From: Eric Blake
Date: Thu, 19 Nov 2015 09:15:41 -0700
Subject: Re: [Qemu-devel] [PATCH v2 0/4] json-streamer: Fix up code to limit nesting and size
To: Markus Armbruster, qemu-devel@nongnu.org
Cc: lcapitulino@redhat.com
Message-ID: <564DF5AD.2040002@redhat.com>
In-Reply-To: <1447946948-12489-1-git-send-email-armbru@redhat.com>
References: <1447946948-12489-1-git-send-email-armbru@redhat.com>

On 11/19/2015 08:29 AM, Markus Armbruster wrote:
> Ugh, I almost dropped this on the floor.  I think it should go into
> 2.5, and I plan to take it through my tree.  If you disagree, please
> speak up.

It sounds like a bug fix to me (avoiding core dumps due to
user-triggerable input) and on that ground, qualifies for hard freeze in
my books.

>
> We limit nesting depth and input size to defend against input
> triggering excessive heap or stack memory use (commit 29c75dd
> json-streamer: limit the maximum recursion depth and maximum token
> count).  This limiting is flawed in multiple ways.  Fix it up some.
>
> Not yet fixed: this JSON parser is an absurd memory hog; see last
> patch.
>
> v2:
> * Trivially rebased, R-bys retained
> * PATCH 3: Fix a nearby comment typo [Eric]
> * PATCH 4: Simplify make_nest() slightly
> * PATCH 5: Commit message tweaked

Hmm, when the series is only 4/4, changes to PATCH 5 are suspect :)

At any rate, the changes look correct, and minor enough that keeping my
R-b was the right thing to do.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org