From 10c532274b39468639dd2b63269a137cdf824175 Mon Sep 17 00:00:00 2001
From: Peter Krempa
Date: Mon, 12 Aug 2019 18:31:44 +0200
Subject: [PATCH] qemu: qapi: Limit traversal depth for QAPI schema queries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Implicitly the query depth is limited by the length of the QAPI schema query, but 'alternate' and 'array' QAPI meta-types don't consume a part of the query string thus a loop on such types would get our traversal code stuck in an infinite loop. Prevent this from happening by limiting the nesting depth to 1000.

Signed-off-by: Peter Krempa
Reviewed-by: Daniel P. Berrangé
---
 src/qemu/qemu_qapi.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/qemu/qemu_qapi.c b/src/qemu/qemu_qapi.c
index 0226d6c659..93fcae0d44 100644
--- a/src/qemu/qemu_qapi.c
+++ b/src/qemu/qemu_qapi.c
@@ -74,9 +74,23 @@ struct virQEMUQAPISchemaTraverseContext {
     virHashTablePtr schema;
     char **queries;
     virJSONValuePtr returnType;
+    size_t depth;
 };
 
 
+static int
+virQEMUQAPISchemaTraverseContextValidateDepth(struct virQEMUQAPISchemaTraverseContext *ctxt)
+{
+    if (ctxt->depth++ > 1000) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("possible loop in QMP schema"));
+        return -1;
+    }
+
+    return 0;
+}
+
+
 static void
 virQEMUQAPISchemaTraverseContextInit(struct virQEMUQAPISchemaTraverseContext *ctxt,
                                      char **queries,
@@ -329,6 +343,9 @@ virQEMUQAPISchemaTraverse(const char *baseName,
     const char *metatype;
     size_t i;
 
+    if (virQEMUQAPISchemaTraverseContextValidateDepth(ctxt) < 0)
+        return -2;
+
     if (!(cur = virHashLookup(ctxt->schema, baseName)))
         return -2;
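Review bot: `depth` is only ever incremented in virQEMUQAPISchemaTraverseContextValidateDepth and nothing in the hunk decrements it on return, so the field bounds the total number of virQEMUQAPISchemaTraverse calls made for one query rather than the nesting depth the commit message describes; for a single-path walk that is a stricter (and safe) cap against a looping schema from QEMU, but the name and a missing comment invite a later "fix" that resets it, so I would document the intent and name the limit, e.g. `/* counts traversal steps, never reset: bounds the walk even if the schema loops */` on the field and `#define QEMU_QAPI_SCHEMA_TRAVERSE_MAX_DEPTH 1000` (constructed name) in place of the bare `1000`. The check also relies on `depth` starting at zero, and the body of virQEMUQAPISchemaTraverseContextInit is outside the hunk, so please confirm it zeroes the whole context (memset or `= {0}`), otherwise the limit is undefined on the first query. Minor: with `depth++ > 1000` the error fires on the 1002nd visit rather than the 1001st; `>=` would match the stated limit exactly. The same counter is consumed in the second hunk, whose enclosing function continues past the end of this view.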