...
```perl
use strict;
use warnings;

my @array = (1, 2, 3); # array initialized
print "Array size is $#array\n"; # 2 (index of last element)
$array[5] = 0; # array grows so that reference is valid
print "Array size is $#array\n"; # 5
my $value = $array[7]; # array unchanged; $value is undef (warns when used)
$value = $array[-7]; # array unchanged; $value is undef (warns when used)
if (exists $array[9]) { # false, array unchanged
  print "That's a big array.\n";
}
print "Array size is $#array\n"; # still 5
$value = $array[10][0]; # reading a nested element autovivifies $array[10], growing the array
print "Array size is $#array\n"; # 10!
```
...
If an attacker is able to substitute a number to be used as an array index and provides the value 1000000000 (1 billion), then Perl will happily try to grow the array to 1 billion elements. Depending on the platform's capabilities, the attempt to grow the array might fail, or hang, or simply cause Perl to consume several gigabytes of memory for the lifetime of the array. Because a consequent denial of service could occur, attackers must not be permitted to control array indices.
...
This code clearly skips input lines that do not contain a valid UID or user name. It also skips lines where the UID is not a positive number. However, a UID that is large might cause excessive growth of the `@users` array and provoke a denial of service.
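One way to bound the index before it reaches `@users`, as an added example that is not code from the original page. It assumes passwd-style `name:x:uid:...` input lines; the limit `$MAX_UID` and the helpers `checked_uid` and `load_users` are hypothetical names, and the sample lines are constructed.

```perl
use strict;
use warnings;

# Assumed policy limit (hypothetical): largest UID this program will index by.
my $MAX_UID = 65_535;

# Return the UID as an integer if it is a safe array index, otherwise undef.
sub checked_uid {
    my ($raw) = @_;
    return unless defined $raw;
    # ASCII digits only, anchored with \A and \z: rejects signs, exponent
    # notation, whitespace, trailing newlines and over-long digit strings.
    return unless $raw =~ /\A[0-9]{1,10}\z/;
    my $uid = $raw + 0;
    return if $uid > $MAX_UID;    # upper bound prevents runaway array growth
    return $uid;
}

# Build the UID -> user name table, collecting rejected lines for logging.
sub load_users {
    my (@lines) = @_;
    my (@users, @rejected);
    for my $line (@lines) {
        chomp $line;
        my ($username, undef, $raw_uid) = split /:/, $line;
        my $uid = checked_uid($raw_uid);
        if (defined $uid and defined $username and length $username) {
            $users[$uid] = $username;
        } else {
            push @rejected, $line;
        }
    }
    return (\@users, \@rejected);
}

# Constructed sample input, not real account data.
my @sample = (
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1000:1000::/home/alice:/bin/sh",
    "mallory:x:1000000000:1000::/home/mallory:/bin/sh",  # index of 1 billion
    "eve:x:-7:1000::/home/eve:/bin/sh",                  # negative index
    "bob:x:1e9:1000::/home/bob:/bin/sh",                 # numifies to 1 billion
);

my ($users, $rejected) = load_users(@sample);
printf "last index: %d\n", $#{$users};
printf "rejected:   %s\n", $_ for @$rejected;
```

Where UIDs are sparse or the upper bound must be large, a hash keyed by UID avoids the growth problem altogether, because storing one key does not allocate slots for every smaller index.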
...
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS32-PL | low | likely | high | P3 | L3 |
Bibliography
...