On Fri, Sep 06, 2019 at 10:33:15AM +0200, Peter Krempa wrote:
Implicitly the query depth is limited by the length of the QAPI schema
query, but 'alternate' and 'array' QAPI meta-types don't consume a part
of the query string, thus a loop on such types would get our traversal
code stuck in an infinite loop. Prevent this from happening by limiting
the nesting depth to 1000.
I'm not too clear on what 'depth' is applying to here? Is this
the level of nesting in the JSON compound types we're following,
or is it something else?

I ask because YAJL limits JSON nesting to only 128. So 1000 is
almost an order of magnitude larger.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_qapi.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/qemu/qemu_qapi.c b/src/qemu/qemu_qapi.c
index 0226d6c659..93fcae0d44 100644
--- a/src/qemu/qemu_qapi.c
+++ b/src/qemu/qemu_qapi.c
@@ -74,9 +74,23 @@ struct virQEMUQAPISchemaTraverseContext {
virHashTablePtr schema;
char **queries;
virJSONValuePtr returnType;
+ size_t depth;
};
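Review bot: the new `depth` field is added to struct virQEMUQAPISchemaTraverseContext, but no hunk in this patch initialises it; virQEMUQAPISchemaTraverseContextInit appears below only as unchanged context. Please confirm that Init zeroes the whole context (memset or equivalent), otherwise `depth` starts with whatever happens to be on the stack and the bound in virQEMUQAPISchemaTraverseContextValidateDepth is meaningless.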
+static int
+virQEMUQAPISchemaTraverseContextValidateDepth(struct virQEMUQAPISchemaTraverseContext
*ctxt)
+{
+ if (ctxt->depth++ > 1000) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("possible loop in QMP schema"));
+ return -1;
+ }
+
+ return 0;
+}
+
+
static void
virQEMUQAPISchemaTraverseContextInit(struct virQEMUQAPISchemaTraverseContext *ctxt,
char **queries,
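Review bot: `ctxt->depth++ > 1000` in virQEMUQAPISchemaTraverseContextValidateDepth is only ever incremented and never decremented when a traversal level returns, so it bounds the total number of virQEMUQAPISchemaTraverse calls per query rather than the nesting depth the field name, the commit message and the error text suggest. That is still enough to break the alternate/array loop, but either decrement on return or rename the field (e.g. `steps`) so the next reader is not misled. Two smaller points on the same lines: the post-increment lets 1001 calls through and refuses the 1002nd, and 1000 is a bare magic number, so hoist it into a named `#define` next to a one-line comment explaining why a bound is needed at all (alternate and array consume no query component).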
@@ -329,6 +343,9 @@ virQEMUQAPISchemaTraverse(const char *baseName,
const char *metatype;
size_t i;
+ if (virQEMUQAPISchemaTraverseContextValidateDepth(ctxt) < 0)
+ return -2;
+
if (!(cur = virHashLookup(ctxt->schema, baseName)))
return -2;
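Review bot: the new depth check and the existing failed virHashLookup two lines below both return -2, but only the depth check calls virReportError. If -2 means "error already reported" to the callers, the lookup path has been missing its report; if it does not, callers will now stack their own error on top of "possible loop in QMP schema". Pick one convention for -2, or give the loop case its own return value so callers can tell the two apart.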
--
2.21.0
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
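The failure mode the commit message describes, and the step bound it proposes, shown on a constructed miniature schema. This is an added example written for this page, not libvirt's qemu_qapi.c nor QEMU's schema: the entry/member types, the `resolve` and `resolve_steps` helpers and the five schema entries (in particular "AltLoop", an alternate whose single branch is an array of itself) are assumptions made for the illustration. The guard mirrors the patch's post-increment form so the refused call number is visible.

```c
#include <stddef.h>
#include <string.h>

/* Bound on traversal steps per query; same value the patch chose
 * (an assumption here, used only to mirror the patch). */
#define MAX_DEPTH 1000

enum meta { META_BUILTIN, META_OBJECT, META_ALTERNATE, META_ARRAY };

/* An object member (name + type) or an alternate branch (type only). */
struct member { const char *name; const char *type; };

struct entry {
    const char *name;
    enum meta meta;
    struct member members[3]; /* members or branches, terminated by type == NULL */
    const char *element;      /* element type for META_ARRAY */
};

/* Constructed schema fragment (not QEMU's real schema). "AltLoop" is an
 * alternate whose only branch is an array of itself: neither step consumes
 * a query component, so a traversal without a bound never terminates. */
static const struct entry schema[] = {
    { "str",       META_BUILTIN,   {{ NULL, NULL }}, NULL },
    { "[str]",     META_ARRAY,     {{ NULL, NULL }}, "str" },
    { "q_obj_B",   META_OBJECT,    {{ "items", "[str]" }, { NULL, NULL }}, NULL },
    { "[AltLoop]", META_ARRAY,     {{ NULL, NULL }}, "AltLoop" },
    { "AltLoop",   META_ALTERNATE, {{ NULL, "[AltLoop]" }, { NULL, NULL }}, NULL },
    { "q_obj_A",   META_OBJECT,    {{ "field", "AltLoop" }, { NULL, NULL }}, NULL },
};

struct ctx {
    const char **queries; /* remaining query components, NULL-terminated */
    size_t depth;         /* traversal calls made so far (never decremented) */
};

static const struct entry *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(schema) / sizeof(schema[0]); i++)
        if (strcmp(schema[i].name, name) == 0)
            return &schema[i];
    return NULL;
}

/* 1 = query resolved to a type, 0 = not found, -1 = step bound exceeded */
static int traverse(const char *base, struct ctx *c)
{
    const struct entry *cur;

    /* The guard: the query length does not bound the recursion, so count
     * calls explicitly. Post-increment as in the patch, so calls 1..1001
     * pass and the 1002nd is the first one refused. */
    if (c->depth++ > MAX_DEPTH)
        return -1;

    if (!(cur = lookup(base)))
        return 0;

    if (!c->queries[0])   /* query exhausted: base is the resolved type */
        return 1;

    switch (cur->meta) {
    case META_OBJECT:
        for (const struct member *m = cur->members; m->type; m++) {
            if (strcmp(m->name, c->queries[0]) == 0) {
                c->queries++; /* an object member consumes one component */
                return traverse(m->type, c);
            }
        }
        return 0;
    case META_ALTERNATE:
        for (const struct member *m = cur->members; m->type; m++) {
            int rc = traverse(m->type, c); /* consumes no component */
            if (rc != 0)
                return rc;
        }
        return 0;
    case META_ARRAY:
        return traverse(cur->element, c);  /* consumes no component */
    case META_BUILTIN:
        return 0;                          /* nothing to descend into */
    }
    return 0;
}

/* Resolve a query against the schema (see traverse() for return codes). */
int resolve(const char *base, const char **queries)
{
    struct ctx c = { queries, 0 };
    return traverse(base, &c);
}

/* Same walk, but report how many traversal calls it took. */
size_t resolve_steps(const char *base, const char **queries)
{
    struct ctx c = { queries, 0 };
    traverse(base, &c);
    return c.depth;
}
```

Resolving "items" under q_obj_B takes two calls and succeeds; resolving "field" plus any further component under q_obj_A enters the AltLoop cycle and is refused on the 1002nd call, which is the off-by-one the post-increment produces.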