CWE-835 不可达退出条件的循环(无限循环)
Loop with Unreachable Exit Condition ('Infinite Loop')
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: unkown
基本描述
The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
扩展描述
If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 834 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 834 cwe_View_ID: 1003 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 834 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Availability | ['DoS: Resource Consumption (CPU)', 'DoS: Resource Consumption (Memory)', 'DoS: Amplification'] | An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or cause a long time to respond. |
示例代码
例
In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to continue trying to establish the connection to the server when an attempt fails.
bad C
int servsock;
int connected;
struct sockaddr_in servaddr;
// create socket to connect to server
servsock = socket( AF_INET, SOCK_STREAM, 0);
memset( &servaddr, 0, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(port);
servaddr.sin_addr.s_addr = inet_addr(hostaddr);
do {
// establish connection to server
connected = connect(servsock, (struct sockaddr )&servaddr, sizeof(servaddr));
// if connected then read and process messages from server
if (connected > -1) {
// read and process messages
...
// keep trying to establish connection to the server
} while (connected < 0);
// close socket and return success or failure
...
However, this will create an infinite loop if the server does not respond. This infinite loop will consume system resources and can be used to create a denial of service attack. To resolve this a counter should be used to limit the number of attempts to establish a connection to the server, as in the following code.
good C
// initialize number of attempts counter
int count = 0;
do {
// establish connection to server
connected = connect(servsock, (struct sockaddr )&servaddr, sizeof(servaddr));
// increment counter
count++;
// if connected then read and process messages from server
if (connected > -1) {
// read and process messages
...
// keep trying to establish connection to the server
// up to a maximum number of attempts
} while (connected < 0 && count < MAX_ATTEMPTS);
// close socket and return success or failure
...
例
For this example the method isReorderNeeded as part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.
bad Java
boolean isReorder = false;
int minimumCount = 10;
int days = 0;
// get inventory count for book
int inventoryCount = inventory.getIventoryCount(bookISBN);
// find number of days until inventory count reaches minimum
while (inventoryCount > minimumCount) {
inventoryCount = inventoryCount - rateSold;
days++;
// if number of days within reorder timeframe
// set reorder return boolean to true
if (days > 0 && days < 5) {
return isReorder;
However, the while loop will become an infinite loop if the rateSold input parameter has a value of zero since the inventoryCount will never fall below the minimumCount. In this case the input parameter should be validated to ensure that a value of zero does not cause an infinite loop,as in the following code.
good Java
// validate rateSold variable
if (rateSold < 1) {
...
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2011-1027 | Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1027 |
| CVE-2011-1142 | Chain: self-referential values in recursive definitions lead to infinite loop. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1142 |
| CVE-2011-1002 | NULL UDP packet is never cleared from a queue, leading to infinite loop. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1002 |
| CVE-2010-4476 | Floating point conversion routine cycles back and forth between two different values. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476 |
| CVE-2010-4645 | Floating point conversion routine cycles back and forth between two different values. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4645 |
| CVE-2010-2534 | Chain: improperly clearing a pointer in a linked list leads to infinite loop. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2534 |
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| OMG ASCSM | ASCSM-CWE-835 |