CWE-1325: Improperly Controlled Sequential Memory Allocation

Description

The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.

Extended Description

While the product might limit the amount of memory that is allocated in a single operation for a single object (such as a malloc of an array), if an attacker can cause multiple objects to be allocated in separate operations, then this might cause higher total memory consumption than the developer intended, leading to a denial of service.

ThreatScore

Threat Mapped score: 1.9

Industry: Finiancial

Threat priority: P3 - Important (Medium)

Observed Examples (CVEs)

CVE: CVE-2020-36049

JavaScript-based packet decoder uses concatenation of many small strings, causing out-of-memory (OOM) condition
CVE: CVE-2019-20176

Product allocates a new buffer on the stack for each file in a directory, allowing stack exhaustion
CVE: CVE-2013-1591

Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full.

Related Attack Patterns (CAPEC)

CAPEC-130

Attack TTPs

T1499.003 — Application Exhaustion Flood (impact)

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: DoS: Resource Consumption (Memory) — Notes: Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.

Potential Mitigations

Implementation: Ensure multiple allocations of the same kind of object are properly tracked - possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary. (N/A)
Operation: Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized. (N/A)

Applicable Platforms

C (N/A, Undetermined)
C++ (N/A, Undetermined)
None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: This example contains a small allocation of stack memory. When the program was first constructed, the number of times this memory was allocated was probably inconsequential and presented no problem. Over time, as the number of objects in the database grow, the number of allocations will grow - eventually consuming the available stack, i.e. "stack exhaustion." An attacker who is able to add elements to the database could cause stack exhaustion more rapidly than assumed by the developer.

Body: Since this uses alloca(), it allocates memory directly on the stack. If end_limit is large enough, then the stack can be entirely consumed.

// Gets the size from the number of objects in a database, which over time can conceivably get very large int end_limit = get_nmbr_obj_from_db(); int i; int *base = NULL; int *p =base; for (i = 0; i < end_limit; i++) { *p = alloca(sizeof(int *)); // Allocate memory on the stack p = *p; // // Point to the next location to be saved }

Notes

No notes available.

← Back to CWE list