Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes for DoS vulnerabilities in C++ #1210

Merged
merged 7 commits into from
Oct 2, 2024
Merged

Conversation

jandupej
Copy link
Contributor

The following changes are included:

  • Recursion depth is now also limited when deserializing JSON payloads in C++. Maximum depth can be set with bond::SetDeserializeMaxDepth.
  • When deserializing containers in C++, arrays are now preallocated only after it is verified that there is enough data in the buffer to fill the array. If the expected serialized size cannot be calculated, a growing array is used to prevent excessive memory allocations using malicious payloads.
  • bond::CoreException is now thrown when deseralizing an object whose declared size exceeds the remaining size of the payload in C++.
  • InputBuffer now throws a bond::StreamException when trying to skip beyond the end of the stream in C++.
  • Custom buffers (in C++) must now implement a CanRead method to check the remaining buffer size for reading.
  • Custom protocols (in C++) must now implement a CanReadArray method to check the remaining buffer size for reading.
  • Custom containers (in C++) must now supply reset_list and list_insert implementations to enable incrementally growing and filling the containers.
  • Documentation was updated to reflect the new API.

@jandupej jandupej self-assigned this Sep 30, 2024
Copy link
Member

@chwarr chwarr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've sent you some comments over IM about the Linux build that I, alas, cannot share here.

@jandupej
Copy link
Contributor Author

jandupej commented Oct 1, 2024

I've sent you some comments over IM about the Linux build that I, alas, cannot share here.

I fixed the gcc/clang build issues.

@jandupej jandupej merged commit c0fdc49 into master Oct 2, 2024
1 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants