author | Guy Harris <guy@alum.mit.edu> | 2019-09-02 19:08:36 -0700 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2019-09-03 02:25:41 +0000 |
commit | 6b28772660ce673e1c9a30dbcea6a06bdcd2a3c7 (patch) | |
tree | a75e39f51e188183eb1ef16182249be48ce11c3a /wsutil | |
parent | 66b868d8d1763a7f3a1e290dc7e188a102c791d1 (diff) |
Strengthen the JSON validator.

jsmn_parse() is handed a buffer and a count of octets in the buffer; it
treats either running out of octets, as specified by the count, *OR*
seeing a NUL as meaning "end of JSON string".

That means that a buffer, of arbitrary size, the first octet of which is
zero is a null string and considered valid JSON.

That is clearly bogus; it messes up both tests for JSON files *and*,
potentially, heuristic checks for JSON in packet payloads.

Bug: 16031
Change-Id: I5ee78b613df3358f19787f2ce28ddc883368f03d
Reviewed-on: https://code.wireshark.org/review/34438
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'wsutil')
-rw-r--r-- | wsutil/wsjson.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/wsutil/wsjson.c b/wsutil/wsjson.c index 96145af81f..087c510894 100644 --- a/wsutil/wsjson.c +++ b/wsutil/wsjson.c @@ -36,6 +36,18 @@ json_validate(const guint8 *buf, const size_t len) if (!t) return FALSE; + /* + * Make sure the first octet isn't a NUL; otherwise, the parser will + * immediately stop parsing and not validate anything after that, + * so it'll just think it was handed an empty string. + * + * XXX - should we check for NULs anywhere in the buffer? + */ + if (buf[0] == '\0') { + g_log(LOG_DOMAIN_MAIN, G_LOG_LEVEL_DEBUG, "jsmn: invalid character inside JSON string"); + return FALSE; + } + jsmn_init(&p); rcode = jsmn_parse(&p, buf, len, t, max_tokens); if (rcode < 0) { |
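Review bot: the new `if (buf[0] == '\0')` test in json_validate() reads the first octet without any check on `len` visible in this hunk, so a caller passing a zero-length buffer would have one octet read past the data it handed in; consider writing it as `if (len == 0 || buf[0] == '\0')`, or confirm that an earlier part of the function already rejects `len == 0`. The check also covers only the leading octet. Per the commit message, jsmn_parse() stops at the first NUL, so a buffer that starts with a well-formed value and then contains a NUL followed by arbitrary octets would still be reported as valid, which leaves the packet-payload heuristic open to the same kind of false positive. The XXX comment already raises this; scanning the whole buffer with `memchr(buf, '\0', len)` before jsmn_init() would close it. Finally, the debug message "invalid character inside JSON string" does not say that the rejection came from this pre-check rather than from the parser, so a message that names the NUL octet would make the log easier to read.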