Limit depth of data structures to 512

maxmind · Nov 13, 2015 · 62e424b · 62e424b
1 parent 55ebd4f
commit 62e424b
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 8 deletions.
diff --git a/Changes.md b/Changes.md
@@ -5,11 +5,17 @@
   Jan Vcelak.
 * Several segmentation faults found with afl-fuzz were fixed. These were
   caused by missing bounds checking and missing verification of data type.
+* `MMDB_get_entry_data_list` will now fail on data structures with a depth
+  greater than 512 and data structures that are cyclic. This should not
+  affect any known MaxMind DB in production. All databases produced by
+  MaxMind have a depth of less than five.
+
 
 ## 1.1.1 - 2015-07-22
 
 * Added `maxminddb-compat-util.h` as a source file to dist.
 
+
 ## 1.1.0 - 2015-07-21
 
 * Previously, when there was an error in `MMDB_open()`, `errno` would
@@ -30,6 +36,7 @@
 * We no longer install `maxminddb-compat-util.h`. This header was intended for
   internal use only.
 
+
 ## 1.0.4 - 2015-01-02
 
 * If you used a non-integer string as an array index when doing a lookup with

diff --git a/README.md b/README.md
@@ -58,7 +58,7 @@ You can clone this repository and build it by running:
 
     $ git clone --recursive https://github.com/maxmind/libmaxminddb
 
-After cloning, run `./bootstrap` from the `libmaxminddb directory and then
+After cloning, run `./bootstrap` from the `libmaxminddb` directory and then
 follow the instructions for installing from a tarball as described above.
 
 ## On Windows via Visual Studio 2013+

diff --git a/src/maxminddb.c b/src/maxminddb.c
@@ -160,7 +160,8 @@ LOCAL int get_ext_type(int raw_ext_type);
 LOCAL uint32_t get_ptr_from(uint8_t ctrl, uint8_t const *const ptr,
                             int ptr_size);
 LOCAL int get_entry_data_list(MMDB_s *mmdb, uint32_t offset,
-                              MMDB_entry_data_list_s *const entry_data_list);
+                              MMDB_entry_data_list_s *const entry_data_list,
+                              int depth);
 LOCAL float get_ieee754_float(const uint8_t *restrict p);
 LOCAL double get_ieee754_double(const uint8_t *restrict p);
 LOCAL uint32_t get_uint32(const uint8_t *p);
@@ -1469,12 +1470,18 @@ int MMDB_get_entry_data_list(
     if (NULL == *entry_data_list) {
         return MMDB_OUT_OF_MEMORY_ERROR;
     }
-    return get_entry_data_list(start->mmdb, start->offset, *entry_data_list);
+    return get_entry_data_list(start->mmdb, start->offset, *entry_data_list, 0);
 }
 
 LOCAL int get_entry_data_list(MMDB_s *mmdb, uint32_t offset,
-                              MMDB_entry_data_list_s *const entry_data_list)
+                              MMDB_entry_data_list_s *const entry_data_list,
+                              int depth)
 {
+    if (depth >= MAXIMUM_DATA_STRUCTURE_DEPTH) {
+        DEBUG_MSG("reached the maximum data structure depth");
+        return MMDB_INVALID_DATA_ERROR;
+    }
+    depth++;
     CHECKED_DECODE_ONE(mmdb, offset, &entry_data_list->entry_data);
 
     switch (entry_data_list->entry_data.type) {
@@ -1496,7 +1503,8 @@ LOCAL int get_entry_data_list(MMDB_s *mmdb, uint32_t offset,
                 || entry_data_list->entry_data.type == MMDB_DATA_TYPE_MAP) {
 
                 int status =
-                    get_entry_data_list(mmdb, last_offset, entry_data_list);
+                    get_entry_data_list(mmdb, last_offset, entry_data_list,
+                                        depth);
                 if (MMDB_SUCCESS != status) {
                     return status;
                 }
@@ -1517,7 +1525,8 @@ LOCAL int get_entry_data_list(MMDB_s *mmdb, uint32_t offset,
                 }
 
                 int status =
-                    get_entry_data_list(mmdb, array_offset, entry_data_list_to);
+                    get_entry_data_list(mmdb, array_offset, entry_data_list_to,
+                                        depth);
                 if (MMDB_SUCCESS != status) {
                     return status;
                 }
@@ -1545,7 +1554,8 @@ LOCAL int get_entry_data_list(MMDB_s *mmdb, uint32_t offset,
                 }
 
                 int status =
-                    get_entry_data_list(mmdb, offset, entry_data_list_to);
+                    get_entry_data_list(mmdb, offset, entry_data_list_to,
+                                        depth);
                 if (MMDB_SUCCESS != status) {
                     return status;
                 }
@@ -1562,7 +1572,8 @@ LOCAL int get_entry_data_list(MMDB_s *mmdb, uint32_t offset,
                     return MMDB_OUT_OF_MEMORY_ERROR;
                 }
 
-                status = get_entry_data_list(mmdb, offset, entry_data_list_to);
+                status = get_entry_data_list(mmdb, offset, entry_data_list_to,
+                                             depth);
                 if (MMDB_SUCCESS != status) {
                     return status;
                 }