9b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply.h
+++ /dev/null
@@ -1,24 +0,0 @@
-typedef unsigned short u_int16_t;
-typedef unsigned char u_char;
-
-void *malloc(unsigned int size);
-
-#define NS_GET32(l, cp) do { \
- u_char *t_cp = (u_char *)(cp); \
- (l) = ((u_int32_t)t_cp[0] << 24) \
- | ((u_int32_t)t_cp[1] << 16) \
- | ((u_int32_t)t_cp[2] << 8) \
- | ((u_int32_t)t_cp[3]) \
- ; \
- (cp) += 4; \
-} while (0)
-
-#define NS_GET16(s, cp) do { \
- u_char *t_cp = (u_char *)(cp); \
- (s) = ((u_int16_t)t_cp[0] << 8) \
- | ((u_int16_t)t_cp[1]) \
- ; \
- (cp) += 2; \
-} while (0)
-
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_cast_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_cast_bad.c
deleted file mode 100644
index 9c8e8efcfa639dcafaf2a076b9267830f6a662d7..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_cast_bad.c
+++ /dev/null
@@ -1,24 +0,0 @@
-#include "parse_dns_reply.h"
-#include "../../../../../lib/stubs.h"
-
-#define DATA 100
-
-int main (void)
-{
- unsigned char data[sizeof (u_int16_t) + sizeof (u_char) + DATA];
- unsigned char *p;
- int size;
- char *rr_txt;
-
- p = data;
-
- NS_GET16(size, p);
- rr_txt = (char *) malloc (size + 1);
- if (rr_txt == 0)
- return 0;
-
- /* BAD */
- strncpy (rr_txt, (char *) p + 1, *p);
- /* BAD */
- rr_txt[*p] = 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_cast_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_cast_ok.c
deleted file mode 100644
index b2e6b50dcce65297dda8577aea7fbecbbe603b96..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_cast_ok.c
+++ /dev/null
@@ -1,24 +0,0 @@
-#include "parse_dns_reply.h"
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- unsigned char data[sizeof (u_int16_t) + sizeof (u_char) + BASE_SZ];
- unsigned char *p;
- int size, txtlen;
- char *rr_txt;
-
- p = data;
-
- NS_GET16(size, p); // size is no longer used
-
- txtlen = *p;
- rr_txt = (char *) malloc (txtlen + 1);
- if (rr_txt == 0)
- return 0;
-
- /* OK */
- strncpy (rr_txt, (char *) p + 1, *p);
- /* OK */
- rr_txt[*p] = 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_no_cast_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_no_cast_bad.c
deleted file mode 100644
index f8cdb1803a75016d488978176bf8382d38c38438..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_no_cast_bad.c
+++ /dev/null
@@ -1,23 +0,0 @@
-#include "parse_dns_reply.h"
-#include "../../../../../lib/stubs.h"
-
-#define DATA 100
-
-int main (void)
-{
- unsigned char *p;
- int size;
- char *rr_txt;
-
- *p = nondet_unsigned_char ();
-
- size = nondet_int ();
- rr_txt = (char *) malloc (size + 1);
- if (rr_txt == 0)
- return 0;
-
- /* BAD */
- strncpy (rr_txt, (char *) p + 1, *p);
- /* BAD */
- rr_txt[*p] = 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_no_cast_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_no_cast_ok.c
deleted file mode 100644
index 6d8095a73558913103a355fc2e922a5a55f09fec..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/parse_dns_reply_no_cast_ok.c
+++ /dev/null
@@ -1,23 +0,0 @@
-#include "parse_dns_reply.h"
-#include "../../../../../lib/stubs.h"
-
-#define DATA 100
-
-int main (void)
-{
- unsigned char *p;
- int size;
- char *rr_txt;
-
- *p = nondet_unsigned_char ();
- size = *p;
-
- rr_txt = (char *) malloc (size + 1);
- if (rr_txt == 0)
- return 0;
-
- /* OK */
- strncpy (rr_txt, (char *) p + 1, *p);
- /* OK */
- rr_txt[*p] = 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/txt-dns.h b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/txt-dns.h
deleted file mode 100644
index ac3dd6fedef6699684bf42d98995b15fbc8104c7..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-0906/parse_dns_reply/txt-dns.h
+++ /dev/null
@@ -1,133 +0,0 @@
-
-/*
-
-MIT Copyright Notice
-
-Copyright 2003 M.I.T.
-
-Permission is hereby granted, without written agreement or royalty fee, to use,
-copy, modify, and distribute this software and its documentation for any
-purpose, provided that the above copyright notice and the following three
-paragraphs appear in all copies of this software.
-
-IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
-INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE
-AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMANGE.
-
-M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO
-THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
-AND NON-INFRINGEMENT.
-
-THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:47 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s7/txt-dns.h,v 1.1.1.1 2004/01/05 17:27:47 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-Sendmail Copyright Notice
-
-
-Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- All rights reserved.
-Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
-Copyright (c) 1988, 1993
- The Regents of the University of California. All rights reserved.
-
-By using this file, you agree to the terms and conditions set
-forth in the LICENSE file which can be found at the top level of
-the sendmail distribution.
-
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:47 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s7/txt-dns.h,v 1.1.1.1 2004/01/05 17:27:47 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-<source>
-
-*/
-
-#include <arpa/nameser.h>
-
-#define DNSMAP 1
-
-typedef struct
-{
- char *dns_q_domain;
- unsigned int dns_q_type;
- unsigned int dns_q_class;
-} DNS_QUERY_T;
-
-typedef struct
-{
- unsigned int mx_r_preference;
- char mx_r_domain[1];
-} MX_RECORD_T;
-
-typedef struct
-{
- unsigned int srv_r_priority;
- unsigned int srv_r_weight;
- unsigned int srv_r_port;
- char srv_r_target[1];
-} SRV_RECORDT_T;
-
-
-typedef struct resource_record RESOURCE_RECORD_T; /* from sm_resolve.h */
-
-struct resource_record
-{
- char *rr_domain;
- unsigned int rr_type;
- unsigned int rr_class;
- unsigned int rr_ttl;
- unsigned int rr_size;
- union
- {
- void *rr_data;
- MX_RECORD_T *rr_mx;
- MX_RECORD_T *rr_afsdb; /* mx and afsdb are identical */
- SRV_RECORDT_T *rr_srv;
-# if NETINET
- struct in_addr *rr_a;
-# endif /* NETINET */
-# if NETINET6
- struct in6_addr *rr_aaaa;
-# endif /* NETINET6 */
- char *rr_txt;
- } rr_u;
- RESOURCE_RECORD_T *rr_next;
-};
-
-typedef struct
-{
- HEADER dns_r_h;
- DNS_QUERY_T dns_r_q;
- RESOURCE_RECORD_T *dns_r_head;
-} DNS_REPLY_T;
-
-
-
-
-
-/*
-
-</source>
-
-*/
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/README b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/README
deleted file mode 100644
index 9df43c11841776dc71583fa30e31bf52357e16a1..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/README
+++ /dev/null
@@ -1,24 +0,0 @@
--= CVE-2002-1337 =-
-
-Vulnerable versions: Sendmail 5.79 to 8.12.7
-File: sendmail/headers.c
-Download from: ftp://ftp.sendmail.org/pub/sendmail/past-releases/sendmail.8.12.7.tar.gz
-
-Domain: Server
-
-_ Vulnerable Functions and Buffers _
-
-Function crackaddr copies the source string, addr, into the dest buffer, buf, but incorrectly computes the amount of space to reserve at the end of buf to insert angle brackets ('>') which are missing in the input. Specific inputs can lead to an overflow of buf. The patched version reserves more space at the end of buf.
-
-_ Decomposed Programs _
-
-close_angle/
- close-angle_ptr_{no,one,two}_test*_{bad,ok}.c
-
-Variant no_test simply copies the input into the dest buffer and writes ">\0" at the end. Variant one_test additionally checks for '<' in the input and only writes '>' at the end if '<' was seen. Variant two_tests also keeps track of "skipping" mode, in which input is not copied into the dest buffer.
-
-_ Notes _
-
-This is from Zitser's sendmail/s1.
-
-BASE_SZ was originally 30.
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_no_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_no_test_bad.c
deleted file mode 100644
index d08d8e7c82775389ecb2a1c9e7c4c4b823b9780e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_no_test_bad.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * This one just blindly copies the input into buffer and writes '>''\0' at the
- * end.
- */
-
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- char buffer[BASE_SZ+1];
- char input[BASE_SZ+70];
- char *buf;
- char *buflim;
- char *in;
- char cur;
-
-// shouldn't be necessary unless checking for safety of *in
-// input[BASE_SZ+70-1] = EOS;
- in = input;
- buf = buffer;
- buflim = &buffer[sizeof buffer - 1];
- // didn't reserve enough space for both '>' and '\0'!
-
- cur = *in;
- while (cur != EOS)
- {
- if (buf == buflim)
- break;
-
- *buf = cur;
- buf++;
-out:
- in++;
- cur = *in;
- }
-
- *buf = '>';
- buf++;
-
- /* BAD */
- *buf = EOS;
- buf++;
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_no_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_no_test_ok.c
deleted file mode 100644
index c7c3abf3d25ae92934fd9b00b505831b1cb59957..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_no_test_ok.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Variant: This one just blindly copies the input into buffer and writes '>''\0' at the end.
- */
-
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- char buffer[BASE_SZ+1];
- char input[BASE_SZ+70];
- char *buf;
- char *buflim;
- char *in;
- char cur;
-
-// shouldn't be necessary unless checking for safety of *in
-// input[BASE_SZ+70-1] = EOS;
- in = input;
- buf = buffer;
- buflim = &buffer[sizeof buffer - 2];
- // reserved enough space for both '>' and '\0'!
-
- cur = *in;
- while (cur != EOS)
- {
- if (buf == buflim)
- break;
-
- *buf = cur;
- buf++;
-out:
- in++;
- cur = *in;
- }
-
- *buf = '>';
- buf++;
-
- /* OK */
- *buf = EOS;
- buf++;
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_one_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_one_test_bad.c
deleted file mode 100644
index 365e19dfd0e6e8eaf8429b52841c5daeebc86e6e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_one_test_bad.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * This one bails out of the copy loop as soon as the end of buffer is
- * reached, keeping only one extra spot at the end for either a '\0' or a
- * '<', but not both.
- */
-
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- char buffer[BASE_SZ+1];
- char input[BASE_SZ+70];
- char *buf;
- char *buflim;
- char *in;
- char cur;
- int anglelev;
- int skipping;
-
- in = input;
- buf = buffer;
- buflim = &buffer[sizeof buffer - 1];
- // didn't reserve enough space for both '>' and '\0'!
