[Qemu-devel] [PULL 48/58] json: Enforce token count and size limits more tightly
From: Markus Armbruster
Subject: [Qemu-devel] [PULL 48/58] json: Enforce token count and size limits more tightly
Date: Fri, 24 Aug 2018 21:31:56 +0200
Token count and size limits exist to guard against excessive heap
usage. We check them only after we created the token on the heap.
That's assigning a cowboy to the barn to lasso the horse after it has
bolted. Close the barn door instead: check before we create the
token.
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>
---
qobject/json-streamer.c | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 674dfe6e85..810aae521f 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -20,7 +20,7 @@
#define MAX_TOKEN_SIZE (64ULL << 20)
#define MAX_TOKEN_COUNT (2ULL << 20)
-#define MAX_NESTING (1ULL << 10)
+#define MAX_NESTING (1 << 10)
static void json_message_free_token(void *token, void *opaque)
{
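Review bot: the change of MAX_NESTING from `1ULL << 10` to `1 << 10` is not mentioned in the commit message, which only describes moving the checks ahead of the allocation. A one-line justification would help (presumably so that the comparison `parser->bracket_count + parser->brace_count > MAX_NESTING` in the next hunk is between plain ints rather than int and unsigned long long, avoiding an implicit sign conversion); otherwise this belongs in its own patch.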
@@ -71,6 +71,23 @@ void json_message_process_token(JSONLexer *lexer, GString
*input,
break;
}
+ /*
+ * Security consideration, we limit total memory allocated per object
+ * and the maximum recursion depth that a message can force.
+ */
+ if (parser->token_size + input->len + 1 > MAX_TOKEN_SIZE) {
+ error_setg(&err, "JSON token size limit exceeded");
+ goto out_emit;
+ }
+ if (g_queue_get_length(parser->tokens) + 1 > MAX_TOKEN_COUNT) {
+ error_setg(&err, "JSON token count limit exceeded");
+ goto out_emit;
+ }
+ if (parser->bracket_count + parser->brace_count > MAX_NESTING) {
+ error_setg(&err, "JSON nesting depth limit exceeded");
+ goto out_emit;
+ }
+
token = g_malloc(sizeof(JSONToken) + input->len + 1);
token->type = type;
memcpy(token->str, input->str, input->len);
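Review bot: the nesting check is the only one of the three that did not gain a `+ 1` when it moved ahead of the allocation. The size check now reads `parser->token_size + input->len + 1 > MAX_TOKEN_SIZE` and the count check `g_queue_get_length(parser->tokens) + 1 > MAX_TOKEN_COUNT`, so both account for the token about to be created, but `parser->bracket_count + parser->brace_count > MAX_NESTING` is unchanged from the removed version. If those counters are incremented for an opening bracket or brace after this point (the increment is not in this hunk), the depth limit is now enforced one level later than it was; either add the equivalent `+ 1` for opening tokens or state in the commit message that the current token is deliberately not counted. Also worth noting: the size check bounds `input->len + 1` (string plus NUL) but not the `sizeof(JSONToken)` header that `g_malloc(sizeof(JSONToken) + input->len + 1)` also allocates, so MAX_TOKEN_SIZE limits string bytes rather than total heap per object, which the comment above it ("total memory allocated per object") slightly overstates.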
@@ -91,23 +108,6 @@ void json_message_process_token(JSONLexer *lexer, GString
*input,
goto out_emit;
}
- /*
- * Security consideration, we limit total memory allocated per object
- * and the maximum recursion depth that a message can force.
- */
- if (parser->token_size > MAX_TOKEN_SIZE) {
- error_setg(&err, "JSON token size limit exceeded");
- goto out_emit;
- }
- if (g_queue_get_length(parser->tokens) > MAX_TOKEN_COUNT) {
- error_setg(&err, "JSON token count limit exceeded");
- goto out_emit;
- }
- if (parser->bracket_count + parser->brace_count > MAX_NESTING) {
- error_setg(&err, "JSON nesting depth limit exceeded");
- goto out_emit;
- }
-
return;
out_emit:
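Review bot: the commit message could state explicitly that the set of accepted inputs is unchanged. The removed `parser->token_size > MAX_TOKEN_SIZE` after the token was accumulated rejects the same inputs as the new `parser->token_size + input->len + 1 > MAX_TOKEN_SIZE` before it, assuming `token_size` grows by `input->len + 1` per token (the update is not in this hunk); likewise `g_queue_get_length(parser->tokens) > MAX_TOKEN_COUNT` after the push matches `... + 1 > MAX_TOKEN_COUNT` before it. Saying so makes the move easy to verify and makes clear that the only behavioural change is that the over-limit token is never allocated.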
--
2.17.1