[Forgot Password]
Login  Register Subscribe

23631

 
 

115083

 
 

97389

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Loop with Unreachable Exit Condition ('Infinite Loop')

ID: 835Date: (C)2012-05-14   (M)2012-11-08
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base





Description

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Extended Description

If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

Applicable Platforms
Language Class: Language-independent

Common Consequences

ScopeTechnical ImpactNotes
Availability
 
DoS: resource consumption (CPU)
DoS: resource consumption (memory)
DoS: amplification
 
An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or cause a long time to respond.
 

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWETypeViewChain
CWE-835 ChildOf CWE-834 Weakness CWE-1000
CWE-699 
 

Demonstrative Examples   (Details)

  1. For this example the method isReorderNeeded as part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.
  2. In the following code the method processMessagesFromServer attempts to establish a connection to a server and read and process messages from the server. The method uses a do/while loop to continue trying to establish the connection to the server when an attempt fails.

Observed Examples

  1. CVE-2011-1027 : Chain: off-by-one error leads to infinite loop using invalid hex-encoded characters.
  2. CVE-2011-1142 : Chain: self-referential values in recursive definitions lead to infinite loop.
  3. CVE-2011-1002 : NULL UDP packet is never cleared from a queue, leading to infinite loop.
  4. CVE-2010-4476 : Floating point conversion routine cycles back and forth between two different values.
  5. CVE-2010-4645 : Floating point conversion routine cycles back and forth between two different values.
  6. CVE-2010-2534 : Chain: improperly clearing a pointer in a linked list leads to infinite loop.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings
None

References:

  1. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 7, "Looping Constructs", Page 327.'. Published on 2006.

© 2013 SecPod Technologies