Resource exhaustion

From OWASP
Revision as of 13:32, 30 September 2008 by KirstenS (Talk | contribs)


In Java:

class Worker implements Executor {
  ...
  // Accepts every Runnable it is given; no limit is placed on how many.
  public void execute(Runnable r) {
    try {
      ...
    }
    catch (InterruptedException ie) { // postpone response
      Thread.currentThread().interrupt();
    }
  }

  public Worker(Channel ch, int nworkers) {
    ...
  }

  protected void activate() {
    Runnable loop = new Runnable() {
      public void run() {
        try {
          for (;;) {
            Runnable r = ...;
            r.run();
          }
        }
        catch (InterruptedException ie) {...}
      }
    };
    new Thread(loop).start();
  }
}

In C/C++:

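#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  int sock, newsock;
  pid_t pid;
  sock = socket(AF_INET, SOCK_STREAM, 0);
  while (1) {
    newsock = accept(sock, ...);
    printf("A connection has been accepted\n");
    pid = fork();  /* one new process per connection, with no upper bound */
  }
}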

Neither example places a limit on the number of runnables or forked processes it creates. An attacker could potentially cause resource problems very quickly.



Related Attacks


Related Vulnerabilities

Related Controls

  • Design: Design throttling mechanisms into the system architecture.
  • Design: Ensure that protocols have specific limits of scale placed on them.
  • Implementation: Ensure that all failures in resource allocation place the system into a safe posture.
  • Implementation: Fail safely when a resource exhaustion occurs.
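One way to apply the throttling and fail-safe controls listed above to the fork-per-connection loop, as an added example that is not part of the original OWASP page. The names `MAX_CHILDREN`, `spawn_limited` and `run_burst`, the cap of 4, and the pipe-based stand-in for a slow client are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_CHILDREN 4          /* assumed cap; size it to the host */
static int active_children = 0;

/* Collect children that have already exited, without blocking. */
static void reap_children(void) {
  while (active_children > 0 && waitpid(-1, NULL, WNOHANG) > 0)
    active_children--;
}

/* Start a child for one connection. Returns 1 if started, 0 if refused
 * because the cap is reached or fork() itself failed. */
int spawn_limited(int conn_fd, void (*handler)(int)) {
  reap_children();
  if (active_children >= MAX_CHILDREN)
    return 0;                   /* throttle: caller closes conn_fd */
  pid_t pid = fork();
  if (pid < 0)
    return 0;                   /* allocation failed: refuse, keep serving */
  if (pid == 0) { handler(conn_fd); _exit(0); }
  active_children++;
  return 1;
}

/* Constructed stand-in for a slow client: hold the slot until a byte arrives. */
static void hold_until_released(int fd) {
  char c;
  if (read(fd, &c, 1) < 0) _exit(1);
}

/* Simulate a burst of n connections; returns how many were admitted. */
int run_burst(int n) {
  int p[2], i, admitted = 0;
  if (pipe(p) != 0) return -1;
  for (i = 0; i < n; i++)
    admitted += spawn_limited(p[0], hold_until_released);
  for (i = 0; i < admitted; i++)
    if (write(p[1], "x", 1) != 1) break;   /* release each held child */
  while (active_children > 0 && waitpid(-1, NULL, 0) > 0)
    active_children--;
  close(p[0]); close(p[1]);
  return admitted;
}

int main(void) { printf("admitted %d of 10\n", run_burst(10)); return 0; }
```

In a real accept loop the caller would close the refused socket when `spawn_limited` returns 0, so a burst costs the server at most `MAX_CHILDREN` processes.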


Related Technical Impacts


References
