From: "Marc-André Lureau" <marcandre.lureau@gmail.com>
To: P J P <ppandit@redhat.com>
Cc: "Fermín J. Serna" <fjserna@gmail.com>,
	"Daniel P . Berrange" <berrange@redhat.com>,
	"QEMU Developers" <qemu-devel@nongnu.org>,
	"Michael Roth" <mdroth@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH v2] qga: check length of command-line & environment variables
Date: Wed, 29 May 2019 13:47:11 +0200
Message-ID: <CAJ+F1C+xhBeoVqoE4aPgLqquq7rNKbZTtNSHe73FFgMyDCUzyw@mail.gmail.com>
In-Reply-To: <nycvar.YSQ.7.76.1905291448250.16122@xnncv>

Hi

On Wed, May 29, 2019 at 11:38 AM P J P <ppandit@redhat.com> wrote:
>
>   Hello Marc,
>
> +-- On Thu, 23 May 2019, Marc-André Lureau wrote --+
> | I don't see how you could exploit this today.
> |
> | QMP parser has MAX_TOKEN_COUNT (2ULL << 20).
>
> I see, didn't realise that. I tried to reproduce it and
>
>    {"error": {"class": "GenericError", "desc": "JSON token count limit exceeded"}}
>
> got the above error around ~1048570 tokens; much earlier than 0x200000(=2097152)
> as defined by MAX_TOKEN_COUNT. I guess multiple packets are being merged to
> form the incoming command and there is a glitch in there.
>
> | We could have "assert(count < MAX_TOKEN_COUNT)" in the loop, if it helps.
>
> No, assert() doesn't seem good.

assert() is good if it's a programming error: that is if it should
never happen at run-time.
It's a decent way to document the code.

>
> I think the same limit will apply to commands coming via QAPIs as well?

What do you mean? If the generated API is used internally by QEMU?
(it's not, but in this case there would be no limit)

-- 
Marc-André Lureau
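Added example, not QEMU's code and not from either participant, illustrating the distinction this exchange turns on: a minimal JSON token counter that reports reaching a token-count limit as an ordinary error, because that condition is driven by input, and uses assert() only for the invariant the check itself guarantees. EXAMPLE_MAX_TOKEN_COUNT, feed_chunk and count_tokens are hypothetical names; the limit is kept far below the MAX_TOKEN_COUNT quoted in the thread so the example runs quickly.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical limit, kept small so the example runs quickly; the
 * thread quotes QEMU's MAX_TOKEN_COUNT as 2ULL << 20. */
#define EXAMPLE_MAX_TOKEN_COUNT 16

struct token_counter {
    uint64_t count;     /* structural tokens and strings seen so far */
    bool in_string;     /* inside a "..." literal */
    bool escaped;       /* previous char inside the string was '\' */
};

/* Feed one chunk of input. Returns false as soon as admitting the next
 * token would exceed the limit: an input-driven condition, so it is
 * reported as an error and never asserted on. */
static bool feed_chunk(struct token_counter *tc, const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (tc->in_string) {            /* skip string contents */
            if (tc->escaped) tc->escaped = false;
            else if (c == '\\') tc->escaped = true;
            else if (c == '"') tc->in_string = false;
            continue;
        }
        if (c == '\0' || !strchr("{}[]:,\"", c)) continue;  /* not counted */
        if (tc->count >= EXAMPLE_MAX_TOKEN_COUNT) return false;
        if (c == '"') tc->in_string = true;
        tc->count++;
        /* Documents an invariant the check above guarantees: failing here
         * would be a programming error, which is what assert() is for. */
        assert(tc->count <= EXAMPLE_MAX_TOKEN_COUNT);
    }
    return true;
}

/* Count tokens across several chunks, as when partial packets are merged
 * into one command. Returns false if the limit was hit. */
static bool count_tokens(const char *const *chunks, size_t n, uint64_t *out)
{
    struct token_counter tc = {0};
    bool ok = true;
    for (size_t i = 0; ok && i < n; i++)
        ok = feed_chunk(&tc, chunks[i], strlen(chunks[i]));
    *out = tc.count;
    return ok;
}
```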

