Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.


Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.

unsigned int size = GetUntrustedInt();
/* ignore integer overflow (CWE-190) for this example */

unsigned int totBytes = size * sizeof(char);
char *string = (char *)malloc(totBytes);
InitializeString(string);

Suppose an attacker provides a size value of:

This will cause 305,419,896 bytes (over 291 megabytes) to be allocated for the string.

Example Two

Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.

unsigned int size = GetUntrustedInt();
HashMap list = new HashMap(size);

The HashMap constructor will verify that the initial capacity is not negative, however there is no check in place to verify that sufficient memory is present. If the attacker provides a large enough value, the application will run into an OutOfMemoryError.

Example Three

The following code obtains an untrusted number that is used as an index into an array of messages.

my $num = GetUntrustedNumber();
my @messages = ();

$messages[$num] = "Hello World";

The index is not validated at all (CWE-129), so it might be possible for an attacker to modify an element in @messages that was not intended. If an index is used that is larger than the current size of the array, the Perl interpreter automatically expands the array so that the large index works.

If $num is a large value such as 2147483648 (1<<31), then the assignment to $messages[$num] would attempt to create a very large array, then eventually produce an error message such as:

Out of memory during array extend

This memory exhaustion will cause the Perl program to exit, possibly a denial of service. In addition, the lack of memory could also prevent many other programs from successfully running on the system.

Example Four

This example does a subtraction which results in a negative result. Please note that the buffer declaration ONLY uses unsigned integers as a size specification. The result is that the negative value is interpreted as a VERY LARGE number! Very likely the size is larger than the entire computer's memory space! This calculation will usually not be quite so obvious. The calculation will either be complicated or the result of a malicious user's input to attain the negative value.

int a =5, b = 6;
size_t  len= a - b; // This is now extremely large as size_t  is unsigned
char buf[len];    // Just blew up the stack
int a =5, b = 6;
if (a <= b) { /* Log Error, exit */ }
size_t  len= a - b; // This is now extremely large as size_t  is unsigned
char buf[len];    // Just blew up the stack

Example Five

This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. The buffer length ends up being -1 resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations.

int proc_msg(char *s, int msg_len)
{

  int pre_len = sizeof("preamble: ");    // Note space at the end of the string - assume all strings have preamble with space

  char buf[pre_len - msg_len];

  ... Do processing here and set status

  return status;
}
char *s = "preamble: message\n";
char *sl = strchr(s, ':');        // Number of characters up to ':' (not including space)
int jnklen = sl == NULL ? 0 : sl - s;    // If undefined pointer, use zero length
int ret_val = proc_msg ("s",  jnklen);    // Violate assumption of preamble length, end up with negative value, blow out stack
int proc_msg(char *s, int msg_len)
{

  int pre_len = sizeof("preamble: ");    // Note space at the end of the string - assume all strings have preamble with space

  if (pre_len <= msg_len) { // Log error; return error_code; }

  char buf[pre_len - msg_len];

  ... Do processing here and set status

  return status;
}
char *s = "preamble: message\n";
char *sl = strchr(s, ':');        // Number of characters up to ':' (not including space)
int jnklen = sl == NULL ? 0 : sl - s;    // If undefined pointer, use zero length
int ret_val = proc_msg ("s",  jnklen);    // Violate assumption of preamble length, end up with negative value, blow out stack

See Also

CISQ Quality Measures - Security

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

CISQ Quality Measures - Security

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.