# HG changeset patch
# User andrew
# Date 1318550129 -3600
# Node ID 4d9e4fb8af09151f6bdcc393f76701d2ae4e7a4c
# Parent  953de8c7bccb9d8d40a661be1058a23d45b15cd6
7055902, CVE-2011-3521: IIOP deserialization code execution

diff -r 953de8c7bccb -r 4d9e4fb8af09 src/share/classes/com/sun/corba/se/impl/io/IIOPInputStream.java
--- a/src/share/classes/com/sun/corba/se/impl/io/IIOPInputStream.java	Wed Sep 28 23:12:47 2011 +0100
+++ b/src/share/classes/com/sun/corba/se/impl/io/IIOPInputStream.java	Fri Oct 14 00:55:29 2011 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -2243,6 +2243,10 @@
                 }
 
                 try {
+                    Class fieldCl = fields[i].getClazz();
+                    if (objectValue != null && !fieldCl.isInstance(objectValue)) {
+                        throw new IllegalArgumentException();
+                    }
                     bridge.putObject( o, fields[i].getFieldID(), objectValue ) ;
                     // reflective code: fields[i].getField().set( o, objectValue ) ;
                 } catch (IllegalArgumentException e) {
@@ -2553,6 +2557,10 @@
     {
         try {
             Field fld = c.getDeclaredField( fieldName ) ;
+            Class fieldCl = fld.getType();
+            if(v != null && !fieldCl.isInstance(v)) {
+                throw new Exception();
+            }
             long key = bridge.objectFieldOffset( fld ) ;
             bridge.putObject( o, key, v ) ;
         } catch (Exception e) {