-
- skipping = 0;
-
- cur = *in;
- while (cur != EOS)
- {
- if (buf == buflim)
- break;
-
- if (cur == '<')
- anglelev = 1;
- else
- goto out;
-
- *buf = cur;
- buf++;
-
-out:
- in++;
- cur = *in;
- }
-
- if (anglelev > 0)
- {
- *buf = '>';
- buf++;
- }
-
- /* BAD */
- *buf = EOS;
- buf++;
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_one_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_one_test_ok.c
deleted file mode 100644
index 776fa13525f989f6dc1a11bc82be37ec59c5ab39..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_one_test_ok.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * This one bails out of the copy loop as soon as the end of buffer is
- * reached, keeping only one extra spot at the end for either a '\0' or a
- * '<', but not both.
- */
-
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- char buffer[BASE_SZ+1];
- char input[BASE_SZ+70];
- char *buf;
- char *buflim;
- char *in;
- char cur;
- int anglelev;
- int skipping;
-
- in = input;
- buf = buffer;
- buflim = &buffer[sizeof buffer - 2];
- // reserved enough space for both '>' and '\0'!
-
- skipping = 0;
-
- cur = *in;
- while (cur != EOS)
- {
- if (buf == buflim)
- break;
-
- if (cur == '<')
- anglelev = 1;
- else
- goto out;
-
- *buf = cur;
- buf++;
-
-out:
- in++;
- cur = *in;
- }
-
- if (anglelev > 0)
- {
- *buf = '>';
- buf++;
- }
-
- /* OK */
- *buf = 0;
- buf++;
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_two_tests_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_two_tests_bad.c
deleted file mode 100644
index 692f6dd2739056c1c51ac8b4b11c47fb49e1d7ce..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_two_tests_bad.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * This one copies '<' as long as there's safe space, then writes
- * '>''\0' at the end if at least one '<' was read.
- */
-
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- char buffer[BASE_SZ+1];
- char input[BASE_SZ+70]; // = "<";
- char *buf;
- char *buflim;
- char *in;
- char cur;
- int anglelev;
- int skipping;
-
- in = input;
- buf = buffer;
- buflim = &buffer[sizeof buffer - 1];
- // didn't reserve enough space for both '>' and '\0'!
-
- skipping = 0;
-
- cur = *in;
- while (cur != EOS)
- {
- if (buf >= buflim)
- skipping = 1;
- else
- skipping = 0;
-
- if (cur == '<')
- {
- if (!skipping)
- anglelev = 1;
- }
- else
- goto out;
-
- if (!skipping)
- {
- *buf = cur;
- buf++;
- }
-
-out:
- in++;
- cur = *in;
- }
-
- if (anglelev > 0)
- {
- *buf = '>';
- buf++;
- }
-
- /* BAD */
- *buf = EOS;
- buf++;
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_two_tests_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_two_tests_ok.c
deleted file mode 100644
index 0191abd110fb0fdfaedd9c7f6e62d4eb15061f57..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/close_angle/close-angle_ptr_two_tests_ok.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * This one copies '<' as long as there's safe space, then writes
- * '>''\0' at the end if at least one '<' was read.
- */
-
-#include "../../../../../lib/stubs.h"
-
-int main (void)
-{
- char buffer[BASE_SZ+1];
- char input[BASE_SZ+70]; // = "<";
- char *buf;
- char *buflim;
- char *in;
- char cur;
- int anglelev;
- int skipping;
-
- in = input;
- buf = buffer;
- buflim = &buffer[sizeof buffer - 2];
- // reserved enough space for both '>' and '\0'!
-
- skipping = 0;
-
- cur = *in;
- while (cur != EOS)
- {
- if (buf >= buflim)
- skipping = 1;
- else
- skipping = 0;
-
- if (cur == '<')
- {
- if (!skipping)
- anglelev = 1;
- }
- else
- goto out;
-
- if (!skipping)
- {
- *buf = cur;
- buf++;
- }
-
-out:
- in++;
- cur = *in;
- }
-
- if (anglelev > 0)
- {
- *buf = '>';
- buf++;
- }
-
- /* OK */
- *buf = EOS;
- buf++;
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/complete/crackaddr_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/complete/crackaddr_bad.c
deleted file mode 100644
index f4d521c90b9883b41c4b2c90294ad3b42e4c240b..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2002-1337/complete/crackaddr_bad.c
+++ /dev/null
@@ -1,538 +0,0 @@
-
-/*
-
-MIT Copyright Notice
-
-Copyright 2003 M.I.T.
-
-Permission is hereby granted, without written agreement or royalty fee, to use,
-copy, modify, and distribute this software and its documentation for any
-purpose, provided that the above copyright notice and the following three
-paragraphs appear in all copies of this software.
-
-IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
-INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE
-AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMANGE.
-
-M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO
-THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
-AND NON-INFRINGEMENT.
-
-THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:48 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s1/crackaddr-bad.c,v 1.1.1.1 2004/01/05 17:27:48 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-Sendmail Copyright Notice
-
-
-Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- All rights reserved.
-Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
-Copyright (c) 1988, 1993
- The Regents of the University of California. All rights reserved.
-
-By using this file, you agree to the terms and conditions set
-forth in the LICENSE file which can be found at the top level of
-the sendmail distribution.
-
-
-$Author: tleek $
-$Date: 2004/01/05 17:27:48 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s1/crackaddr-bad.c,v 1.1.1.1 2004/01/05 17:27:48 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-<source>
-
-*/
-
-// NB: Derived from sendmail/headers.c
-
-/*
- * Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- * All rights reserved.
- * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
- * Copyright (c) 1988, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * By using this file, you agree to the terms and conditions set
- * forth in the LICENSE file which can be found at the top level of
- * the sendmail distribution.
- *
- */
-
-
-
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-/* ccured needs this */
-#pragma ccuredvararg("scanf", printf(1))
-
-/* macro substitution character */
-#define MACROEXPAND ((unsigned char)0201) /* macro expansion */
-#define MAXNAME 30 /* max length of a name */
-#define MAXCANARY 10
-
-enum bool {false, true};
-
-
-int ColonOkInAddr; /* single colon legal in address */
-char *MustQuoteChars; /* quote these characters in phrases */
-
-
-/*
-** CRACKADDR -- parse an address and turn it into a macro
-**
-** This doesn't actually parse the address -- it just extracts
-** it and replaces it with "$g". The parse is totally ad hoc
-** and isn't even guaranteed to leave something syntactically
-** identical to what it started with. However, it does leave
-** something semantically identical.
-**
-** This algorithm has been cleaned up to handle a wider range
-** of cases -- notably quoted and backslash escaped strings.
-** This modification makes it substantially better at preserving
-** the original syntax.
-**
-** Parameters:
-** addr -- the address to be cracked.
-**
-** Returns:
-** a pointer to the new version.
-**
-** Side Effects:
-** none.
-**
-** Warning:
-** The return value is saved in local storage and should
-** be copied if it is to be reused.
-*/
-
-char *
-crackaddr(addr)
- register char *addr;
-{
- register char *p;
- register char c;
- int cmtlev;
- int realcmtlev;
- int anglelev, realanglelev;
- int copylev;
- int bracklev;
- enum bool qmode;
- enum bool realqmode;
- enum bool skipping;
- enum bool putgmac = false;
- enum bool quoteit = false;
- enum bool gotangle = false;
- enum bool gotcolon = false;
- register char *bp;
- char *obp;
- char *buflim;
- char *bufhead;
- char *addrhead;
- static char canary[MAXCANARY+1];
- static char buf[MAXNAME + 1];
- static char test_buf[10]; /* will use as a canary to detect overflow */
- /* of buf[] */
-
- memset (canary, 'A', MAXCANARY+1);
- strcpy(test_buf, "GOOD");
-
- printf("Inside crackaddr!\n");
-
-
- /* strip leading spaces */
- while (*addr != '\0' && isascii((int)*addr) && isspace((int)*addr))
- addr++;
-
- /*
- ** Start by assuming we have no angle brackets. This will be
- ** adjusted later if we find them.
- */
-
-
- bp = bufhead = buf;
- obp = bp;
- buflim = &buf[sizeof buf - 7];
- p = addrhead = addr;
- copylev = anglelev = realanglelev = cmtlev = realcmtlev = 0;
- bracklev = 0;
- qmode = realqmode = false;
-
- printf("qmode = %d\n", qmode);
-
- while ((c = *p++) != '\0')
- {
- /*
- ** If the buffer is overful, go into a special "skipping"
- ** mode that tries to keep legal syntax but doesn't actually
- ** output things.
- */
-
- printf("c = %c\n", c);
-
- skipping = bp >= buflim;
-
- if (copylev > 0 && !skipping)
- {
- /*BAD*/
- *bp++ = c;
- }
- /* check for backslash escapes */
- if (c == '\\')
- {
- /* arrange to quote the address */
- if (cmtlev <= 0 && !qmode)
- quoteit = true;
-
- if ((c = *p++) == '\0')
- {
- /* too far */
- p--;
- goto putg;
- }
- if (copylev > 0 && !skipping)
- {
- /*BAD*/
- *bp++ = c;
- }
- goto putg;
- }
-
- /* check for quoted strings */
- if (c == '"' && cmtlev <= 0)
- {
- printf("quoted string...\n");
- qmode = !qmode;
- if (copylev > 0 && !skipping)
- realqmode = !realqmode;
- continue;
- }
- if (qmode)
- goto putg;
-
- /* check for comments */
- if (c == '(')
- {
- printf("left ( seen....\n");
- cmtlev++;
-
- /* allow space for closing paren */
- if (!skipping)
- {
- buflim--;
- realcmtlev++;
- if (copylev++ <= 0)
- {
- if (bp != bufhead)
- {
- /*BAD*/
- *bp++ = ' ';
- }
-
- /*BAD*/
- *bp++ = c;
- }
- }
- }
- if (cmtlev > 0)
- {
- if (c == ')')
- {
- cmtlev--;
- copylev--;
- if (!skipping)
- {
- realcmtlev--;
- buflim++;
- }
- }
- continue;
- }
- else if (c == ')')
- {
- /* syntax error: unmatched ) */
- if (copylev > 0 && !skipping)
- bp--;
- }
-
- /* count nesting on [ ... ] (for IPv6 domain literals) */
- if (c == '[')
- bracklev++;
- else if (c == ']')
- bracklev--;
-
- /* check for group: list; syntax */
- if (c == ':' && anglelev <= 0 && bracklev <= 0 &&
- !gotcolon && !ColonOkInAddr)
- {
- register char *q;
-
- /*
- ** Check for DECnet phase IV ``::'' (host::user)
- ** or ** DECnet phase V ``:.'' syntaxes. The latter
- ** covers ``user@DEC:.tay.myhost'' and
- ** ``DEC:.tay.myhost::user'' syntaxes (bletch).
- */
-
- if (*p == ':' || *p == '.')
