Avoid potential DoS with high compression

Signed-off-by: Sergio Arroutbi <[email protected]>
latchset · May 9, 2024 · d97b3bc · d97b3bc
1 parent 76ec70b
commit d97b3bc
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/lib/jwe.c b/lib/jwe.c
@@ -28,6 +28,8 @@
 
 #include <unistd.h>
 
+#define MAX_COMPRESSED_SIZE (256*1024)
+
 static bool
 jwe_hdr_set_new(json_t *jwe, const char *name, json_t *value)
 {
@@ -357,6 +359,11 @@ jose_jwe_dec(jose_cfg_t *cfg, const json_t *jwe, const json_t *rcp,
 {
     json_auto_t *cek = NULL;
 
+    if (ptl && *ptl > MAX_COMPRESSED_SIZE) {
+        jose_cfg_err(cfg, JOSE_CFG_ERR_JWK_DENIED, "Maximum decompression size reached");
+        return NULL;
+    }
+
     cek = jose_jwe_dec_jwk(cfg, jwe, rcp, jwk);
     if (!cek)
         return NULL;

diff --git a/tests/api_jwe.c b/tests/api_jwe.c
@@ -18,6 +18,7 @@
 #include <jose/jose.h>
 #include <assert.h>
 #include <string.h>
+#include "long_string.h"
 
 static bool
 dec(json_t *jwe, json_t *jwk)
@@ -43,6 +44,15 @@ dec(json_t *jwe, json_t *jwk)
     return ret;
 }
 
+static char* get_string(uint32_t length, char fill) {
+    assert(length);
+    char* c = (char*)malloc(length*sizeof(char));
+    for (uint32_t i=0; i<length; i++) {
+        c[i] = fill;
+    }
+    return c;
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -98,5 +108,13 @@ main(int argc, char *argv[])
     assert(dec(jwe, set1));
     assert(dec(jwe, set2));
 
+    char* long_str_300k = get_string(300000, 'a');
+    json_decref(jwe);
+    assert((jwe = json_object()));
+    assert(jose_jwe_enc(NULL, jwe, NULL, jwke, long_str_300k, 300000));
+    assert(!dec(jwe, jwke));
+    free(long_str_300k);
+    json_decref(jwe);
+
     return EXIT_SUCCESS;
 }