Qualifier Challenge - CROMU_00010

Original Versions

Known Vulnerabilities

  • CWE-467 - Use of sizeof() on a Pointer Type
  • CWEs are listed as indicated by the challenge author.


  • ForAllSecure: 1.78
  • CSDS: 1.58
  • TECHx: 1.42
  • TrailofBits: 0.31
  • CodeJitsu: 0.0
  • Disekt: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • DeepRed: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

“James Connor” jymbo@cromulence.co

DARPA performer group

Cromulence (CROMU)


This service performs routing across the map information provided. A user shell is provided to allow input of map data, and route requests

Feature List

The map supports roads, addresses, and intersections. Intersections are constucted by selecting two roads to join. Addresses are numbers on road, between two intersections. The map can be printed and routes from address to address can be resolved.


Routing is performed by traversing intersections on a discovered road to discover additional connected roads. As unique roads(nodes) are discovered, they are pushed to a list stored in a the data[4080] element of a linked list node. The size limit for the number of traversals which can be stored in the data element is checked against sizeof(pointer), rather than sizeof(element), resulting in a heap overwrite.

Generic class of vulnerability

Heap overflow

CWE classification



Different elements are stored in common data containers, creating a challenge for inferring data types. Also, a CRS must created a valid, sufficiently deep graph to reach the vulnerable route function.

Curated by Lunge Technology, LLC. Questions or comments? Send us email