- {
- if (cmtlev <= 0 && !qmode)
- quoteit = true;
- if (copylev > 0 && !skipping)
- {
- /*BAD*/
- *bp++ = c;
- /*BAD*/
- *bp++ = *p;
- }
- p++;
- goto putg;
- }
-
- gotcolon = true;
-
- bp = bufhead;
- if (quoteit)
- {
- /*BAD*/
- *bp++ = '"';
-
- /* back up over the ':' and any spaces */
- --p;
-
- while (isascii((int) *--p) && isspace((int) *p))
- continue;
- p++;
- }
- for (q = addrhead; q < p; )
- {
- c = *q++;
- if (bp < buflim)
- {
- if (quoteit && c == '"')
- /*BAD*/
- *bp++ = '\\';
- /*BAD*/
- *bp++ = c;
-
- }
- }
- if (quoteit)
- {
- if (bp == &bufhead[1])
- bp--;
- else{
- /*BAD*/
- *bp++ = '"';
- }
- while ((c = *p++) != ':')
- {
- if (bp < buflim){
- /*BAD*/
- *bp++ = c;
- }
- }
- /*BAD*/
- *bp++ = c;
- }
-
- /* any trailing white space is part of group: */
- while (isascii((int) *p) && isspace((int)*p) && bp < buflim)
- {
- /*BAD*/
- *bp++ = *p++;
- }
- copylev = 0;
- putgmac = quoteit = false;
- bufhead = bp;
- addrhead = p;
- continue;
- }
-
- if (c == ';' && copylev <= 0 && !ColonOkInAddr)
- {
- if (bp < buflim)
- /*BAD*/
- *bp++ = c;
- }
-
- /* check for characters that may have to be quoted */
- if (strchr(MustQuoteChars, c) != NULL)
- {
- /*
- ** If these occur as the phrase part of a <>
- ** construct, but are not inside of () or already
- ** quoted, they will have to be quoted. Note that
- ** now (but don't actually do the quoting).
- */
-
- if (cmtlev <= 0 && !qmode)
- quoteit = true;
- }
-
- /* check for angle brackets */
- if (c == '<')
- {
- register char *q;
-
- /* assume first of two angles is bogus */
- if (gotangle)
- quoteit = true;
- gotangle = true;
-
- /* oops -- have to change our mind */
- anglelev = 1;
- if (!skipping)
- realanglelev = 1;
-
- bp = bufhead;
- if (quoteit)
- {
- /*BAD*/
- *bp++ = '"';
-
- /* back up over the '<' and any spaces */
- --p;
- while (isascii((int)*--p) && isspace((int)*p))
- continue;
- p++;
- }
- for (q = addrhead; q < p; )
- {
- c = *q++;
- if (bp < buflim)
- {
- if (quoteit && c == '"')
- /*BAD*/
- *bp++ = '\\';
- /*BAD*/
- *bp++ = c;
- }
- }
- if (quoteit)
- {
- if (bp == &buf[1])
- bp--;
- else
- /*BAD*/
- *bp++ = '"';
- while ((c = *p++) != '<')
- {
- if (bp < buflim)
- /*BAD*/
- *bp++ = c;
- }
- /*BAD*/
- *bp++ = c;
- }
- copylev = 0;
- putgmac = quoteit = false;
- continue;
- }
-
- if (c == '>')
- {
- if (anglelev > 0)
- {
- anglelev--;
- if (!skipping)
- {
- realanglelev--;
- buflim++;
- }
- }
- else if (!skipping)
- {
- /* syntax error: unmatched > */
- if (copylev > 0)
- bp--;
- quoteit = true;
- continue;
- }
- if (copylev++ <= 0)
- /*BAD*/
- *bp++ = c;
- continue;
- }
-
- /* must be a real address character */
- putg:
- if (copylev <= 0 && !putgmac)
- {
- if (bp > bufhead && bp[-1] == ')')
- /*BAD*/
- *bp++ = ' ';
- /*BAD*/
- *bp++ = MACROEXPAND;
- /*BAD*/
- *bp++ = 'g';
- putgmac = true;
- }
- printf("Buf = %s\n", buf);
- }
-
- /* repair any syntactic damage */
- if (realqmode)
- /*BAD*/
- *bp++ = '"';
- while (realcmtlev-- > 0)
- /*BAD*/
- *bp++ = ')';
- while (realanglelev-- > 0)
- /*BAD*/
- *bp++ = '>';
- /*BAD*/
- *bp++ = '\0';
-
- printf("canary:\n");
- printbuf (canary, MAXCANARY+1);
- printf("buf:\n");
- printbuf (buf, MAXNAME+1);
-
- return buf;
-}
-
-
-int main(){
-
- char address[100];
- char *res_addr;
-
- MustQuoteChars = "@,;:\\()[].'";
-
- printf("Enter email address:\n");
- scanf("%99s", address);
-
- res_addr = crackaddr(address);
-
- return 0;
-}
-
-/*
-
-</source>
-
-*/
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/README b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/README
deleted file mode 100644
index 848f7a02f964f61562bdb319854631c30850068d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/README
+++ /dev/null
@@ -1,28 +0,0 @@
--= CVE-2003-0161 =-
-
-Vulnerable versions: Sendmail to 8.12.9
-File: sendmail/parseaddr
-Download from: ftp://ftp.sendmail.org/pub/sendmail/past-releases/
-
-Domain: Server
-
-_ Vulnerable Functions and Buffers _
-
-Function prescan writes to a fixed size buffer, pvpbuf, while scanning a user string, addr. In the original code, it sets a temporary variable, int c, to the current character (char) in addr, but can also set c to (int) -1 to indicate that the current char should not be copied to pvpbuf. This causes the loop which scans addr to skip a bounds check on pvpbuf in the next iteration. Subsequently, if '\\' is the next char in addr, it is written into pvpbuf without a bounds check. The special value -1 is not supposed to be in the character set of addr, but due to sign extension from int to char, the (char) value '\377' is interpreted as (int) -1. Thus, a sufficiently long input of the pattern ('\\''\377')+ overflows pvpbuf. The patched version masks out the high bits of each input char to prevent sign extension.
-
-_ Decomposed Programs _
-
-prescan/
- prescan_arr_{min,med}_test_{bad,ok}.c
-
-Variant min_test omits an input test which guards a dereference and increment of the dest pointer.
-
-_ Notes _
-
-This is Zitser's sendmail/s5, simplified.
-
-BASE_SZ was originally 50.
-
-LOGIN is originally unbounded, but passwd (1) probably limits it to something small.
-
-GECOS is shorter than BASE_SZ.
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_med_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_med_test_bad.c
deleted file mode 100644
index 5f8dd7ac6c505b1f16fb0d1f051a725574c3ca32..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_med_test_bad.c
+++ /dev/null
@@ -1,86 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-#define ADDRSIZE 500 // originally 500
-#define PSBUFSIZE BASE_SZ
-#define MAXNAME (4 * BASE_SZ / 5)
-#define NOCHAR -1
-#define TRUE 1
-#define FALSE 0
-
-int main (void)
-{
- // originally function arguments
- char addr[ADDRSIZE];
- char pvpbuf[PSBUFSIZE];
-
- int p, q, q_old;
- int c;
-
- int pvpbuf_end = sizeof (pvpbuf);
-
- int bslashmode;
- int i;
-
- p = 0;
- q = 0;
- bslashmode = FALSE;
-
- c = NOCHAR;
-
- q_old = q;
- do
- {
- // bounds check and write lookahead (c) to pvpbuf
- if (c != NOCHAR && !bslashmode)
- {
- if (q >= pvpbuf_end - 1)
- return 0;
- pvpbuf[q] = c;
- q++;
- }
-
- // read next input char
- c = addr[p];
- p++;
- if (c == EOS)
- break;
-
- //assert (q < pvpbuf_end);
- /* BAD */
- pvpbuf[q] = EOS; // precautiously write EOS to dest
-
- if (bslashmode)
- {
- bslashmode = FALSE;
-
- if (c != '!')
- {
- //assert (q < pvpbuf_end);
- /* BAD */
- pvpbuf[q] = '\\'; // SatAbs 1.8 says this is safe
- q++;
- continue;
- }
- }
-
- if (c == '\\')
- bslashmode = TRUE;
- if (c == NOCHAR) // not supposed to be in the input alphabet
- continue; // skip bounds check on next for loop so another \ can be copied
- if (c == EOS)
- break;
- } while (1);
-
- if (q_old != q)
- {
- //assert (q < pvpbuf_end);
- /* BAD */
- pvpbuf[q] = 0;
- q++;
-
- if (q - q_old > MAXNAME)
- return 0;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_med_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_med_test_ok.c
deleted file mode 100644
index f590b2e06c23d7522af80f44ea1e3190c3af5fde..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_med_test_ok.c
+++ /dev/null
@@ -1,86 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-#define ADDRSIZE 500 // originally 500
-#define PSBUFSIZE BASE_SZ
-#define MAXNAME (4 * BASE_SZ / 5)
-#define NOCHAR -1
-#define TRUE 1
-#define FALSE 0
-
-int main (void)
-{
- // originally function arguments
- char addr[ADDRSIZE];
- char pvpbuf[PSBUFSIZE];
-
- int p, q, q_old;
- int c;
-
- int pvpbuf_end = sizeof (pvpbuf);
-
- int bslashmode;
- int i;
-
- p = 0;
- q = 0;
- bslashmode = FALSE;
-
- c = NOCHAR;
-
- q_old = q;
- do
- {
- // bounds check and write lookahead (c) to pvpbuf
- if (c != NOCHAR && !bslashmode)
- {
- if (q >= pvpbuf_end - 1)
- return 0;
- pvpbuf[q] = c;
- q++;
- }
-
- // read next input char
- c = addr[p] & 0xff; // mask out high bits to prevent sign extension
- p++;
- if (c == EOS)
- break;
-
- //assert (q < pvpbuf_end);
- /* OK */
- pvpbuf[q] = EOS; // precautiously write EOS to dest
-
- if (bslashmode)
- {
- bslashmode = FALSE;
-
- if (c != '!')
