mirror of
https://github.com/libvirt/libvirt.git
qemu: qapi: Limit traversal depth for QAPI schema queries
Implicitly the query depth is limited by the length of the QAPI schema query, but 'alternate' and 'array' QAPI meta-types don't consume a part of the query string thus a loop on such types would get our traversal code stuck in an infinite loop. Prevent this from happening by limiting the nesting depth to 1000. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
parent
9f90a4bfb4
commit
10c532274b
@ -74,9 +74,23 @@ struct virQEMUQAPISchemaTraverseContext {
|
||||
virHashTablePtr schema;
|
||||
char **queries;
|
||||
virJSONValuePtr returnType;
|
||||
size_t depth;
|
||||
};
|
||||
|
||||
|
||||
static int
|
||||
virQEMUQAPISchemaTraverseContextValidateDepth(struct virQEMUQAPISchemaTraverseContext *ctxt)
|
||||
{
|
||||
if (ctxt->depth++ > 1000) {
|
||||
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
||||
_("possible loop in QMP schema"));
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
virQEMUQAPISchemaTraverseContextInit(struct virQEMUQAPISchemaTraverseContext *ctxt,
|
||||
char **queries,
|
||||
@ -329,6 +343,9 @@ virQEMUQAPISchemaTraverse(const char *baseName,
|
||||
const char *metatype;
|
||||
size_t i;
|
||||
|
||||
if (virQEMUQAPISchemaTraverseContextValidateDepth(ctxt) < 0)
|
||||
return -2;
|
||||
|
||||
if (!(cur = virHashLookup(ctxt->schema, baseName)))
|
||||
return -2;
|
||||
|
||||
|
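Review bot: In virQEMUQAPISchemaTraverseContextValidateDepth, `ctxt->depth` is only ever incremented in the lines shown, so it acts as a per-context budget of traversal calls rather than a nesting depth, unless the recursion paths outside these hunks decrement it on return. If the traversal tries several members of an 'alternate' in turn, those sibling branches would presumably share one budget, so a comment on the field should state the intent, e.g. `size_t depth; /* number of traversal steps taken for this context; never decremented */`. The literal 1000 would read better as a named constant next to the struct, and `ctxt->depth++ > 1000` lets slightly more than 1000 calls through before failing, which is worth a note if the exact bound matters. The depth failure returns -2 after virReportError(), while the lookup failure just below returns -2 without reporting anything in the visible lines, so the callers (outside the hunk) should be checked for a second or overwriting error report. The body of virQEMUQAPISchemaTraverseContextInit is also outside the hunk, so this page does not show whether `depth` is zeroed before the first traversal.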