7055902: Oracle Java IIOP Deserialization Type Confusion Remote Code Execution Vulnerability
Reviewed-by: coffeys
--- a/corba/src/share/classes/com/sun/corba/se/impl/io/IIOPInputStream.java Tue Jul 19 11:03:26 2011 -0700
+++ b/corba/src/share/classes/com/sun/corba/se/impl/io/IIOPInputStream.java Tue Aug 09 05:39:54 2011 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -2243,6 +2243,10 @@
}
try {
+ Class fieldCl = fields[i].getClazz();
+ if (objectValue != null && !fieldCl.isInstance(objectValue)) {
+ throw new IllegalArgumentException();
+ }
bridge.putObject( o, fields[i].getFieldID(), objectValue ) ;
// reflective code: fields[i].getField().set( o, objectValue ) ;
} catch (IllegalArgumentException e) {
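Review bot: The `IllegalArgumentException` added in this hunk is thrown with no message, so the existing handler on the last line (its body is outside the hunk) cannot report which field or value class was rejected. That detail is what lets an operator tell a malformed or hostile stream from an ordinary versioning mismatch. I would write `throw new IllegalArgumentException("value of type " + objectValue.getClass().getName() + " is not assignable to field type " + fieldCl.getName());`. The `throw new Exception()` in the hunk at -2553 has the same gap. A one-line comment above the check would also help, e.g. `// putObject does no type check (unlike the reflective Field.set below), so validate the stream-supplied value here`. This assumes `bridge.putObject` is an unchecked write, which the commented-out reflective line suggests but the hunk does not show.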
@@ -2553,6 +2557,10 @@
{
try {
Field fld = c.getDeclaredField( fieldName ) ;
+ Class fieldCl = fld.getType();
+ if(v != null && !fieldCl.isInstance(v)) {
+ throw new Exception();
+ }
long key = bridge.objectFieldOffset( fld ) ;
bridge.putObject( o, key, v ) ;
} catch (Exception e) {
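Review bot: Throwing a bare `Exception` for the type mismatch makes a rejected value indistinguishable from a lookup failure in `getDeclaredField`, since both land in the broad `catch (Exception e)` on the last line, whose body is outside the hunk. A specific unchecked type keeps the same control flow and makes the cause explicit, e.g. `throw new ClassCastException(v.getClass().getName() + " is not assignable to " + fieldCl.getName());`. The guard here duplicates the one in the hunk at -2243, so a small private helper would keep the two in step. It would also make it easier to confirm that any other `bridge.putObject` call in this file, not visible in these hunks, gets the same check. Minor style point: `if(v != null` is missing the space after `if` that the earlier hunk uses.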