SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 76

changes.mady.by.user Tracey Tamules

Saved on

compared with

New Version 77

changes.mady.by.user Tracey Tamules

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Some of these causes are platform-dependent, and difficult to anticipate. Others are fairly easy to anticipate, such as reading data from a file. As a result, programs shall not accept untrusted input in a manner that can cause the program to exhaust memory.

Noncompliant Code Example (readLine())

This noncompliant code example reads lines of text from a file, and adds each one to a vector, until a line with the word "quit" is encountered.

...

Any code that uses this method is susceptible to abuse because the user can enter a string of any length.

Compliant Solution (limited length input)

This compliant solution imposes limits, both on the length of each line, and on the total number of items to add to the vector.

...

The readLimitedLine() method defined above takes a numeric limit, indicating the total number of characters that may exist on one line. If a line contains more characters, the line is truncated, and they are returned on the next invocation. This prevents an attacker from exhausting memory by supplying input with no line breaks.

Compliant Solution (Java 1.7, limited file size)

This compliant solution impose a limit on the size of the file being read. This is accomplished with the Files.size() method which is new to Java 1.7. If the file is within the limit, we can assume the standard readLine() method will not exhaust memory, nor will memory be exhausted by the while loop.

Code Block
bgColor#ccccff
class ShowHeapError {
  // ...other methods
  static public final int fileSizeLimit = 1000000;

  public ShowHeapError(String filename) throws IOException {
    if (Files.size( Paths.get( filename)) > fileSizeLimit) {
      throw new IOException("File too large");
    }
    this.input = new FileReader(filename);
    this.reader = new BufferedReader(input);
  }
}

Noncompliant Code Example

Wiki Markup
In a server-class machine using a parallel garbage collector, the default initial and maximum heap sizes are as follows for J2SE 6.0 \[[Sun 2006|AA. Bibliography#Sun 06]\]:

...

Code Block
bgColor#FFcccc
/** Assuming the heap size as 512 MB (calculated as 1/4th of 2 GB RAM = 512 MB)
 *  Considering long values being entered (64 bits each, the max number of elements
 *  would be 512 MB/64bits = 67108864)
 */
public class ShowHeapError {
  Vector<Long> names = new Vector<Long>(); // Accepts unknown number of records
  long newID = 0L;
  int count = 67108865;
  int i = 0;
  InputStreamReader input = new InputStreamReader(System.in);
  Scanner reader = new Scanner(input);

  public void addNames() {
    do {
      // Adding unknown number of records to a list
      // The user can enter more IDs than the heap can support and thus 
      // exhaust the heap. Assume that the record ID is a 64 bit long value
    
      System.out.print("Enter recordID (To quit, enter -1): ");
      newID = reader.nextLong();
     
      names.addElement(newID);
      i++;
    } while (i < count || newID != -1);
    // Close "reader" and "input"
  }

  public static void main(String[] args) {
    ShowHeapError demo = new ShowHeapError();
    demo.addNames();
  }
}

Compliant Solution

A simple compliant solution is to lower the number of names to read.

Code Block
bgColor#ccccff
  // ...
  int count = 10000000;
  // ...

Compliant Solution

Wiki Markup
The {{OutOfMemoryError}} can be avoided by ensuring that the absence of infinite loops, memory leaks, and unnecessary object retention. When memory requirements are known ahead of time, the heap size can be tailored to fit the requirements using the following runtime parameters \[[Java 2006|AA. Bibliography#Java 06]\]:

...

This setting can be changed either using the Java Control Panel or from the command line. It cannot be adjusted through the application itself.

Risk Assessment

Assuming that infinite heap space is available can result in denial of service.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC11-J

low

probable

medium

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website

Other Languages

This rule appears in the C Secure Coding Standard as MEM11-C. Do not assume infinite heap space.

This rule appears in the C++ Secure Coding Standard as MEM12-CPP. Do not assume infinite heap space.

Related Vulnerabilities

GERONIMO-4224

Related Guidelines

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a5cf812ee9be54f9-fc28fd27-435f448d-a341a93b-628ba7eaf75bb9ab167c2642"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE-400

http://cwe.mitre.org/data/definitions/400.html] "Uncontrolled Resource Consumption ('Resource Exhaustion')"

]]></ac:plain-text-body></ac:structured-macro>

 

CWE-770 "Allocation of Resources Without Limits or Throttling"

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="969092a98cb779ba-0683e076-4c0c4001-b436b022-4059faf4de8c5274e270627b"><ac:plain-text-body><![CDATA[

[[Sun 2006

AA. Bibliography#Sun 06]]

[Garbage Collection Ergonomics

http://java.sun.com/javase/6/docs/technotes/guides/vm/gc-ergonomics.html ], "Default values for the Initial and Maximum heap size"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8153f1f753c19f2b-00791f7c-4ec34859-a68ba80a-0b7e86dd7097e851cb545cb5"><ac:plain-text-body><![CDATA[

[[Java 2006

AA. Bibliography#Java 06]]

[java - the Java application launcher

http://java.sun.com/javase/6/docs/technotes/tools/windows/java.html ], "Syntax for increasing the heap size"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2ab3cd8790c01f57-ef8debc1-4f674c6f-a715824b-7c381a1f0c73cfea4f002cef"><ac:plain-text-body><![CDATA[

[[Sun 2003

AA. Bibliography#Sun 03]]

Chapter 5: Tuning the Java Runtime System, [Tuning the Java Heap

http://docs.sun.com/source/817-2180-10/pt_chap5.html#wp57027]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="685ceaf9f5d0cd32-73ed3dd3-439043ea-982e92e8-8b24c4377fb2d4ac4cdf7fce"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

Class ObjectInputStream and ObjectOutputStream

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="182e5f9a4f8e40ef-ad22dbf7-41b74394-bc16b1e4-3c5ca9b1f2c07f9c6dedfef0"><ac:plain-text-body><![CDATA[

[[SDN 2008

AA. Bibliography#SDN 08]]

[Serialization FAQ

http://java.sun.com/javase/technologies/core/basic/serializationFAQ.jsp]

]]></ac:plain-text-body></ac:structured-macro>

...