Page History

Avoid excessive stack allocations, particularly in situations where the growth of the stack can be controlled or influenced by an attacker. See INT04-C. Enforce limits on integer values originating from tainted sources for more information on preventing attacker-controlled integers from exhausting memory.

Noncompliant Code Example

...

Code Block

bgColor	#ccccff
lang	c

int copy_file(FILE *src, FILE *dst, size_t bufsize) {
  if (bufsize == 0) {
    /* Handle error */
  }
  char *buf = (char *)malloc(bufsize);
  if (!buf) {
    return -1;/* Handle error */
  }

  while (fgets(buf, bufsize, src)) {
    if (fputs(buf, dst) == EOF) {
      /* Handle error */
    }
  }
  /* ... */
  free(buf);
  return 0;
}

...

Recommendation	Severity	Likelihood	Detectable	RepairableRemediation Cost	Priority	Level
MEM05-C	Medium	Likely	No	MediumNo	P12P6	L1L2

Automated Detection

Tainted size of variable length array

Size the - (VLA) is from an unsecure source and may be zero, negative, or too large

Size of variable-length array is zero or negative

General analysis rule

Tool

Version

Checker

Description

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

IO.TAINT.SIZE

MISC.MEM.SIZE.BAD

Tainted Allocation Size

Unreasonable Size Argument

Coverity

Include Page

	Coverity_V
	Coverity_V

STACK_USE

Can help detect single stack allocations that are dangerously large, although it will not detect excessive stack use resulting from recursion

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C1051, C1520, C3670

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

MISRA.FUNC.RECUR

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

44 S

Enhanced Enforcement

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-MEM05-a
CERT_C-MEM05-b

Do not use recursion
Ensure the size of the variable length array is in valid range

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

9035, 9070

Partially supported: reports use of variable length arrays and recursion

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rec. MEM05-C

Polyspace Bug Finder

R2016a

Checks for:

Direct or indirect function call to itself

Variable length array with nonpositive size

Tainted size of

variable

length array

PRQA QA-C

Include Page

PRQA QA-C_v

1520
3670

1051

Partially implemented

PVS-Studio

6.22

V505

Rec. partially covered.

PVS-Studio

Include Page

	PVS-Studio_V
	PVS-Studio_V

V505

Security Reviewer - Static Reviewer

Include Page

	Security Reviewer - Static Reviewer_V
	Security Reviewer - Static Reviewer_V

CPP_010

Fully implemented

Related Vulnerabilities

Stack overflow has been implicated in Toyota unintended acceleration cases, where Camry and other Toyota vehicles accelerated unexpectedly. Michael Barr testified at the trial that a stack overflow could corrupt the critical variables of the operating system, because they were located in memory adjacent to the top of the stack [Samek 2014].

...

[Loosemore 2007]

Section 3.2.5, "Automatic Storage with Variable Size"

[Samek 2014]

Are We Shooting Ourselves in the Foot with Stack Overflow?

Monday, February 17th, 2014 by Miro Samek

[Seacord 2013]

Chapter 4, "Dynamic Memory Management"

[van Sprundel 2006]

"Stack Overflow"

...