Avoid excessive stack allocations, particularly in situations where the growth of the stack can be controlled or influenced by an attacker. See INT04-C. Enforce limits on integer values originating from tainted sources for more information on preventing attacker-controlled integers from exhausting memory.
Noncompliant Code Example
The C Standard includes support for variable length arrays (VLAs). If the array length is derived from an untrusted data source, an attacker can cause the process to perform an excessive allocation on the stack.
This noncompliant code example temporarily stores data read from a source file into a buffer. The buffer is allocated on the stack as a VLA of size
bufsize can be controlled by a malicious user, this code can be exploited to cause a denial-of-service attack:
The BSD extension function
alloca() behaves in a similar fashion to VLAs; its use is not recommended [Loosemore 2007].
This compliant solution replaces the VLA with a call to
malloc() fails, the return value can be checked to prevent the program from terminating abnormally.
Noncompliant Code Example
Recursion can also lead to large stack allocations. Recursive functions must ensure that they do not exhaust the stack as a result of excessive recursions.
This noncompliant implementation of the Fibonacci function uses recursion:
The amount of stack space needed grows linearly with respect to the parameter
n. Large values of
n have been shown to cause abnormal program termination.
This implementation of the Fibonacci functions eliminates the use of recursion:
Because there is no recursion, the amount of stack space needed does not depend on the parameter
n, greatly reducing the risk of stack overflow.
Program stacks are frequently used for convenient temporary storage because allocated memory is automatically freed when the function returns. Generally, the operating system grows the stack as needed. However, growing the stack can fail because of a lack of memory or a collision with other allocated areas of the address space (depending on the architecture). When the stack is exhausted, the operating system can terminate the program abnormally. This behavior can be exploited, and an attacker can cause a denial-of-service attack if he or she can control or influence the amount of stack memory allocated.
Tainted Allocation Size
Unreasonable Size Argument
Can help detect single stack allocations that are dangerously large, although it will not detect excessive stack use resulting from recursion
|LDRA tool suite|
|44 S||Enhanced Enforcement|
Do not use recursion
|Polyspace Bug Finder|
Size of the variable-length array (VLA) is from an unsecure source and may be zero, negative, or too large
Size of variable-length array is zero or negative
Functions shall not call themselves, either directly or indirectly
1051, 1520, 2052, 3670
Stack overflow has been implicated in Toyota unintended acceleration cases, where Camry and other Toyota vehicles accelerated unexpectedly. Michael Barr testified at the trial that a stack overflow could corrupt the critical variables of the operating system, because they were located in memory adjacent to the top of the stack2014].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
|SEI CERT C++ Coding Standard||VOID MEM05-CPP. Avoid large stack allocations|
|ISO/IEC TR 24772:2013||Recursion [GDL]|
|MISRA C:2012||Rule 17.2 (required)|
|[Loosemore 2007]||Section 3.2.5, "Automatic Storage with Variable Size"|
Are We Shooting Ourselves in the Foot with Stack Overflow?
Monday, February 17th, 2014 by
|[Seacord 2013]||Chapter 4, "Dynamic Memory Management"|