Page History

Avoid excessive stack allocations, particularly in situations where the growth of the stack can be controlled or influenced by an attacker. See INT04-C. Enforce limits on integer values originating from tainted sources for more information on preventing attacker-controlled integers from exhausting memory.

Noncompliant Code Example

...

Code Block

bgColor	#ccccff
lang	c

int copy_file(FILE *src, FILE *dst, size_t bufsize) {
  if (bufsize == 0) {
    /* Handle error */
  }
  char *buf = (char *)malloc(bufsize);
  if (!buf) {
    return -1;/* Handle error */
  }

  while (fgets(buf, bufsize, src)) {
    if (fputs(buf, dst) == EOF) {
      /* Handle error */
    }
  }
  /* ... */
  free(buf);
  return 0;
}

...

Program stacks are frequently used for convenient temporary storage because allocated memory is automatically freed when the function returns. Generally, the operating system grows the stack as needed. However, growing the stack can fail because of a lack of memory or a collision with other allocated areas of the address space (depending on the architecture). When the stack is exhausted, the operating system can terminate the program abnormally. This behavior can be exploited, and an attacker can cause a denial-of-service attack if he or she can control or influence the amount of stack memory allocated.

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
MEM05-C	Medium	Likely	Medium	P12	L1

Automated Detection

Tool

Version

Checker

Description

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

IO.TAINT.SIZE

MISC.MEM.SIZE.BAD

Tainted Allocation Size

Unreasonable Size Argument

Coverity

Include Page

	Coverity_V
	Coverity_V

STACK_USE

Can help detect single stack allocations that are dangerously large, although it will not detect excessive stack use resulting from recursion

PRQA QA-C Include PagePRQA_VPRQA_V

1520
3670

Partially implemented

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C1051, C1520, C3670

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

MISRA.FUNC.RECUR

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

44 S

Enhanced Enforcement

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-MEM05-a
CERT_C-MEM05-b

Do not use recursion
Ensure the size of the variable length array is in valid range

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

9035, 9070

Partially supported: reports use of variable length arrays and recursion

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rec. MEM05-C

Checks for:

Direct or indirect function call to itself
Variable length array with nonpositive size
Tainted size of variable length array

Rec. partially covered.

PVS-Studio

Include Page

	PVS-Studio_V
	PVS-Studio_V

V505

Related Vulnerabilities

Stack overflow has been implicated in Toyota unintended acceleration cases, where Camry and other Toyota vehicles accelerated unexpectedly. Michael Barr testified at the trial that a stack overflow could corrupt the critical variables of the operating system, because they were located in memory adjacent to the top of the stack [Samek 2014].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.