Skip to content

Fix: Denial of Service (Stack Overflow & O(N^2) CPU) in OptionConverter #590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
OxBat wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix: Denial of Service (Stack Overflow & O(N^2) CPU) in OptionConverter #590

OxBat wants to merge 2 commits into from

Conversation

@OxBat
Copy link

@OxBat OxBat commented Jan 27, 2026

Summary

I identified a Denial of Service vulnerability in OptionConverter::substVars.
The component handles variable substitution (e.g., ${key}) recursively.

The Issues:

  1. Stack Overflow (Crash): substVarsSafely is recursive but had no depth limit. A configuration with deeply nested variables (e.g., 20,000 levels) caused a Segmentation Fault.
  2. Algorithmic Complexity (Freeze): The cycle detection logic used a linked list (LogStringChain) that required traversing the parent chain at every step, resulting in O(N^2) complexity.

The Fix:
I refactored the internal substVarsSafely function:

  1. Replaced the custom LogStringChain linked list with a std::vector<LogString> for history tracking (faster lookup).
  2. Added a MAX_SUBST_DEPTH (20). If recursion exceeds this depth, it stops and logs a warning, preventing the crash.

@OxBat
Fix Denial of Service in OptionConverter (Recursion Limit & Algorithm…
46153d6 
…ic Complexity)

The variable substitution logic lacked a recursion depth limit, leading to
Stack Overflow crashes with deeply nested variables.
The cycle detection was also implemented using a linked list with O(N^2) complexity.
This patch replaces the linked list with a std::vector and enforces a recursion depth limit of 20.
@rm5248
Copy link
Contributor

rm5248 commented Jan 29, 2026

can you add a unit test to ensure that this is working correctly? This unit test can be added to the already existing optioncovertertestcase.cpp

@rm5248
Copy link
Contributor

rm5248 commented Jan 29, 2026

there's actually already a test case for recursive:

logging-log4cxx/src/test/cpp/helpers/optionconvertertestcase.cpp

Line 149 in 28a443e

void varSubstRecursiveReferenceTest()

Why is that test not failing, or is that test not properly catching the problem that this is fixing?

@OxBat
add unit test for recursion depth limit
7a376ce 
Added a test to ensure recursion stops at the defined depth limit.
@OxBat
Copy link
Author

OxBat commented Jan 29, 2026

The existing test only catches circular dependencies (loops). My fix targets stack overflows caused by deep recursion without loops.

I just added varSubstDepthLimitTest to cover this specific case (it builds a chain of 25 items to ensure we stop gracefully at the limit).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@OxBat @rm5248