...
| Wiki Markup |
|---|
C99 includes support for variable-length arrays (VLAs) \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]. If the array length is derived from an untrusted data source, an attacker couldcan cause the process to perform an excessive allocation on the stack. |
This non-compliant code example temporarily stores data read from a source file into a buffer. The buffer is allocated on the stack as a variable-length array of size bufsize. If bufsize can be controlled by a malicious user, this code could can be exploited to cause a denial-of-service attack.
...