Uncontrolled Memory Allocation
Weakness ID: 789 (Weakness Variant)Status: Draft
+ Description

Description Summary

The product allocates memory based on an untrusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.
+ Time of Introduction
  • Implementation
  • Architecture and Design
+ Applicable Platforms

Languages

C

C++

All

Platform Notes

Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.

+ Common Consequences
ScopeEffect
Availability

Failure to control memory allocation can result in a request for too much system memory, possibly leading to a crash of the application.

+ Likelihood of Exploit

Low

+ Demonstrative Examples

Example 1

Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.

(Bad Code)
 
unsigned int size = GetUntrustedInt();
/* ignore integer overflow (CWE-190) for this example */
unsigned int totBytes = size * sizeof(char);
char *string = (char *)malloc(totBytes);
InitializeString(string);

Suppose an attacker provides a size value of:

12345678

This will cause 305,419,896 bytes (over 291 megabytes) to be allocated for the string.

Example 2

Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.

(Bad Code)
 
unsigned int size = GetUntrustedInt();
HashMap list = new HashMap(size);

The HashMap constructor will verify that the initial capacity is not negative, however there is no check in place to verify that sufficient memory is present. If the attacker provides a large enough value, the application will run into an OutOfMemoryError.

Example 3

The following code obtains an untrusted number that it used as an index into an array of messages.

(Bad Code)
Example Language: Perl 
my $num = GetUntrustedNumber();
my @messages = ();

$messages[$num] = "Hello World";

The index is not validated at all (CWE-129), so it might be possible for an attacker to modify an element in @messages that was not intended. If an index is used that is larger than the current size of the array, the Perl interpreter automatically expands the array so that the large index works.

If $num is a large value such as 2147483648 (1<<31), then the assignment to $messages[$num] would attempt to create a very large array, then eventually produce an error message such as:

Out of memory during array extend

This memory exhaustion will cause the Perl program to exit, possibly a denial of service. In addition, the lack of memory could also prevent many other programs from successfully running on the system.

+ Observed Examples
ReferenceDescription
CVE-2008-1708memory consumption and daemon exit by specifying a large value in a length field
CVE-2008-0977large value in a length field leads to memory consumption and crash when no more memory is available
CVE-2006-3791large key size in game program triggers crash when a resizing function cannot allocate enough memory
CVE-2004-2589large Content-Length HTTP header value triggers application crash in instant messaging application due to failure to allocate memory
+ Potential Mitigations

Phases: Implementation; Architecture and Design

Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.

Phase: Operation

Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
Resultant
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Research Concepts1000
ChildOfWeakness BaseWeakness Base770Allocation of Resources Without Limits or Throttling
Development Concepts (primary)699
Research Concepts (primary)1000
CanPrecedeWeakness BaseWeakness Base476NULL Pointer Dereference
Research Concepts1000
CanFollowWeakness BaseWeakness Base129Improper Validation of Array Index
Research Concepts1000
+ Relationship Notes

This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
WASC35SOAP Array Abuse
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2009-10-21MITREInternal CWE Team