New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Internal parsing of tagged arrays can lead to stack overflow #185
Comments
Yes, I can see how this could be problematic. JSON parser had a similar potential case for sub-tree copying fixed recently. I'll have to think of a good way to handle this: simple depth counter could work, given that tags shouldn't really need to nest deeply. Or perhaps changing handling to use iteration & stack instead. Thank you for reporting this issue. |
Looked at possible solution and I think I know how to handle this as there is only one codepath (special tag handling for another use case does not use recursive calls). |
Great news! Yes that was my observation too, only one code path was involved. Thanks for taking this on. |
@padolph thank you for reporting it! One of those things that are obvious in hindsight, but not before :) |
Ok so end result is bit messy, due to necessary nesting ( |
It is very easy to craft CBOR tagged array data that causes a java.lang.StackOverflowError. Because the CBOR implementation of JsonParser.nextToken() recurses internally when it encounters tagged array data, there is very little the application programmer can do to protect against this exception. Suggest rethinking the recursive approach, or at least capping the max recursion depth.
For CBOR parsers that process untrusted data, this creates a serious DOS vulnerability. Most likely any CBOR parser implemented using Jackson is vulnerable to this problem.
Here is code that generates (nonsensical) CBOR data that crashes the JVM with a StackOverflowError. I am currently using jackson-dataformat-cbor-2.9.9
This program will try many values of array recursion depth until the JVM crashes. On my laptop this happens around 'level' 10000.
The text was updated successfully, but these errors were encountered: