From 57eb21eb48d76798f0c990c839df148301e9cb0e Mon Sep 17 00:00:00 2001
Message-Id: <57eb21eb48d76798f0c990c839df148301e9cb0e@dist-git>
From: Peter Krempa
Date: Wed, 19 Feb 2020 15:10:10 +0100
Subject: [PATCH] virStorageSourceParseBackingJSON: Prevent arbitrary nesting with format drivers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since we parse attributes for 'raw' which is a format driver and thus has nested 'file' structure we must prevent that this isn't nested arbitrarily. Add a flag for the function which allows parsing of 'format' type drivers only on the first pass.
Signed-off-by: Peter Krempa
Reviewed-by: Ján Tomko
(cherry picked from commit fd70f1b4d324361bb9a708762631690aca043178)
https://bugzilla.redhat.com/show_bug.cgi?id=1791788
Message-Id:
Reviewed-by: Ján Tomko
---
 src/util/virstoragefile.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
index dd05de188f..b02fad92b6 100644
--- a/src/util/virstoragefile.c
+++ b/src/util/virstoragefile.c
@@ -3052,7 +3052,8 @@ virStorageSourceParseBackingColon(virStorageSourcePtr src,
 static int
 virStorageSourceParseBackingJSONInternal(virStorageSourcePtr src,
 virJSONValuePtr json,
- const char *jsonstr);
+ const char *jsonstr,
+ bool allowformat);
 static int
@@ -3531,7 +3532,7 @@ virStorageSourceParseBackingJSONRaw(virStorageSourcePtr src,
 return -1;
 }
- return virStorageSourceParseBackingJSONInternal(src, file, jsonstr);
+ return virStorageSourceParseBackingJSONInternal(src, file, jsonstr, false);
 }
@@ -3606,7 +3607,8 @@ static const struct virStorageSourceJSONDriverParser jsonParsers[] = {
 static int
 virStorageSourceParseBackingJSONInternal(virStorageSourcePtr src,
 virJSONValuePtr json,
- const char *jsonstr)
+ const char *jsonstr,
+ bool allowformat)
 {
 const char *drvname;
 size_t i;
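Review bot: The new `allowformat` parameter on the definition of virStorageSourceParseBackingJSONInternal (hunk at -3606) has no comment, and the call sites in the virStorageSourceParseBackingJSONRaw hunk and the virStorageSourceParseBackingJSON hunk pass a bare `false` and `true`, so the nesting rule can only be recovered from the commit message. I would add above the definition `/* @allowformat: accept parsers marked as format drivers; true only for the outermost JSON object, false when re-entering for a nested 'file' object */`. The function body continues outside this hunk.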
@@ -3619,8 +3621,17 @@ virStorageSourceParseBackingJSONInternal(virStorageSourcePtr src,
 }
 for (i = 0; i < G_N_ELEMENTS(jsonParsers); i++) {
- if (STREQ(drvname, jsonParsers[i].drvname))
- return jsonParsers[i].func(src, json, jsonstr, jsonParsers[i].opaque);
+ if (STRNEQ(drvname, jsonParsers[i].drvname))
+ continue;
+
+ if (jsonParsers[i].formatdriver && !allowformat) {
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("JSON backing volume definition '%s' must not have nested format drivers"),
+ jsonstr);
+ return -1;
+ }
+
+ return jsonParsers[i].func(src, json, jsonstr, jsonParsers[i].opaque);
 }
 virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -3655,7 +3666,7 @@ virStorageSourceParseBackingJSON(virStorageSourcePtr src,
 if (!file)
 file = deflattened;
- return virStorageSourceParseBackingJSONInternal(src, file, json);
+ return virStorageSourceParseBackingJSONInternal(src, file, json, true);
 }
-- 2.25.0
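Review bot: The guard added inside the `for` loop (hunk at -3619) rejects nested format drivers only for `jsonParsers` entries that have `formatdriver` set, and that table is not part of this patch. An entry whose handler calls back into virStorageSourceParseBackingJSONInternal without the flag would therefore still nest without a bound. A comment at the check would record the dependency, for example `/* every parser that re-enters this function for a nested 'file' object must be marked formatdriver */`. The diffstat lists only src/util/virstoragefile.c, so unless a test arrives in a separate patch, a case that feeds a 'raw' object nested inside another 'raw' object and expects the VIR_ERR_INVALID_ARG failure would pin the behaviour. The enclosing function starts and ends outside this hunk.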