Large stack use Severity: High Technical Impact: Denial of service, unreliable execution

Q: Large stack use Severity: High Technical Impact: Denial of service, unreliable execution

Explain:

Stack: On Windows, the stack is a data structure that grows toward lower addresses and occupies one contiguous region of memory. In other words, the address of the top of the stack and the maximum capacity of the stack are fixed in advance by the system; on Windows the stack size is 2M (some say 1M; either way it is a constant decided at compile time). If the space requested exceeds the remaining stack space, an overflow is reported. The amount of space that can be obtained from the stack is therefore small.

What is stored in the heap and the stack

Stack: When a function is called, the first thing pushed onto the stack is the address of the next instruction in the calling function (the next executable statement after the call statement), followed by the function's parameters (in most C compilers, parameters are pushed from right to left), and then the function's local variables. Note that static variables are not pushed onto the stack.
When the call ends, the local variables are popped first, then the parameters, and finally the stack pointer points back to the address stored first, i.e. the next instruction in the calling function, from which the program continues running.
Heap: Usually one byte at the head of a heap block stores the block's size. The actual contents of the heap are arranged by the programmer.

Coverity Info:

Severity: High
Technical Impact: Denial of service, unreliable execution
CWE 400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Summary: The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
Details: Limited resources include memory, file system storage, database connection pool entries, or CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the software, and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system.
Remediation: Design throttling mechanisms into the system architecture. (throttling) The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. (limit the resources an unauthorized user can request) A strong authentication and access control model will help prevent such attacks from occurring in the first place. (strengthen authentication) The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. (limit database access) To further limit the potential for a DoS (Denial of Service) attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
 
Solution:
Avoid allocating an oversized array on the stack: char a[large number]
Instead, write in several passes inside a while loop, each pass writing write_len=(total_len > MAX_PAGE_SIZE)?MAX_PAGE_SIZE:total_len bytes; after each write, do offset+=write_len and total_len-=write_len until total_len reaches zero.
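The chunked-write pattern from the solution above, as an added C example that is not code from the original post. It stands a fixed page-sized stack buffer in for the large array and walks the input in pieces of at most MAX_PAGE_SIZE bytes, so stack use no longer scales with the input length. The names MAX_PAGE_SIZE, sink_t, sink_write, copy_in_pages and run_demo, the 4096-byte page size, and the uppercase transform used as stand-in "work" per page are all assumptions made for this demo.

```c
/* Added example, not from the original post: bounded stack use via paged writes. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAGE_SIZE 4096   /* assumed page size: the upper bound on per-call stack buffer */

/* In-memory sink standing in for a file or socket write (assumed helper). */
typedef struct {
    unsigned char *out;
    size_t cap;
    size_t used;
} sink_t;

/* Appends len bytes to the sink; returns how many were accepted. */
static size_t sink_write(sink_t *s, const unsigned char *buf, size_t len) {
    if (s->used + len > s->cap) len = s->cap - s->used;
    memcpy(s->out + s->used, buf, len);
    s->used += len;
    return len;
}

/* Copies total_len bytes from src to sink in pages of at most MAX_PAGE_SIZE,
 * uppercasing ASCII letters on the way so the page buffer is genuinely used.
 * The flagged pattern this replaces would be `char a[total_len];` (a VLA or
 * a huge fixed array), whose stack footprint grows with the input.
 * Returns the number of pages written, or -1 if the sink stopped accepting. */
static int copy_in_pages(const unsigned char *src, size_t total_len, sink_t *sink) {
    unsigned char page[MAX_PAGE_SIZE];   /* fixed, small stack footprint */
    size_t offset = 0;
    int pages = 0;

    while (total_len > 0) {
        size_t write_len = (total_len > MAX_PAGE_SIZE) ? MAX_PAGE_SIZE : total_len;
        for (size_t i = 0; i < write_len; i++) {
            unsigned char c = src[offset + i];
            page[i] = (c >= 'a' && c <= 'z') ? (unsigned char)(c - 32) : c;
        }
        if (sink_write(sink, page, write_len) != write_len) return -1;
        offset += write_len;      /* advance into the source */
        total_len -= write_len;   /* shrink the remaining work */
        pages++;
    }
    return pages;
}

/* Constructed test driver: fills n bytes of lowercase text (n <= 10000),
 * copies them in pages, returns the page count (or -1), and sets *all_upper
 * to 1 when every output byte is the uppercased source byte. */
static unsigned char demo_src[10000];
static unsigned char demo_out[10000];

static int run_demo(size_t n, int *all_upper) {
    *all_upper = 0;
    if (n > sizeof demo_src) return -1;
    for (size_t i = 0; i < n; i++) demo_src[i] = (unsigned char)('a' + (i % 26));

    sink_t sink = { demo_out, sizeof demo_out, 0 };
    int pages = copy_in_pages(demo_src, n, &sink);
    if (pages < 0 || sink.used != n) return pages;

    int ok = 1;
    for (size_t i = 0; i < n; i++) {
        if (demo_out[i] != (unsigned char)(demo_src[i] - 32)) { ok = 0; break; }
    }
    *all_upper = ok;
    return pages;
}

int main(void) {
    int ok = 0;
    int pages = run_demo(10000, &ok);
    /* 10000 bytes at 4096 per page -> 3 pages (4096 + 4096 + 1808) */
    printf("pages=%d all_upper=%d\n", pages, ok);
    return (pages == 3 && ok) ? 0 : 1;
}
```

The per-call stack cost is now MAX_PAGE_SIZE plus a few scalars regardless of total_len, which is exactly what removes the Coverity "Large stack use" finding; the loop's offset and total_len bookkeeping matches the solution text line for line.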