|
|
9ae3a8 |
From ba9229d280e035872ac2258873c1b9f34cc8c4a9 Mon Sep 17 00:00:00 2001
|
|
|
9ae3a8 |
From: Markus Armbruster <armbru@redhat.com>
|
|
|
9ae3a8 |
Date: Wed, 27 Jul 2016 07:35:01 +0200
|
|
|
9ae3a8 |
Subject: [PATCH 03/16] qjson: Don't crash when input exceeds nesting limit
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
RH-Author: Markus Armbruster <armbru@redhat.com>
|
|
|
9ae3a8 |
Message-id: <1469604913-12442-5-git-send-email-armbru@redhat.com>
|
|
|
9ae3a8 |
Patchwork-id: 71472
|
|
|
9ae3a8 |
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 03/15] qjson: Don't crash when input exceeds nesting limit
|
|
|
9ae3a8 |
Bugzilla: 1276036
|
|
|
9ae3a8 |
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: John Snow <jsnow@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
We limit nesting depth and input size to defend against input
|
|
|
9ae3a8 |
triggering excessive heap or stack memory use (commit 29c75dd
|
|
|
9ae3a8 |
json-streamer: limit the maximum recursion depth and maximum token
|
|
|
9ae3a8 |
count). However, when the nesting limit is exceeded,
|
|
|
9ae3a8 |
parser_context_peek_token()'s assertion fails.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Broken in commit 65c0f1e "json-parser: don't replicate tokens at each
|
|
|
9ae3a8 |
level of recursion".
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
To reproduce stuff 1025 open braces or brackets into QMP.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Fix by taking the error exit instead of the normal one.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Reported-by: Eric Blake <eblake@redhat.com>
|
|
|
9ae3a8 |
Signed-off-by: Markus Armbruster <armbru@redhat.com>
|
|
|
9ae3a8 |
Reviewed-by: Eric Blake <eblake@redhat.com>
|
|
|
9ae3a8 |
Message-Id: <1448486613-17634-3-git-send-email-armbru@redhat.com>
|
|
|
9ae3a8 |
(cherry picked from commit 0753113a26bb8c77f951b1ea91fd4f36d099c37a)
|
|
|
9ae3a8 |
Signed-off-by: Markus Armbruster <armbru@redhat.com>
|
|
|
9ae3a8 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9ae3a8 |
---
|
|
|
9ae3a8 |
qobject/json-streamer.c | 5 +++--
|
|
|
9ae3a8 |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
|
|
|
9ae3a8 |
index dced2c7..2bd22a7 100644
|
|
|
9ae3a8 |
--- a/qobject/json-streamer.c
|
|
|
9ae3a8 |
+++ b/qobject/json-streamer.c
|
|
|
9ae3a8 |
@@ -68,13 +68,14 @@ static void json_message_process_token(JSONLexer *lexer, QString *token, JSONTok
|
|
|
9ae3a8 |
/* Security consideration, we limit total memory allocated per object
|
|
|
9ae3a8 |
* and the maximum recursion depth that a message can force.
|
|
|
9ae3a8 |
*/
|
|
|
9ae3a8 |
- goto out_emit;
|
|
|
9ae3a8 |
+ goto out_emit_bad;
|
|
|
9ae3a8 |
}
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
return;
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
out_emit_bad:
|
|
|
9ae3a8 |
- /* clear out token list and tell the parser to emit and error
|
|
|
9ae3a8 |
+ /*
|
|
|
9ae3a8 |
+ * Clear out token list and tell the parser to emit an error
|
|
|
9ae3a8 |
* indication by passing it a NULL list
|
|
|
9ae3a8 |
*/
|
|
|
9ae3a8 |
QDECREF(parser->tokens);
|
|
|
9ae3a8 |
--
|
|
|
9ae3a8 |
1.8.3.1
|
|
|
9ae3a8 |
|