Read Time:1 Minute, 20 Second
Description
The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.
Modes of Introduction:
– Implementation
Related Weaknesses
CWE-770
CWE-789
CWE-476
Consequences
Availability: DoS: Resource Consumption (Memory)
Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.
Potential Mitigations
Phase: Implementation
Description:
Ensure multiple allocations of the same kind of object are properly tracked – possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Phase: Operation
Description:
Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
CVE References
- CVE-2020-36049
- JavaScript-based packet decoder uses concatenation of many small strings, causing out-of-memory (OOM) condition
- CVE-2019-20176
- Product allocates a new buffer on the stack for each file in a directory, allowing stack exhaustion
- CVE-2013-1591
- Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full.
