CWE-789: Memory Allocation with Excessive Size Value (Stack Exhaustion)

CWE-789: Memory Allocation with Excessive Size Value (Stack Exhaustion) | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.

Vulnerable example

/* ignore integer overflow (CWE-190) for this example */
unsigned int size = GetUntrustedInt();

Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.

Vulnerable example

java

unsigned int size = GetUntrustedInt();

The HashMap constructor will verify that the initial capacity is not negative, however there is no check in place to verify that sufficient memory is present. If the attacker provides a large enough value, the application will run into an OutOfMemoryError.

This code performs a stack allocation based on a length calculation.

Vulnerable example

int a = 5, b = 6;

This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action.

The buffer length ends up being -1, resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations.

The following code obtains an untrusted number that is used as an index into an array of messages.

Vulnerable example

perl

my $num = GetUntrustedNumber();

This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. The buffer length ends up being -1 resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations.

CWE-789: Memory Allocation with Excessive Size Value

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Fuzzing

Automated Static Analysis

Automated Dynamic Analysis

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Frequently asked questions

What is CWE-789?

What CVEs are caused by CWE-789?

How do you prevent CWE-789?

How is CWE-789 detected?

What are the consequences of CWE-789?

Is CWE-789 actively exploited?

References

Stay ahead of CWE-789

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Fuzzing

Automated Static Analysis

Automated Dynamic Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Can precede

Related

Terminology & mappings

Alternate terms

Mapped taxonomies

Frequently asked questions

What is CWE-789?

What CVEs are caused by CWE-789?

How do you prevent CWE-789?

How is CWE-789 detected?

What are the consequences of CWE-789?

Is CWE-789 actively exploited?

References

Stay ahead of CWE-789