File sblim-cim-client2.hashdos.patch of Package sblim-cim-client2
--- src/org/sblim/cimclient/internal/cimxml/sax/NodeFactory.java.orig 2012-12-19 17:56:43.107129204 +0100
+++ src/org/sblim/cimclient/internal/cimxml/sax/NodeFactory.java 2012-12-19 18:01:12.916641090 +0100
@@ -14,11 +14,13 @@
* -------------------------------------------------------------------------------
* 1720707 2007-05-17 ebak Conventional Node factory for CIM-XML SAX parser
* 2003590 2008-06-30 blaschke-oss Change licensing from CPL to EPL
+ * 3498482 2012-03-09 blaschke-oss Red Hat: Possible XML Hash DoS in sblim
*/
package org.sblim.cimclient.internal.cimxml.sax;
import java.util.HashMap;
+import java.util.Random;
import org.sblim.cimclient.internal.cimxml.sax.node.*;
@@ -51,7 +53,7 @@
* equals comparisions (==).
*/
public static String getEnum(String pNodeName) {
- return (String) NODENAME_HASH.get(pNodeName);
+ return (String) NODENAME_HASH.get(pNodeName + iRandomString);
}
private static HashMap cParserMap;
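Review bot: Appending iRandomString to the key in `return (String) NODENAME_HASH.get(pNodeName + iRandomString);` does not change which node names collide, so it cannot avert a hash-collision DoS: String.hashCode is h = 31*h + c over the characters, so hashCode(a + s) == hashCode(a) * 31^len(s) + hashCode(s), and since 31^len(s) is odd (a bijection modulo 2^32) any two names with equal hashCode still have equal hashCode after the same suffix is appended; the put on the third hunk has the same property. If randomized bucket placement is the goal, the secret has to enter the hash computation itself (for example a key wrapper whose hashCode mixes the secret, or a map with a keyed hash), not be concatenated onto the string. It is also worth noting that getEnum only reads: unless attacker-controlled names are inserted somewhere outside this hunk, a lookup against a fixed key set is bounded by the size of that fixed table in any case. Finally, if getEnum can be reached before initNodeNameHash has run, `pNodeName + iRandomString` becomes `pNodeName + "null"` and every lookup silently returns null; the method should guard with `if (iRandomString == null) throw new IllegalStateException("node name hash not initialized");` or equivalent.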
@@ -431,9 +433,25 @@
private static final HashMap NODENAME_HASH = new HashMap();
+ private static String iRandomString;
+
private static void initNodeNameHash(String[] pEnumA) {
+ // Append 8-byte randomly-generated string to keys in HashMap to avert
+ // hash DoS
+ Random generator = new Random(System.currentTimeMillis());
+ byte randomByte[] = new byte[1];
+ StringBuilder randomString = new StringBuilder();
+ while (randomString.length() < 8) {
+ generator.nextBytes(randomByte);
+ if (randomByte[0] > 0) {
+ char ch = (char) randomByte[0];
+ if (!Character.isISOControl(ch)) randomString.append(ch);
+ }
+ }
+ iRandomString = randomString.toString();
+
for (int i = 0; i < pEnumA.length; i++)
- NODENAME_HASH.put(pEnumA[i], pEnumA[i]);
+ NODENAME_HASH.put(pEnumA[i] + iRandomString, pEnumA[i]);
}
static {
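Review bot: `Random generator = new Random(System.currentTimeMillis());` makes the suffix predictable from the process start time (a 48-bit seed taken from a millisecond clock), so if iRandomString is meant to be a secret it should come from `new SecureRandom()` (java.security.SecureRandom extends Random, so nextBytes works unchanged). More importantly, the suffix is regenerated on every call of initNodeNameHash, but entries inserted by an earlier call keep the earlier suffix; if the static block below calls initNodeNameHash more than once, every entry except those from the last call becomes unreachable through getEnum, which silently breaks node lookup. The generation should run once, for example by guarding it with `if (iRandomString == null) {` or by moving it into a `static final` field initializer. A short comment on the field, `// secret suffix shared by all NODENAME_HASH keys; must be generated exactly once`, would make the invariant explicit. The static block that starts on the last line continues outside the hunk.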