From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1NzZwr-0000Tm-7H
	for qemu-devel@nongnu.org; Wed, 07 Apr 2010 14:25:57 -0400
Received: from [140.186.70.92] (port=43721 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NzZwo-0000MG-Pm
	for qemu-devel@nongnu.org; Wed, 07 Apr 2010 14:25:55 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <lcapitulino@redhat.com>) id 1NzZwN-0003h3-Ot
	for qemu-devel@nongnu.org; Wed, 07 Apr 2010 14:25:29 -0400
Received: from mx1.redhat.com ([209.132.183.28]:8653)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <lcapitulino@redhat.com>) id 1NzZwN-0003gZ-Gc
	for qemu-devel@nongnu.org; Wed, 07 Apr 2010 14:25:27 -0400
Received: from int-mx08.intmail.prod.int.phx2.redhat.com
	(int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o37IPQUe021232
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-devel@nongnu.org>; Wed, 7 Apr 2010 14:25:27 -0400
From: Luiz Capitulino <lcapitulino@redhat.com>
Date: Wed,  7 Apr 2010 15:25:10 -0300
Message-Id: <1270664710-3948-5-git-send-email-lcapitulino@redhat.com>
In-Reply-To: <1270664710-3948-1-git-send-email-lcapitulino@redhat.com>
References: <1270664710-3948-1-git-send-email-lcapitulino@redhat.com>
Subject: [Qemu-devel] [PATCH 4/4] QMP: Check "arguments" member's type
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: armbru@redhat.com

Otherwise the following input crashes QEMU:

{ "execute": "migrate", "arguments": "tcp:0:4446" }

Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
---
 monitor.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/monitor.c b/monitor.c
index cd350d6..91d7da5 100644
--- a/monitor.c
+++ b/monitor.c
@@ -4522,6 +4522,9 @@ static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
     obj = qdict_get(input, "arguments");
     if (!obj) {
         args = qdict_new();
+    } else if (qobject_type(obj) != QTYPE_QDICT) {
+        qerror_report(QERR_QMP_BAD_INPUT_OBJECT_MEMBER, "arguments", "object");
+        goto err_input;
     } else {
         args = qobject_to_qdict(obj);
         QINCREF(args);
-- 
1.7.0.4.297.g6555b1