External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-01 20:05:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

json: even stricter trailing garbage detection

Browse Source 
Since older yajl ignores trailing garbage, a client can cause
problems by intentionally ending the wrapper array early. Since
we already track nesting, it's not too much harder to reject
invalid nesting pops.

* src/util/virjson. (_virJSONParser): Add field.
(virJSONValueFromString): Set witness.
(virJSONParserHandleEndArray): Use it to catch abuse.
* tests/jsontest.c (mymain): Test it.

Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
Eric Blake 2015-06-22 15:01:15 -06:00 committed by Michal Privoznik
parent 7cd991b74c
commit 7e191fd939
2 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/util/virjson.c
View File

@ -64,6 +64,7 @@ struct _virJSONParser {
virJSONValuePtr head;
virJSONParserStatePtr state;
size_t nstate;
int wrap;
};
@ -1556,7 +1557,7 @@ virJSONParserHandleEndArray(void *ctx)
VIR_DEBUG("parser=%p", parser);
if (!parser->nstate)
if (!(parser->nstate - parser->wrap))
return 0;
state = &(parser->state[parser->nstate-1]);
@ -1591,7 +1592,7 @@ virJSONValuePtr
virJSONValueFromString(const char *jsonstring)
{
yajl_handle hand;
virJSONParser parser = { NULL, NULL, 0 };
virJSONParser parser = { NULL, NULL, 0, 0 };
virJSONValuePtr ret = NULL;
int rc;
size_t len = strlen(jsonstring);
@ -1627,8 +1628,10 @@ virJSONValueFromString(const char *jsonstring)
rc = yajl_parse(hand, (const unsigned char *)jsonstring, len);
# else
rc = yajl_parse(hand, (const unsigned char *)"[", 1);
parser.wrap = 1;
if (VIR_YAJL_STATUS_OK(rc))
rc = yajl_parse(hand, (const unsigned char *)jsonstring, len);
parser.wrap = 0;
if (VIR_YAJL_STATUS_OK(rc))
rc = yajl_parse(hand, (const unsigned char *)"]", 1);
# endif

1
tests/jsontest.c
View File

@ -421,6 +421,7 @@ mymain(void)
DO_TEST_PARSE_FAIL("comments", "[ /* nope */\n1 // not this either\n]");
DO_TEST_PARSE_FAIL("trailing garbage", "[] []");
DO_TEST_PARSE_FAIL("list without array", "1, 1");
DO_TEST_PARSE_FAIL("parser abuse", "1] [2");
DO_TEST_PARSE_FAIL("object with numeric keys", "{ 1:1, 2:1, 3:2 }");
DO_TEST_PARSE_FAIL("unterminated object", "{ \"1\":1, \"2\":1, \"3\":2");