Limit STVar recursion during deserialization (RIPD-1603):

Constructing deeply nested objects could allow an attacker to
cause a server to overflow its available stack.

We now enforce a 10-deep nesting limit, and signal an error
if we encounter objects that are nested deeper.

Acknowledgements:
Ripple thanks Guido Vranken for responsibly disclosing this
issue.

Bug Bounties and Responsible Disclosures:
We welcome reviews of the rippled codebase and urge reviewers
to responsibly disclose any issues that they may find. For
more on Ripple's Bug Bounty program, please visit
https://ripple.com/bug-bounty
This commit is contained in:
Howard Hinnant
2018-03-03 09:02:22 -05:00
committed by Nikolaos D. Bougalis
parent d5f981f5fc
commit 40dc6b1458
8 changed files with 1323 additions and 109 deletions

@@ -67,11 +67,13 @@ STObject::STObject (SOTemplate const& type,
setType (type);
}
STObject::STObject (SerialIter& sit, SField const& name)
STObject::STObject (SerialIter& sit, SField const& name, int depth)
: STBase(name)
, mType(nullptr)
{
set(sit, 0);
if (depth > 10)
Throw<std::runtime_error> ("Maximum nesting depth of STObject exceeded");
set(sit, depth);
}
STObject&
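Review bot: The bound in the new constructor check `if (depth > 10)` is a bare literal, and because the comparison is `>`, a depth value of 10 is still accepted. If the outermost object is constructed with depth 0, that admits eleven levels rather than the 10 the commit message states. Suggest a named constant shared with any other nesting check, plus a comment saying whether the bound is inclusive and what depth the top-level caller passes. The declaration of this constructor, and any default value for `depth`, is not visible in this hunk, so that is worth checking alongside.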
@@ -206,7 +208,7 @@ bool STObject::set (SerialIter& sit, int depth)
}
// Unflatten the field
v_.emplace_back(sit, fn);
v_.emplace_back(sit, fn, depth+1);
// If the object type has a known SOTemplate then set it.
STObject* const obj = dynamic_cast <STObject*> (&(v_.back().get()));
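Review bot: In `v_.emplace_back(sit, fn, depth+1);` the incremented depth is passed to the field constructor for every field type, but the only limit check visible in this patch is in the STObject constructor. Please confirm that every recursive path reachable from this call, including any other container type that recurses back into object parsing, both forwards `depth` and enforces the same bound. Tests that deserialize input nested exactly at the limit and one level past it would pin the behaviour and guard against a later off-by-one.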