...
Noncompliant Code Example
The C standard includes Standard includes support for variable-length arrays (VLAs) [ISO/IEC 9899:2011]. If the array length is derived from an untrusted data source, an attacker can cause the process to perform an excessive allocation on the stack.
This noncompliant code example temporarily stores data read from a source file into a buffer. The buffer is allocated on the stack as a variable-length array a VLA of size bufsize. If bufsize can be controlled by a malicious user, this code can be exploited to cause a denial-of-service attack.
...
The BSD extension function alloca() behaves in a similar fashion to variable-length arraysVLAs; its use is not recommended [Loosemore 2007].
...
This compliant solution replaces the variable-length array the VLA with a call to malloc(). If malloc() fails, the return value can be checked to prevent the program from terminating abnormally.
...
Recursion can also lead to large stack allocations. Recursive functions must ensure they that they do not exhaust the stack due to excessive stack as a result of excessive recursions.
This noncompliant implementation of the Fibonacci function uses recursion.
| Code Block | ||||
|---|---|---|---|---|
| ||||
unsigned long fib1(unsigned int n) {
if (n == 0) {
return 0;
}
else if (n == 1 || n == 2) {
return 1;
}
else {
return fib1(n-1) + fib1(n-2);
}
}
|
The required stack space needed The amount of stack space needed grows exponentially with respect to the parameter n. Large values of n have been shown to cause abnormal program termination.
...
Program stacks are frequently used for convenient temporary storage because allocated memory is automatically freed when the function returns. Generally, the operating system will grow the stack as needed. However, growing the stack can fail due to a fail because of a lack of memory or collision a collision with other allocated areas of the address space (depending on the architecture). When the stack is exhausted, the operating system can terminate the program abnormally. This behavior can be exploited, and an attacker can cause a denial-of-service attack in situations where the attacker can attack if he or she can control or influence the amount of stack memory allocated.
...
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| STACK_USE | Can help detect single stack allocations that are dangerously large, although it will not detect excessive stack use resulting from recursion. | |||||||
| PRQA QA-C |
| 1520 | Partially implemented. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
...
| Recursion [GDL] | |
| MISRA |
...
| -C | Rule 16.2 (required): Functions shall not call themselves, either directly or indirectly |
Bibliography
...
...
| Variable Size" | |
| [Seacord 2005a] | Chapter 4, "Dynamic Memory Management" |
| [van Sprundel 2006] | "Stack |
...
| Overflow" |
...