Patch to address the following issues:

* CVE-2013-6371: hash collision denial of service * CVE-2013-6370: buffer overflow if size_t is larger than int
StatiXOS · Apr 9, 2014 · 64e3690 · 64e3690
1 parent 784534a
commit 64e3690
Show file tree

Hide file tree

Showing 11 changed files with 691 additions and 13 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -23,7 +23,8 @@ libjson_cinclude_HEADERS = \
 	json_tokener.h \
 	json_util.h \
 	linkhash.h \
-	printbuf.h
+	printbuf.h \
+	random_seed.h
 
 #libjsonx_includedir = $(libdir)/json-c-@VERSION@
 #
@@ -41,7 +42,8 @@ libjson_c_la_SOURCES = \
 	json_tokener.c \
 	json_util.c \
 	linkhash.c \
-	printbuf.c
+	printbuf.c \
+	random_seed.c
 
 
 distclean-local:

diff --git a/Makefile.am.inc b/Makefile.am.inc
@@ -1,2 +1,2 @@
-AM_CFLAGS = -Wall -Werror -Wextra -Wwrite-strings -Wno-unused-parameter -std=gnu99 -D_GNU_SOURCE -D_REENTRANT
+AM_CFLAGS = -Wall -Werror -Wno-error=deprecated-declarations -Wextra -Wwrite-strings -Wno-unused-parameter -std=gnu99 -D_GNU_SOURCE -D_REENTRANT
 
diff --git a/config.h.in b/config.h.in
@@ -1,5 +1,8 @@
 /* config.h.in.  Generated from configure.ac by autoheader.  */
 
+/* Enable RDRANR Hardware RNG Hash Seed */
+#undef ENABLE_RDRAND
+
 /* Define if .gnu.warning accepts long strings. */
 #undef HAS_GNU_WARNING_LONG
 
@@ -32,6 +35,9 @@
 /* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
 #undef HAVE_DOPRNT
 
+/* Define to 1 if you have the <endian.h> header file. */
+#undef HAVE_ENDIAN_H
+
 /* Define to 1 if you have the <fcntl.h> header file. */
 #undef HAVE_FCNTL_H
 

diff --git a/configure.ac b/configure.ac
@@ -7,6 +7,20 @@ AM_INIT_AUTOMAKE
 
 AC_PROG_MAKE_SET
 
+AC_ARG_ENABLE(rdrand,
+ AS_HELP_STRING([--enable-rdrand],
+   [Enable RDRAND Hardware RNG Hash Seed generation on supported x86/x64 platforms.]),
+[if test x$enableval = xyes; then
+  enable_rdrand=yes
+  AC_DEFINE(ENABLE_RDRAND, 1, [Enable RDRANR Hardware RNG Hash Seed])
+fi])
+
+if test "x$enable_rdrand" = "xyes"; then
+  AC_MSG_RESULT([RDRAND Hardware RNG Hash Seed enabled on supported x86/x64 platforms])
+else
+  AC_MSG_RESULT([RDRAND Hardware RNG Hash Seed disabled. Use --enable-rdrand to enable])
+fi
+
 # Checks for programs.
 
 # Checks for libraries.
@@ -16,7 +30,7 @@ AM_PROG_CC_C_O
 AC_CONFIG_HEADER(config.h)
 AC_CONFIG_HEADER(json_config.h)
 AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h limits.h strings.h syslog.h unistd.h [sys/cdefs.h] [sys/param.h] stdarg.h locale.h)
+AC_CHECK_HEADERS(fcntl.h limits.h strings.h syslog.h unistd.h [sys/cdefs.h] [sys/param.h] stdarg.h locale.h endian.h)
 AC_CHECK_HEADER(inttypes.h,[AC_DEFINE([JSON_C_HAVE_INTTYPES_H],[1],[Public define for json_inttypes.h])])
 
 # Checks for typedefs, structures, and compiler characteristics.

diff --git a/json_object.h b/json_object.h
@@ -13,6 +13,14 @@
 #ifndef _json_object_h_
 #define _json_object_h_
 
+#ifdef __GNUC__
+#define THIS_FUNCTION_IS_DEPRECATED(func) func __attribute__ ((deprecated))
+#elif defined(_MSC_VER)
+#define THIS_FUNCTION_IS_DEPRECATED(func) __declspec(deprecated) func
+#else
+#define THIS_FUNCTION_IS_DEPRECATED(func) func
+#endif
+
 #include "json_inttypes.h"
 
 #ifdef __cplusplus
@@ -279,8 +287,8 @@ extern void json_object_object_add(struct json_object* obj, const char *key,
  * @returns the json_object associated with the given field name
  * @deprecated Please use json_object_object_get_ex
  */
-extern struct json_object* json_object_object_get(struct json_object* obj,
-						  const char *key);
+THIS_FUNCTION_IS_DEPRECATED(extern struct json_object* json_object_object_get(struct json_object* obj,
+						  const char *key));
 
 /** Get the json_object associated with a given object field.  
  *

diff --git a/json_tokener.c b/json_tokener.c
@@ -81,6 +81,7 @@ static const char* json_tokener_errors[] = {
   "object value separator ',' expected",
   "invalid string sequence",
   "expected comment",
+  "buffer size overflow"
 };
 
 const char *json_tokener_error_desc(enum json_tokener_error jerr)
@@ -243,6 +244,16 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
   tok->char_offset = 0;
   tok->err = json_tokener_success;
 
+  /* this interface is presently not 64-bit clean due to the int len argument
+     and the internal printbuf interface that takes 32-bit int len arguments
+     so the function limits the maximum string size to INT32_MAX (2GB).
+     If the function is called with len == -1 then strlen is called to check
+     the string length is less than INT32_MAX (2GB) */
+  if ((len < -1) || (len == -1 && strlen(str) > INT32_MAX)) {
+    tok->err = json_tokener_error_size;
+    return NULL;
+  }
+
   while (PEEK_CHAR(c, tok)) {
 
   redo_char:

diff --git a/json_tokener.h b/json_tokener.h
@@ -33,7 +33,8 @@ enum json_tokener_error {
   json_tokener_error_parse_object_key_sep,
   json_tokener_error_parse_object_value_sep,
   json_tokener_error_parse_string,
-  json_tokener_error_parse_comment
+  json_tokener_error_parse_comment,
+  json_tokener_error_size
 };
 
 enum json_tokener_state {
@@ -163,6 +164,11 @@ extern void json_tokener_set_flags(struct json_tokener *tok, int flags);
  * responsible for calling json_tokener_parse_ex with an appropriate str
  * parameter starting with the extra characters.
  *
+ * This interface is presently not 64-bit clean due to the int len argument
+ * so the function limits the maximum string size to INT32_MAX (2GB).
+ * If the function is called with len == -1 then strlen is called to check
+ * the string length is less than INT32_MAX (2GB)
+ *
  * Example:
  * @code
 json_object *jobj = NULL;
Original file line number	Diff line number	Diff line change
		@@ -1,2 +1,2 @@
		AM_CFLAGS = -Wall -Werror -Wextra -Wwrite-strings -Wno-unused-parameter -std=gnu99 -D_GNU_SOURCE -D_REENTRANT
		AM_CFLAGS = -Wall -Werror -Wno-error=deprecated-declarations -Wextra -Wwrite-strings -Wno-unused-parameter -std=gnu99 -D_GNU_SOURCE -D_REENTRANT