From: Dave B. <bla...@us...> - 2012-03-10 22:55:33
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/cimxml/sax
In directory vz-cvs-3.sog:/tmp/cvs-serv3730/src/org/sblim/cimclient/internal/cimxml/sax
Modified Files:
      Tag: Experimental
	NodeFactory.java
Log Message:
3498482 - Red Hat: Possible XML Hash DoS in sblim
Index: NodeFactory.java
===================================================================
RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/cimxml/sax/NodeFactory.java,v
retrieving revision 1.1.2.5
retrieving revision 1.1.2.6
diff -u -d -r1.1.2.5 -r1.1.2.6
--- NodeFactory.java	2 Sep 2009 20:25:52 -0000	1.1.2.5
+++ NodeFactory.java	10 Mar 2012 22:55:30 -0000	1.1.2.6
@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2006, 2009
+ * (C) Copyright IBM Corp. 2006, 2012
  *
  * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE
  * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE
@@ -15,13 +15,15 @@
  * 1720707 2007-05-17 ebak Conventional Node factory for CIM-XML SAX parser
  * 2003590 2008-06-30 blaschke-oss Change licensing from CPL to EPL
  * 2524131 2009-01-21 raman_arora Upgrade client to JDK 1.5 (Phase 1)
- * 2531371 2009-02-10 raman_arora Upgrade client to JDK 1.5 (Phase 2)
+ * 2531371 2009-02-10 raman_arora Upgrade client to JDK 1.5 (Phase 2)
  * 2845211 2009-08-27 raman_arora Pull Enumeration Feature (SAX Parser)
+ * 3498482 2012-03-09 blaschke-oss Red Hat: Possible XML Hash DoS in sblim
  */
 
 package org.sblim.cimclient.internal.cimxml.sax;
 
 import java.util.HashMap;
+import java.util.Random;
 
 import org.sblim.cimclient.internal.cimxml.sax.node.*;
 
@@ -54,7 +56,7 @@
 	 * equals comparisons (==).
 	 */
 	public static String getEnum(String pNodeName) {
-		return NODENAME_HASH.get(pNodeName);
+		return NODENAME_HASH.get(pNodeName + iRandomString);
 	}
 
 	private static HashMap<String, FactoryEntry> cParserMap;
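Review bot: The suffixed lookup in `getEnum` (and the matching `put` in the `initNodeNameHash` hunk below) does not change which keys collide: Java's `String.hashCode` is polynomial, so `(s + t).hashCode() == s.hashCode() * 31^t.length() + t.hashCode()` modulo 2^32, and any two names whose hashes were equal before the suffix still have equal hashes after it, whatever value `iRandomString` holds. The secret affix therefore adds no protection against the hash-collision DoS named in the log message, while costing a string concatenation on every lookup. If `pEnumA` is the fixed list of CIM-XML element names that the method name suggests, the map holds a bounded key set that parsed input cannot grow, so a lookup with a hostile name costs at most one walk of a bucket of that bounded size and this map is not where such a DoS would occur; the mitigation belongs at whichever structure is populated from parsed input, where bounding entry count or input size is the effective control. I would revert both lines to `return NODENAME_HASH.get(pNodeName);` and `NODENAME_HASH.put(pEnumA[i], pEnumA[i]);` and record that reasoning in the header comment for 3498482. The enclosing class starts and ends outside the hunk.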
@@ -440,9 +442,25 @@
 	private static final HashMap<String, String> NODENAME_HASH = new HashMap<String, String>();
 
+	private static String iRandomString;
+
 	private static void initNodeNameHash(String[] pEnumA) {
+		// Append 8-byte randomly-generated string to keys in HashMap to avert
+		// hash DoS
+		Random generator = new Random(System.currentTimeMillis());
+		byte randomByte[] = new byte[1];
+		StringBuilder randomString = new StringBuilder();
+		while (randomString.length() < 8) {
+			generator.nextBytes(randomByte);
+			if (randomByte[0] > 0) {
+				char ch = (char) randomByte[0];
+				if (!Character.isISOControl(ch)) randomString.append(ch);
+			}
+		}
+		iRandomString = randomString.toString();
+
 		for (int i = 0; i < pEnumA.length; i++)
-			NODENAME_HASH.put(pEnumA[i], pEnumA[i]);
+			NODENAME_HASH.put(pEnumA[i] + iRandomString, pEnumA[i]);
 	}
 
 	static { |
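Review bot: `new Random(System.currentTimeMillis())` in `initNodeNameHash` makes `iRandomString` predictable: `java.util.Random` is a 48-bit linear congruential generator, and seeding it with the class-initialisation time in milliseconds leaves the suffix dependent on a single value that is narrow rather than secret, which undermines any mitigation whose only secret is this string. If the suffix approach is kept at all, draw it from `java.security.SecureRandom` instead, e.g. `Random generator = new SecureRandom();` (no seed argument), and adjust the `import java.util.Random;` line accordingly. The rejection loop accepts only bytes 32..126 (the `> 0` test and `isISOControl` exclude 0..31 and 127), so the `// 8-byte` comment overstates the entropy, which is roughly 52 bits for eight characters; `byte randomByte[]` is also the C-style array declaration where Java convention is `byte[] randomByte`. `iRandomString` is assigned only in this method, so a `getEnum` call that runs before `initNodeNameHash` would concatenate the literal `null` and miss every key silently; a comment on the field, `// Set once by initNodeNameHash(); getEnum() depends on it being initialised first`, would make that ordering explicit. The method lies fully inside the hunk, while the `static {` block that presumably calls it continues past it.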