Limit STVar recursion during deserialization (RIPD-1603):

Constructing deeply nested objects could allow an attacker to
cause a server to overflow its available stack.

We now enforce a 10-deep nesting limit, and signal an error
if we encounter objects that are nested deeper.

Acknowledgements:
Ripple thanks Guido Vranken for responsibly disclosing this
issue.

Bug Bounties and Responsible Disclosures:
We welcome reviews of the rippled codebase and urge reviewers
to responsibly disclose any issues that they may find. For
more on Ripple's Bug Bounty program, please visit
https://ripple.com/bug-bounty
This commit is contained in:
Howard Hinnant
2018-03-03 09:02:22 -05:00
committed by Nikolaos D. Bougalis
parent 9af994ceb4
commit 881cd4cfad
8 changed files with 1323 additions and 109 deletions


@@ -63,7 +63,7 @@ STArray::STArray (SField const& f, int n)
v_.reserve(n);
}
STArray::STArray (SerialIter& sit, SField const& f)
STArray::STArray (SerialIter& sit, SField const& f, int depth)
: STBase(f)
{
while (!sit.empty ())
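Review bot: the new `int depth` parameter on `STArray::STArray (SerialIter& sit, SField const& f, int depth)` is not checked anywhere in the lines shown here, so the 10-deep limit from the commit message depends entirely on whatever the loop body constructs. Either test `depth` at the top of this constructor and throw before reading from `sit`, or add a comment naming the constructor that enforces the limit. The parameter also needs a one-line description of what it counts and which value a top-level caller is expected to pass.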
@@ -97,8 +97,7 @@ STArray::STArray (SerialIter& sit, SField const& f)
Throw<std::runtime_error> ("Non-object in array");
}
v_.emplace_back(fn);
v_.back().set (sit, 1);
v_.emplace_back(sit, fn, depth+1);
if (v_.back().setTypeFromSField (fn) == STObject::typeSetFail)
{
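Review bot: `v_.emplace_back(sit, fn, depth+1)` has no visible test coverage, and it is the line that matters most, because the replaced `v_.back().set (sit, 1)` passed the constant 1 where the new code passes `depth+1`. Please add a regression case that alternates arrays and objects past the limit and expects an error, plus one at exactly the limit that still parses, to pin down off-by-one behaviour. A short comment on the `depth+1` line stating that array elements count as a nesting level would keep a later refactor from reintroducing a constant here.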