1. Home
  2. CWE Database
  3. CWE-770
Base · Medium

CWE-770: Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

CWE-770 · Base Level ·10 CVEs ·9 Mitigations

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Potential Impact

Availability

DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

Demonstrative Examples

This code allocates a socket and forks each time it receives a new connection.
Bad
sock=socket(AF_INET, SOCK_STREAM, 0);while (1) {newsock=accept(sock, ...);printf("A connection has been accepted\n");pid = fork();}
The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely.
In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the data, the openFileToWrite method will validate the filename and open a file to write to on the local file system. The getNextMessage is then used within a while loop to continuously read data from the socket and output the data to the file until there is no longer any data from the socket.
Bad
int writeDataFromSocketToFile(char *host, int port){
                        
                           char filename[FILENAME_SIZE];char buffer[BUFFER_SIZE];int socket = openSocketConnection(host, port);
                           if (socket < 0) {printf("Unable to open socket connection");return(FAIL);}if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) {
                              if (openFileToWrite(filename) > 0) {
                                    while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0){if (!(writeToFile(buffer) > 0))break;
                                       }
                                 }closeFile();
                           }closeSocket(socket);
                     }
This example creates a situation where data can be dumped to a file on the local file system without any limits on the size of the file. This could potentially exhaust file or disk resources and/or limit other clients' ability to access the service.
In the following example, the processMessage method receives a two dimensional character array containing the message to be processed. The two-dimensional character array contains the length of the message in the first character array and the message body in the second character array. The getMessageLength method retrieves the integer value of the length from the first character array. After validating that the message length is greater than zero, the body character array pointer points to the start of the second character array of the two-dimensional character array and memory is allocated for the new body character array.
Bad
/* process message accepts a two-dimensional character array of the form [length][body] containing the message to be processed */
                     int processMessage(char **message){
                        char *body;
                           int length = getMessageLength(message[0]);
                           if (length > 0) {body = &message[1][0];processMessageBody(body);return(SUCCESS);}else {printf("Unable to process message; invalid message length");return(FAIL);}
                     }
This example creates a situation where the length of the body character array can be very large and will consume excessive memory, exhausting system resources. This can be avoided by restricting the length of the second character array with a maximum length check
Also, consider changing the type from 'int' to 'unsigned int', so that you are always guaranteed that the number is positive. This might not be possible if the protocol specifically requires allowing negative values, or if you cannot control the return value from getMessageLength(), but it could simplify the check to ensure the input is positive, and eliminate other errors such as signed-to-unsigned conversion errors (CWE-195) that may occur elsewhere in the code.
Good
unsigned int length = getMessageLength(message[0]);if ((length > 0) && (length < MAX_LENGTH)) {...}
In the following example, a server object creates a server socket and accepts client connections to the socket. For every client connection to the socket a separate thread object is generated using the ClientSocketThread class that handles request made by the client through the socket.
Bad
public void acceptConnections() {
                     
                        try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);t.start();}serverSocket.close();
                           
                           } catch (IOException ex) {...}
                     }
In this example there is no limit to the number of client connections and client threads that are created. Allowing an unlimited number of client connections and threads could potentially overwhelm the system and system resources.
The server should limit the number of client connections and the client threads that are created. This can be easily done by creating a thread pool object that limits the number of threads that are generated.
Good
public static final int SERVER_PORT = 4444;public static final int MAX_CONNECTIONS = 10;...
                     public void acceptConnections() {
                     
                        try {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {hasConnections = checkForMoreConnections();Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + ":" + counter++);ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS);pool.execute(t);}serverSocket.close();
                           
                           } catch (IOException ex) {...}
                     }

Mitigations & Prevention

Requirements

Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.

Architecture and Design

Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.

Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result set

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Architecture and Design

Mitigation of resource exhaustion attacks requires that the target system either: The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution can be difficult to effectively institu

Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Architecture and DesignImplementation

If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and ha

OperationArchitecture and Design

Use quotas or other resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation o

Detection Methods

  • Manual Static Analysis — Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may n
  • Fuzzing Opportunistic — While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual
  • Automated Dynamic Analysis — Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short t
  • Automated Static Analysis — Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources su

Real-World CVE Examples

CVE IDDescription
CVE-2019-19911Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow
CVE-2009-4017Language interpreter does not restrict the number of temporary files being created when handling a MIME request with a large number of parts..
CVE-2009-2726Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.
CVE-2009-2540Large integer value for a length property in an object causes a large amount of memory allocation.
CVE-2009-2054Product allows exhaustion of file descriptors when processing a large number of TCP packets.
CVE-2008-5180Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.
CVE-2008-1700Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.
CVE-2005-4650CMS does not restrict the number of searches that can occur simultaneously, leading to resource exhaustion.
CVE-2020-15100web application scanner attempts to read an excessively large file created by a user, causing process termination
CVE-2020-7218Go-based workload orchestrator does not limit resource usage with unauthenticated connections, allowing a DoS by flooding the service

CWE-400: Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

CWE-665: Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected s...

Taxonomy Mappings

  • The CERT Oracle Secure Coding Standard for Java (2011): FIO04-J — Close resources when they are no longer needed
  • The CERT Oracle Secure Coding Standard for Java (2011): SER12-J — Avoid memory and resource leaks during serialization
  • The CERT Oracle Secure Coding Standard for Java (2011): MSC05-J — Do not exhaust heap space
  • ISA/IEC 62443: Part 4-2 — Req CR 7.2
  • ISA/IEC 62443: Part 4-2 — Req CR 2.7
  • ISA/IEC 62443: Part 4-1 — Req SI-1
  • ISA/IEC 62443: Part 4-1 — Req SI-2
  • ISA/IEC 62443: Part 3-3 — Req SR 7.2
  • ISA/IEC 62443: Part 3-3 — Req SR 2.7

Frequently Asked Questions

What is CWE-770?

CWE-770 (Allocation of Resources Without Limits or Throttling) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

How can CWE-770 be exploited?

Attackers can exploit CWE-770 (Allocation of Resources Without Limits or Throttling) to dos: resource consumption (cpu), dos: resource consumption (memory), dos: resource consumption (other). This weakness is typically introduced during the Architecture and Design, Implementation, Operation, System Configuration phase of software development.

How do I prevent CWE-770?

Key mitigations include: Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.

What is the severity of CWE-770?

CWE-770 is classified as a Base-level weakness (Medium abstraction). It has been observed in 10 real-world CVEs.