author: Markus Armbruster <armbru@redhat.com> 2015-11-25 22:23:23 +0100
committer: Markus Armbruster <armbru@redhat.com> 2015-11-26 09:18:04 +0100
commit: 0753113a26bb8c77f951b1ea91fd4f36d099c37a (patch)
tree: 3b487f57d8f3fb14e322154efb89bd57bc4fca67 /qobject/json-streamer.c
parent: 4f2d31fbc0bfdf41feea7d1be49f4f7ffa005534 (diff)
qjson: Don't crash when input exceeds nesting limit
We limit nesting depth and input size to defend against input triggering excessive heap or stack memory use (commit 29c75dd json-streamer: limit the maximum recursion depth and maximum token count). However, when the nesting limit is exceeded, parser_context_peek_token()'s assertion fails. Broken in commit 65c0f1e "json-parser: don't replicate tokens at each level of recursion".

To reproduce stuff 1025 open braces or brackets into QMP.

Fix by taking the error exit instead of the normal one.

Reported-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <1448486613-17634-3-git-send-email-armbru@redhat.com>
Diffstat (limited to 'qobject/json-streamer.c')
-rw-r--r-- qobject/json-streamer.c | 5
1 files changed, 3 insertions, 2 deletions
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index dced2c7..2bd22a7 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -68,13 +68,14 @@ static void json_message_process_token(JSONLexer *lexer, QString *token, JSONTok
/* Security consideration, we limit total memory allocated per object
* and the maximum recursion depth that a message can force.
*/
- goto out_emit;
+ goto out_emit_bad;
}
return;
out_emit_bad:
- /* clear out token list and tell the parser to emit and error
+ /*
+ * Clear out token list and tell the parser to emit an error
* indication by passing it a NULL list
*/
QDECREF(parser->tokens);
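Review bot: the `/* Security consideration ... */` comment directly above the changed `goto` still only says that memory and recursion depth are limited; now that the limit branch jumps to `out_emit_bad` (which frees `parser->tokens` and hands the parser a NULL list instead of the partial token list that, per the commit message, tripped parser_context_peek_token()'s assertion), consider adding a sentence there stating that an over-limit message is rejected as a parse error rather than emitted, so the next reader does not "fix" it back to `out_emit`. The visible context does not show the condition guarding this branch, so please confirm both the depth and the token-count checks funnel through this single `goto`, and add a regression test built from the reproducer in the commit message (1025 open braces or brackets) so the assertion failure cannot silently return. The comment fix from "emit and error" to "emit an error" is fine.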