- {
- //assert (q < pvpbuf_end);
- /* OK */
- pvpbuf[q] = '\\'; // SatAbs 1.8 says this is safe
- q++;
- continue;
- }
- }
-
- if (c == '\\')
- bslashmode = TRUE;
- if (c == NOCHAR) // not supposed to be in the input alphabet
- continue; // skip bounds check on next for loop so another \ can be copied
- if (c == EOS)
- break;
- } while (1);
-
- if (q_old != q)
- {
- //assert (q < pvpbuf_end);
- /* OK */
- pvpbuf[q] = 0;
- q++;
-
- if (q - q_old > MAXNAME)
- return 0;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_min_test_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_min_test_bad.c
deleted file mode 100644
index 259f890230e01586bf0da5fed3e3c567f175d591..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_min_test_bad.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-#define ADDRSIZE 500 // originally 500
-#define PSBUFSIZE BASE_SZ
-#define MAXNAME (4 * BASE_SZ / 5)
-#define NOCHAR -1
-#define TRUE 1
-#define FALSE 0
-
-int main (void)
-{
- // originally function arguments
- char addr[ADDRSIZE];
- char pvpbuf[PSBUFSIZE];
-
- int p, q, q_old;
- int c;
-
- int pvpbuf_end = sizeof (pvpbuf);
-
- int bslashmode;
- int i;
-
- p = 0;
- q = 0;
- bslashmode = FALSE;
-
- c = NOCHAR;
-
- q_old = q;
- do
- {
- // bounds check and write lookahead (c) to pvpbuf
- if (c != NOCHAR && !bslashmode)
- {
- if (q >= pvpbuf_end - 1)
- return 0;
- pvpbuf[q] = c;
- q++;
- }
-
- // read next input char
- c = addr[p];
- p++;
- if (c == EOS)
- break;
-
- //assert (q < pvpbuf_end);
- /*BAD*/
- pvpbuf[q] = EOS; // precautiously write EOS to dest
-
- if (bslashmode)
- {
- bslashmode = FALSE;
-
- //assert (q < pvpbuf_end);
- /*BAD*/
- pvpbuf[q] = '\\';
- q++;
- continue;
- }
-
- if (c == '\\')
- bslashmode = TRUE;
- if (c == NOCHAR) // not supposed to be in the input alphabet
- continue; // skip bounds check on next for loop so another \ can be copied
- if (c == EOS)
- break;
- } while (1);
-
- if (q_old != q)
- {
- //assert (q < pvpbuf_end);
- /*BAD*/
- pvpbuf[q] = 0;
- q++;
-
- if (q - q_old > MAXNAME)
- return 0;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_min_test_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_min_test_ok.c
deleted file mode 100644
index 51a1ec55ab739f033fee6e46d66d359d2b26843c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0161/prescan/prescan_arr_min_test_ok.c
+++ /dev/null
@@ -1,92 +0,0 @@
-#include "../../../../../lib/stubs.h"
-
-#define ADDRSIZE 500 // originally 500
-#define PSBUFSIZE BASE_SZ
-#define MAXNAME (4 * BASE_SZ / 5)
-#define NOCHAR -1
-#define TRUE 1
-#define FALSE 0
-
-int main (void)
-{
- // originally function arguments
- char addr[ADDRSIZE];
- char pvpbuf[PSBUFSIZE];
-
- int p, q, q_old;
- int c;
-
- int pvpbuf_end = sizeof (pvpbuf);
-
- int bslashmode;
- int i;
-
- // alternative method to initialize addr to attack string
- /*
- for(i=0; i<20; i=i+2)
- {
- addr[i] = '\\';
- addr[i+1] = '\377'; // when cast to int, gets sign extended to -1 (NOCHAR)
- }
- */
-
- p = 0;
- q = 0;
- bslashmode = FALSE;
-
- c = NOCHAR;
-
- q_old = q;
- do
- {
- // bounds check and write lookahead (c) to pvpbuf
- if (c != NOCHAR && !bslashmode)
- {
- if (q >= pvpbuf_end - 1)
- return 0;
- pvpbuf[q] = c;
- q++;
- }
-
- // read next input char
- c = addr[p] & 0xff; // mask out high bits to prevent sign extension
- p++;
- if (c == EOS)
- break;
-
- //assert (q < pvpbuf_end);
- /* OK */
- pvpbuf[q] = EOS; // precautiously write EOS to dest
-
- if (bslashmode)
- {
- bslashmode = FALSE;
-
- //assert (q < pvpbuf_end);
- /* OK */
- pvpbuf[q] = '\\';
- q++;
- continue;
- }
-
- if (c == '\\')
- bslashmode = TRUE;
- if (c == NOCHAR) // not supposed to be in the input alphabet
- continue; // skip bounds check on next for loop so another \ can be copied
- if (c == EOS)
- break;
- } while (1);
-
- if (q_old != q)
- {
- //assert (q < pvpbuf_end);
- /* OK */
- pvpbuf[q] = 0;
- q++;
-
- if (q - q_old > MAXNAME)
- return 0;
- }
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/README b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/README
deleted file mode 100644
index b3c059dd9f40869fc9385a129259eb89e302749e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/README
+++ /dev/null
@@ -1,24 +0,0 @@
--= CVE-2003-0681 =-
-
-Vulnerable versions: Sendmail 8.6.12 to ?
-File: libsm/mbdb.c
-Download from: source not available anymore
-
-Domain: Server
-
-_ Vulnerable Functions and Buffers _
-
-Function buildfname (originally sm_pwfullname) takes a gecos and a login string as arguments and, for each occurence of the '&' character in the gecos string, blindly appends (strcpy) the login string to a fixed size buffer. The patched version uses strncpy with a safe bound instead of strcpy.
-
-_ Decomposed Programs _
-
-buildfname/
- buildfname_arr_{one,two}_gecos_{bad,ok}.c
-
-Variant two_gecos allocates a gecos string of strlen two (so the login string can be copied into the dest buffer twice), whereas one_gecos only allocates a gecos string of strlen one.
-
-_ Notes _
-
-This is Zitser's sendmail/s2, simplified.
-
-BASE_SZ was originally 256.
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_one_gecos_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_one_gecos_bad.c
deleted file mode 100644
index e89e33601c43b9411bb8528dad281c38ed60bc28..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_one_gecos_bad.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#define BUF BASE_SZ
-#define GECOS 1
-#define LOGIN (BASE_SZ + 1)/GECOS // unbounded?
-
-#include "../../../../../lib/stubs.h"
-
-int
-main (void)
-{
- // these were parameters
- char login[LOGIN + 1];
- char gecos[GECOS + 1];
-
- char buf[BUF + 1];
- char c;
- int i, j;
-
- login[(int) (sizeof login - 1)] = EOS;
- gecos[(int) (sizeof gecos - 1)] = EOS;
-
- i = 0;
- if (gecos[i] == '*')
- i++;
-
- c = gecos[i];
- j = 0;
- while (c != EOS && c != ',' && c != ';' && c != '%')
- {
- if (c == '&')
- {
- /* BAD */
- (void) strcpy (buf + j, login);
- while (buf[j] != EOS)
- j++;
- }
- else
- {
- /* BAD */
- buf[j] = c;
- j++;
- }
- i++;
- c = gecos[i];
- }
- buf[j] = EOS;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_one_gecos_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_one_gecos_ok.c
deleted file mode 100644
index 2b688fe1d8da0f9effcf68c7fea0e79367fca0b5..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_one_gecos_ok.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#define BUF BASE_SZ
-#define GECOS 1
-#define LOGIN (BASE_SZ + 1)/GECOS // unbounded?
-
-//#include <assert.h>
-//#include <stdio.h>
-#include "../../../../../lib/stubs.h"
-
-int
-main (void)
-{
- // these were parameters
- char login[LOGIN + 1];
- char gecos[GECOS + 1];
-
- char buf[BUF + 1];
- char c;
- int i, j;
-
- login[(int) (sizeof login - 1)] = EOS;
- gecos[(int) (sizeof gecos - 1)] = EOS;
-
- i = 0;
- if (gecos[i] == '*')
- i++;
-
- c = gecos[i];
- j = 0;
- while (c != EOS && c != ',' && c != ';' && c != '%')
- {
- if (c == '&')
- {
- /* OK */
- (void) strncpy (buf + j, login, sizeof (buf) - j);
- while (buf[j] != EOS)
- j++;
- }
- else
- {
- /* OK */
- buf[j] = c;
- j++;
- }
- i++;
- c = gecos[i];
- }
- buf[j] = EOS;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_two_gecos_bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_two_gecos_bad.c
deleted file mode 100644
index b41e0968c1c357cad190076dc0f010901c4fe0cf..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_two_gecos_bad.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#define BUF BASE_SZ
-#define GECOS 2
-#define LOGIN (BASE_SZ + 2)/GECOS
-
-#include "../../../../../lib/stubs.h"
-
-int
-main (void)
-{
- // these were parameters
- char login[LOGIN + 1];
- char gecos[GECOS + 1];
-
- char buf[BUF + 1];
- char c;
- int i, j;
-
- login[(int) (sizeof login - 1)] = EOS;
- gecos[(int) (sizeof gecos - 1)] = EOS;
-
- i = 0;
- if (gecos[i] == '*')
- i++;
-
- c = gecos[i];
- j = 0;
- while (c != EOS && c != ',' && c != ';' && c != '%')
- {
- if (c == '&')
- {
- /* BAD */
- (void) strcpy (buf + j, login);
- while (buf[j] != EOS)
- j++;
- }
- else
- {
- /* BAD */
- buf[j] = c;
- j++;
- }
- i++;
- c = gecos[i];
- }
- buf[j] = EOS;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_two_gecos_ok.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_two_gecos_ok.c
deleted file mode 100644
index da4f62270415248e084c6039e5a0fc728130724a..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/buildfname/buildfname_arr_two_gecos_ok.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#define BUF BASE_SZ
-#define GECOS 2
-#define LOGIN (BASE_SZ + 2)/GECOS
-
-#include "../../../../../lib/stubs.h"
-
-int
-main (void)
-{
- // these were parameters
- char login[LOGIN + 1];
- char gecos[GECOS + 1];
-
- char buf[BUF + 1];
- char c;
- int i, j;
-
- login[(int) (sizeof login - 1)] = EOS;
- gecos[(int) (sizeof gecos - 1)] = EOS;
-
- i = 0;
- if (gecos[i] == '*')
- i++;
-
- c = gecos[i];
- j = 0;
- while (c != EOS && c != ',' && c != ';' && c != '%')
- {
- if (c == '&')
- {
- /* OK */
- (void) strncpy (buf + j, login, sizeof (buf) - j);
- while (buf[j] != EOS)
- j++;
- }
- else
- {
- /* OK */
- buf[j] = c;
- j++;
- }
- i++;
- c = gecos[i];
- }
- buf[j] = EOS;
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/complete/util-bad.c b/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/complete/util-bad.c
deleted file mode 100644
index 440202b23db9fd2f8e14bcf90b4b3171c079b466..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/CVE-2003-0681/complete/util-bad.c
+++ /dev/null
@@ -1,136 +0,0 @@
-
-/*
-
-MIT Copyright Notice
-
-Copyright 2003 M.I.T.
-
-Permission is hereby granted, without written agreement or royalty fee, to use,
-copy, modify, and distribute this software and its documentation for any
-purpose, provided that the above copyright notice and the following three
-paragraphs appear in all copies of this software.
-
-IN NO EVENT SHALL M.I.T. BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL,
-INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE
-AND ITS DOCUMENTATION, EVEN IF M.I.T. HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMANGE.
-
-M.I.T. SPECIFICALLY DISCLAIMS ANY WARRANTIES INCLUDING, BUT NOT LIMITED TO
-THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
-AND NON-INFRINGEMENT.
