CME-1311

Input Size and Quantity Bounds Enforcement

Description

Validates that user-supplied quantities — sizes, counts, lengths, offsets, indices, and repetition factors — fall within expected bounds before they are used in memory allocation, loop iteration, or buffer operations. Values that are negative, zero when unexpected, or above a configured maximum are rejected. The check is applied at the protocol parsing layer, before data reaches processing logic. This prevents integer overflow chains (where an oversized count wraps to a small value and bypasses bounds checks) and resource exhaustion attacks (where an unbounded count causes excessive allocation or iteration). It is the root-cause control for vulnerabilities in which the attacker controls a size or count field in a binary protocol, serialized format, or API parameter.
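
The check described above, as an added example that is not part of the original catalog entry: a header validator for a length-prefixed record, shown next to the unchecked multiplication it replaces. The wire format, the limits MAX_COUNT and MAX_ELEM_SIZE, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wire format, constructed for this example:
 *   u32 count | u32 elem_size | count * elem_size payload bytes (big-endian) */
#define HDR_LEN       8u
#define MAX_COUNT     1024u  /* assumed configured maximum */
#define MAX_ELEM_SIZE 4096u  /* assumed configured maximum */

enum parse_status { PARSE_OK, ERR_TRUNCATED, ERR_ZERO, ERR_TOO_LARGE, ERR_OVERRUN };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* What an unchecked parser computes: the 32-bit product wraps silently. */
uint32_t naive_total(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Validate both quantities before any allocation, loop, or copy uses them.
 * On PARSE_OK, *payload_len is count * elem_size, has not wrapped, and lies
 * within the bytes actually received. */
enum parse_status validate_header(const uint8_t *buf, size_t len, size_t *payload_len) {
    if (len < HDR_LEN) return ERR_TRUNCATED;
    /* Fields are read as unsigned, so an encoded "negative" value such as
     * 0xFFFFFFFF shows up as a huge number and fails the maximum check. */
    uint32_t count = read_be32(buf);
    uint32_t elem_size = read_be32(buf + 4);
    if (count == 0 || elem_size == 0) return ERR_ZERO;
    if (count > MAX_COUNT || elem_size > MAX_ELEM_SIZE) return ERR_TOO_LARGE;
    /* Multiply in 64 bits so the product cannot wrap even if the caps change. */
    uint64_t total = (uint64_t)count * elem_size;
    if (total > len - HDR_LEN) return ERR_OVERRUN;
    *payload_len = (size_t)total;
    return PARSE_OK;
}

int main(void) {
    /* Constructed sample: count = 0x40000001, elem_size = 4, no payload. */
    const uint8_t oversized[8] = {0x40, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04};
    size_t n = 0;
    printf("naive total: %u\n", (unsigned)naive_total(0x40000001u, 4u));
    printf("validate_header: %d\n", (int)validate_header(oversized, sizeof oversized, &n));
    return 0;
}
```

The unchecked product for the constructed header is 4, which would pass a later "total fits in buffer" test; the validator rejects the same header on the count field alone.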

CVSS Vector Impacts

Metric | Transition | Rationale
Attack Complexity (AC) | L → H | Malicious size or count values are rejected before reaching allocation or copy operations; the attacker must find a quantity field that bypasses validation or an alternative code path that does not enforce bounds

CWE Relationships

Verification

Verify that the application enforces maximum size limits on user-supplied quantity fields and rejects values outside expected ranges

$ curl -s -o /dev/null -w "%{http_code}" -H "Content-Length: 999999999" -d @/dev/null https://app/api/upload
# Expected: 413 (Payload Too Large)
Platform: linux
$ grep -r "max_.*size\|MAX_.*SIZE\|max_.*length\|MAX_.*LEN\|max_.*count\|MAX_.*COUNT\|LimitRequest" /etc/nginx/nginx.conf /etc/httpd/conf/httpd.conf 2>/dev/null | head -5
# Expected: configured size limits present
Platform: linux