Hello,
I am trying to get help with the attached C code homework. I've attached the complete question and the source code that needs to be fixed.
Homework 3
Fixing C code with Vulnerabilities
Overview
In this homework, you will modify an existing C code application that violates several C code rules and
recommendations. Your task is to locate the issues, based on the readings for this course, identify the
rule(s) or recommendation(s) being violated and then fix the code. You will discuss each issue in terms
of why the issue may cause a security vulnerability, and how you specifically fixed the issue.
Assignment
Review and Understand the Sample C application.
The current code, developed by a junior developer, has several issues and is not functioning as
expected. The desired functionality of the program is to allow a user to select from several choices on a
menu. After the user selects the “Exit” option from the menu, the program will populate a password
with ‘1’s and then display the value of the password. The program also captures a character so the
screen can stay paused for review before exiting. Below are screen shots for a successful program
execution.
Unfortunately, not only are there security issues, but the code you were provided also doesn't work as
expected.
For the first part of this exercise demonstrate your C developer environment is working properly. You
can do this by running any of the sample C code applications.
Modify the C code in this example to make the desired functionality work properly. Demonstrate the
code works properly through screen captures and describing what changes were made to fix the
functionality issues.
Carefully review the code and perform analysis as needed. Consider the following rules and
recommendations as hints for items that you might want to review. Note that some rules and
recommendations listed below may not be found as issues in the code.
STR31-C. Guarantee that storage for strings has sufficient space for character data and the null
terminator.
MSC24-C. Do not use deprecated or obsolescent functions.
FIO34-C. Distinguish between characters read from a file and EOF or WEOF.
MSC17-C. Finish every set of statements associated with a case label with a break statement.
MSC33-C. Do not pass invalid data to the asctime() function.
MSC17-C. Finish every set of statements associated with a case label with a break statement.
DCL20-C. Explicitly specify void when a function accepts no arguments.
MEM30-C. Do not access freed memory.
You can use any C compiler you have access to, including:
1. Windows C++ Express or Visual Studio
2. Mac Xcode (C)
3. Linux gcc
4. VM player with gcc (e.g. SDEV 300 Virtual machine)
Be sure you have a C environment where you can compile. Also review those code tutorial links
provided in the classroom. Post a note, or contact your professor if you are having significant difficulties
compiling a C program.
Once you have your environment working, reviewed and analyzed the code, and determined the rules
and recommendations that are violated, you should fix the code. Be sure to document each issue by
aligning the rule or recommendation and explain exactly how you fixed the issue.
Hints:
a. Make sure your C coding environment is working first. Those C tutorials will help you to test
your environment.
b. Be very careful with the pointers and memory limits of the arrays. Most modern compilers
attempt to protect your system resources, but you could potentially produce access violations
that could lock your system up. Take your time and review the memory bounds for all of your
arrays before you start making code changes.
c. Start on this early. This will take you longer than you think.
Deliverables
Provide your fixed C source code along with a PDF document describing how you addressed each
issue. For example, you should list the CERT C rule or recommendation for each issue and show and
describe the code that addresses the issue. You should also provide screen shots and descriptions of
the successful execution of the code.
Be sure your PDF document is neat, well-organized and is well-written with minimal spelling and
grammar errors. All references used should be included in your document.
Grading rubric:

Attribute: Sample C code application
  Meets (10 points):
    Demonstrate your C developer environment is working properly. (5 points)
    Modify the C code to make the desired functionality work properly. Demonstrate the code works
    properly. (5 points)
  Does not meet (0 points):
    Does not demonstrate your C developer environment is working properly.
    Does not modify the C code to make the desired functionality work properly. Does not demonstrate
    the code works properly.

Attribute: C code rules and recommendations
  Meets (70 points):
    Applies STR31-C, if needed, to guarantee that storage for strings has sufficient space for
    character data and the null terminator. (10 points)
    Applies MSC24-C, if needed, to not use deprecated or obsolescent functions. (10 points)
    Applies FIO34-C, if needed, to distinguish between characters read from a file and EOF or WEOF.
    (10 points)
    Applies MSC17-C, if needed, to finish every set of statements associated with a case label with a
    break statement. (10 points)
    Applies MSC33-C, if needed, to not pass invalid data to the asctime() function. (5 points)
    Applies MSC17-C, if needed, to finish every set of statements associated with a case label with a
    break statement. (5 points)
    Applies DCL20-C, if needed, to explicitly specify void when a function accepts no arguments.
    (10 points)
    Applies MEM30-C, if needed, to not access freed memory. (10 points)
  Does not meet (0 points):
    Does not apply STR31-C, if needed, to guarantee that storage for strings has sufficient space for
    character data and the null terminator.
    Does not apply MSC24-C, if needed, to not use deprecated or obsolescent functions.
    Does not apply FIO34-C, if needed, to distinguish between characters read from a file and EOF or
    WEOF.
    Does not apply MSC17-C, if needed, to finish every set of statements associated with a case label
    with a break statement.
    Does not apply MSC33-C, if needed, to not pass invalid data to the asctime() function.
    Does not apply MSC17-C, if needed, to finish every set of statements associated with a case label
    with a break statement.
    Does not apply DCL20-C, if needed, to explicitly specify void when a function accepts no
    arguments.
    Does not apply MEM30-C, if needed, to not access freed memory.

Attribute: Documentation and Submission
  Meets (20 points):
    Provides all C source code including "fixed" code. (5 points)
    Provides screen shots and descriptions of the successful execution of the code and the resultant
    output as applied to each security control. (5 points)
    Document is neat, well-organized and is well-written with minimal spelling and grammar errors.
    (5 points)
    All references used are included in your document. (5 points)
  Does not meet (0 points):
    Does not provide all C source code including "fixed" code.
    Does not provide screen shots and descriptions of the successful execution of the code and the
    resultant output as applied to each security control.
    Document is not neat, well-organized and is not well-written with minimal spelling and grammar
    errors.
    All references used were not included in your document.
#include <stdio.h>
#include <string.h>

// Function prototypes
void fillPassword(size_t, char);
void showResults(char);
// should have void listed
void showMenu();

// Define a variable to hold a password
// and the copy
char password[15];
char cpassword[15];

int main(void)
{
    // Welcome the User
    printf("Welcome to the C Array Program!\n");

    // Variables
    char cont = 'y'; // To continue with loop
    int cVar = 0;    // process variable

    // Display menu and Get Selection
    while (cont != 'E' && cont != 'e') {
        // Display the Menu
        showMenu();
        // Get the user selection
        cont = getchar();
        // Display the menu response
        showResults(cont);
    }

    // Call the Copy routine
    fillPassword(sizeof(password), password);

    // Display variable values
    printf("password is %s\n", password);
    printf("cVar is %d\n", cVar);

    // Copy password
    memcpy(cpassword, password, sizeof(password));

    // Pause before exiting
    char confirm;
    printf("Confirm your exit!");
    confirm = getchar();
    return 0;
}

// Make a String of '1's
void fillPassword(size_t n, char dest) {
    // Should be n-1
    for (size_t j = 0; j < n; j++) {
        dest[j] = '1';
    }
    // Add null terminator for string
    dest[n] = '\0';
}

/* Display the Results */
void showResults(char value) {
    switch (value) {
    case 'F':
    case 'f':
        printf("Welcome to the Football season!\n");
    case 'S':
    case 's':
        printf("Welcome to the Soccer season!\n");
        break;
    case 'B':
    case 'b':
        printf("Welcome to the Baseball season!\n");
        break;
    case 'E':
    case 'e':
        printf("Exiting the Menu system!\n");
        break;
    default:
        printf("Please enter a valid selection\n");
    }
}

/* Display the Menu */
void showMenu(void) {
    printf("Enter a selection from the following menu.\n");
    printf("B. Baseball season.\n");
    printf("F. Football season.\n");
    printf("S. Soccer season.\n");
    printf("E. Exit the system.\n");
}
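The following is a corrected version of the program, added here as an editorial example; it is not part of the original post and is not the assignment's official solution. It addresses the rules the posted code actually violates: STR31-C (the original writes dest[n] on a 15-byte buffer), MSC17-C (the 'F' case falls through into the Soccer message), FIO34-C (getchar() is stored in a char, so EOF cannot be told apart from a real byte) and DCL20-C (showMenu is declared with an empty parameter list). It also repairs the compile-breaking prototypes that declare the buffer parameter as char rather than char *. MSC24-C, MSC33-C and MEM30-C are left alone because the posted code calls no deprecated function, never calls asctime() and never frees memory. The function names, the int return values, and the tmpfile()-based offline driver are my own choices, assumed for illustration and testing.

```c
#include <stdio.h>
#include <string.h>

/* STR31-C: write n-1 characters and reserve the last byte for the null
 * terminator (the original wrote dest[n], one past the end of the array).
 * Returns the number of '1' characters written. */
size_t fill_password(char *dest, size_t n)
{
    if (dest == NULL || n == 0) return 0;
    for (size_t j = 0; j < n - 1; j++) dest[j] = '1';
    dest[n - 1] = '\0';
    return n - 1;
}

/* MSC17-C: every case ends in return, so 'F' no longer falls through into
 * the Soccer message. The parameter is int so EOF (FIO34-C) is not truncated. */
const char *season_message(int value)
{
    switch (value) {
    case 'F': case 'f': return "Welcome to the Football season!";
    case 'S': case 's': return "Welcome to the Soccer season!";
    case 'B': case 'b': return "Welcome to the Baseball season!";
    case 'E': case 'e': return "Exiting the Menu system!";
    case EOF:           return "Input closed; exiting.";
    default:            return "Please enter a valid selection";
    }
}

/* FIO34-C: getc() returns int; keeping it as int makes EOF distinguishable
 * from every byte value. The rest of the line is discarded so a leftover
 * '\n' is not taken as the next menu choice. */
int read_selection(FILE *in)
{
    int c = getc(in);
    if (c == EOF) return EOF;
    int rest;
    while ((rest = getc(in)) != EOF && rest != '\n') { /* discard */ }
    return c;
}

/* DCL20-C: (void) declares "no arguments"; a bare () prototype would let a
 * call such as show_menu(42) compile without complaint. */
void show_menu(void)
{
    puts("Enter a selection from the following menu.");
    puts("B. Baseball season.");
    puts("F. Football season.");
    puts("S. Soccer season.");
    puts("E. Exit the system.");
}

/* Menu loop over any stream. Returns the number of selections processed
 * before exit or end of input, then fills the password buffer. */
int run_menu(FILE *in, char *password, size_t n)
{
    int selections = 0;
    int choice;
    do {
        show_menu();
        choice = read_selection(in);
        puts(season_message(choice));
        if (choice != EOF) selections++;
    } while (choice != EOF && choice != 'E' && choice != 'e');
    fill_password(password, n);
    return selections;
}

/* Offline driver (assumed helper, not from the original): feeds a constructed
 * input string through a temporary file so the EOF path can be exercised
 * without a terminal. */
int run_menu_on_string(const char *input, char *password, size_t n)
{
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(input, f);
    rewind(f);
    int count = run_menu(f, password, n);
    fclose(f);
    return count;
}

int main(void)
{
    char password[15];           /* same size as the original global buffer */
    puts("Welcome to the C Array Program!");
    run_menu(stdin, password, sizeof password);
    printf("password is %s\n", password);
    puts("Confirm your exit!");
    (void)read_selection(stdin); /* pause before exiting; EOF is harmless */
    return 0;
}
```

Running it interactively reproduces the described behaviour (menu until E/e, then fourteen '1's and a pause). Redirecting an input file that ends without an E shows the FIO34-C point: the loop terminates on EOF instead of spinning forever on a truncated -1, which is what happens in the original once getchar() is stored in a char.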