On Mon, 20 Apr 2026 18:01:08 GMT, Chris Plummer <[email protected]> wrote:
> If an invalid JDWP command set number or command number is sent to the debug
> agent, it can result in branching to an unknown location, usually resulting
> in a crash. See first comment for details.
>
> Tested with CI tier1, tier2 svc, and tier5 svc.
>
> ---------
> - [x] I confirm that I make this contribution in accordance with the [OpenJDK
> Interim AI Policy](https://openjdk.org/legal/ai).

The function debugDispatch_getHandler() is responsible for fetching the command handler.

    CommandHandler debugDispatch_getHandler(int cmdSetNum, int cmdNum, const char **cmdSetName_p, const char **cmdName_p)

It indexes into an array of command sets using the cmdSetNum passed in, which produces an array of command handlers for that command set. It then indexes into the array of command handlers using the cmdNum passed in.

debugDispatch_getHandler() only checks if the cmdSetNum or cmdNum is too high. It does not check if it is negative or 0.

    if (cmdSetNum > JDWP_HIGHEST_COMMAND_SET) {
        return NULL;
    }
    ...
    if (cmdNum > cmd_set->num_cmds) {
        *cmdName_p = "<Invalid Command>";
        return NULL;
    ...
    return cmd_set->cmds[cmdNum - 1].cmd_handler;

Unless NULL is returned, the caller just blindly calls the function pointer returned, which might be garbage:

    func = debugDispatch_getHandler(cmd->cmdSet, cmd->cmd, &cmdSetName, &cmdName);
    if (func == NULL) {
        outStream_setError(&out, JDWP_ERROR(NOT_IMPLEMENTED));
    } else {
        /* Call the command handler */
        replyToSender = func(&in, &out);
    }

debugDispatch_getHandler() needs lower bounds checks.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/30827#issuecomment-4283154312
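
Added example, not code from the PR or from OpenJDK: a minimal C model of the two-level dispatch lookup described in the message above, with the lower and upper bound checked on both indices before any table access. The table contents, the handler signature and all names (`get_handler_checked`, `dispatch`, `HIGHEST_SET`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical, simplified model; real handlers take input/output streams. */
typedef int (*handler_fn)(void);
typedef struct { const char *name; handler_fn fn; } command;
typedef struct { const char *name; const command *cmds; int num_cmds; } command_set;

static int h_version(void) { return 1; }
static int h_dispose(void) { return 2; }
static int h_frames(void)  { return 3; }
static const command vm_cmds[]     = { {"Version", h_version}, {"Dispose", h_dispose} };
static const command thread_cmds[] = { {"Frames", h_frames} };
static const command_set vm_set     = { "VirtualMachine", vm_cmds, 2 };
static const command_set thread_set = { "ThreadReference", thread_cmds, 1 };

#define HIGHEST_SET 2
/* Indexed directly by set number; slot 0 is unused (assumption of this model). */
static const command_set *const sets[HIGHEST_SET + 1] = { NULL, &vm_set, &thread_set };

/* Returns NULL unless both indices fall inside the tables. */
handler_fn get_handler_checked(int set_num, int cmd_num,
                               const char **set_name, const char **cmd_name)
{
    *set_name = "<Invalid CommandSet>";
    *cmd_name = "<Invalid Command>";
    if (set_num < 1 || set_num > HIGHEST_SET) return NULL;   /* lower AND upper bound */
    const command_set *cs = sets[set_num];
    if (cs == NULL) return NULL;                              /* hole in the table */
    *set_name = cs->name;
    if (cmd_num < 1 || cmd_num > cs->num_cmds) return NULL;  /* cmds[] is indexed cmd_num - 1 */
    *cmd_name = cs->cmds[cmd_num - 1].name;
    return cs->cmds[cmd_num - 1].fn;
}

/* Caller pattern from the message: NULL becomes an error (-1 here), otherwise call. */
int dispatch(int set_num, int cmd_num)
{
    const char *sn, *cn;
    handler_fn f = get_handler_checked(set_num, cmd_num, &sn, &cn);
    int rc = f ? f() : -1;
    printf("set=%d cmd=%d -> %s.%s rc=%d\n", set_num, cmd_num, sn, cn, rc);
    return rc;
}

int main(void)
{
    /* Constructed inputs: one valid pair, then zero, negative and too-high indices. */
    dispatch(1, 2); dispatch(0, 1); dispatch(1, 0); dispatch(-1, 1); dispatch(1, -128); dispatch(3, 1);
    return 0;
}
```

With only the upper-bound checks quoted in the message, the zero and negative pairs in `main` would index before the start of an array; here each of them returns the error path.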
