273c75eb1b
"certain XML parsers/servers are affected by the same, or similar, flaw as the hash table collisions CPU usage denial of service. Sending a specially crafted message to an XML service can result in longer processing time, which could lead to a denial of service. It is reported that this attack on XML can be applied on different XML nodes (such as entities, element attributes, namespaces, various elements in the XML security, etc.)."
95 lines
2.4 KiB
Plaintext
95 lines
2.4 KiB
Plaintext
$OpenBSD: patch-hash_c,v 1.1 2012/02/23 09:39:00 sthen Exp $
|
|
|
|
CVE-2012-0841
|
|
http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
|
|
|
|
--- hash.c.orig Tue Oct 12 07:25:32 2010
|
|
+++ hash.c Wed Feb 22 19:02:10 2012
|
|
@@ -3,7 +3,7 @@
|
|
*
|
|
* Reference: Your favorite introductory book on algorithms
|
|
*
|
|
- * Copyright (C) 2000 Bjorn Reese and Daniel Veillard.
|
|
+ * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard.
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
@@ -21,6 +21,22 @@
|
|
#include "libxml.h"
|
|
|
|
#include <string.h>
|
|
+#ifdef HAVE_STDLIB_H
|
|
+#include <stdlib.h>
|
|
+#endif
|
|
+#ifdef HAVE_TIME_H
|
|
+#include <time.h>
|
|
+#endif
|
|
+
|
|
+/*
|
|
+ * Following http://www.ocert.org/advisories/ocert-2011-003.html
|
|
+ * it seems that having hash randomization might be a good idea
|
|
+ * when using XML with untrusted data
|
|
+ */
|
|
+#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
|
|
+#define HASH_RANDOMIZATION
|
|
+#endif
|
|
+
|
|
#include <libxml/parser.h>
|
|
#include <libxml/hash.h>
|
|
#include <libxml/xmlmemory.h>
|
|
@@ -31,6 +47,10 @@
|
|
|
|
/* #define DEBUG_GROW */
|
|
|
|
+#ifdef HASH_RANDOMIZATION
|
|
+static int hash_initialized = 0;
|
|
+#endif
|
|
+
|
|
/*
|
|
* A single entry in the hash table
|
|
*/
|
|
@@ -53,6 +73,9 @@ struct _xmlHashTable {
|
|
int size;
|
|
int nbElems;
|
|
xmlDictPtr dict;
|
|
+#ifdef HASH_RANDOMIZATION
|
|
+ int random_seed;
|
|
+#endif
|
|
};
|
|
|
|
/*
|
|
@@ -65,6 +88,9 @@ xmlHashComputeKey(xmlHashTablePtr table, const xmlChar
|
|
unsigned long value = 0L;
|
|
char ch;
|
|
|
|
+#ifdef HASH_RANDOMIZATION
|
|
+ value = table->random_seed;
|
|
+#endif
|
|
if (name != NULL) {
|
|
value += 30 * (*name);
|
|
while ((ch = *name++) != 0) {
|
|
@@ -92,6 +118,9 @@ xmlHashComputeQKey(xmlHashTablePtr table,
|
|
unsigned long value = 0L;
|
|
char ch;
|
|
|
|
+#ifdef HASH_RANDOMIZATION
|
|
+ value = table->random_seed;
|
|
+#endif
|
|
if (prefix != NULL)
|
|
value += 30 * (*prefix);
|
|
else
|
|
@@ -156,6 +185,13 @@ xmlHashCreate(int size) {
|
|
table->table = xmlMalloc(size * sizeof(xmlHashEntry));
|
|
if (table->table) {
|
|
memset(table->table, 0, size * sizeof(xmlHashEntry));
|
|
+#ifdef HASH_RANDOMIZATION
|
|
+ if (!hash_initialized) {
|
|
+ srand(time(NULL));
|
|
+ hash_initialized = 1;
|
|
+ }
|
|
+ table->random_seed = rand();
|
|
+#endif
|
|
return(table);
|
|
}
|
|
xmlFree(table);
|