Cypherpunks repositories - gostls13.git/commit
encoding/gob: cover missed cases when checking ignore depth
author Roland Shoemaker <bracewell@google.com>
Fri, 3 May 2024 13:21:39 +0000 (09:21 -0400)
committer Gopher Robot <gobot@golang.org>
Thu, 5 Sep 2024 16:42:09 +0000 (16:42 +0000)
commit 08c84420bc40d1cd5eb71b85cbe3a36f707bdb3f
tree 20e77ed5980b4168c4cee131c1703040afb4f4ae
parent dd2019528b669908f8ccc0c327a64d0e07fc2a1b
encoding/gob: cover missed cases when checking ignore depth

This change makes sure that we are properly checking the ignored field
recursion depth in decIgnoreOpFor consistently. This prevents stack
exhaustion when attempting to decode a message that contains an
extremely deeply nested struct which is ignored.

Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)
for reporting this issue.

Fixes #69139
Fixes CVE-2024-34156

Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/611239
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
src/encoding/gob/decode.go
src/encoding/gob/decoder.go
src/encoding/gob/gobencdec_test.go
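
The commit message above describes checking the ignored-field recursion depth consistently. As an added illustration (not code from this commit or from encoding/gob), the Go example below skips values in a constructed toy format and routes every container kind through one depth check, so deep nesting yields an error instead of unbounded recursion. The format, `skipValue`, `nested` and the limit `maxIgnoreDepth` are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed toy format (not gob): a tag byte plus one more byte, which is the
// payload for tagScalar and the count of nested values for tagStruct/tagList.
const (
	tagScalar, tagStruct, tagList = 0, 1, 2
	maxIgnoreDepth                = 100 // assumed limit for this example
)

var errDepth = errors.New("ignored value nested too deeply")

// skipValue discards one value and returns the remaining bytes. Both container
// kinds recurse through this one function, so no nesting path misses the check.
func skipValue(b []byte, depth int) ([]byte, error) {
	if depth > maxIgnoreDepth {
		return nil, errDepth
	}
	if len(b) < 2 || b[0] > tagList {
		return nil, errors.New("truncated input or unknown tag")
	}
	rest := b[2:]
	if b[0] == tagScalar {
		return rest, nil
	}
	var err error
	for i := 0; i < int(b[1]); i++ {
		if rest, err = skipValue(rest, depth+1); err != nil {
			return nil, err
		}
	}
	return rest, nil
}

// nested builds constructed input: alternating containers around one scalar.
func nested(levels int) []byte {
	var b []byte
	for i := 0; i < levels; i++ {
		b = append(b, byte(tagStruct+i%2), 1)
	}
	return append(b, tagScalar, 7)
}

func main() {
	_, err := skipValue(nested(100000), 0)
	fmt.Println("100000 alternating levels:", err)
}
```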