qemu: qapi: Limit traversal depth for QAPI schema queries
Implicitly the query depth is limited by the length of the QAPI schema query, but 'alternate' and 'array' QAPI meta-types don't consume a part of the query string thus a loop on such types would get our traversal code stuck in an infinite loop. Prevent this from happening by limiting the nesting depth to 1000. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
parent
9f90a4bfb4
commit
10c532274b
@ -74,9 +74,23 @@ struct virQEMUQAPISchemaTraverseContext {
|
|||||||
virHashTablePtr schema;
|
virHashTablePtr schema;
|
||||||
char **queries;
|
char **queries;
|
||||||
virJSONValuePtr returnType;
|
virJSONValuePtr returnType;
|
||||||
|
size_t depth;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
static int
|
||||||
|
virQEMUQAPISchemaTraverseContextValidateDepth(struct virQEMUQAPISchemaTraverseContext *ctxt)
|
||||||
|
{
|
||||||
|
if (ctxt->depth++ > 1000) {
|
||||||
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
||||||
|
_("possible loop in QMP schema"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
virQEMUQAPISchemaTraverseContextInit(struct virQEMUQAPISchemaTraverseContext *ctxt,
|
virQEMUQAPISchemaTraverseContextInit(struct virQEMUQAPISchemaTraverseContext *ctxt,
|
||||||
char **queries,
|
char **queries,
|
||||||
@ -329,6 +343,9 @@ virQEMUQAPISchemaTraverse(const char *baseName,
|
|||||||
const char *metatype;
|
const char *metatype;
|
||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
|
if (virQEMUQAPISchemaTraverseContextValidateDepth(ctxt) < 0)
|
||||||
|
return -2;
|
||||||
|
|
||||||
if (!(cur = virHashLookup(ctxt->schema, baseName)))
|
if (!(cur = virHashLookup(ctxt->schema, baseName)))
|
||||||
return -2;
|
return -2;
|
||||||
|
|
||||||
|
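Review bot: In virQEMUQAPISchemaTraverseContextValidateDepth the counter is only ever incremented on the visible lines, so unless virQEMUQAPISchemaTraverse decrements it on return (its body continues outside the hunk), `depth` is a budget on total traversal calls for one query rather than a nesting depth, and any sibling branches the traversal tries draw from the same 1000. That still bounds the work a cyclic schema reported by QEMU can cause, but the helper should say so in a comment such as `/* counts every traversal step of one query and is never decremented; bounds work on a cyclic schema */`, and the literal would read better as a named constant. Assuming the counter starts at zero, `ctxt->depth++ > 1000` lets 1001 calls pass before failing, whereas the commit message states a limit of 1000; `if (++ctxt->depth > 1000) {` matches the stated limit. The depth failure in the second hunk returns -2, the same code as the schema lookup failure just below it, which reports no error on the visible lines, so the "possible loop in QMP schema" message may be replaced if the caller reports its own error for -2.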