-
Roland Shoemaker authored
This change makes sure that we are properly checking the ignored field recursion depth in decIgnoreOpFor consistently. This prevents stack exhaustion when attempting to decode a message that contains an extremely deeply nested struct which is ignored. Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue. Updates #69139 Fixes #69145 Fixes CVE-2024-34156 Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440 Reviewed-by:
Russ Cox <rsc@google.com> Reviewed-by:
Damien Neil <dneil@google.com> (cherry picked from commit 9f2ea73c5f2a7056b7da5d579a485a7216f4b20a) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1581 Commit-Queue: Roland Shoemaker <bracewell@google.com> Reviewed-by:
Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/611176 Reviewed-by:
Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by:
Michael Pratt <mpratt@google.com> TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Roland Shoemaker authoredThis change makes sure that we are properly checking the ignored field recursion depth in decIgnoreOpFor consistently. This prevents stack exhaustion when attempting to decode a message that contains an extremely deeply nested struct which is ignored. Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue. Updates #69139 Fixes #69145 Fixes CVE-2024-34156 Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440 Reviewed-by:
Code owners
Assign users and groups as approvers for specific file changes. Learn more.