CWE-674 未经控制的递归

Uncontrolled Recursion

结构: Simple

Abstraction: Class

状态: Draft

被利用可能性: unkown

基本描述

The product does not properly control the amount of recursion that takes place, which consumes excessive resources, such as allocated memory or the program stack.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 691 cwe_View_ID: 1000 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Availability ['DoS: Resource Consumption (CPU)', 'DoS: Resource Consumption (Memory)'] Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.
Confidentiality Read Application Data In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's installation path.

可能的缓解方案

Implementation

策略:

Limit the number of recursive calls to a reasonable number.

分析过的案例

标识 说明 链接
CVE-2007-1285 Deeply nested arrays trigger stack exhaustion. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
CVE-2007-3409 Self-referencing pointers create infinite loop and resultant stack exhaustion. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3409

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
OWASP Top Ten 2004 A9 CWE More Specific Denial of Service
Software Fault Patterns SFP13 Unrestricted Consumption
OMG ASCRM ASCRM-CWE-674

相关攻击模式

  • CAPEC-230
  • CAPEC-231
  • CAPEC-82
  • CAPEC-99

引用