by lmm 465 days ago
> Recursion based stack overflow issues are easier to exploit because modern computer's stack space is much smaller relative to other resources.

Sounds like a design issue in particular language implementations rather than a problem with the programming technique.


> Sounds like a design issue in particular language implementations rather than a problem with the programming technique.

You say this like these are fundamentally separable things? I find this comment deeply confusing. Every single real software stack ever has a layer where the sausage gets made so to speak.

Stack overflow should not be a vulnerability for any modern tool chain. As to resource limits, LLVM has supported segmented stacks for something like a decade or maybe longer. Recursion is absolutely not the problem here. Outdated programming practices are.

> Outdated programming practices are.

What is the outdated programming practice at fault here?

In the general case? The failure to compile with -fsplit-stack when that's necessary for whatever your requirements are. The failure to enable the stack protector when ... pretty much always.

For this particular CVE? I'm not clear. Possibly none. The writeup didn't provide sufficient detail and I haven't bothered to wade through the code. There may well be a reason recursion won't work here but it certainly isn't general.

I'd be curious to know in this case why resource limits couldn't be enforced for the recursive implementation but could be for the iterative one.
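
Added example, not written by anyone in this thread and not taken from the code behind the CVE under discussion: a recursive parser that enforces its own depth limit, so deeply nested input is rejected with an error instead of exhausting the stack. The bracket-list grammar, `MAX_DEPTH` and all function names are hypothetical, chosen only for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 64 /* assumed limit; size it to the stack budget you have */

enum parse_status { PARSE_OK = 0, PARSE_SYNTAX = -1, PARSE_TOO_DEEP = -2 };

/* Toy grammar: list := "[]" | "[" list ("," list)* "]" */
static enum parse_status parse_list(const char **p, const char *end, int depth)
{
    if (depth > MAX_DEPTH)            /* the resource limit, checked before  */
        return PARSE_TOO_DEEP;        /* any further stack frame is created  */
    if (*p >= end || **p != '[')
        return PARSE_SYNTAX;
    (*p)++;
    if (*p < end && **p == ']') { (*p)++; return PARSE_OK; }
    for (;;) {
        enum parse_status st = parse_list(p, end, depth + 1);
        if (st != PARSE_OK) return st;   /* errors unwind the recursion */
        if (*p >= end) return PARSE_SYNTAX;
        if (**p == ',') { (*p)++; continue; }
        if (**p == ']') { (*p)++; return PARSE_OK; }
        return PARSE_SYNTAX;
    }
}

enum parse_status parse_document(const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    enum parse_status st = parse_list(&p, end, 1);
    if (st == PARSE_OK && p != end) return PARSE_SYNTAX; /* trailing bytes */
    return st;
}

/* Constructed input: n opening brackets followed by n closing brackets. */
enum parse_status parse_nested(size_t n)
{
    char *buf = malloc(2 * n);
    if (!buf) return PARSE_SYNTAX;    /* allocation failure: treat as failed parse */
    memset(buf, '[', n);
    memset(buf + n, ']', n);
    enum parse_status st = parse_document(buf, 2 * n);
    free(buf);
    return st;
}

int main(void) { return parse_nested(1000000) == PARSE_TOO_DEEP ? 0 : 1; }
```

The depth counter bounds stack use at roughly `MAX_DEPTH` frames regardless of input size; `-fstack-protector` and `-fsplit-stack`, mentioned above, are compiler-level measures that sit alongside this check rather than replacing it.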