Type: Bug
Resolution: Unresolved
Priority: Minor - P4
Affects Version/s: None
Component/s: None
C Drivers
Summary
The client-side bson_validate() implemented by libbson has no recursion limit, making its stack usage vulnerable to exhaustion by invalid documents. This affects only clients that read BSON documents from untrusted sources. (Server-side validation normally prevents these deeply nested docs from being stored.)
Environment
1.28.0 and master, tested on Linux (WSL2) but problem is not platform-specific.
How to Reproduce
Attached is a load generator based on the test from https://jira.mongodb.org/browse/CDRIVER-5796
The script will crash with a default 8MB stack. Validating a 16MB document made from nested arrays requires a little over 800MB of stack space.
This script uses the PHP driver, and it does need a connection to mongod although it won't actually store anything successfully. It repeatedly tries to insert a document that fails server-side validation after using a large amount of stack space and a moderate amount of CPU time on the client. A debugger can be attached to take measurements of the stack frame size and stack depth. On x86_64, each array recursion level costs 400 bytes on the stack, right at 100x larger than a minimal stack containing only frame pointers.
Additional Background
I don't think we have a clear broadly applicable specification for the allowed BSON recursion depth and how/where it should be enforced; that would be good to establish.
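An added example, not part of the ticket and not libbson code: one way a client reading untrusted BSON could bound nesting before calling bson_validate(), using an iterative walk whose stack use does not grow with document depth. The name `bson_depth_check`, the `MAX_DEPTH` value of 100 and the return codes are assumptions; it checks structure and depth only (descending into code-with-scope documents as well as arrays and embedded documents) and is not a full validator.

```c
#include <stdint.h>
#include <string.h>

#define MAX_DEPTH 100 /* assumed cap; the ticket notes no agreed limit exists */
/* Read a little-endian uint32 at off; fail if it would run past lim. */
static int rd32(const uint8_t *b, size_t lim, size_t off, uint32_t *v) {
    if (off > lim || lim - off < 4) return 0;
    *v = b[off] | (uint32_t)b[off + 1] << 8 | (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
    return 1;
}

/* Returns 0 if nesting <= MAX_DEPTH, -1 if malformed, -2 if too deep.
 * Open documents are tracked in a fixed array, so stack use is constant. */
int bson_depth_check(const uint8_t *b, size_t len) {
    size_t end[MAX_DEPTH + 1], pos = 4, lim, skip = 0;
    unsigned depth = 0; uint32_t n; const uint8_t *z;
    if (!rd32(b, len, 0, &n) || n < 5 || n > len) return -1;
    for (end[0] = n;;) {
        if (pos >= (lim = end[depth])) return -1;
        uint8_t t = b[pos++];
        if (t == 0) { /* terminator must be the document's last byte */
            if (pos != lim) return -1;
            if (depth-- == 0) return 0;
            continue;
        }
        for (int k = (t == 0x0B) ? 3 : 1; k > 0; k--) { /* key (+2 regex cstrings) */
            if (!(z = memchr(b + pos, 0, lim - pos))) return -1;
            pos = (size_t)(z - b) + 1;
        }
        switch (t) {
        case 0x0F: /* code with scope: int32 total, string, scope document */
            if (!rd32(b, lim, pos + 4, &n) || n > lim - pos - 8) return -1;
            pos += (size_t)n + 8; /* fall through */
        case 0x03: case 0x04: /* embedded document or array: push one level */
            if (!rd32(b, lim, pos, &n) || n < 5 || n > lim - pos) return -1;
            if (depth == MAX_DEPTH) return -2;
            end[++depth] = pos + n; pos += 4; continue;
        case 0x02: case 0x05: case 0x0C: case 0x0D: case 0x0E: /* length-prefixed */
            if (!rd32(b, lim, pos, &n) || n > lim - pos) return -1;
            skip = (size_t)n + 4 + (t == 0x05 ? 1 : t == 0x0C ? 12 : 0); break;
        case 0x01: case 0x09: case 0x11: case 0x12: skip = 8; break;
        case 0x07: skip = 12; break; case 0x13: skip = 16; break;
        case 0x10: skip = 4; break; case 0x08: skip = 1; break;
        case 0x06: case 0x0A: case 0x0B: case 0x7F: case 0xFF: skip = 0; break;
        default: return -1; /* unknown element type */
        }
        if (skip > lim - pos) return -1;
        pos += skip;
    }
}
```

A document that passes this check still needs bson_validate() for everything else; the pre-check only guarantees that the later recursive walk cannot go deeper than `MAX_DEPTH`.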
Is related to: CDRIVER-5796 bson to json recursion limit defeated by legacy codewscope
Backlog