...
C99 includes support for variable length arrays. If the value used for the length of the array is taken from user input, an attacker could cause the program to use a large number of stack pages, possibly resulting in the process being killed due to lack of memory, or simply cause the stack pointer to point to a different region of memory. The latter could result in a page fault and the process being killed or a write to an arbitrary memory location. An easy solution is to use the malloc family of functions to allocate and free memory, and handle any errors that malloc returns.
Non-compliant code example:
| Code Block |
|---|
Compliant example:
| Code Block |
|---|
Excessive recursion also requires the kernel to grow the autostack, and can thus lead to the process being killed due to lack of memory. Depending on the algorithm, this can be much more difficult to fix than the use of dynamic arrays. However, the use of recursion in most C programs is limited in part because non-recursive solutions are often faster.
Non-compliant code example:
| Code Block |
|---|
int fib1(unsigned int n)
{
if (n == 0)
return 0;
else if (n == 1 || n == 2)
return 1;
else
return fib1(n-1) + fib1(n-2);
}
|
Compliant example:
| Code Block |
|---|
int fib2(unsigned int n)
{
if (n == 0)
return 0;
else if (n == 1 || n == 2)
return 1;
unsigned int prev = 1;
unsigned int cur = 1;
int i;
for (i = 3; i <= n; i++)
{
int tmp = cur;
cur = cur + prev;
prev = tmp;
}
return cur;
}
|