On Fri, Sep 06, 2019 at 10:33:15AM +0200, Peter Krempa wrote:
> Implicitly the query depth is limited by the length of the QAPI schema
> query, but 'alternate' and 'array' QAPI meta-types don't consume a part
> of the query string thus a loop on such types would get our traversal
> code stuck in an infinite loop. Prevent this from happening by limiting
> the nesting depth to 1000.
I'm not too clear on what 'depth' is applying to here ? Is this
the level of nesting in the JSON compound types we're following,
or is it something else ?
I ask because YAJL limits JSON nesting to only 128. So 1000 is
almost an order of magnitude larger.
>
> Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
> ---
> src/qemu/qemu_qapi.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/src/qemu/qemu_qapi.c b/src/qemu/qemu_qapi.c
> index 0226d6c659..93fcae0d44 100644
> --- a/src/qemu/qemu_qapi.c
> +++ b/src/qemu/qemu_qapi.c
> @@ -74,9 +74,23 @@ struct virQEMUQAPISchemaTraverseContext {
> virHashTablePtr schema;
> char **queries;
> virJSONValuePtr returnType;
> + size_t depth;
> };
>
>
> +static int
> +virQEMUQAPISchemaTraverseContextValidateDepth(struct virQEMUQAPISchemaTraverseContext *ctxt)
> +{
> + if (ctxt->depth++ > 1000) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("possible loop in QMP schema"));
> + return -1;
> + }
> +
> + return 0;
> +}
> +
> +
> static void
> virQEMUQAPISchemaTraverseContextInit(struct virQEMUQAPISchemaTraverseContext *ctxt,
> char **queries,
> @@ -329,6 +343,9 @@ virQEMUQAPISchemaTraverse(const char *baseName,
> const char *metatype;
> size_t i;
>
> + if (virQEMUQAPISchemaTraverseContextValidateDepth(ctxt) < 0)
> + return -2;
> +
> if (!(cur = virHashLookup(ctxt->schema, baseName)))
> return -2;
>
> --
> 2.21.0
>
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
