File sblim-cim-client2.hashdos.patch of Package sblim-cim-client2.openSUSE_12.1_Update
### Eclipse Workspace Patch 1.0
#P jsr48-client-hd
Index: src/org/sblim/cimclient/internal/cimxml/sax/NodeFactory.java
===================================================================
--- src/org/sblim/cimclient/internal/cimxml/sax/NodeFactory.java.orig
+++ src/org/sblim/cimclient/internal/cimxml/sax/NodeFactory.java
@@ -17,11 +17,13 @@
* 2524131 2009-01-21 raman_arora Upgrade client to JDK 1.5 (Phase 1)
* 2531371 2009-02-10 raman_arora Upgrade client to JDK 1.5 (Phase 2)
* 2845211 2009-08-27 raman_arora Pull Enumeration Feature (SAX Parser)
+ * 3498482 2012-03-09 blaschke-oss Red Hat: Possible XML Hash DoS in sblim
*/
package org.sblim.cimclient.internal.cimxml.sax;
import java.util.HashMap;
+import java.util.Random;
import org.sblim.cimclient.internal.cimxml.sax.node.*;
@@ -54,7 +56,7 @@ public class NodeFactory implements Node
* equals comparisons (==).
*/
public static String getEnum(String pNodeName) {
- return NODENAME_HASH.get(pNodeName);
+ return NODENAME_HASH.get(pNodeName + iRandomString);
}
private static HashMap<String, FactoryEntry> cParserMap;
@@ -440,9 +442,25 @@ public class NodeFactory implements Node
private static final HashMap<String, String> NODENAME_HASH = new HashMap<String, String>();
+ private static String iRandomString;
+
private static void initNodeNameHash(String[] pEnumA) {
+ // Append 8-byte randomly-generated string to keys in HashMap to avert
+ // hash DoS
+ Random generator = new Random(System.currentTimeMillis());
+ byte randomByte[] = new byte[1];
+ StringBuilder randomString = new StringBuilder();
+ while (randomString.length() < 8) {
+ generator.nextBytes(randomByte);
+ if (randomByte[0] > 0) {
+ char ch = (char) randomByte[0];
+ if (!Character.isISOControl(ch)) randomString.append(ch);
+ }
+ }
+ iRandomString = randomString.toString();
+
for (int i = 0; i < pEnumA.length; i++)
- NODENAME_HASH.put(pEnumA[i], pEnumA[i]);
+ NODENAME_HASH.put(pEnumA[i] + iRandomString, pEnumA[i]);
}
static {
