shared × unstructured — bad data written permanently, and it spreads
Stack Smash via Unbounded Recursion
Recursion depth driven by attacker-shaped nested input runs off the stack and corrupts adjacent memory.
01 the recipe
In the wild
compound of: Stack Overflow Bugs (CWE-674 Uncontrolled Recursion) × Unconstrained Inputs (CWE-400 Resource Exhaustion)
compound: CWE-787 OOB Write
example.c
/* SMELL: recursion depth driven by attacker-shaped nested input.
   (stack-overflow x unconstrained-inputs) */
void parse(Node *n) {
    char scratch[4096];            /* a frame, per level of nesting */
    if (n->child) parse(n->child); /* depth == nesting depth of input */
    use(scratch, n);
}
/* deeply nested input blows past the stack guard page -> smashes adjacent
   memory / crashes; in C this is memory corruption, not a clean exception. */

/* RIGHT: bound the depth at the boundary (and prefer iteration). */
void parse(Node *n, int depth) {
    if (depth > MAX_DEPTH) { reject(); return; }
    if (n->child) parse(n->child, depth + 1);
}

Each recursive call adds a frame; input nested deeper than the stack allows runs off the end. Unlike a managed runtime's clean error, in C the overrun corrupts whatever lies past the stack -- a durable, exploitable memory bug. Bound the nesting depth at the boundary.
// observed
unbounded: deep nesting overruns the stack -> memory corruption / crash
bounded: input past MAX_DEPTH rejected before recursing
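The fix above, carried through as an added example (not code from the original page): an iterative depth check at the boundary, followed by the depth-guarded recursion. The MAX_DEPTH value of 64, the Node layout, and the names depth_ok, parse_bounded, parse_input and make_chain are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEPTH 64                                /* assumed limit; the page gives no value */
typedef struct Node { struct Node *child; } Node;   /* assumed layout */

/* Boundary check: iterative walk, constant stack. Chains deeper than MAX_DEPTH
   fail, and so do cyclic chains, because the walk stops once the limit is passed. */
static int depth_ok(const Node *n) {
    for (int depth = 0; n != NULL; n = n->child, depth++)
        if (depth > MAX_DEPTH) return 0;
    return 1;
}

/* Child first, then this node, as in the page's parse(). The depth test
   stays as a second guard for callers that skip depth_ok(). */
static int parse_bounded(const Node *n, int depth, int *visited) {
    char scratch[4096];                 /* one frame buffer per level, as on the page */
    if (depth > MAX_DEPTH) return -1;
    if (n->child && parse_bounded(n->child, depth + 1, visited) != 0) return -1;
    scratch[0] = 1;                     /* stand-in for the page's use(scratch, n) */
    *visited += scratch[0];
    return 0;
}

/* Entry point: number of nodes processed, or -1 if rejected before any node is used. */
int parse_input(const Node *root) {
    int visited = 0;
    if (root == NULL || !depth_ok(root)) return -1;
    return parse_bounded(root, 0, &visited) == 0 ? visited : -1;
}

/* Constructed input: a heap-allocated chain of `levels` nested nodes. */
Node *make_chain(int levels) {
    Node *head = NULL;
    while (levels-- > 0) {
        Node *n = malloc(sizeof *n);
        if (n == NULL) abort();
        n->child = head;
        head = n;
    }
    return head;
}

int main(void) {                        /* chains are left for process exit to reclaim */
    printf("%d %d\n", parse_input(make_chain(10)), parse_input(make_chain(100000)));
    return 0;
}
```

With this limit the recursion never holds more than MAX_DEPTH + 1 frames of about 4 KiB each, so the worst-case stack use is fixed by the constant rather than by the input.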
02 weakness catalog
Mapped weaknesses (CWE)
On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.