-
-THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND M.I.T. HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
-
-$Author: tleek $
-$Date: 2004/02/05 15:19:49 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s2/util-bad.c,v 1.2 2004/02/05 15:19:49 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-Sendmail Copyright Notice
-
-
-Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
- All rights reserved.
-Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
-Copyright (c) 1988, 1993
- The Regents of the University of California. All rights reserved.
-
-By using this file, you agree to the terms and conditions set
-forth in the LICENSE file which can be found at the top level of
-the sendmail distribution.
-
-
-$Author: tleek $
-$Date: 2004/02/05 15:19:49 $
-$Header: /mnt/leo2/cvs/sabo/hist-040105/sendmail/s2/util-bad.c,v 1.2 2004/02/05 15:19:49 tleek Exp $
-
-
-
-*/
-
-
-/*
-
-<source>
-
-*/
-
-#include <ctype.h>
-#include <stdio.h>
-#include <string.h>
-
-/*
-** BUILDFNAME -- build full name from gecos style entry.
-**
-** This routine interprets the strange entry that would appear
-** in the GECOS field of the password file.
-**
-** Parameters:
-** p -- name to build.
-** login -- the login name of this user (for &).
-** buf -- place to put the result.
-**
-** Returns:
-** none.
-**
-** Side Effects:
-** none.
-*/
-
-int
-main (void)
-{
- char *gecos, *login, *buf; // these were parameters
- char *p;
- char *bp;
- int l;
-
- bp = buf;
-
- if (*gecos == '*')
- gecos++;
-
- /* find length of final string */
- l = 0;
- for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
- {
- if (*p == '&')
- l += strlen(login);
- else
- l++;
- }
-
- /* now fill in buf */
- for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
- {
- if (*p == '&')
- {
-
- // printf ("strcpy(bp,login)\n");
- // printf ("strlen(bp) = %d strlen(login) = %d\n",
- // strlen(bp), strlen(login));
-
- /*BAD*/
- (void) strcpy(bp, login);
- // *bp = toupper(*bp);
- while (*bp != '\0')
- bp++;
- }
- else {
- /*BAD*/
- *bp++ = *p;
- // printf ("bp-buf = %d\n", (bp-buf));
- }
- }
- *bp = '\0';
-
- // printf("buf can store at most %d bytes; strlen(buf) = %d\n", MAXNAME+1, strlen(buf));
-}
-
diff --git a/tests/verisec/suite/programs/apps/sendmail/README b/tests/verisec/suite/programs/apps/sendmail/README
deleted file mode 100644
index 27c23f5f8dce1a9a78746a59a422971bf07ff018..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/README
+++ /dev/null
@@ -1,6 +0,0 @@
--= Sendmail =-
-
-Homepage: http://www.sendmail.org
-Domain: Server
-
-Sendmail is the standard Unix mail (SMTP) server.
diff --git a/tests/verisec/suite/programs/apps/sendmail/main_tests b/tests/verisec/suite/programs/apps/sendmail/main_tests
deleted file mode 100644
index c3c32707d2cc7a8edbc528fc345e8c94334bd4fe..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/sendmail/main_tests
+++ /dev/null
@@ -1,28 +0,0 @@
-./CVE-2003-0161/prescan/prescan_arr_min_test_ok.c
-./CVE-2003-0161/prescan/prescan_arr_min_test_bad.c
-./CVE-2003-0161/prescan/prescan_arr_med_test_bad.c
-./CVE-2003-0161/prescan/prescan_arr_med_test_ok.c
-./CVE-2002-0906/parse_dns_reply/parse_dns_reply_cast_bad.c
-./CVE-2002-0906/parse_dns_reply/parse_dns_reply_no_cast_bad.c
-./CVE-2002-0906/parse_dns_reply/parse_dns_reply_no_cast_ok.c
-./CVE-2002-0906/parse_dns_reply/parse_dns_reply_cast_ok.c
-./CVE-2001-0653/tTflag/tTflag_arr_two_loops_ok.c
-./CVE-2001-0653/tTflag/tTflag_arr_one_loop_bad.c
-./CVE-2001-0653/tTflag/tTflag_arr_two_loops_bad.c
-./CVE-2001-0653/tTflag/tTflag_arr_one_loop_ok.c
-./CVE-2003-0681/buildfname/buildfname_arr_one_gecos_ok.c
-./CVE-2003-0681/buildfname/buildfname_arr_two_gecos_ok.c
-./CVE-2003-0681/buildfname/buildfname_arr_one_gecos_bad.c
-./CVE-2003-0681/buildfname/buildfname_arr_two_gecos_bad.c
-./CVE-2002-1337/close_angle/close-angle_ptr_no_test_ok.c
-./CVE-2002-1337/close_angle/close-angle_ptr_one_test_bad.c
-./CVE-2002-1337/close_angle/close-angle_ptr_no_test_bad.c
-./CVE-2002-1337/close_angle/close-angle_ptr_one_test_ok.c
-./CVE-1999-0047/mime7to8/mime7to8_arr_one_char_no_test_ok.c
-./CVE-1999-0047/mime7to8/mime7to8_arr_one_char_no_test_bad.c
-./CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_heavy_test_bad.c
-./CVE-1999-0047/mime7to8/mime7to8_ptr_three_chars_heavy_test_ok.c
-./CVE-1999-0206/mime_fromqp/mime_fromqp_ptr_bad.c
-./CVE-1999-0206/mime_fromqp/mime_fromqp_ptr_ok.c
-./CVE-1999-0206/mime_fromqp/mime_fromqp_arr_bad.c
-./CVE-1999-0206/mime_fromqp/mime_fromqp_arr_ok.c
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/README b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/README
deleted file mode 100644
index bb9146ac56c69e6ff03f9c084597f5ee12a696cb..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/README
+++ /dev/null
@@ -1,52 +0,0 @@
--= CVE-1999-0368 =-
-
-Vulnerable versions: wu-ftpd < 2.4.2-beta18-vr10
-File(s): src/realpath.c
-Download from:
- ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/wu-ftpd-2.4.2-beta18-vr8.tar.gz
-
-Domain: FTP Server
-
-_ Vulnerable Functions and Buffers _
-
-The vulnerabilities are in the realpath() funtion.
-
-First, no bounds checking is done on the input pathname, which is
-blindly strcpy()'d into curpath, a global variable.
-
-Second, a local buffer workpath can be filled with up to MAXPATHLEN
-bytes via a call to getcwd(); workpath is then strcpy()'d to
-namebuf. More bytes are then written to namebuf using
-strcat(). Several subsequent calls to strcpy() and strcat() can
-propagate this overflow. We only try to find the initial overflow.
-
-Third, a buffer linkpath is filled, potentially to capacity of
-MAXPATHLEN, using readlink(). More data is then appended to linkpath
-using strcat(), which can overflow it.
-
-NOTE: SatAbs was having a lot of problems with the namebuf example in
-the original version which used pointers as iterators (similar to the
-NetBSD glob() example). Since my experience with YASM indicates that
-using pointers as iterators shouldn't be much harder than using ints
-(explicit aliasing, model pointers as <OBJECT, OFFSET> pairs), I
-suspect this to be a technical limitation of SatAbs rather than an
-algorithmic one. I've therefore turned the iterators into ints in
-these examples.
-
-_ Decomposed Programs _
-
-wu-ftpd.h
-
-realpath-curpath/
- simple.c
-
-realpath-namebuf/
- strcpy_strcat_bad.c
- iter_ints_simp_bad.c
- iter_ints_bad.c
-
-realpath-linkpath/
- strcpy_strcat_bad.c
- prefix_simp_bad.c
- prefix_bad.c
-
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-curpath/simple_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-curpath/simple_bad.c
deleted file mode 100644
index 97ecbc93fd397528f726097153444092c8a0b585..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-curpath/simple_bad.c
+++ /dev/null
@@ -1,38 +0,0 @@
-#include "../wu-ftpd.h"
-
-/* Allocated size of buffer pathname[] in main () */
-#define PATHNAME_SZ MAXPATHLEN+1
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN];
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- /* BAD */
- r_strcpy(curpath, pathname);
-
- return result;
-}
-
-int main ()
-{
- char pathname [PATHNAME_SZ];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- pathname [PATHNAME_SZ-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-curpath/simple_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-curpath/simple_ok.c
deleted file mode 100644
index 984c2e02702ac5fd141d011f6b81f9b67f0e8a0c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-curpath/simple_ok.c
+++ /dev/null
@@ -1,38 +0,0 @@
-#include "../wu-ftpd.h"
-
-/* Allocated size of buffer pathname[] in main () */
-#define PATHNAME_SZ MAXPATHLEN+1
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN];
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- /* OK */
- r_strncpy(curpath, pathname, MAXPATHLEN);
-
- return result;
-}
-
-int main ()
-{
- char pathname [PATHNAME_SZ];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- pathname [PATHNAME_SZ-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_bad.c
deleted file mode 100644
index 93317c14f31e2e3b8e530bac1f1ef4adad3798b3..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_bad.c
+++ /dev/null
@@ -1,115 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
- int len;
- int where;
- int ptr;
- int last;
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- strcpy(curpath, pathname);
-
- if (*pathname != '/') {
- uid_t userid;
-
- if (!getcwd(workpath,MAXPATHLEN)) {
- userid = geteuid();
- delay_signaling();
- seteuid(0);
- if (!getcwd(workpath,MAXPATHLEN)) {
- strcpy(result, ".");
- seteuid(userid);
- enable_signaling();
- return (NULL);
- }
- seteuid(userid);
- enable_signaling();
- }
- } else
- *workpath = EOS;
-
- where = 0;
- while (curpath[where] != EOS) {
- if (!strcmp(curpath + where, ".")) {
- where++;
- continue;
- }
- if (!strncmp(curpath + where, "./", 2)) {
- where += 2;
- continue;
- }
- if (!strncmp(curpath + where, "../", 3)) {
- where += 3;
- ptr = last = 0;
- while (workpath[ptr] != EOS) {
- if (workpath[ptr] == '/')
- last = ptr;
- ptr++;
- }
- workpath[last] = EOS;
- continue;
- }
- ptr = istrchr(curpath + where, '/');
- if (curpath[ptr] == EOS)
- ptr = where + strlen(curpath + where) - 1;
- else
- curpath[ptr] = EOS;
-
- strcpy(namebuf, workpath);
- for (last = 0; namebuf[last] != EOS; last++)
- continue;
-
- /* Chop out the out-of-bounds writes.... */
- }
-
- /* Stand-in for checking stat fields. */
- if (nondet_int() == 1) {
- len = readlink(namebuf, linkpath, MAXPATHLEN);
- if (len <= 0)
- return NULL;
-
- linkpath[len] = EOS;
-
- if (linkpath[0] == '/')
- workpath[0] = EOS;
- if (curpath[where] != EOS) {
- /* BAD */
- r_strcat(linkpath, "/");
- /* BAD */
- r_strcat(linkpath, curpath + where);
- }
- /* BAD */
- r_strcpy(curpath, linkpath);
- }
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_ok.c
deleted file mode 100644
index ba87fe8ad87255db7aafde51c4989d78716dd868..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_ok.c
