Kingdom: Code Quality
Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.
Code Correctness: Stack Exhaustion
Abstract
A program capable of creating a circular link in a data structure can cause stack exhaustion when the data structure is processed recursively.
Explanation
Using recursion is a staple for creating and managing linked data structures. Recursion also runs the risk of processing indefinitely if the data incorporates a circular link, which in turn will exhaust the stack and crash the program.
Example 1: The following code snippet demonstrates this vulnerability using Apache Log4j2.
When child calls
Example 1: The following code snippet demonstrates this vulnerability using Apache Log4j2.
Marker child = MarkerManager.getMarker("child");
Marker parent = MarkerManager.getMarker("parent");
child.addParents(parent);
parent.addParents(child);
String toInfinity = child.toString();
When child calls
toString(), which includes a recursive processing method, it triggers a stack overflow exception (stack exhaustion). This exception occurs due to the circular link between child and parent.References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] Standards Mapping - Common Weakness Enumeration CWE ID 674
[3] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective C.3.3 - Web Software Attack Mitigation
desc.controlflow.java.code_correctness_stack_exhaustion