CWE-789: Memory Allocation with Excessive Size Value

Intro: Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.

Body: Suppose an attacker provides a size value of:

unsigned int size = GetUntrustedInt(); /* ignore integer overflow (CWE-190) for this example */ unsigned int totBytes = size * sizeof(char); char *string = (char *)malloc(totBytes); InitializeString(string);

Intro: Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.

Body: The HashMap constructor will verify that the initial capacity is not negative, however there is no check in place to verify that sufficient memory is present. If the attacker provides a large enough value, the application will run into an OutOfMemoryError.

unsigned int size = GetUntrustedInt(); HashMap list = new HashMap(size);

Intro: This code performs a stack allocation based on a length calculation.

Body: Since a and b are declared as signed ints, the "a - b" subtraction gives a negative result (-1). However, since len is declared to be unsigned, len is cast to an extremely large positive number (on 32-bit systems - 4294967295). As a result, the buffer buf[len] declaration uses an extremely large size to allocate on the stack, very likely more than the entire computer's memory space.

int a = 5, b = 6; size_t len = a - b; char buf[len];    // Just blows up the stack }

Intro: This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action.

Body: The buffer length ends up being -1, resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations.

int proc_msg(char *s, int msg_len) { // Note space at the end of the string - assume all strings have preamble with space int pre_len = sizeof("preamble: "); char buf[pre_len - msg_len]; ... Do processing here if we get this far } char *s = "preamble: message\n"; char *sl = strchr(s, ':');        // Number of characters up to ':' (not including space) int jnklen = sl == NULL ? 0 : sl - s;    // If undefined pointer, use zero length int ret_val = proc_msg ("s",  jnklen);    // Violate assumption of preamble length, end up with negative value, blow out stack

Intro: The following code obtains an untrusted number that is used as an index into an array of messages.

Body: The index is not validated at all (CWE-129), so it might be possible for an attacker to modify an element in @messages that was not intended. If an index is used that is larger than the current size of the array, the Perl interpreter automatically expands the array so that the large index works.

my $num = GetUntrustedNumber(); my @messages = (); $messages[$num] = "Hello World";

Intro: This example shows a typical attempt to parse a string with an error resulting from a difference in assumptions between the caller to a function and the function's action. The buffer length ends up being -1 resulting in a blown out stack. The space character after the colon is included in the function calculation, but not in the caller's calculation. This, unfortunately, is not usually so obvious but exists in an obtuse series of calculations.

int proc_msg(char *s, int msg_len) { int pre_len = sizeof("preamble: ");    // Note space at the end of the string - assume all strings have preamble with space char buf[pre_len - msg_len]; ... Do processing here and set status return status; } char *s = "preamble: message\n"; char *sl = strchr(s, ':');        // Number of characters up to ':' (not including space) int jnklen = sl == NULL ? 0 : sl - s;    // If undefined pointer, use zero length int ret_val = proc_msg ("s",  jnklen);    // Violate assumption of preamble length, end up with negative value, blow out stack