+++ /dev/null
@@ -1,121 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
- int len;
- int where;
- int ptr;
- int last;
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- strcpy(curpath, pathname);
-
- if (*pathname != '/') {
- uid_t userid;
-
- if (!getcwd(workpath,MAXPATHLEN)) {
- userid = geteuid();
- delay_signaling();
- seteuid(0);
- if (!getcwd(workpath,MAXPATHLEN)) {
- strcpy(result, ".");
- seteuid(userid);
- enable_signaling();
- return (NULL);
- }
- seteuid(userid);
- enable_signaling();
- }
- } else
- *workpath = EOS;
-
- where = 0;
- while (curpath[where] != EOS) {
- if (!strcmp(curpath + where, ".")) {
- where++;
- continue;
- }
- if (!strncmp(curpath + where, "./", 2)) {
- where += 2;
- continue;
- }
- if (!strncmp(curpath + where, "../", 3)) {
- where += 3;
- ptr = last = 0;
- while (workpath[ptr] != EOS) {
- if (workpath[ptr] == '/')
- last = ptr;
- ptr++;
- }
- workpath[last] = EOS;
- continue;
- }
- ptr = istrchr(curpath + where, '/');
- if (curpath[ptr] == EOS)
- ptr = where + strlen(curpath + where) - 1;
- else
- curpath[ptr] = EOS;
-
- strcpy(namebuf, workpath);
- for (last = 0; namebuf[last] != EOS; last++)
- continue;
-
- /* Chop out the out-of-bounds writes.... */
- }
-
- /* Stand-in for checking stat fields. */
- if (nondet_int() == 1) {
- len = readlink(namebuf, linkpath, MAXPATHLEN);
- if (len <= 0)
- return NULL;
-
- linkpath[len] = EOS;
-
- if (linkpath[0] == '/')
- workpath[0] = EOS;
- if (where[0] != EOS) {
- /* OK */
- r_strncat(linkpath, "/", MAXPATHLEN-strlen(linkpath)-1);
- if (strlen(linkpath)+strlen(where)>=MAXPATHLEN) {
- return NULL;
- }
- /* OK */
- r_strncat(linkpath, where, MAXPATHLEN-strlen(linkpath)- 1);
- }
- if (strlen(linkpath) >= MAXPATHLEN) {
- return NULL;
- }
- /* OK */
- r_strcpy(curpath, linkpath);
- }
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_simp_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_simp_bad.c
deleted file mode 100644
index 5eb30e666f935ec9d4cea6174fe5ba8e5607137c..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_simp_bad.c
+++ /dev/null
@@ -1,95 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
- int len;
- int where;
- int ptr;
- int last;
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- strcpy(curpath, pathname);
-
- if (pathname[0] != '/') {
- uid_t userid;
-
- if (!getcwd(workpath,MAXPATHLEN)) {
- userid = geteuid();
- delay_signaling();
- seteuid(0);
- if (!getcwd(workpath,MAXPATHLEN)) {
- strcpy(result, ".");
- seteuid(userid);
- enable_signaling();
- return (NULL);
- }
- seteuid(userid);
- enable_signaling();
- }
- } else
- workpath[0] = EOS;
-
- where = 0;
- while (curpath[where] != EOS) {
- if (!strcmp(curpath + where, ".")) {
- where++;
- continue;
- }
-
- strcpy(namebuf, workpath);
- for (last = 0; namebuf[last] != EOS; last++)
- continue;
-
- /* Chop out the out-of-bounds writes.... */
- }
-
- /* Stand-in for checking stat fields. */
- if (nondet_int() == 1) {
- len = readlink(namebuf, linkpath, MAXPATHLEN);
- if (len <= 0)
- return NULL;
-
- linkpath[len] = EOS;
-
- if (linkpath[0] == '/')
- workpath[0] = EOS;
- if (curpath[where] != EOS) {
- /* BAD */
- r_strcat(linkpath, "/");
- /* BAD */
- r_strcat(linkpath, curpath + where);
- }
- /* BAD */
- r_strcpy(curpath, linkpath);
- }
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_simp_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_simp_ok.c
deleted file mode 100644
index 17ace98bffb6819e94158c74d2f6d367afd17b3f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/prefix_simp_ok.c
+++ /dev/null
@@ -1,101 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
- int len;
- int where;
- int ptr;
- int last;
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- strcpy(curpath, pathname);
-
- if (pathname[0] != '/') {
- uid_t userid;
-
- if (!getcwd(workpath,MAXPATHLEN)) {
- userid = geteuid();
- delay_signaling();
- seteuid(0);
- if (!getcwd(workpath,MAXPATHLEN)) {
- strcpy(result, ".");
- seteuid(userid);
- enable_signaling();
- return (NULL);
- }
- seteuid(userid);
- enable_signaling();
- }
- } else
- workpath[0] = EOS;
-
- where = 0;
- while (curpath[where] != EOS) {
- if (!strcmp(curpath + where, ".")) {
- where++;
- continue;
- }
-
- strcpy(namebuf, workpath);
- for (last = 0; namebuf[last] != EOS; last++)
- continue;
-
- /* Chop out the out-of-bounds writes.... */
- }
-
- /* Stand-in for checking stat fields. */
- if (nondet_int() == 1) {
- len = readlink(namebuf, linkpath, MAXPATHLEN);
- if (len <= 0)
- return NULL;
-
- linkpath[len] = EOS;
-
- if (linkpath[0] == '/')
- workpath[0] = EOS;
- if (where[0] != EOS) {
- /* OK */
- r_strncat(linkpath, "/", MAXPATHLEN-strlen(linkpath)-1);
- if (strlen(linkpath)+strlen(where)>=MAXPATHLEN) {
- return NULL;
- }
- /* OK */
- r_strncat(linkpath, where, MAXPATHLEN-strlen(linkpath)- 1);
- }
- if (strlen(linkpath) >= MAXPATHLEN) {
- return NULL;
- }
- /* OK */
- r_strcpy(curpath, linkpath);
- }
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/strcpy_strcat_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/strcpy_strcat_bad.c
deleted file mode 100644
index bbc6caeeb5d2e23cd58d1aecae05170ae249323e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/strcpy_strcat_bad.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN],
- *where;
- int len;
-
- where = curpath;
-
- /* Stand-in for checking stat fields. */
- if (nondet_int() == 1) {
- len = readlink(namebuf, linkpath, MAXPATHLEN);
- if (len <= 0)
- return NULL;
-
- linkpath[len] = EOS;
-
- if (linkpath[0] == '/')
- workpath[0] = EOS;
- if (where[0] != EOS) {
- /* BAD */
- r_strcat(linkpath, "/");
- /* BAD */
- r_strcat(linkpath, where);
- }
- /* BAD */
- r_strcpy(curpath, linkpath);
- }
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/strcpy_strcat_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/strcpy_strcat_ok.c
deleted file mode 100644
index b29db46f0a867336aac74dc5665ae8ea81c72d97..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-linkpath/strcpy_strcat_ok.c
+++ /dev/null
@@ -1,58 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN],
- *where;
- int len;
-
- where = curpath;
-
- /* Stand-in for checking stat fields. */
- if (nondet_int() == 1) {
- len = readlink(namebuf, linkpath, MAXPATHLEN);
- if (len <= 0)
- return NULL;
-
- linkpath[len] = EOS;
-
- if (linkpath[0] == '/')
- workpath[0] = EOS;
- if (where[0] != EOS) {
- /* OK */
- r_strncat(linkpath, "/", MAXPATHLEN-strlen(linkpath)-1);
- if (strlen(linkpath)+strlen(where)>=MAXPATHLEN) {
- return NULL;
- }
- /* OK */
- r_strncat(linkpath, where, MAXPATHLEN-strlen(linkpath)- 1);
- }
- if (strlen(linkpath) >= MAXPATHLEN) {
- return NULL;
- }
- /* OK */
- r_strcpy(curpath, linkpath);
- }
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_bad.c
deleted file mode 100644
index f89d49dada0bf54d301e03cf636cdcc737a835e7..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_bad.c
+++ /dev/null
@@ -1,98 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
- int len;
- int where;
- int ptr;
- int last;
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- strcpy(curpath, pathname);
-
- if (*pathname != '/') {
- uid_t userid;
-
- if (!getcwd(workpath,MAXPATHLEN)) {
- userid = geteuid();
- delay_signaling();
- seteuid(0);
- if (!getcwd(workpath,MAXPATHLEN)) {
- strcpy(result, ".");
- seteuid(userid);
- enable_signaling();
- return (NULL);
- }
- seteuid(userid);
- enable_signaling();
- }
- } else
- *workpath = EOS;
-
- where = 0;
- while (curpath[where] != EOS) {
- if (!strcmp(curpath + where, ".")) {
- where++;
- continue;
- }
- if (!strncmp(curpath + where, "./", 2)) {
- where += 2;
- continue;
- }
- if (!strncmp(curpath + where, "../", 3)) {
- where += 3;
- ptr = last = 0;
- while (workpath[ptr] != EOS) {
- if (workpath[ptr] == '/')
- last = ptr;
- ptr++;
- }
- workpath[last] = EOS;
- continue;
- }
- ptr = istrchr(curpath + where, '/');
- if (curpath[ptr] == EOS)
- ptr = where + strlen(curpath + where) - 1;
- else
- curpath[ptr] = EOS;
-
- strcpy(namebuf, workpath);
- for (last = 0; namebuf[last] != EOS; last++)
- continue;
- if ((last == 0) || (namebuf[--last] != '/'))
- /* BAD */
- r_strcat(namebuf, "/");
-
- /* BAD */
- r_strcat(namebuf, curpath + where);
- }
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_ok.c
deleted file mode 100644
index 84ada2aebd571dc7f471a37ee88efede6dba4e11..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_ok.c
+++ /dev/null
@@ -1,98 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
- int len;
- int where;
- int ptr;
- int last;
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- strcpy(curpath, pathname);
-
- if (*pathname != '/') {
- uid_t userid;
-
- if (!getcwd(workpath,MAXPATHLEN)) {
- userid = geteuid();
- delay_signaling();
- seteuid(0);
- if (!getcwd(workpath,MAXPATHLEN)) {
- strcpy(result, ".");
- seteuid(userid);
- enable_signaling();
- return (NULL);
- }
- seteuid(userid);
- enable_signaling();
- }
- } else
- *workpath = EOS;
-
- where = 0;
- while (curpath[where] != EOS) {
- if (!strcmp(curpath + where, ".")) {
- where++;
- continue;
- }
- if (!strncmp(curpath + where, "./", 2)) {
- where += 2;
- continue;
- }
- if (!strncmp(curpath + where, "../", 3)) {
- where += 3;
- ptr = last = 0;
- while (workpath[ptr] != EOS) {
- if (workpath[ptr] == '/')
- last = ptr;
- ptr++;
- }
- workpath[last] = EOS;
- continue;
- }
- ptr = istrchr(curpath + where, '/');
- if (curpath[ptr] == EOS)
- ptr = where + strlen(curpath + where) - 1;
- else
- curpath[ptr] = EOS;
-
- strcpy(namebuf, workpath);
- for (last = 0; namebuf[last] != EOS; last++)
- continue;
- if ((last == 0) || (namebuf[--last] != '/'))
- /* OK */
- r_strncat(namebuf, "/", MAXPATHLEN-strlen(namebuf)-1);
-
- /* OK */
- r_strncat(namebuf, curpath + where, MAXPATHLEN-strlen(namebuf)-1);
- }
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_simp_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_simp_bad.c
deleted file mode 100644
