Page History

Avoid excessive stack allocations, particularly in situations where the growth of the stack can be controlled or influenced by an attacker.

...

Noncompliant Code Example

C99 includes support for variable-length arrays (VLAs) \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]. If the array length is derived from an untrusted data source, an attacker can cause the process to perform an excessive allocation on the stack.

This non-compliant noncompliant code example temporarily stores data read from a source file into a buffer. The buffer is allocated on the stack as a variable-length array of size bufsize. If bufsize can be controlled by a malicious user, this code can be exploited to cause a denial-of-service attack.

...

The BSD extension function {{alloca()}} behaves in a similar fashion to VLAs; its use is not recommended \[[Loosemore 07|AA. C References#Loosemore 07]\] .

Compliant Solution

This compliant solution replaces the variable-length array with a call to malloc(). If malloc() fails, the return value can be checked to prevent the program from terminating abnormally.

int copy_file(FILE *src, FILE *dst, size_t bufsize) {
  if (bufsize == 0) {
    /* Handle Error */
  }
  char *buf = (char *)malloc(bufsize);
  if (!buf) {
    return -1;
  }

  while (fgets(buf, bufsize, src)) {
    if (fputs(buf, dst) == EOF) {
      /* Handle Error */
    }
  }
  /* ... */
  free(buf);
  return 0;
}

...

Noncompliant Code Example

Recursion can also lead to large stack allocations. Recursive functions must ensure they they do not exhaust the stack due to excessive recursions.

This non-compliant noncompliant implementation of the Fibonacci function uses recursion.

...

The stack space needed grows exponentially with respect to the parameter n. Large values of n have been shown to cause abnormal program termination.

Compliant Solution

This implementation of the Fibonacci functions eliminates the use of recursion.

...

Because there is no recursion, the amount of stack space needed does not depend on the parameter n, greatly reducing the risk of stack overflow.

Risk Assessment

Program stacks are frequently used for convenient temporary storage, because allocated memory is automatically freed when the function returns. Generally, the operating system will grow the stack as needed. However, growing the stack can fail due to a lack of memory or collision with other allocated areas of the address space (depending on the architecture). When the stack is exhausted, the operating system may terminate the program abnormally. This behavior can be exploited by an attacker to cause a denial-of-service attack in situations where the attacker can control or influence the amount of stack memory allocated.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

The Coverity Prevent STACK_USE checker can help detect single stack allocations that are dangerously large, although it will not detect excessive stack use resulting from recursion. Because Coverity Prevent cannot discover all violations of this rule, further verification is necessary.

References

\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.7.5.2, "Array declarators", Section 7.20.3, "Memory management functions"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "GDL Recursion"
\[[Loosemore 07|AA. C References#Loosemore 07]\] [Section 3.2.5, "Automatic Storage with Variable Size"|http://www.gnu.org/software/libc/manual/html_mono/libc.html#Variable-Size-Automatic]
\[[MISRA 04|AA. C References#MISRA 04]\] Rule 16.2
\[[Seacord 05a|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management"
\[[van Sprundel 06|http://ilja.netric.org/files/Unusual%20bugs.pdf]\] "Stack Overflow"

...

MEM04-C. Do not perform zero length allocations      08. Memory Management (MEM)       MEM06-A. Ensure that sensitive data is not written out to disk Image Added