From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 26 Mar 2012 10:06:02 -0500
From: Michael Roth
Message-ID: <20120326150602.GB2884@illuin>
References: <1332417072-20329-1-git-send-email-pbonzini@redhat.com> <1332417072-20329-3-git-send-email-pbonzini@redhat.com> <20120326111546.3463ca4d@doriath.home>
In-Reply-To: <20120326111546.3463ca4d@doriath.home>
Subject: Re: [Qemu-devel] [PATCH 02/10] qapi: fail hard on stack imbalance
To: Luiz Capitulino
Cc: Paolo Bonzini , eblake@redhat.com, qemu-devel@nongnu.org, anthony@codemonkey.vs

On Mon, Mar 26, 2012 at 11:15:46AM -0300, Luiz Capitulino wrote:
> On Thu, 22 Mar 2012 12:51:04 +0100
> Paolo Bonzini wrote:
> 
> > QmpOutputVisitor will segfault if an imbalanced end function is
> > called. So we can abort in QmpInputVisitor too.
> > 
> > Signed-off-by: Paolo Bonzini
> > ---
> >  qapi/qmp-input-visitor.c |    5 +----
> >  1 files changed, 1 insertions(+), 4 deletions(-)
> > 
> > diff --git a/qapi/qmp-input-visitor.c b/qapi/qmp-input-visitor.c
> > index e6b6152..b4013cc 100644
> > --- a/qapi/qmp-input-visitor.c
> > +++ b/qapi/qmp-input-visitor.c
> > @@ -77,11 +77,8 @@ static void qmp_input_push(QmpInputVisitor *qiv, const QObject *obj, Error **err > > > > static void qmp_input_pop(QmpInputVisitor *qiv, Error **errp) > > { > > + assert(qiv->nb_stack > 0); > > qiv->nb_stack--; > > - if (qiv->nb_stack < 0) { > > - error_set(errp, QERR_BUFFER_OVERRUN); > > - return; > > - } > > }
> 
> Just to confirm: this can't be triggered by malicious clients, right?
> 
> The original series submitted by Michael had this, but I asked him to
> change because I thought clients could trigger it. But by reading the code
> now it seems to me that the end_struct() function is only generated by types
> we know about.

Yah, looked into this as well. I can't see anything outside of a bug
triggering this: even if they did manage to get past the parser and have
some wonky qobject fed to us, the generated visitor code should still
always be balanced, and end_list/end_struct are the only way to induce a
pop so nb_stack should never go below 0.

There may be other areas where we need to watch out for this kind of
stuff though.

> > > > static void qmp_input_start_struct(Visitor *v, void **obj, const char *kind, > >
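Review bot: with the error_set(errp, QERR_BUFFER_OVERRUN) path removed, the `Error **errp` parameter of qmp_input_pop() is no longer used anywhere in the function, and a client-visible error has become a process abort; the justification in this thread (end_list/end_struct are only emitted by generated visitor code, so an underflow can only come from a bug, never from QMP input) is the load-bearing reason for that change and deserves a one-line comment above `assert(qiv->nb_stack > 0);` so a future caller of qmp_input_pop() from non-generated code does not silently inherit an abort on untrusted input. Also note the assert checks `> 0` before the decrement, whereas the removed branch checked `< 0` after it; both reject the same state, but the comment should make clear that nb_stack is expected to be exactly 0 at end of input and that this is now an invariant, not an error condition.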