Commit b33e0caf authored by Daniel Verkamp

json: fix spdk_json_decode_array() bounds check



The spdk_json_decode_array() function previously tried to check whether
the array would fit into the provided number of output elements
(max_size) before decoding; however, the check was incorrectly comparing
the total number of nested JSON values in the array rather than just the
count of top-level array elements.

Rather than doing the check up front (which can't be done without
modifying the way array lengths are stored in spdk_json_value), just
check if we have reached the end of the 'out' array on each iteration of
the decoding loop.

Fixes GitHub issue #232.

Change-Id: I4d7ce4be022bdf5f726654d0d96277b9d63bd350
Signed-off-by: Daniel Verkamp <daniel.verkamp@intel.com>
Reviewed-on: https://review.gerrithub.io/397591
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Tested-by: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Dariusz Stojaczyk <dariuszx.stojaczyk@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: <shuhei.matsumoto.xt@hitachi.com>
parent 2b574ec2
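
The mismatch the commit message describes, as an added example that is not SPDK code: a simplified flattened value array in which an array's `len` counts every nested value, so an up-front `len > max_size` test rejects input whose top-level elements fit, while a per-element check does not. The names `tok`, `check_upfront` and `decode_sums` are hypothetical and the input is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a flattened JSON value array (hypothetical names, not SPDK's). */
enum tok_type { TOK_NUMBER, TOK_ARRAY_BEGIN, TOK_ARRAY_END };
struct tok {
	enum tok_type type;
	uint32_t len; /* ARRAY_BEGIN: number of values inside, at ANY nesting depth */
	int num;      /* TOK_NUMBER payload */
};

/* Constructed input [[1,2],[3,4]]: 2 top-level elements, but outer len == 8. */
static const struct tok sample[] = {
	{TOK_ARRAY_BEGIN, 8, 0},
	{TOK_ARRAY_BEGIN, 2, 0}, {TOK_NUMBER, 0, 1}, {TOK_NUMBER, 0, 2}, {TOK_ARRAY_END, 0, 0},
	{TOK_ARRAY_BEGIN, 2, 0}, {TOK_NUMBER, 0, 3}, {TOK_NUMBER, 0, 4}, {TOK_ARRAY_END, 0, 0},
	{TOK_ARRAY_END, 0, 0},
};

/* The flawed up-front test: compares the nested value count with the capacity. */
static int check_upfront(const struct tok *arr, size_t max_size)
{
	return arr->len > max_size ? -1 : 0;
}

/* Decode each top-level element to the sum of its numbers, checking capacity per element. */
static int decode_sums(const struct tok *arr, int *out, size_t max_size, size_t *out_size)
{
	size_t n = 0;
	if (arr == NULL || arr->type != TOK_ARRAY_BEGIN) return -1;
	for (uint32_t i = 0; i < arr->len; n++) {
		const struct tok *v = &arr[i + 1];
		uint32_t span = v->type == TOK_ARRAY_BEGIN ? v->len + 2 : 1;
		if (n == max_size) return -1; /* output full, input not exhausted */
		out[n] = 0;
		for (uint32_t k = 0; k < span; k++)
			if (v[k].type == TOK_NUMBER) out[n] += v[k].num;
		i += span; /* skip the whole element, nested values included */
	}
	*out_size = n;
	return 0;
}

int main(void)
{
	int out[2];
	size_t n = 0;
	/* Exit status 0 when decoding succeeds although the up-front test rejects. */
	return decode_sums(sample, out, 2, &n) || check_upfront(sample, 2) != -1;
}
```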
+6 −4
@@ -340,20 +340,22 @@ spdk_json_decode_array(const struct spdk_json_val *values, spdk_json_decode_fn d
{
	uint32_t i;
	char *field;
	char *out_end;

	if (values == NULL || values->type != SPDK_JSON_VAL_ARRAY_BEGIN) {
		return -1;
	}

	if (values->len > max_size) {
		return -1;
	}

	*out_size = 0;
	field = out;
	out_end = field + max_size * stride;
	for (i = 0; i < values->len;) {
		const struct spdk_json_val *v = &values[i + 1];

		if (field == out_end) {
			return -1;
		}

		if (decode_func(v, field)) {
			return -1;
		}
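
Review bot: The per-iteration test `if (field == out_end)` only fires if `field` lands exactly on `out_end`, so it depends on `field` advancing by exactly `stride` per element and on `max_size * stride` in `out_end = field + max_size * stride;` not wrapping for caller-supplied values. Counting decoded elements and comparing that count against `max_size` would bound the writes without the multiplication or the pointer equality. A short comment at the check noting that `values->len` counts nested values rather than top-level elements would keep the up-front `if (values->len > max_size)` test from being reinstated later, and a unit test with an array of nested arrays whose top-level count fits `max_size` while `values->len` exceeds it would pin the behaviour from issue #232.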