Modified integer overflow tests

Change-Id: I7042daa3920f132680160e3f107cdd45747e8526
2016-05-18 11:37:39 -05:00 · 2016-05-18 11:37:39 -05:00 · fa17e5c1da
commit fa17e5c1da
parent 82c3555291
2 changed files with 23 additions and 2 deletions
--- a/data/integer-overflow.txt
+++ b/data/integer-overflow.txt
@ -1,7 +1,12 @@
 -1
+-0
+-0xff
+999999999999999
+-999999999999999
+-0.999999999999999
+9 ** 100
+\x00
 0
-0x100
-0x1000
 0x3fffffff
 0x7ffffffe
 0x7fffffff
--- a/syntribos/tests/fuzz/integer_overflow.py
+++ b/syntribos/tests/fuzz/integer_overflow.py
@ -11,6 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+from syntribos.issue import Issue
 from syntribos.tests.fuzz import base_fuzz


@ -19,6 +20,21 @@ class IntOverflowBody(base_fuzz.BaseFuzzTestCase):
    test_type = "data"
    data_key = "integer-overflow.txt"

+    def test_case(self):
+        time_diff = self.config.time_difference_percent / 100
+        if (self.resp.elapsed.total_seconds() >
+                time_diff * self.init_response.elapsed.total_seconds()):
+            self.register_issue(
+                Issue(test="int_timing",
+                      severity="Medium",
+                      confidence="Medium",
+                      text=("The time it took to resolve a request with an "
+                            "invalid integer was too long compared to the "
+                            "baseline request. This could indicate a "
+                            "vulnerability to buffer overflow attacks")
+                      )
+            )
+

 class IntOverflowParams(IntOverflowBody):
    test_name = "INT_OVERFLOW_PARAMS"