[Qemu-devel] [PATCH v1][ 07/14] json-streamer: limit the maximum recursi
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH v1][ 07/14] json-streamer: limit the maximum recursion depth and maximum token count |
Date: |
Wed, 1 Jun 2011 12:14:53 -0500 |
From: Anthony Liguori <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
---
json-streamer.c | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)
diff --git a/json-streamer.c b/json-streamer.c
index 549e9b7..6b9af63 100644
--- a/json-streamer.c
+++ b/json-streamer.c
@@ -18,6 +18,9 @@
#include "json-lexer.h"
#include "json-streamer.h"
+#define MAX_TOKEN_SIZE (64ULL << 20)
+#define MAX_NESTING (1ULL << 10)
+
static void json_message_process_token(JSONLexer *lexer, QString *token,
JSONTokenType type, int x, int y)
{
JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
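Review bot: `MAX_TOKEN_SIZE` is named like a per-token cap, but the later hunks compare it against `parser->token_size`, which is a running total of `token->length` over the whole token list. A name such as `MAX_MESSAGE_SIZE`, or a comment above the defines like `/* per-message limits: total bytes of token text, and brace/bracket nesting depth */`, would make the scope of each limit clear. The `ULL` suffix on `MAX_NESTING` also makes the comparisons with `brace_count` and `bracket_count` unsigned if those fields are plain `int` (their declarations are not in this diff); dropping the suffix there avoids a mixed-sign comparison. The body of json_message_process_token continues outside this hunk.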
@@ -49,6 +52,8 @@ static void json_message_process_token(JSONLexer *lexer,
QString *token, JSONTok
qdict_put(dict, "x", qint_from_int(x));
qdict_put(dict, "y", qint_from_int(y));
+ parser->token_size += token->length;
+
qlist_append(parser->tokens, dict);
if (parser->brace_count < 0 ||
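Review bot: The running total added here counts only the bytes of token text, so it does not bound the number of tokens, although the subject line mentions a maximum token count. Each call also appends its own dict, with boxed `x` and `y` values, to `parser->tokens`, so a flat message made of one-byte tokens can allocate far more than `token_size` suggests while staying under both limits. A token counter kept next to `token_size` and checked in the same `else if` would close that gap; at minimum a comment such as `/* bytes of token text only; per-token QDict overhead is not counted */` should sit on this line. The enclosing function starts and ends outside this hunk.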
@@ -60,6 +65,17 @@ static void json_message_process_token(JSONLexer *lexer,
QString *token, JSONTok
parser->emit(parser, parser->tokens);
QDECREF(parser->tokens);
parser->tokens = qlist_new();
+ } else if (parser->token_size > MAX_TOKEN_SIZE ||
+ parser->bracket_count > MAX_NESTING ||
+ parser->brace_count > MAX_NESTING) {
+ /* Security consideration, we limit total memory allocated per object
+ * and the maximum recursion depth that a message can force.
+ */
+ parser->brace_count = 0;
+ parser->bracket_count = 0;
+ parser->emit(parser, parser->tokens);
+ QDECREF(parser->tokens);
+ parser->tokens = qlist_new();
}
}
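Review bot: `parser->token_size` is never reset, neither on the normal emit path at the top of this hunk nor in the new limit branch, so it accumulates over the parser's lifetime rather than per message. Once a long-lived parser has seen 64 MiB of token text in total, every later token that does not complete a message takes the limit branch and is emitted as a one-element list. Add `parser->token_size = 0;` after each `parser->tokens = qlist_new();`; patch 08/14 of this series appears from its title to do this, but folding it in here keeps this commit correct on its own. The limit branch also hands the truncated list to `parser->emit` without any marker, so the comment should state that the consumer is expected to reject the incomplete list.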
@@ -70,6 +86,7 @@ void json_message_parser_init(JSONMessageParser *parser,
parser->brace_count = 0;
parser->bracket_count = 0;
parser->tokens = qlist_new();
+ parser->token_size = 0;
json_lexer_init(&parser->lexer, json_message_process_token);
}
--
1.7.0.4