From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:60381) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SCAsi-0008CW-5O for qemu-devel@nongnu.org; Mon, 26 Mar 2012 10:26:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1SCAsd-0007we-AL for qemu-devel@nongnu.org; Mon, 26 Mar 2012 10:26:47 -0400
Received: from mx1.redhat.com ([209.132.183.28]:52781) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SCAsd-0007wU-2f for qemu-devel@nongnu.org; Mon, 26 Mar 2012 10:26:43 -0400
Date: Mon, 26 Mar 2012 11:15:46 -0300
From: Luiz Capitulino
Message-ID: <20120326111546.3463ca4d@doriath.home>
In-Reply-To: <1332417072-20329-3-git-send-email-pbonzini@redhat.com>
References: <1332417072-20329-1-git-send-email-pbonzini@redhat.com> <1332417072-20329-3-git-send-email-pbonzini@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 02/10] qapi: fail hard on stack imbalance
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: Paolo Bonzini
Cc: mdroth@linux.vnet.ibm.com, eblake@redhat.com, qemu-devel@nongnu.org, anthony@codemonkey.vs

On Thu, 22 Mar 2012 12:51:04 +0100
Paolo Bonzini wrote:

> QmpOutputVisitor will segfault if an imbalanced end function is
> called. So we can abort in QmpInputVisitor too.
>
> Signed-off-by: Paolo Bonzini
> ---
> qapi/qmp-input-visitor.c | 5 +----
> 1 files changed, 1 insertions(+), 4 deletions(-)
>
> diff --git a/qapi/qmp-input-visitor.c b/qapi/qmp-input-visitor.c
> index e6b6152..b4013cc 100644
> --- a/qapi/qmp-input-visitor.c
> +++ b/qapi/qmp-input-visitor.c
> @@ -77,11 +77,8 @@ static void qmp_input_push(QmpInputVisitor *qiv, const QObject *obj, Error **err > > static void qmp_input_pop(QmpInputVisitor *qiv, Error **errp) > { > + assert(qiv->nb_stack > 0); > qiv->nb_stack--; > - if (qiv->nb_stack < 0) { > - error_set(errp, QERR_BUFFER_OVERRUN); > - return; > - } > } Just to confirm: this can't be triggered by malicious clients, right? The original series submitted by Michael had this, but I asked him to change because I thought clients could trigger it. But by reading the code now it seems to me that the end_struct() function is only generated by types we know about. > > static void qmp_input_start_struct(Visitor *v, void **obj, const char *kind,
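Review bot: with the error_set() path removed, the `Error **errp` parameter of qmp_input_pop() is now dead (nothing in the new body touches it), so either drop it from the signature and its callers in this series, or add a one-line comment above the assert recording the invariant it relies on: that qmp_input_pop() is reached only from generated visitor code whose start/end calls are balanced. That comment matters because the hunk turns a recoverable QERR_BUFFER_OVERRUN into an abort, which is only the right trade-off if no QMP client input can drive nb_stack below zero, which is exactly the question raised in the reply above.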