lib BUGFIX check value size limits

Use uint64_t for bit sizes and check all
sizes for overflows.

Fixes #2497

Author: michalvasko

src/json.c

@@ -4,7 +4,7 @@
  * @author Michal Vasko <mvasko@cesnet.cz>
  * @brief Generic JSON format parser for libyang
  *
- * Copyright (c) 2020 - 2023 CESNET, z.s.p.o.
+ * Copyright (c) 2020 - 2026 CESNET, z.s.p.o.
  *
  * This source code is licensed under BSD 3-Clause License (the "License").
  * You may not use this file except in compliance with the License.
@@ -106,7 +106,7 @@ lyjson_skip_ws(struct lyjson_ctx *jsonctx)
  * @param[in] dynamic Whether @p value is dynamically-allocated.
  */
 static void
-lyjson_ctx_set_value(struct lyjson_ctx *jsonctx, const char *value, size_t value_len, ly_bool dynamic)
+lyjson_ctx_set_value(struct lyjson_ctx *jsonctx, const char *value, uint32_t value_len, ly_bool dynamic)
 {
     assert(jsonctx);
 
@@ -127,11 +127,18 @@ lyjson_ctx_set_value(struct lyjson_ctx *jsonctx, const char *value, size_t value
 static LY_ERR
 lyjson_string(struct lyjson_ctx *jsonctx)
 {
+#define ADD_CHECK_OVERFLOW_GOTO(var, num, err_label) \
+        if (var + num < var) { \
+            LOGVAL(jsonctx->ctx, NULL, LYVE_SYNTAX, "JSON value too long."); \
+            goto err_label; \
+        } \
+        var += num;
+
     const char *in = jsonctx->in->current, *start, *c;
     char *buf = NULL;
-    size_t offset;   /* read offset in input buffer */
-    size_t len;      /* length of the output string (write offset in output buffer) */
-    size_t size = 0; /* size of the output buffer */
+    uint32_t offset;   /* read offset in input buffer */
+    uint32_t len;      /* length of the output string (write offset in output buffer) */
+    uint32_t size = 0; /* size of the output buffer */
     uint64_t start_line, orig_line;
     uint32_t u, value;
     uint8_t i;
@@ -160,7 +167,7 @@ lyjson_string(struct lyjson_ctx *jsonctx)
              * we will need 4 bytes at most since we support only the predefined
              * (one-char) entities and character references */
             if (len + offset + 4 >= size) {
-                size_t increment;
+                uint32_t increment;
 
                 for (increment = LYJSON_STRING_BUF_STEP; len + offset + 4 >= size + increment; increment += LYJSON_STRING_BUF_STEP) {}
                 buf = ly_realloc(buf, size + increment);
@@ -212,7 +219,7 @@ lyjson_string(struct lyjson_ctx *jsonctx)
                 break;
             case 'u':
                 /* Basic Multilingual Plane character \uXXXX */
-                offset++;
+                ADD_CHECK_OVERFLOW_GOTO(offset, 1, error);
                 for (value = i = 0; i < 4; i++) {
                     if (!in[offset + i]) {
                         LOGVAL(jsonctx->ctx, NULL, LYVE_SYNTAX, "Invalid basic multilingual plane character \"%s\".", c);
@@ -233,7 +240,8 @@ lyjson_string(struct lyjson_ctx *jsonctx)
                 goto error;
             }
 
-            offset += i;   /* add read escaped characters */
+            /* add read escaped characters */
+            ADD_CHECK_OVERFLOW_GOTO(offset, i, error);
             LY_CHECK_ERR_GOTO(ly_pututf8(&buf[len], value, &u),
                     LOGVAL(jsonctx->ctx, NULL, LYVE_SYNTAX, "Invalid character reference \"%.*s\" (0x%08" PRIx32 ").",
                     (int)(&in[offset] - c), c, value),
@@ -258,7 +266,7 @@ lyjson_string(struct lyjson_ctx *jsonctx)
                 buf[len + offset] = '\0';
             }
             len += offset;
-            ++offset;
+            ADD_CHECK_OVERFLOW_GOTO(offset, 1, error);
             in += offset;
             goto success;
 
