...

If an attacker is able to substitute a number to be used as an array index and provides the value 1000000000 (1 billion), then Perl will happily try to grow the array to 1 billion elements. Depending on the platform's capabilities, this might fail, or hang, or simply cause Perl to consume several gigabytes of memory for the lifetime of the array. Because this can cause a denial of service, attackers must not be permitted to control array indices.

Noncompliant Code Example

This noncompliant code example takes a set of users via standard input and adds them to an array, indexed by their UIDs. This program may, for instance, be fed the contents of the /etc/passwd file.

...

This code clearly skips input lines that do not contain a valid UID or username. It also skips lines where the UID is not a positive number. However, a large UID might cause excessive growth of the @users array and provoke a denial of service.

Compliant Solution

This compliant solution enforces a limit on how large a UID may be. Consequently, the array may not contain more than $max_uid elements.

```perl
use strict;
use warnings;

my @users;
my $max_uid = 10000;

while (<STDIN>) {
  my ($username, $dummy, $uid) = split( /:/);
  # Skip lines that lack a username or a UID field.
  if (not (defined( $uid) and defined( $username))) {next;}
  # Require at least one digit: /^\d*$/ would also accept an empty UID,
  # which Perl then treats as index 0.
  if (not $uid =~ /^\d+$/) {next;}
  # Reject UIDs above the limit so the array can never grow past $max_uid.
  if ($uid > $max_uid) {next;}
  $users[$uid] = $username;
}

# ... Work with @users
```
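The same check, as an added example that is not part of the original rule, factored into a parse function so that each rejection reason is visible and can be tested in isolation. Two choices go beyond the compliant solution above: the UID must match /^\d+$/ (an empty field is rejected rather than silently becoming index 0), and accepted entries go into a hash keyed by UID instead of an array, so memory use grows with the number of accepted lines rather than with the largest index seen. The constant MAX_UID, the function names and the sample passwd lines are all assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Upper bound on accepted UIDs (assumed value for this example).
use constant MAX_UID => 65535;

# Parse one passwd-style line. Returns ([uid, username], undef) when the line
# is acceptable, or (undef, reason) when it must be skipped. The UID is checked
# to be all digits before any numeric comparison, so "", "-5" and "1e9" are
# rejected by the regex rather than being coerced by the ">" operator.
sub parse_passwd_line {
    my ($line) = @_;
    chomp $line;
    my ($username, undef, $uid) = split /:/, $line;
    return (undef, 'missing field')     unless defined $uid and defined $username;
    return (undef, 'non-numeric uid')   unless $uid =~ /^\d+$/;
    return (undef, 'uid exceeds limit') if $uid > MAX_UID;
    return ([$uid + 0, $username], undef);
}

# Load users from a filehandle into a hash keyed by UID. Unlike an array, a
# hash never has to be grown to cover the gap between two sparse indices, so
# a single oversized UID cannot cost more than one hash entry even if the
# limit above were raised.
sub load_users {
    my ($fh) = @_;
    my (%users, %rejected);
    while (my $line = <$fh>) {
        my ($entry, $why) = parse_passwd_line($line);
        if ($entry) {
            $users{ $entry->[0] } = $entry->[1];
        } else {
            $rejected{$why}++;
        }
    }
    return (\%users, \%rejected);
}

# Constructed sample input (not a real passwd file). The last two lines carry
# a negative UID and the 1-billion UID discussed in the rule text.
my $sample = <<'END';
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
broken line without fields
bob:x:-5:100:Bob:/home/bob:/bin/sh
mallory:x:1000000000:100:Mallory:/tmp:/bin/sh
END

open my $fh, '<', \$sample or die "cannot open in-memory input: $!";
my ($users, $rejected) = load_users($fh);
close $fh;

for my $uid (sort { $a <=> $b } keys %$users) {
    printf "%6d %s\n", $uid, $users->{$uid};
}
for my $why (sort keys %$rejected) {
    printf "rejected (%s): %d\n", $why, $rejected->{$why};
}
```

Run as-is, the script accepts root and alice and reports one rejection each for the malformed line, the negative UID and the oversized UID. Replace the in-memory filehandle with STDIN to use it on real input; the bound in MAX_UID is the only part that needs tuning to the system's UID range.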

Risk Assessment

Using unsanitized array index values may exhaust memory and cause the program to terminate or hang.

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| IDS32-PL | low | likely | high | P3 | L3 |


...