Re: [Qemu-devel] [PATCH 3/4] check-qjson: Add test for JSON nesting depth limit

Thu, 29 Oct 2015 09:38:50 -0700 

On 10/29/2015 06:44 AM, Markus Armbruster wrote:
> This would have prevented the regression mentioned in the previous
> commit.
> 
> Signed-off-by: Markus Armbruster <arm...@redhat.com>
> ---
>  tests/check-qjson.c | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)

Better late than never.

> +++ b/tests/check-qjson.c
> @@ -1484,6 +1484,34 @@ static void unterminated_literal(void)
>      g_assert(obj == NULL);
>  }
>  
> +static char *make_nest(char *buf, size_t cnt)
> +{
> +    int i;
> +
> +    for (i = 0; i < cnt - 1; i++) {
> +        buf[i] = '[';
> +        buf[2 * cnt - i - 1] = ']';
> +    }
> +    buf[cnt - 1] = '{';
> +    buf[cnt] = '}';
> +    buf[2 * cnt] = 0;
> +    return buf;
> +}

So buf must be at least 2*cnt+1 bytes long.  (Function is static, so
lack of comments don't hurt too badly).  For a cnt of 3 (buffer size at
least 7), this creates "[[{}]]".  Larger cnt adds more outer [] pairs.
The mixed content proves that patch 1/4 covers the combined limit of []
and {} when counting nesting.

Minor optimization - make the for loop bound be 'i < cnt - 2', so you
aren't writing [] in the middle just to rewrite it to {} after the loop
(works as long as caller never passes cnt == 1, which happens to be the
case).

> +
> +static void limits_nesting(void)
> +{
> +    enum { max_nesting = 1024 }; /* see qobject/json-streamer.c */
> +    char buf[2 * (max_nesting + 1) + 1];
> +    QObject *obj;
> +
> +    obj = qobject_from_json(make_nest(buf, max_nesting));
> +    g_assert(obj != NULL);
> +    qobject_decref(obj);

Proves that we can hit our max,

> +
> +    obj = qobject_from_json(make_nest(buf, max_nesting + 1));
> +    g_assert(obj == NULL);

and that we gracefully diagnose one beyond max.

> +}
> +
>  int main(int argc, char **argv)
>  {
>      g_test_init(&argc, &argv, NULL);
> @@ -1519,6 +1547,7 @@ int main(int argc, char **argv)
>      g_test_add_func("/errors/invalid_array_comma", invalid_array_comma);
>      g_test_add_func("/errors/invalid_dict_comma", invalid_dict_comma);
>      g_test_add_func("/errors/unterminated/literal", unterminated_literal);
> +    g_test_add_func("/errors/limits/nesting", limits_nesting);
>  
>      return g_test_run();
>  }
> 

Reviewed-by: Eric Blake <ebl...@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to