From ba9229d280e035872ac2258873c1b9f34cc8c4a9 Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Wed, 27 Jul 2016 07:35:01 +0200
Subject: [PATCH 03/16] qjson: Don't crash when input exceeds nesting limit

RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <1469604913-12442-5-git-send-email-armbru@redhat.com>
Patchwork-id: 71472
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 03/15] qjson: Don't crash when input exceeds nesting limit
Bugzilla: 1276036
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>

We limit nesting depth and input size to defend against input
triggering excessive heap or stack memory use (commit 29c75dd
json-streamer: limit the maximum recursion depth and maximum token
count).  However, when the nesting limit is exceeded,
parser_context_peek_token()'s assertion fails.

Broken in commit 65c0f1e "json-parser: don't replicate tokens at each
level of recursion".

To reproduce, stuff 1025 open braces or brackets into QMP.

Fix by taking the error exit instead of the normal one.

Reported-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <1448486613-17634-3-git-send-email-armbru@redhat.com>
(cherry picked from commit 0753113a26bb8c77f951b1ea91fd4f36d099c37a)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 qobject/json-streamer.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index dced2c7..2bd22a7 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -68,13 +68,14 @@ static void json_message_process_token(JSONLexer *lexer, QString *token, JSONTok
         /* Security consideration, we limit total memory allocated per object
          * and the maximum recursion depth that a message can force.
          */
-        goto out_emit;
+        goto out_emit_bad;
     }
 
     return;
 
 out_emit_bad:
-    /* clear out token list and tell the parser to emit and error
+    /*
+     * Clear out token list and tell the parser to emit an error
      * indication by passing it a NULL list
      */
     QDECREF(parser->tokens);
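Review bot: The one-line fix (goto out_emit instead of goto out_emit_bad, in the limit-exceeded branch) is correct, but the "Security consideration" comment right above it still only says that memory and recursion depth are limited; it should also say that a message exceeding either limit is discarded and the parser is handed a NULL token list so it reports an error, since that is the behavioural change here and the reason out_emit (which passed the truncated token list on and tripped parser_context_peek_token()'s assertion) was the wrong exit. Given this path was already broken once by commit 65c0f1e, a regression test that feeds 1025 open braces through the streamer, as the commit message describes, would be worth adding alongside the fix. The comment rewrite in out_emit_bad ("emit and error" to "emit an error") is purely cosmetic and fine.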
-- 
1.8.3.1