xdoc.LoadXml(reader.ReadToEnd()) How to best rewrite that code

I am working with some VB .NET Windows Forms code that has recently gone through a code audit. I need expert help on how best to fix this code. Here is the error message displayed by the auditing software:


Denial of service (Input Validation and Representation, Semantic)

The call to ReadToEnd() at SMTException.vb line 70 might allow an attacker to crash the program or otherwise make it unavailable to legitimate users.



I think what the audit message is telling me is that at line 88, if there is no data, then the LoadXml method would fail, causing the application to crash. So can someone show me how to rewrite the code below to prevent the denial of service attack?

85 Dim s As Stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("SMTErrMsg.xml")
86 Dim xdoc As New XmlDocument()
87 Dim reader As New StreamReader(s)
88 xdoc.LoadXml(reader.ReadToEnd())
brgdotnetcontractorAsked:
ste5anSenior DeveloperCommented:
The problem is that the XML may, for example, be malformed; then your LoadXml call throws an exception, which you don't handle. Thus a "denial of service" is possible, because the entire program may crash.

The rule is: never trust any input.

But here we have an exception. The input is a well-known, static resource. To ensure its integrity, it's sufficient to sign the assembly.
0

brgdotnetcontractorAuthor Commented:
So how would you rewrite that line of code? What you say makes sense in a way, however I still don't know how I should rewrite that line of code. Thanks for your help. If you don't know, then possibly another expert can help me out.
0
ste5anSenior DeveloperCommented:
As I said, I would not rewrite it. I would use a signed assembly.
0
brgdotnetcontractorAuthor Commented:
Thank you ste5an. If I am not allowed to sign the assembly (e.g. because my manager does not like that approach), is there another approach that I can take?

I thought about this approach, but I am not sure that it is legitimate.
85 Dim reader As New StreamReader(s)
86 If reader IsNot Nothing Then
88     xdoc.LoadXml(reader.ReadToEnd())
89 End If
0
ste5anSenior DeveloperCommented:
No. The problem is that the content may be malformed. Thus you need to add an exception handling block around the LoadXml().
0
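As an added example (not code from this thread or from the asker's project), here is what the exception handling block ste5an describes looks like when written out in VB.NET. It assumes .NET 4.0 or later (for XmlReaderSettings.DtdProcessing), the same embedded resource name "SMTErrMsg.xml" as in the question, and System.Diagnostics.Trace as the logging sink; the function name LoadErrorMessages is made up for the example. It also guards the two failure modes that the original lines leave unhandled: GetManifestResourceStream returning Nothing when the resource is missing, and XmlException when the content is malformed. The caller decides what to do when the function returns Nothing, so the Windows Forms process itself stays up.

```vb
Imports System.Diagnostics
Imports System.IO
Imports System.Reflection
Imports System.Xml

Public Module ErrMsgLoader

    ' Loads the embedded "SMTErrMsg.xml" resource into an XmlDocument.
    ' Returns Nothing (after writing a diagnostic) instead of letting an
    ' exception propagate and take the whole WinForms process down.
    Public Function LoadErrorMessages() As XmlDocument
        Dim asm As Assembly = Assembly.GetExecutingAssembly()

        ' GetManifestResourceStream returns Nothing when the resource name is
        ' wrong or the resource was not embedded, so guard that case first.
        Using s As Stream = asm.GetManifestResourceStream("SMTErrMsg.xml")
            If s Is Nothing Then
                Trace.TraceError("Embedded resource SMTErrMsg.xml not found.")
                Return Nothing
            End If

            ' A static resource never needs a DTD or external references, so
            ' turn both off; this also rules out entity-expansion style
            ' denial of service if the resource is ever replaced.
            Dim settings As New XmlReaderSettings() With {
                .DtdProcessing = DtdProcessing.Prohibit,
                .XmlResolver = Nothing
            }

            Try
                Using reader As XmlReader = XmlReader.Create(s, settings)
                    Dim xdoc As New XmlDocument()
                    xdoc.XmlResolver = Nothing
                    xdoc.Load(reader)
                    Return xdoc
                End Using
            Catch ex As XmlException
                ' Malformed XML: the case the audit finding is about.
                Trace.TraceError("SMTErrMsg.xml is not well-formed: {0}", ex.Message)
                Return Nothing
            Catch ex As IOException
                Trace.TraceError("Could not read SMTErrMsg.xml: {0}", ex.Message)
                Return Nothing
            End Try
        End Using
    End Function

End Module
```

Usage: replace the original lines 85 to 88 with `Dim xdoc As XmlDocument = ErrMsgLoader.LoadErrorMessages()` and check `xdoc Is Nothing` before using it. Passing the stream straight to XmlReader.Create also removes the ReadToEnd() call that the auditing tool flagged, since the document is parsed from the stream rather than first copied into one large string.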
brgdotnetcontractorAuthor Commented:
Thank you Sir. I will try it out. It might be a day before I get back with you. I will also try your first solution.
0