From: Anthony Liguori <aliguori@us.ibm.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Anthony Liguori <aliguori@us.ibm.com>,
Markus Armbruster <armbru@redhat.com>,
Michael D Roth <mdroth@us.ibm.com>,
Luiz Capitulino <lcapitulino@redhat.com>
Subject: [Qemu-devel] [PATCH 09/11] json-lexer: limit the maximum size of a given token
Date: Fri, 11 Mar 2011 15:00:47 -0600 [thread overview]
Message-ID: <1299877249-13433-10-git-send-email-aliguori@us.ibm.com> (raw)
In-Reply-To: <1299877249-13433-1-git-send-email-aliguori@us.ibm.com>
This is a security consideration. We don't want a client to cause an arbitrary
amount of memory to be allocated in QEMU. For now, we use a limit of 64MB
which should be large enough for any reasonably sized token.
This is important for parsing JSON from untrusted sources.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
diff --git a/json-lexer.c b/json-lexer.c
index 834d7af..3462c89 100644
--- a/json-lexer.c
+++ b/json-lexer.c
@@ -18,6 +18,8 @@
#include "qemu-common.h"
#include "json-lexer.h"
+#define MAX_TOKEN_SIZE (64ULL << 20)
+
/*
* \"([^\\\"]|(\\\"\\'\\\\\\/\\b\\f\\n\\r\\t\\u[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]))*\"
* '([^\\']|(\\\"\\'\\\\\\/\\b\\f\\n\\r\\t\\u[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]))*'
@@ -312,6 +314,17 @@ static int json_lexer_feed_char(JSONLexer *lexer, char ch)
}
lexer->state = new_state;
} while (!char_consumed);
+
+ /* Do not let a single token grow to an arbitrarily large size,
+ * this is a security consideration.
+ */
+ if (lexer->token->length > MAX_TOKEN_SIZE) {
+ lexer->emit(lexer, lexer->token, lexer->state, lexer->x, lexer->y);
+ QDECREF(lexer->token);
+ lexer->token = qstring_new();
+ lexer->state = IN_START;
+ }
+
return 0;
}
--
1.7.0.4
next prev parent reply other threads:[~2011-03-11 21:01 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-11 21:00 [Qemu-devel] [00/11] QAPI Round 0 (JSON improvements) Anthony Liguori
2011-03-11 21:00 ` [Qemu-devel] [PATCH 01/11] Add hard build dependency on glib Anthony Liguori
2011-03-12 8:09 ` [Qemu-devel] " Paolo Bonzini
2011-03-12 14:52 ` Anthony Liguori
2011-03-11 21:00 ` [Qemu-devel] [PATCH 02/11] qerror: expose a function to format an error Anthony Liguori
2011-03-11 21:08 ` [Qemu-devel] " Anthony Liguori
2011-03-14 19:17 ` Luiz Capitulino
2011-03-14 19:27 ` Anthony Liguori
2011-03-14 19:37 ` Luiz Capitulino
2011-03-14 19:45 ` Anthony Liguori
2011-03-14 20:22 ` Luiz Capitulino
2011-03-14 20:41 ` Anthony Liguori
2011-03-14 20:48 ` Luiz Capitulino
2011-03-14 21:03 ` Anthony Liguori
2011-03-11 21:00 ` [Qemu-devel] [PATCH 03/11] add a generic Error object Anthony Liguori
2011-03-12 11:05 ` Blue Swirl
2011-03-12 14:51 ` Anthony Liguori
2011-03-14 19:18 ` [Qemu-devel] " Luiz Capitulino
2011-03-14 19:34 ` Anthony Liguori
2011-03-14 19:57 ` Luiz Capitulino
2011-03-11 21:00 ` [Qemu-devel] [PATCH 04/11] qerror: split out the reporting bits of QError Anthony Liguori
2011-03-14 19:18 ` [Qemu-devel] " Luiz Capitulino
2011-03-14 19:24 ` Anthony Liguori
2011-03-14 19:30 ` Luiz Capitulino
2011-03-14 20:30 ` Anthony Liguori
2011-03-11 21:00 ` [Qemu-devel] [PATCH 05/11] qerror: add new error message for invalid enum values Anthony Liguori
2011-03-14 19:19 ` [Qemu-devel] " Luiz Capitulino
2011-03-11 21:00 ` [Qemu-devel] [PATCH 06/11] qerror: add JSON parsing error message Anthony Liguori
2011-03-11 21:00 ` [Qemu-devel] [PATCH 07/11] json: propagate error from parser Anthony Liguori
2011-03-11 21:00 ` [Qemu-devel] [PATCH 08/11] json-lexer: reset the lexer state on an invalid token Anthony Liguori
2011-03-14 19:22 ` [Qemu-devel] " Luiz Capitulino
2011-03-14 19:43 ` Anthony Liguori
2011-03-14 20:12 ` Luiz Capitulino
2011-03-14 20:30 ` Anthony Liguori
2011-03-14 20:43 ` Luiz Capitulino
2011-03-11 21:00 ` Anthony Liguori [this message]
2011-03-14 19:25 ` [Qemu-devel] Re: [PATCH 09/11] json-lexer: limit the maximum size of a given token Luiz Capitulino
2011-03-14 20:18 ` Anthony Liguori
2011-03-14 20:33 ` Luiz Capitulino
2011-03-11 21:00 ` [Qemu-devel] [PATCH 10/11] json-streamer: limit the maximum recursion depth and maximum token count Anthony Liguori
2011-03-11 23:16 ` Michael Roth
2011-03-12 15:03 ` Anthony Liguori
2011-03-11 21:00 ` [Qemu-devel] [PATCH 11/11] json-parser: detect premature EOI Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1299877249-13433-10-git-send-email-aliguori@us.ibm.com \
--to=aliguori@us.ibm.com \
--cc=armbru@redhat.com \
--cc=lcapitulino@redhat.com \
--cc=mdroth@us.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).