From: Dave B. <bla...@us...> - 2012-11-15 14:46:08
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util
In directory vz-cvs-3.sog:/tmp/cvs-serv26355/src/org/sblim/cimclient/internal/util
Modified Files:
WBEMConfiguration.java Util.java WBEMConfigurationDefaults.java
Log Message:
3572993 parseDouble("2.2250738585072012e-308") DoS vulnerability
Index: WBEMConfigurationDefaults.java
===================================================================
RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util/WBEMConfigurationDefaults.java,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -d -r1.31 -r1.32
--- WBEMConfigurationDefaults.java 10 Sep 2012 10:18:43 -0000 1.31
+++ WBEMConfigurationDefaults.java 15 Nov 2012 14:46:05 -0000 1.32
@@ -36,6 +36,7 @@
  * 3492224 2012-02-23 blaschke-oss Need two different timeouts for Socket connections
  * 3521157 2012-05-10 blaschke-oss JSR48 1.0.0: PROP_ENABLE_*_LOGGING is Level, not 0/1
  * 3536399 2012-08-25 hellerda Add client/listener peer authentication properties
+ * 3572993 2012-10-01 blaschke-oss parseDouble("2.2250738585072012e-308") DoS vulnerability
  */
 
 package org.sblim.cimclient.internal.util;
@@ -291,4 +292,9 @@
  */
 public static final String SSL_LISTENER_PEER_VERIFICATION = "ignore";
 
+ /**
+ * VERIFY_JAVA_LANG_DOUBLE_STRINGS
+ */
+ public static final String VERIFY_JAVA_LANG_DOUBLE_STRINGS = "true";
+
 }
Index: Util.java
===================================================================
RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util/Util.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- Util.java 5 Mar 2009 16:59:21 -0000 1.4
+++ Util.java 15 Nov 2012 14:46:05 -0000 1.5
@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2006, 2009
+ * (C) Copyright IBM Corp. 2006, 2012
  *
  * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE
  * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE
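Review bot: The Javadoc on the new `VERIFY_JAVA_LANG_DOUBLE_STRINGS` constant in the `@@ -291,4 +292,9 @@` hunk only repeats the field name, so a reader of the defaults file cannot tell what the property controls, why it defaults to on, or what they give up by turning it off. The sibling constants in this file appear to carry real descriptions, and this one is a security default. I would replace the placeholder with something like `Default for the property that enables the check of strings handed to java.lang.Double against the range known to hang the JVM (Sun bug 4421494); "true" means the check is performed, "false" reintroduces the hang on a JVM that does not carry the fix.`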
@@ -15,10 +15,13 @@
  * 1565892 2006-10-18 ebak Make SBLIM client JSR48 compliant
  * 2003590 2008-06-30 blaschke-oss Change licensing from CPL to EPL
  * 2524131 2009-01-21 raman_arora Upgrade client to JDK 1.5 (Phase 1)
+ * 3572993 2012-10-01 blaschke-oss parseDouble("2.2250738585072012e-308") DoS vulnerability
  */
 
 package org.sblim.cimclient.internal.util;
 
+import java.math.BigDecimal;
+
 /**
  * Class Util is responsible for storing commonly used static methods.
  */
@@ -42,4 +45,33 @@
 return dstBuf.toString();
 }
 
+ /*
+ * Sun bug 4421494 identifies a range of <code>java.lang.Double</code>
+ * values that will hang the JVM due to an error in
+ * <code>FloatingDecimal.doubleValue()</code> that results in an infinite
+ * loop. The range is defined as (<code>lowBadDouble</code>,
+ * <code>hiBadDouble</code>).
+ */
+ private static final BigDecimal lowBadDouble = new BigDecimal(
+ "2.225073858507201136057409796709131975934E-308");
+
+ private static final BigDecimal hiBadDouble = new BigDecimal(
+ "2.225073858507201259573821257020768020078E-308");
+
+ /**
+ * isBadDoubleString checks if passed string could hang JVM.
+ *
+ * @param s
+ * A string to be converted to a Double.
+ * @return <code>true</code> if double is in range of bad values,
+ * <code>false</code> otherwise.
+ */
+ public static boolean isBadDoubleString(String s) {
+ BigDecimal val = new BigDecimal(s);
+ BigDecimal min = val.min(lowBadDouble);
+ BigDecimal max = val.max(hiBadDouble);
+
+ // Do not use string if min < value < max
+ return (min.compareTo(val) < 0 && max.compareTo(val) > 0);
+ }
 }
Index: WBEMConfiguration.java
===================================================================
RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util/WBEMConfiguration.java,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -d -r1.44 -r1.45
--- WBEMConfiguration.java 10 Sep 2012 10:18:43 -0000 1.44
+++ WBEMConfiguration.java 15 Nov 2012 14:46:04 -0000 1.45
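Review bot: `isBadDoubleString` in the `@@ -42,4 +45,33 @@` hunk parses with `new BigDecimal(s)`, which rejects several strings that `Double.parseDouble` accepts — surrounding whitespace, a trailing `d`/`D`/`f`/`F` type suffix, and the `NaN`/`Infinity`/hexadecimal forms — so for those inputs the guard throws `NumberFormatException` instead of answering, and a suffixed `2.2250738585072012e-308d` is never caught even though `Double` drops the suffix before the decimal conversion that hangs. The range test also compares the signed value, so a negative string of the same magnitude falls below `lowBadDouble` and is reported safe; the sign is applied after the magnitude is converted, so it presumably triggers the same loop and should be compared via `val.abs()`. The `min`/`max` detour is equivalent to two direct comparisons and obscures the interval. The version below trims and strips the suffix first, treats strings `BigDecimal` cannot parse as not-bad (they presumably take a different parse path than the affected decimal conversion), and compares the absolute value; `lowBadDouble`, `hiBadDouble` and the rest of the hunk stay as committed.
```java
public static boolean isBadDoubleString(String s) {
    // Double.parseDouble() ignores surrounding whitespace and accepts a
    // d/D/f/F type suffix; BigDecimal does neither, so normalize first
    String t = s.trim();
    int n = t.length();
    if (n > 0 && "dDfF".indexOf(t.charAt(n - 1)) >= 0) {
        t = t.substring(0, n - 1);
    }
    BigDecimal val;
    try {
        val = new BigDecimal(t).abs();
    } catch (NumberFormatException e) {
        // NaN, Infinity, hex floats or garbage: presumably never reach the
        // decimal conversion that hangs, so let Double report the real error
        return false;
    }
    // Bad if lowBadDouble < |value| < hiBadDouble (sign does not matter)
    return val.compareTo(lowBadDouble) > 0 && val.compareTo(hiBadDouble) < 0;
}
```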
@@ -42,6 +42,7 @@
  * 3521157 2012-05-10 blaschke-oss JSR48 1.0.0: PROP_ENABLE_*_LOGGING is Level, not 0/1
  * 3524050 2012-06-06 blaschke-oss Improve WWW-Authenticate in HTTPClient.java
  * 3536399 2012-08-25 hellerda Add client/listener peer authentication properties
+ * 3572993 2012-10-01 blaschke-oss parseDouble("2.2250738585072012e-308") DoS vulnerability
  */
 
 package org.sblim.cimclient.internal.util;
@@ -1003,4 +1004,18 @@
 getProperty(WBEMConfigurationProperties.LISTENER_ADD_SENDER_IP_ADDRESS,
 WBEMConfigurationDefaults.LISTENER_ADD_SENDER_IP_ADDRESS)).booleanValue();
 }
+
+ /**
+ * Returns whether the client will attempt to verify strings passed into the
+ * <code>java.lang.Double</code> constructor or its <code>parseDouble</code>
+ * method won't hang the JVM in an infinite loop.
+ *
+ * @return <code>true</code> if the client will attempt to verify strings
+ * passed to <code>Double</code>, <code>false</code> otherwise
+ */
+ public boolean verifyJavaLangDoubleStrings() {
+ return Boolean.valueOf(
+ getProperty(WBEMConfigurationProperties.VERIFY_JAVA_LANG_DOUBLE_STRINGS,
+ WBEMConfigurationDefaults.VERIFY_JAVA_LANG_DOUBLE_STRINGS)).booleanValue();
+ }
 }
|
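Review bot: The new `verifyJavaLangDoubleStrings()` in the `@@ -1003,4 +1004,18 @@` hunk references `WBEMConfigurationProperties.VERIFY_JAVA_LANG_DOUBLE_STRINGS`, but `WBEMConfigurationProperties` is not among the three files this commit modifies, so this change does not compile unless that constant lands in a companion commit to the other directory — worth confirming before the build is cut. The Javadoc also reads as if the method verifies that the constructor exists; it should say `Returns whether the client verifies that strings passed to the java.lang.Double constructor or parseDouble lie outside the range known to hang the JVM (Sun bug 4421494).` Since this is the switch that turns a denial-of-service mitigation off, the `@return` text should add that `false` is only safe on a JVM that carries the fix for that bug.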