CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to continue trying to establish the connection to the server when an attempt fails.

Vulnerable example

int processMessagesFromServer(char *hostaddr, int port) {

Safe example

int processMessagesFromServer(char *hostaddr, int port) {

However, this will create an infinite loop if the server does not respond. This infinite loop will consume system resources and can be used to create a denial of service attack. To resolve this a counter should be used to limit the number of attempts to establish a connection to the server, as in the following code.

For this example, the method isReorderNeeded is part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.

Vulnerable example

java

public boolean isReorderNeeded(String bookISBN, int rateSold) {

Safe example

java

public boolean isReorderNeeded(String bookISBN, int rateSold) {

However, the while loop will become an infinite loop if the rateSold input parameter has a value of zero since the inventoryCount will never fall below the minimumCount. In this case the input parameter should be validated to ensure that a value of zero does not cause an infinite loop, as in the following code.

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-835?

What CVEs are caused by CWE-835?

How is CWE-835 detected?

What are the consequences of CWE-835?

Is CWE-835 actively exploited?

References

Stay ahead of CWE-835

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-835?

What CVEs are caused by CWE-835?

How is CWE-835 detected?

What are the consequences of CWE-835?

Is CWE-835 actively exploited?

References

Stay ahead of CWE-835