index d2a5eaec35e8fa0fc972ad537f96b532bef09508..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_simp_bad.c
+++ /dev/null
@@ -1,79 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
- int len;
- int where;
- int ptr;
- int last;
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- strcpy(curpath, pathname);
-
- if (pathname[0] != '/') {
- uid_t userid;
-
- if (!getcwd(workpath,MAXPATHLEN)) {
- userid = geteuid();
- delay_signaling();
- seteuid(0);
- if (!getcwd(workpath,MAXPATHLEN)) {
- strcpy(result, ".");
- seteuid(userid);
- enable_signaling();
- return (NULL);
- }
- seteuid(userid);
- enable_signaling();
- }
- } else
- workpath[0] = EOS;
-
- where = 0;
- while (curpath[where] != EOS) {
- if (!strcmp(curpath + where, ".")) {
- where++;
- continue;
- }
-
- strcpy(namebuf, workpath);
- for (last = 0; namebuf[last] != EOS; last++)
- continue;
- if ((last == 0) || (namebuf[--last] != '/'))
- /* BAD */
- r_strcat(namebuf, "/");
-
- /* BAD */
- r_strcat(namebuf, curpath + where);
- }
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_simp_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_simp_ok.c
deleted file mode 100644
index d7c60fb5a150572a591cf6ebeec54133763c714e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/iter_ints_simp_ok.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
- int len;
- int where;
- int ptr;
- int last;
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- strcpy(curpath, pathname);
-
- if (pathname[0] != '/') {
- uid_t userid;
-
- if (!getcwd(workpath,MAXPATHLEN)) {
- userid = geteuid();
- delay_signaling();
- seteuid(0);
- if (!getcwd(workpath,MAXPATHLEN)) {
- strcpy(result, ".");
- seteuid(userid);
- enable_signaling();
- return (NULL);
- }
- seteuid(userid);
- enable_signaling();
- }
- } else
- workpath[0] = EOS;
-
- where = 0;
- while (curpath[where] != EOS) {
- if (!strcmp(curpath + where, ".")) {
- where++;
- continue;
- }
-
- strcpy(namebuf, workpath);
- for (last = 0; namebuf[last] != EOS; last++)
- continue;
- if ((last == 0) || (namebuf[--last] != '/'))
- /* OK */
- r_strncat(namebuf, "/", MAXPATHLEN-strlen(namebuf)-1);
-
- /* OK */
- r_strncat(namebuf, curpath + where, MAXPATHLEN-strlen(namebuf)-1); }
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/strcpy_strcat_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/strcpy_strcat_bad.c
deleted file mode 100644
index 983e8a31fc58f8fd7a0c3efbd5f42fffc7fa5446..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/strcpy_strcat_bad.c
+++ /dev/null
@@ -1,42 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- workpath[MAXPATHLEN-1] = EOS;
- strcpy(curpath, pathname);
- strcpy(namebuf, workpath);
-
- /* BAD */
- r_strcat(namebuf, curpath);
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/strcpy_strcat_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/strcpy_strcat_ok.c
deleted file mode 100644
index 66d01c8b101c0f9e6ad14abbd08951a29668d8fb..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/realpath-namebuf/strcpy_strcat_ok.c
+++ /dev/null
@@ -1,42 +0,0 @@
-#include "../wu-ftpd.h"
-
-char *
-realpath(const char *pathname, char *result, char* chroot_path)
-{
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- namebuf[MAXPATHLEN];
-
- if (result == NULL)
- return(NULL);
-
- if(pathname == NULL){
- *result = EOS;
- return(NULL);
- }
-
- workpath[MAXPATHLEN-1] = EOS;
- strcpy(curpath, pathname);
- strcpy(namebuf, workpath);
-
- /* OK */
- r_strncat(namebuf, curpath, MAXPATHLEN-strlen(namebuf)-1);
-
- return result;
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char result [MAXPATHLEN];
- char chroot_path [MAXPATHLEN];
-
- /* Don't use too big a pathname; we're not trying to overflow curpath */
- pathname [MAXPATHLEN-1] = EOS;
- result [MAXPATHLEN-1] = EOS;
- chroot_path [MAXPATHLEN-1] = EOS;
-
- realpath(pathname, result, chroot_path);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/wu-ftpd.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/wu-ftpd.c
deleted file mode 100644
index 4cee13e3cb0c55789dc5cf74a97eed103baf31cf..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/wu-ftpd.c
+++ /dev/null
@@ -1,44 +0,0 @@
-#include "wu-ftpd.h"
-
-uid_t geteuid(void)
-{
- return nondet_short();
-}
-
-int seteuid(uid_t euid)
-{
- if (nondet_int() == 0)
- return 0;
- return -1;
-}
-
-int enable_signaling()
-{
- return (0);
-}
-
-int delay_signaling()
-{
- return (0);
-}
-
-/* Returns the number of bytes written to buf, or -1 if there's an
- error. This'll do it, assuming buf is initially uninitialized. */
-int readlink(const char *path, char *buf, int bufsiz)
-{
- int n = nondet_int ();
- if (n < bufsiz && n >= 0)
- return n;
- return -1;
-}
-
-/* Just make sure buf is null-terminated unless we simulate an error. */
-char *getcwd(char *buf, size_t size)
-{
- if (nondet_int() == 0) {
- return NULL;
- }
- buf [size-1] = EOS;
- return buf;
-}
-
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/wu-ftpd.h b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/wu-ftpd.h
deleted file mode 100644
index ba881c29372e31e9f4d4d7d9edbe7052c535d5d4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-1999-0368/wu-ftpd.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-/* Size of buffer being overflowed, and most input buffers. We
- * strncmp() it against "../", so make sure it has at least 3
- * cells. */
-#define MAXPATHLEN BASE_SZ + 3
-
-typedef short uid_t;
-uid_t geteuid(void);
-int seteuid(uid_t euid);
-
-int enable_signaling();
-int delay_signaling();
-
-int readlink(const char *path, char *buf, int bufsiz);
-char *getcwd(char *buf, size_t size);
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/README b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/README
deleted file mode 100644
index 1887a485b9948bb82ae2604a705b85e9d3fc43b2..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/README
+++ /dev/null
@@ -1,36 +0,0 @@
--= CVE-2003-0466 =-
-
-Vulnerable versions: wu-ftpd 2.5.0 - 2.6.2
-File(s): src/realpath.c
-Download from:
- ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/wu-ftpd-2.5.0.tar.gz
-
-Domain: FTP Server
-
-_ Vulnerable Functions and Buffers _
-
-The buffer resolved[], which is an input to fb_realpath(), can be
-overflowed. This buffer can be filled with up to MAXPATHLEN bytes by a
-call to getcwd(). A slash ("/") and another buffer, wbuf[], can then
-be appended to resolved[] using strcat. The bounds check is wrong ---
-it should be saying that we need more room if we copy in a slash, but
-it says that we need more if we *don't*. Hence there's an off-by-one
-error if we do copy the salsh in.
-
-The patch involves adding a single exclamation point. ;-)
-
-fb_realpath() does some heavy string manipulations on the way to these
-calls, and makes calls to the filesystem (which we model with
-nondeterminism). For every decomposed program but the most simple one,
-SatAbs gets a lot of timeouts.
-
-_ Decomposed Programs _
-
-wu-ftpd.h
-
-fb_realpath/
- simple_bad.c
- almost_simple_bad.c
- istrrchr_bad.c
- no_symlinks_bad.c
- symlinks_bad.c
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/almost_simple_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/almost_simple_bad.c
deleted file mode 100644
index 2953adbbfb7622e7aea8aa8c7909aac49aff5d36..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/almost_simple_bad.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../wu-ftpd.h"
-
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
- int p, q;
-
- (void) strncpy(resolved, path, MAXPATHLEN - 1);
- resolved[MAXPATHLEN - 1] = EOS;
-
- p = 0;
-
- /* wbuf contains the filename, but not the path to it */
- strcpy(wbuf, resolved + p);
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* BAD */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/almost_simple_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/almost_simple_ok.c
deleted file mode 100644
index 19b3e332153eedb27a54b02f569504ffe0a2c614..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/almost_simple_ok.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include "../wu-ftpd.h"
-
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
- int p, q;
-
- (void) strncpy(resolved, path, MAXPATHLEN - 1);
- resolved[MAXPATHLEN - 1] = EOS;
-
- p = 0;
-
- /* wbuf contains the filename, but not the path to it */
- strcpy(wbuf, resolved + p);
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + !rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* OK */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/istrrchr_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/istrrchr_bad.c
deleted file mode 100644
index d27bcf2c6431c1408973cebb78f12fbbad09c817..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/istrrchr_bad.c
+++ /dev/null
@@ -1,63 +0,0 @@
-#include "../wu-ftpd.h"
-
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
- int p, q;
-
- (void) strncpy(resolved, path, MAXPATHLEN - 1);
- resolved[MAXPATHLEN - 1] = EOS;
-
- /* Once this loop terminates, the final slash in resolved has been
- * replaced with an EOS, and p points to the filename after it.
- */
- q = istrrchr(resolved, '/');
- if (q != -1) {
- /* p is whatever's after the last slash */
- p = q + 1;
- }
- else
- /* no slashes found ==> just a filename */
- p = 0;
-
- /* wbuf contains the filename, but not the path to it */
- strcpy(wbuf, resolved + p);
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* BAD */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/istrrchr_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/istrrchr_ok.c
deleted file mode 100644
index efc9362ee8f4409915f26ca7e2eecd91ccc33e85..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/istrrchr_ok.c
+++ /dev/null
@@ -1,63 +0,0 @@
-#include "../wu-ftpd.h"
-
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
- int p, q;
-
- (void) strncpy(resolved, path, MAXPATHLEN - 1);
- resolved[MAXPATHLEN - 1] = EOS;
-
- /* Once this loop terminates, the final slash in resolved has been
- * replaced with an EOS, and p points to the filename after it.
