Implicitly the query depth is limited by the length of the QAPI schema
query, but 'alternate' and 'array' QAPI meta-types don't consume a part
of the query string thus a loop on such types would get our traversal
code stuck in an infinite loop. Prevent this from happening by limiting
the nesting depth to 1000.
Signed-off-by: Peter Krempa <pkre...@redhat.com>
---
src/qemu/qemu_qapi.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/qemu/qemu_qapi.c b/src/qemu/qemu_qapi.c
index 0226d6c659..93fcae0d44 100644
--- a/src/qemu/qemu_qapi.c
+++ b/src/qemu/qemu_qapi.c
@@ -74,9 +74,23 @@ struct virQEMUQAPISchemaTraverseContext {
virHashTablePtr schema;
char **queries;
virJSONValuePtr returnType;
+ size_t depth;
};
+static int
+virQEMUQAPISchemaTraverseContextValidateDepth(struct
virQEMUQAPISchemaTraverseContext *ctxt)
+{
+ if (ctxt->depth++ > 1000) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("possible loop in QMP schema"));
+ return -1;
+ }
+
+ return 0;
+}
+
+
static void
virQEMUQAPISchemaTraverseContextInit(struct virQEMUQAPISchemaTraverseContext
*ctxt,
char **queries,
@@ -329,6 +343,9 @@ virQEMUQAPISchemaTraverse(const char *baseName,
const char *metatype;
size_t i;
+ if (virQEMUQAPISchemaTraverseContextValidateDepth(ctxt) < 0)
+ return -2;
+
if (!(cur = virHashLookup(ctxt->schema, baseName)))
return -2;
--
2.21.0
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
