
Commit 64e3690

committed
Patch to address the following issues:
* CVE-2013-6371: hash collision denial of service * CVE-2013-6370: buffer overflow if size_t is larger than int
1 parent 784534a commit 64e3690

11 files changed

+691
-13
lines changed

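--- a/Makefile.am
+++ b/Makefile.am
@@ -23,7 +23,8 @@ libjson_cinclude_HEADERS = \
 json_tokener.h \
 json_util.h \
 linkhash.h \
-printbuf.h
+printbuf.h \
+random_seed.h
 
 #libjsonx_includedir = $(libdir)/json-c-@VERSION@
 #
@@ -41,7 +42,8 @@ libjson_c_la_SOURCES = \
 json_tokener.c \
 json_util.c \
 linkhash.c \
-printbuf.c
+printbuf.c \
+random_seed.c
 
 
 distclean-local: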

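--- a/Makefile.am.inc
+++ b/Makefile.am.inc
@@ -1,2 +1,2 @@
-AM_CFLAGS = -Wall -Werror -Wextra -Wwrite-strings -Wno-unused-parameter -std=gnu99 -D_GNU_SOURCE -D_REENTRANT
+AM_CFLAGS = -Wall -Werror -Wno-error=deprecated-declarations -Wextra -Wwrite-strings -Wno-unused-parameter -std=gnu99 -D_GNU_SOURCE -D_REENTRANT
 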
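Review bot: Adding `-Wno-error=deprecated-declarations` to the shared AM_CFLAGS downgrades the deprecation of json_object_object_get (introduced in json_object.h in this same commit) to a warning for every translation unit in the build, not only the ones that still call it. Presumably some internal callers still use the deprecated getter; if so, migrating them to json_object_object_get_ex would let this flag be dropped again and keep -Werror meaningful for deprecations. The flag is fine for GCC and Clang, which the existing -std=gnu99 already assumes, but any other compiler honouring AM_CFLAGS may reject an unknown -Wno-error= option.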

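--- a/config.h.in
+++ b/config.h.in
@@ -1,5 +1,8 @@
 /* config.h.in. Generated from configure.ac by autoheader. */
 
+/* Enable RDRANR Hardware RNG Hash Seed */
+#undef ENABLE_RDRAND
+
 /* Define if .gnu.warning accepts long strings. */
 #undef HAS_GNU_WARNING_LONG
 
@@ -32,6 +35,9 @@
 /* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
 #undef HAVE_DOPRNT
 
+/* Define to 1 if you have the <endian.h> header file. */
+#undef HAVE_ENDIAN_H
+
 /* Define to 1 if you have the <fcntl.h> header file. */
 #undef HAVE_FCNTL_H
 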
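--- a/configure.ac
+++ b/configure.ac
@@ -7,6 +7,20 @@ AM_INIT_AUTOMAKE
 
 AC_PROG_MAKE_SET
 
+AC_ARG_ENABLE(rdrand,
+AS_HELP_STRING([--enable-rdrand],
+[Enable RDRAND Hardware RNG Hash Seed generation on supported x86/x64 platforms.]),
+[if test x$enableval = xyes; then
+enable_rdrand=yes
+AC_DEFINE(ENABLE_RDRAND, 1, [Enable RDRANR Hardware RNG Hash Seed])
+fi])
+
+if test "x$enable_rdrand" = "xyes"; then
+AC_MSG_RESULT([RDRAND Hardware RNG Hash Seed enabled on supported x86/x64 platforms])
+else
+AC_MSG_RESULT([RDRAND Hardware RNG Hash Seed disabled. Use --enable-rdrand to enable])
+fi
+
 # Checks for programs.
 
 # Checks for libraries.
@@ -16,7 +30,7 @@ AM_PROG_CC_C_O
 AC_CONFIG_HEADER(config.h)
 AC_CONFIG_HEADER(json_config.h)
 AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h limits.h strings.h syslog.h unistd.h [sys/cdefs.h] [sys/param.h] stdarg.h locale.h)
+AC_CHECK_HEADERS(fcntl.h limits.h strings.h syslog.h unistd.h [sys/cdefs.h] [sys/param.h] stdarg.h locale.h endian.h)
 AC_CHECK_HEADER(inttypes.h,[AC_DEFINE([JSON_C_HAVE_INTTYPES_H],[1],[Public define for json_inttypes.h])])
 
 # Checks for typedefs, structures, and compiler characteristics.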
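Review bot: The description argument on the line `AC_DEFINE(ENABLE_RDRAND, 1, [Enable RDRANR Hardware RNG Hash Seed])` misspells RDRAND as RDRANR, and the typo is carried into the regenerated config.h.in in this commit; it should read `AC_DEFINE(ENABLE_RDRAND, 1, [Enable RDRAND Hardware RNG Hash Seed])`. The help string promises RDRAND "on supported x86/x64 platforms", but nothing in this hunk checks the host architecture or compiler support for the instruction, so presumably the runtime or compile-time fallback lives in random_seed.c; a one-line comment next to the option saying where that decision is made would save the next reader a search. AC_MSG_RESULT is normally paired with a preceding AC_MSG_CHECKING; the bare calls here are harmless but stylistically unusual for autoconf output.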

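--- a/json_object.h
+++ b/json_object.h
@@ -13,6 +13,14 @@
 #ifndef _json_object_h_
 #define _json_object_h_
 
+#ifdef __GNUC__
+#define THIS_FUNCTION_IS_DEPRECATED(func) func __attribute__ ((deprecated))
+#elif defined(_MSC_VER)
+#define THIS_FUNCTION_IS_DEPRECATED(func) __declspec(deprecated) func
+#else
+#define THIS_FUNCTION_IS_DEPRECATED(func) func
+#endif
+
 #include "json_inttypes.h"
 
 #ifdef __cplusplus
@@ -279,8 +287,8 @@ extern void json_object_object_add(struct json_object* obj, const char *key,
 * @returns the json_object associated with the given field name
 * @deprecated Please use json_object_object_get_ex
 */
-extern struct json_object* json_object_object_get(struct json_object* obj,
-const char *key);
+THIS_FUNCTION_IS_DEPRECATED(extern struct json_object* json_object_object_get(struct json_object* obj,
+const char *key));
 
 /** Get the json_object associated with a given object field.
 *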
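Review bot: `THIS_FUNCTION_IS_DEPRECATED` is an unprefixed macro defined in an installed public header and never undefined, so it can collide with a same-named macro in any program that includes json_object.h. A library-prefixed name such as `JSON_C_DEPRECATED(func)`, matching the JSON_C_ prefix this project already uses for JSON_C_HAVE_INTTYPES_H, would avoid that. Because the macro wraps the entire declaration including `extern`, a short comment above the #ifdef block, e.g. `/* Wrap a complete function declaration to mark it deprecated where the compiler supports it. */`, would make the expected usage clear to the next person adding a deprecation.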

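--- a/json_tokener.c
+++ b/json_tokener.c
@@ -81,6 +81,7 @@ static const char* json_tokener_errors[] = {
 "object value separator ',' expected",
 "invalid string sequence",
 "expected comment",
+"buffer size overflow"
 };
 
 const char *json_tokener_error_desc(enum json_tokener_error jerr)
@@ -243,6 +244,16 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
 tok->char_offset = 0;
 tok->err = json_tokener_success;
 
+/* this interface is presently not 64-bit clean due to the int len argument
+and the internal printbuf interface that takes 32-bit int len arguments
+so the function limits the maximum string size to INT32_MAX (2GB).
+If the function is called with len == -1 then strlen is called to check
+the string length is less than INT32_MAX (2GB) */
+if ((len < -1) || (len == -1 && strlen(str) > INT32_MAX)) {
+tok->err = json_tokener_error_size;
+return NULL;
+}
+
 while (PEEK_CHAR(c, tok)) {
 
 redo_char: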
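Review bot: The new guard in json_tokener_parse_ex compares `strlen(str)` against INT32_MAX, but neither <stdint.h> nor json_inttypes.h is visible in this hunk, so confirm the constant is actually in scope in json_tokener.c; the rest of the function lies outside the hunk. If str can be NULL on this path, the len == -1 branch dereferences it inside strlen before any other check, so a `str == NULL` rejection ahead of the strlen call would be worth adding unless the existing contract already requires a non-NULL str. The string "buffer size overflow" is appended at the same position as json_tokener_error_size in enum json_tokener_error, which presumably is what keeps json_tokener_error_desc's lookup consistent; a comment on the array, `/* keep in sync with enum json_tokener_error in json_tokener.h */`, would make that coupling explicit.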

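--- a/json_tokener.h
+++ b/json_tokener.h
@@ -33,7 +33,8 @@ enum json_tokener_error {
 json_tokener_error_parse_object_key_sep,
 json_tokener_error_parse_object_value_sep,
 json_tokener_error_parse_string,
-json_tokener_error_parse_comment
+json_tokener_error_parse_comment,
+json_tokener_error_size
 };
 
 enum json_tokener_state {
@@ -163,6 +164,11 @@ extern void json_tokener_set_flags(struct json_tokener *tok, int flags);
 * responsible for calling json_tokener_parse_ex with an appropriate str
 * parameter starting with the extra characters.
 *
+* This interface is presently not 64-bit clean due to the int len argument
+* so the function limits the maximum string size to INT32_MAX (2GB).
+* If the function is called with len == -1 then strlen is called to check
+* the string length is less than INT32_MAX (2GB)
+*
 * Example:
 * @code
 json_object *jobj = NULL;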
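Review bot: The new paragraph in the json_tokener_parse_ex doc comment explains the len == -1 case but not what the caller observes when the limit is exceeded, nor that the implementation in json_tokener.c in this commit also rejects any len below -1; suggest appending ` * Any other negative len, or a len == -1 string longer than INT32_MAX, makes the call return NULL with tok->err set to json_tokener_error_size.` so callers know which error to test for. The sentence ending "less than INT32_MAX (2GB)" is missing its period. json_tokener_error_size is added at the end of enum json_tokener_error, which keeps the existing enumerator values stable for already-compiled callers; a one-line comment there, `/* append new errors here to preserve existing values */`, would stop a later addition from being inserted mid-enum.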