@@ -274,7 +282,7 @@ lyjson_string(struct lyjson_ctx *jsonctx)
                     error);
 
             /* character is ok, continue */
-            offset += u;
+            ADD_CHECK_OVERFLOW_GOTO(offset, u, error);
             break;
         }
     }
@@ -438,7 +446,7 @@ lyjson_exp_number_copy_num_part(const char *num, uint32_t num_len, char *dec_poi
  */
 static LY_ERR
 lyjson_exp_number(const struct ly_ctx *ctx, const char *in, const char *exponent, uint64_t total_len, char **res,
-        size_t *res_len)
+        uint32_t *res_len)
 {
 
 #define MAYBE_WRITE_MINUS(ARRAY, INDEX, FLAG) \
@@ -630,7 +638,14 @@ lyjson_exp_number(const struct ly_ctx *ctx, const char *in, const char *exponent
 static LY_ERR
 lyjson_number(struct lyjson_ctx *jsonctx)
 {
-    size_t offset = 0, num_len;
+#define ADD_CHECK_OVERFLOW_RET(var, num, ret) \
+        if (var + num < var) { \
+            LOGVAL(jsonctx->ctx, NULL, LYVE_SYNTAX, "JSON value too long."); \
+            return ret; \
+        } \
+        var += num;
+
+    uint32_t offset = 0, num_len;
     const char *in = jsonctx->in->current, *exponent = NULL;
     uint8_t minus = 0;
     char *num;
@@ -645,7 +660,7 @@ lyjson_number(struct lyjson_ctx *jsonctx)
     } else if (isdigit(in[offset])) {
         ++offset;
         while (isdigit(in[offset])) {
-            ++offset;
+            ADD_CHECK_OVERFLOW_RET(offset, 1, LY_EINVAL);
         }
     } else {
 invalid_character:
@@ -658,26 +673,26 @@ lyjson_number(struct lyjson_ctx *jsonctx)
     }
 
     if (in[offset] == '.') {
-        ++offset;
+        ADD_CHECK_OVERFLOW_RET(offset, 1, LY_EINVAL);
         if (!isdigit(in[offset])) {
             goto invalid_character;
         }
         while (isdigit(in[offset])) {
-            ++offset;
+            ADD_CHECK_OVERFLOW_RET(offset, 1, LY_EINVAL);
         }
     }
 
     if ((in[offset] == 'e') || (in[offset] == 'E')) {
         exponent = &in[offset];
-        ++offset;
+        ADD_CHECK_OVERFLOW_RET(offset, 1, LY_EINVAL);
         if ((in[offset] == '+') || (in[offset] == '-')) {
-            ++offset;
+            ADD_CHECK_OVERFLOW_RET(offset, 1, LY_EINVAL);
         }
         if (!isdigit(in[offset])) {
             goto invalid_character;
         }
         while (isdigit(in[offset])) {
-            ++offset;
+            ADD_CHECK_OVERFLOW_RET(offset, 1, LY_EINVAL);
         }
     }
 

src/json.h

@@ -4,7 +4,7 @@
  * @author Michal Vasko <mvasko@cesnet.cz>
  * @brief Generic JSON format parser routines.
  *
- * Copyright (c) 2020 - 2023 CESNET, z.s.p.o.
+ * Copyright (c) 2020 - 2026 CESNET, z.s.p.o.
  *
  * This source code is licensed under BSD 3-Clause License (the "License").
  * You may not use this file except in compliance with the License.
@@ -69,14 +69,14 @@ struct lyjson_ctx {
     struct ly_set status;   /* stack of ::LYJSON_PARSER_STATUS values corresponding to the JSON items being processed */
 
