Uncontrolled Recursion| ID: 674 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The product does not properly control the amount of recursion
that takes place, which consumes excessive resources, such as allocated memory
or the program stack.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Availability | DoS: resource consumption
(CPU)DoS: resource consumption
(memory) | Resources including CPU, memory, and stack memory could be rapidly
consumed or exhausted, eventually leading to an exit or crash. |
| Confidentiality | Read application
data | In some cases, an application's interpreter might kill a process or
thread that appears to be consuming too much resources, such as with
PHP's memory_limit setting. When the interpreter kills the
process/thread, it might report an error containing detailed information
such as the application's installation path. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Limit the number of recursive calls to a reasonable number. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-674 ChildOf CWE-892 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2007-1285 : Deeply nested arrays trigger stack exhaustion.
- CVE-2007-3409 : Self-referencing pointers create infinite loop and resultant stack exhaustion.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| OWASP Top Ten 2004 | A9 | Denial of Service | CWE_More_Specific |
References:None