- */
- q = istrrchr(resolved, '/');
- if (q != -1) {
- /* p is whatever's after the last slash */
- p = q + 1;
- }
- else
- /* no slashes found ==> just a filename */
- p = 0;
-
- /* wbuf contains the filename, but not the path to it */
- strcpy(wbuf, resolved + p);
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + !rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* OK */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/no_symlinks_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/no_symlinks_bad.c
deleted file mode 100644
index a39c9ca9c0768bdd76b458a88f1eeea5aecf7318..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/no_symlinks_bad.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include "../wu-ftpd.h"
-
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
- int p, q;
-
- (void) strncpy(resolved, path, MAXPATHLEN - 1);
- resolved[MAXPATHLEN - 1] = EOS;
-
- /* Once this loop terminates, the final slash in resolved has been
- * replaced with an EOS, and p points to the filename after it.
- */
- q = istrrchr(resolved, '/');
- if (q != -1) {
- /* p is whatever's after the last slash */
- p = q + 1;
-
- if (q == 0) {
- /* Don't do anything. Originally, q was a pointer, we set it
- * to "/", and chdir'd to "/". Since we're chopping out the chdir,
- * we don't need to do anything.
- */
- } else {
- /* chops off the last slash and terminates resolved[] at it */
- do {
- --q;
- } while (q > 0 && resolved[q] == '/');
- resolved[q+1] = EOS;
- q = 0;
- }
-
- }
- else
- /* no slashes found ==> just a filename */
- p = 0;
-
- /* wbuf contains the filename, but not the path to it */
- strcpy(wbuf, resolved + p);
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* BAD */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/no_symlinks_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/no_symlinks_ok.c
deleted file mode 100644
index d05fb9ba048786d5c9542f5375d07ed32a92782f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/no_symlinks_ok.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include "../wu-ftpd.h"
-
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
- int p, q;
-
- (void) strncpy(resolved, path, MAXPATHLEN - 1);
- resolved[MAXPATHLEN - 1] = EOS;
-
- /* Once this loop terminates, the final slash in resolved has been
- * replaced with an EOS, and p points to the filename after it.
- */
- q = istrrchr(resolved, '/');
- if (q != -1) {
- /* p is whatever's after the last slash */
- p = q + 1;
-
- if (q == 0) {
- /* Don't do anything. Originally, q was a pointer, we set it
- * to "/", and chdir'd to "/". Since we're chopping out the chdir,
- * we don't need to do anything.
- */
- } else {
- /* chops off the last slash and terminates resolved[] at it */
- do {
- --q;
- } while (q > 0 && resolved[q] == '/');
- resolved[q+1] = EOS;
- q = 0;
- }
-
- }
- else
- /* no slashes found ==> just a filename */
- p = 0;
-
- /* wbuf contains the filename, but not the path to it */
- strcpy(wbuf, resolved + p);
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + !rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* OK */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/simple_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/simple_bad.c
deleted file mode 100644
index 094c4db5acb4a8d22b2e98081edd8fb7c087742d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/simple_bad.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "../wu-ftpd.h"
-
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char *p, *q, wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
-
- wbuf[MAXPATHLEN-1] = EOS;
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* BAD */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/simple_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/simple_ok.c
deleted file mode 100644
index 36cccc5a77637f2a041bdd0a307ab869ac8ab94d..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/simple_ok.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "../wu-ftpd.h"
-
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char *p, *q, wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
-
- wbuf[MAXPATHLEN-1] = EOS;
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + !rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* OK */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/symlinks_bad.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/symlinks_bad.c
deleted file mode 100644
index 164348cee5a8bf0744f26b0aa7d4697a770ec5a4..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/symlinks_bad.c
+++ /dev/null
@@ -1,108 +0,0 @@
-#include "../wu-ftpd.h"
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
- int p, q;
-
- (void) strncpy(resolved, path, MAXPATHLEN - 1);
- resolved[MAXPATHLEN - 1] = EOS;
-
- loop:
- /* Once this loop terminates, the final slash in resolved has been
- * replaced with an EOS, and p points to the filename after it.
- */
- q = istrrchr(resolved, '/');
- if (q != -1) {
- /* p is whatever's after the last slash */
- p = q + 1;
-
- if (q == 0) {
- /* Don't do anything. Originally, q was a pointer, we set it
- * to "/", and chdir'd to "/". Since we're chopping out the chdir,
- * we don't need to do anything.
- */
- } else {
- /* chops off the last slash and terminates resolved[] at it */
- do {
- --q;
- } while (q > 0 && resolved[q] == '/');
- resolved[q+1] = EOS;
- q = 0;
- }
-
- }
- else
- /* no slashes found ==> just a filename */
- p = 0;
-
- if (resolved[p] != EOS) {
- resultcode = nondet_int();
- /* If lstat() didn't fail.... */
- if (resultcode == 0) {
- int symlinks = 0;
- int n;
-
- /* If this was a symlink.... */
- if (nondet_int()) {
- if (++symlinks > MAXSYMLINKS) {
- return NULL;
- }
- strcpy(tmp, resolved + p);
- n = readlink(tmp, resolved, MAXPATHLEN);
- if (n < 0) {
- return NULL;
- }
- resolved[n] = EOS;
-
- goto loop;
- }
- /* p was originally a pointer, and it could have been set to ""
- * here if the final component were a directory.
- *
- * That's hard to do with an integer, so I'm slicing that
- * out. This example's already plenty complex.
- */
- }
- }
-
- /* wbuf contains the filename, but not the path to it */
- strcpy(wbuf, resolved + p);
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* BAD */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/symlinks_ok.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/symlinks_ok.c
deleted file mode 100644
index d755601ef5a16d8e2a061b7d94106c2d0786cf0f..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/fb_realpath/symlinks_ok.c
+++ /dev/null
@@ -1,108 +0,0 @@
-#include "../wu-ftpd.h"
-
-/* resolved is an *input*, initially uninitialized */
-char *fb_realpath(const char *path, char *resolved)
-{
- int rootd;
- char wbuf[MAXPATHLEN];
- int resultcode;
- char tmp [MAXPATHLEN];
- int p, q;
-
- (void) strncpy(resolved, path, MAXPATHLEN - 1);
- resolved[MAXPATHLEN - 1] = EOS;
-
- loop:
- /* Once this loop terminates, the final slash in resolved has been
- * replaced with an EOS, and p points to the filename after it.
- */
- q = istrrchr(resolved, '/');
- if (q != -1) {
- /* p is whatever's after the last slash */
- p = q + 1;
-
- if (q == 0) {
- /* Don't do anything. Originally, q was a pointer, we set it
- * to "/", and chdir'd to "/". Since we're chopping out the chdir,
- * we don't need to do anything.
- */
- } else {
- /* chops off the last slash and terminates resolved[] at it */
- do {
- --q;
- } while (q > 0 && resolved[q] == '/');
- resolved[q+1] = EOS;
- q = 0;
- }
-
- }
- else
- /* no slashes found ==> just a filename */
- p = 0;
-
- if (resolved[p] != EOS) {
- resultcode = nondet_int();
- /* If lstat() didn't fail.... */
- if (resultcode == 0) {
- int symlinks = 0;
- int n;
-
- /* If this was a symlink.... */
- if (nondet_int()) {
- if (++symlinks > MAXSYMLINKS) {
- return NULL;
- }
- strcpy(tmp, resolved + p);
- n = readlink(tmp, resolved, MAXPATHLEN);
- if (n < 0) {
- return NULL;
- }
- resolved[n] = EOS;
-
- goto loop;
- }
- /* p was originally a pointer, and it could have been set to ""
- * here if the final component were a directory.
- *
- * That's hard to do with an integer, so I'm slicing that
- * out. This example's already plenty complex.
- */
- }
- }
-
- /* wbuf contains the filename, but not the path to it */
- strcpy(wbuf, resolved + p);
-
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- return NULL;
-
- if (resolved[0] == '/' && resolved[1] == EOS)
- rootd = 1;
- else
- rootd = 0;
-
- if (wbuf[0] != EOS) {
- if (strlen(resolved) + strlen(wbuf) + !rootd + 1 > MAXPATHLEN) {
- return NULL;
- }
- if (rootd == 0)
- (void) strcat(resolved, "/");
-
- /* OK */
- (void) r_strcat(resolved, wbuf);
- }
- return (NULL);
-}
-
-int main ()
-{
- char pathname [MAXPATHLEN];
- char resolved [MAXPATHLEN];
-
- pathname [MAXPATHLEN-1] = EOS;
- resolved [MAXPATHLEN-1] = EOS;
-
- fb_realpath(pathname, resolved);
-
- return 0;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/wu-ftpd.c b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/wu-ftpd.c
deleted file mode 100644
index 225b0f9ae979854dc627702077453d68ff169323..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/wu-ftpd.c
+++ /dev/null
@@ -1,26 +0,0 @@
-#include "wu-ftpd.h"
-
-extern char nondet_char();
-
-/* Returns the number of bytes written to buf, or -1 if there's an
- error. This'll do it, assuming buf is initially uninitialized. */
-int readlink(const char *path, char *buf, int bufsiz)
-{
- int n = nondet_int ();
- if (n < bufsiz && n >= 0)
- return n;
- return -1;
-}
-
-/* Havoc everything in buf, then null-terminate it. */
-char *getcwd(char *buf, size_t size)
-{
- int i;
- if (nondet_int() == 0) {
- return NULL;
- }
- for (i = 0; i < size-1; i++)
- buf[i] = nondet_char();
- buf [size-1] = EOS;
- return buf;
-}
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/wu-ftpd.h b/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/wu-ftpd.h
deleted file mode 100644
index f81c6be04231e64f08b1f09e70d2b93b3b8ce8ec..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/CVE-2003-0466/wu-ftpd.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#include "../../../../lib/stubs.h"
-
-/* Size of input buffers and overflowed buffer; must be able to hold
- * null-terminators in addition to actual data. */
-#define MAXPATHLEN BASE_SZ + 2
-
-/* Used in symlinks_bad.c. */
-#define MAXSYMLINKS 1
-
-int readlink(const char *path, char *buf, int bufsiz);
-char *getcwd(char *buf, size_t size);
-
diff --git a/tests/verisec/suite/programs/apps/wu-ftpd/README b/tests/verisec/suite/programs/apps/wu-ftpd/README
deleted file mode 100644
index 4135d1e6865e365d8cdb1347bbb7fde1b631203e..0000000000000000000000000000000000000000
--- a/tests/verisec/suite/programs/apps/wu-ftpd/README
+++ /dev/null
@@ -1,6 +0,0 @@
--= WU-FTPD =-
-
-Homepage: http://www.wu-ftpd.org
-Domain: FTP Server
-
-FTP is the File Transfer Protocol.