     const char *value;      /* ::LYJSON_STRING, ::LYJSON_NUMBER, ::LYJSON_OBJECT_NAME */
-    size_t value_len;       /* ::LYJSON_STRING, ::LYJSON_NUMBER, ::LYJSON_OBJECT_NAME */
+    uint32_t value_len;     /* ::LYJSON_STRING, ::LYJSON_NUMBER, ::LYJSON_OBJECT_NAME */
     ly_bool dynamic;        /* ::LYJSON_STRING, ::LYJSON_NUMBER, ::LYJSON_OBJECT_NAME */
 
     struct {
         enum LYJSON_PARSER_STATUS status;
         uint32_t status_count;
         const char *value;
-        size_t value_len;
+        uint32_t value_len;
         ly_bool dynamic;
         const char *input;
     } backup;

src/parser_common.c

@@ -203,13 +203,13 @@ lyd_parser_check_schema(struct lyd_ctx *lydctx, const struct lysc_node *snode)
 
 LY_ERR
 lyd_parser_create_term(struct lyd_ctx *lydctx, const struct lysc_node *schema, const struct lyd_node *lnode,
-        const void *value, uint32_t value_bits_len, ly_bool *dynamic, LY_VALUE_FORMAT format, void *prefix_data,
+        const void *value, uint64_t value_size_bits, ly_bool *dynamic, LY_VALUE_FORMAT format, void *prefix_data,
         uint32_t hints, struct lyd_node **node)
 {
     ly_bool incomplete;
     ly_bool store_only = (lydctx->parse_opts & LYD_PARSE_STORE_ONLY) == LYD_PARSE_STORE_ONLY ? 1 : 0;
 
-    LY_CHECK_RET(lyd_create_term(schema, lnode, value, value_bits_len, 1, store_only, dynamic, format, prefix_data,
+    LY_CHECK_RET(lyd_create_term(schema, lnode, value, value_size_bits, 1, store_only, dynamic, format, prefix_data,
             hints, &incomplete, node));
 
     if (incomplete && !(lydctx->parse_opts & LYD_PARSE_ONLY)) {
@@ -220,7 +220,7 @@ lyd_parser_create_term(struct lyd_ctx *lydctx, const struct lysc_node *schema, c
 
 LY_ERR
 lyd_parser_create_meta(struct lyd_ctx *lydctx, struct lyd_node *parent, struct lyd_meta **meta, const struct lys_module *mod,
-        const char *name, uint32_t name_len, const void *value, uint32_t value_size_bits, ly_bool *dynamic, LY_VALUE_FORMAT format,
+        const char *name, uint32_t name_len, const void *value, uint64_t value_size_bits, ly_bool *dynamic, LY_VALUE_FORMAT format,
         void *prefix_data, uint32_t hints, const struct lysc_node *ctx_node, const struct lyd_node *lnode)
 {
     LY_ERR rc = LY_SUCCESS;

src/parser_internal.h

@@ -371,7 +371,7 @@ LY_ERR lyd_parser_check_schema(struct lyd_ctx *lydctx, const struct lysc_node *s
  * @return LY_ERR value if an error occurred.
  */
 LY_ERR lyd_parser_create_term(struct lyd_ctx *lydctx, const struct lysc_node *schema, const struct lyd_node *lnode,
-        const void *value, uint32_t value_size_bits, ly_bool *dynamic, LY_VALUE_FORMAT format, void *prefix_data,
+        const void *value, uint64_t value_size_bits, ly_bool *dynamic, LY_VALUE_FORMAT format, void *prefix_data,
         uint32_t hints, struct lyd_node **node);
 
