Perl, unlike most other languages, uses arrays that are not declared with a particular length, and may grow and shrink in size as is required by subsequent code. In fact, when assigning a value to an element within the array, if the index provided is beyond the end of the array, the array grows to make it valid. Consider the following example:
```perl
my @array = (1, 2, 3);    # array contains 3 elements
$array[5] = 0;            # array grows to contain 6 elements
my $value = $array[7];    # array unchanged + uninitialized value warning
$value = $array[-7];      # array unchanged + uninitialized value warning
if (exists $array[9]) {   # false, array unchanged
  print "That's a big array.\n";
}
```
This automatic growth only occurs if the index provided is positive, and the array value is being written, not read, and not passed to a testing function like exists() or defined(). If an attacker is able to substitute a number to be used as an array index, and they provide the value 1000000000 (one billion), then Perl will happily try to grow the array to one billion elements. Depending on the platform's capabilities, this might fail, or hang, or simply cause Perl to consume several gigabytes of memory for the lifetime of the array. As this can cause a denial of service, attackers must not be permitted to control array indices.
Noncompliant Code Example
This noncompliant code example takes a set of users via standard input, and adds them to an array, indexed by their UIDs. This program may, for instance, be fed the contents of the /etc/passwd file.

```perl
my @users;
while (<STDIN>) {
  my ($username, $dummy, $uid) = split( /:/);
  if (not (defined( $uid) and defined( $username))) {next;}
  if (not $uid =~ /^\d+$/) {next;}   # require at least one digit; \d* would accept an empty UID
  $users[$uid] = $username;
}
# ... Work with @users
```
This code clearly skips input lines that do not contain a valid UID or username. It also skips lines where the UID is not a positive number. However, a UID that is large might cause excessive growth of the @users array and provoke a denial of service.
Compliant Solution
This compliant solution enforces a limit on how large a UID may be. Consequently, the array may not contain more than $max_uid elements.
```perl
my @users;
my $max_uid = 10000;
while (<STDIN>) {
  my ($username, $dummy, $uid) = split( /:/);
  if (not (defined( $uid) and defined( $username))) {next;}
  if (not $uid =~ /^\d+$/) {next;}   # require at least one digit; \d* would accept an empty UID
  if ($uid > $max_uid) {next;}       # bound the index so the array cannot grow without limit
  $users[$uid] = $username;
}
# ... Work with @users
```
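As an added example (not code from the CERT page), the following script factors the index check from the compliant solution into a reusable function and also demonstrates the growth-only-on-write behaviour described above. The helper names sanitize_index and load_users and the passwd-style input lines are constructed for this illustration.

```perl
use strict;
use warnings;

# Return $raw as an integer index, or nothing if it is undefined, is not a
# plain non-negative decimal integer, or exceeds $max. (Hypothetical helper.)
sub sanitize_index {
    my ($raw, $max) = @_;
    return unless defined $raw;
    # \A and \z, not ^ and $, so a trailing newline cannot slip through;
    # [0-9] rather than \d so Unicode digits, "1e9", "-7" and " 5" are rejected.
    return unless $raw =~ /\A[0-9]+\z/;
    return if $raw > $max;          # numeric comparison is safe after the match
    return 0 + $raw;
}

# Build @users from passwd-style lines, bounding every index by $max_uid.
sub load_users {
    my ($lines, $max_uid) = @_;
    my @users;
    for my $line (@$lines) {
        my ($username, undef, $uid) = split /:/, $line;
        my $idx = sanitize_index($uid, $max_uid);
        next unless defined $idx and defined $username;
        $users[$idx] = $username;
    }
    return \@users;
}

# Constructed input: two benign entries followed by hostile or malformed ones.
my @input = (
    "root:x:0:0:root:/root:/bin/bash\n",
    "alice:x:1001:1001::/home/alice:/bin/sh\n",
    "evil:x:1000000000:0::/:/bin/false\n",   # would grow @users to 1e9 slots
    "sci:x:1e6:0::/:/bin/false\n",           # numeric, but not a plain integer
    "neg:x:-7:0::/:/bin/false\n",            # negative index
    "line-with-no-fields\n",                 # no UID at all
);
my $users = load_users(\@input, 10000);
printf "%d slots allocated, %d users stored\n",
    scalar(@$users), scalar(grep { defined } @$users);

# Growth happens only on write: a read or exists() beyond the end leaves the
# array unchanged, whereas an assignment extends it up to that index.
my @probe = (1, 2, 3);
my $v = $probe[50];
my $e = exists $probe[50];
printf "after read and exists: %d elements\n", scalar @probe;
$probe[50] = 0;
printf "after write: %d elements\n", scalar @probe;
```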
Risk Assessment
Using unsanitized array index values may exhaust memory and cause the program to terminate or hang.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT30-PL | low | likely | high | P3 | L3 |
Bibliography
[Wall 2011] perldata, http://perldoc.perl.org/perldata.html