Indicate all potential vulnerabilities and suggest fixes for them

[A]

int table[800];

int insert_in_table(int val, int pos){

if(pos > sizeof(table) / sizeof(int)){

return -1;

}

table[pos] = val;

return 0;

}

[B]

int copy_something(char *buf, int len){

char kbuf[800];

if(len > sizeof(kbuf)){

return -1;

}

return memcpy(kbuf, buf, len);

}

[C]

int myfunction(int *array, int len){

int *myarray, i;

myarray = malloc(len * sizeof(int));

if(myarray == NULL){

return -1;

}

for(i = 0; i < len; i++){

myarray[i] = array[i];

}

return myarray;

}

[D]

int get_two_vars(int sock, char *out, int len){

char buf1[512], buf2[512];

unsigned int size1, size2;

int size;

if( recv(sock, buf1, sizeof(buf1), 0) < 0){

return -1;

}

if(recv(sock, buf2, sizeof(buf2), 0) < 0){

return -1;

}

/* packet begins with length information */

memcpy(&size1, buf1, sizeof(int));

memcpy(&size2, buf2, sizeof(int));

size = size1 + size2;

if(size > len){

return -1;

}

memcpy(out, buf1, size1);

memcpy(out + size1, buf2, size2);

return size;

}

[E]

This example was taken from a security module for linux. This code runs in the kernel context:

int rsbac_acl_sys_group( enum rsbac_acl_group_syscall_type_t call,

union rsbac_acl_group_syscall_arg_t arg)

{

...

switch(call)

{

case ACLGS_get_group_members:

if ((arg.get_group_members.maxnum<=0)|| !arg.get_group_members.group)

{

...

rsbac_uid_t * user_array;

rsbac_time_t * ttl_array;

user_array = vmalloc(sizeof(*user_array) *

arg.get_group_members.maxnum);

if (!user_array)

return -RSBAC_ENOMEM;

ttl_array = vmalloc(sizeof(*ttl_array) *

arg.get_group_members.maxnum);

if(!ttl_array)

{

vfree(user_array);

return -RSBAC_ENOMEM;

}

err =

rsbac_acl_get_group_members(arg.get_group_members.group,

user_array,

ttl_array, arg.get_group_members.max num); ... }