From ba9229d280e035872ac2258873c1b9f34cc8c4a9 Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Wed, 27 Jul 2016 07:35:01 +0200
Subject: [PATCH 03/16] qjson: Don't crash when input exceeds nesting limit
34b321
RH-Author: Markus Armbruster <armbru@redhat.com>
34b321
Message-id: <1469604913-12442-5-git-send-email-armbru@redhat.com>
34b321
Patchwork-id: 71472
34b321
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 03/15] qjson: Don't crash when input exceeds nesting limit
34b321
Bugzilla: 1276036
34b321
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
34b321
RH-Acked-by: John Snow <jsnow@redhat.com>
34b321
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
34b321
We limit nesting depth and input size to defend against input
triggering excessive heap or stack memory use (commit 29c75dd
json-streamer: limit the maximum recursion depth and maximum token
count).  However, when the nesting limit is exceeded,
parser_context_peek_token()'s assertion fails.
34b321
Broken in commit 65c0f1e "json-parser: don't replicate tokens at each
34b321
level of recursion".
34b321
To reproduce, stuff 1025 open braces or brackets into QMP.
34b321
Fix by taking the error exit instead of the normal one.
34b321
Reported-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <1448486613-17634-3-git-send-email-armbru@redhat.com>
(cherry picked from commit 0753113a26bb8c77f951b1ea91fd4f36d099c37a)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 qobject/json-streamer.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
34b321
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
34b321
index dced2c7..2bd22a7 100644
34b321
--- a/qobject/json-streamer.c
34b321
+++ b/qobject/json-streamer.c
34b321
@@ -68,13 +68,14 @@ static void json_message_process_token(JSONLexer *lexer, QString *token, JSONTok
34b321
         /* Security consideration, we limit total memory allocated per object
34b321
          * and the maximum recursion depth that a message can force.
34b321
          */
34b321
-        goto out_emit;
34b321
+        goto out_emit_bad;
34b321
     }
34b321
 
34b321
     return;
34b321
 
34b321
 out_emit_bad:
34b321
-    /* clear out token list and tell the parser to emit and error
34b321
+    /*
34b321
+     * Clear out token list and tell the parser to emit an error
34b321
      * indication by passing it a NULL list
34b321
      */
34b321
     QDECREF(parser->tokens);
34b321
-- 
34b321
1.8.3.1
34b321