Avoid excessive stack allocations, particularly in situations where the growth of the stack can be controlled or influenced by an attacker. See INT04-C. Enforce limits on integer values originating from tainted sources for more information on preventing attacker-controlled integers from exhausting memory.
Noncompliant Code Example
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
int copy_file(FILE *src, FILE *dst, size_t bufsize) {
if (bufsize == 0) {
/* Handle error */
}
char *buf = (char *)malloc(bufsize);
if (!buf) {
return -1;/* Handle error */
}
while (fgets(buf, bufsize, src)) {
if (fputs(buf, dst) == EOF) {
/* Handle error */
}
}
/* ... */
free(buf);
return 0;
}
|
...
Program stacks are frequently used for convenient temporary storage because allocated memory is automatically freed when the function returns. Generally, the operating system grows the stack as needed. However, growing the stack can fail because of a lack of memory or a collision with other allocated areas of the address space (depending on the architecture). When the stack is exhausted, the operating system can terminate the program abnormally. This behavior can be exploited, and an attacker can cause a denial-of-service attack if he or she can control or influence the amount of stack memory allocated.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM05-C | Medium | Likely | Medium | P12 | L1 |
Automated Detection
Tainted size of variable length array
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| IO.TAINT.SIZE MISC.MEM.SIZE.BAD | Tainted Allocation Size Unreasonable Size Argument | ||||||
| STACK_USE | Can help detect single stack allocations that are dangerously large, although it will not detect excessive stack use resulting from recursion | |||||||
| Helix QAC |
| C1051, C1520, C3670 | |||||||
| Klocwork |
| MISRA.FUNC.RECUR | |||||||
| LDRA tool suite |
| 44 S | Enhanced Enforcement |
| Parasoft C/C++test |
| CERT_C-MEM05-a | Do not use recursion | ||||||
| PC-lint Plus |
| 9035, 9070 | Partially supported: reports use of variable length arrays and recursion | ||||||
| Polyspace Bug Finder |
| Checks for:
|
|
|
|
|
Size of variable-length array is zero or negative
1520
3670
1051
Rec. partially covered. | |||||||||
| PVS-Studio |
| V505 |
Related Vulnerabilities
Stack overflow has been implicated in Toyota unintended acceleration cases, where Camry and other Toyota vehicles accelerated unexpectedly. Michael Barr testified at the trial that a stack overflow could corrupt the critical variables of the operating system, because they were located in memory adjacent to the top of the stack [Samek 2014].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | VOID MEM05-CPP. Avoid large stack allocations |
| ISO/IEC TR 24772:2013 | Recursion [GDL] |
| MISRA C:2012 | Rule 17.2 (required) |
Bibliography
| [Loosemore 2007] | Section 3.2.5, "Automatic Storage with Variable Size" |
| [Samek 2014] | Are We Shooting Ourselves in the Foot with Stack Overflow? Monday, February 17th, 2014 by Miro Samek |
| [Seacord 2013] | Chapter 4, "Dynamic Memory Management" |
...
...