Limit STVar recursion during deserialization (RIPD-1603):

Constructing deeply nested objects could allow an attacker to cause a server to overflow its available stack. We now enforce a 10-deep nesting limit, and signal an error if we encounter objects that are nested deeper. Acknowledgements: Ripple thanks Guido Vranken for responsibly disclosing this issues. Bug Bounties and Responsible Disclosures: We welcome reviews of the rippled codebase and urge reviewers to responsibly disclose any issues that they may find. For more on Ripple's Bug Bounty program, please visit https://ripple.com/bug-bounty
2025-12-06 17:27:52 +00:00 · 2018-03-03 09:02:22 -05:00
parent 9af994ceb4
commit 881cd4cfad
8 changed files with 1323 additions and 109 deletions
--- a/src/ripple/protocol/impl/STVar.cpp
+++ b/src/ripple/protocol/impl/STVar.cpp
@@ -108,8 +108,10 @@ STVar::STVar (nonPresentObject_t, SField const& name)
 {
 }

-STVar::STVar (SerialIter& sit, SField const& name)
+STVar::STVar (SerialIter& sit, SField const& name, int depth)
 {
+    if (depth > 10)
+        Throw<std::runtime_error> ("Maximum nesting depth of STVar exceeded");
    switch (name.fieldType)
    {
    case STI_NOTPRESENT:    construct<STBase>(name); return;
@@ -125,8 +127,8 @@ STVar::STVar (SerialIter& sit, SField const& name)
    case STI_VL:            construct<STBlob>(sit, name); return;
    case STI_ACCOUNT:       construct<STAccount>(sit, name); return;
    case STI_PATHSET:       construct<STPathSet>(sit, name); return;
-    case STI_OBJECT:        construct<STObject>(sit, name); return;
-    case STI_ARRAY:         construct<STArray>(sit, name); return;
+    case STI_OBJECT:        construct<STObject>(sit, name, depth); return;
+    case STI_ARRAY:         construct<STArray>(sit, name, depth); return;
    default:
        Throw<std::runtime_error> ("Unknown object type");
    }