 /**
@@ -394,7 +394,7 @@ LY_ERR lyd_parser_create_term(struct lyd_ctx *lydctx, const struct lysc_node *sc
  * @return LY_ERR value.
  */
 LY_ERR lyd_parser_create_meta(struct lyd_ctx *lydctx, struct lyd_node *parent, struct lyd_meta **meta,
-        const struct lys_module *mod, const char *name, uint32_t name_len, const void *value, uint32_t value_size_bits,
+        const struct lys_module *mod, const char *name, uint32_t name_len, const void *value, uint64_t value_size_bits,
         ly_bool *dynamic, LY_VALUE_FORMAT format, void *prefix_data, uint32_t hints, const struct lysc_node *ctx_node,
         const struct lyd_node *lnode);
 

src/parser_json.c

@@ -104,11 +104,11 @@ lyjson_ctx_give_dynamic_value(struct lyjson_ctx *jsonctx, char **dst)
  * @param[out] is_meta_p Pointer to the metadata flag, set to 1 if the member-name contains \@, 0 otherwise.
  */
 static void
-lydjson_parse_name(const char *value, size_t value_len, const char **name_p, size_t *name_len_p, const char **prefix_p,
-        size_t *prefix_len_p, ly_bool *is_meta_p)
+lydjson_parse_name(const char *value, uint32_t value_len, const char **name_p, uint32_t *name_len_p, const char **prefix_p,
+        uint32_t *prefix_len_p, ly_bool *is_meta_p)
 {
     const char *name, *prefix = NULL;
-    size_t name_len, prefix_len = 0;
+    uint32_t name_len, prefix_len = 0;
     ly_bool is_meta = 0;
 
     name = memchr(value, ':', value_len);
@@ -150,8 +150,8 @@ lydjson_parse_name(const char *value, size_t value_len, const char **name_p, siz
  * @return LY_ERR value.
  */
 static LY_ERR
-lydjson_get_node_prefix(struct lyd_node *node, const char *local_prefix, size_t local_prefix_len, const char **prefix_p,
-        size_t *prefix_len_p)
+lydjson_get_node_prefix(struct lyd_node *node, const char *local_prefix, uint32_t local_prefix_len, const char **prefix_p,
+        uint32_t *prefix_len_p)
 {
     struct lyd_node_opaq *onode;
     const char *module_name = NULL;
@@ -253,8 +253,8 @@ lydjson_data_skip(struct lyjson_ctx *jsonctx)
  * @return LY_ERR on error.
  */
 static LY_ERR
-lydjson_get_snode(struct lyd_json_ctx *lydctx, ly_bool is_attr, const char *prefix, size_t prefix_len, const char *name,
-        size_t name_len, struct lyd_node *parent, const struct lysc_node **snode, struct lysc_ext_instance **ext)
+lydjson_get_snode(struct lyd_json_ctx *lydctx, ly_bool is_attr, const char *prefix, uint32_t prefix_len, const char *name,
+        uint32_t name_len, struct lyd_node *parent, const struct lysc_node **snode, struct lysc_ext_instance **ext)
 {
     LY_ERR r;
     struct lys_module *mod = NULL;
@@ -432,7 +432,7 @@ lydjson_check_list(struct lyd_json_ctx *lydctx, const struct lysc_node *list)
     if (status == LYJSON_OBJECT) {
         do {
             const char *name, *prefix;
-            size_t name_len, prefix_len;
+            uint32_t name_len, prefix_len;
             ly_bool is_attr;
 
             /* match the key */
@@ -589,7 +589,7 @@ lydjson_metadata_finish(struct lyd_json_ctx *lydctx, struct lyd_node **first_p)
         uint64_t match = 0;
         ly_bool is_attr;
         const char *name, *prefix;
-        size_t name_len, prefix_len;
+        uint32_t name_len, prefix_len;
         const struct lysc_node *snode;
 
         if (attr->schema || (meta_container->name.name[0] != '@')) {
@@ -733,7 +733,7 @@ lydjson_meta_attr(struct lyd_json_ctx *lydctx, struct lyd_node *node)
     ly_bool in_parent = 0;
     const char *name, *prefix = NULL;
     char *dynamic_prefname = NULL;
-    size_t name_len, prefix_len = 0;
+    uint32_t name_len, prefix_len = 0;
     struct lys_module *mod;
     const struct ly_ctx *ctx = lydctx->jsonctx->ctx;
     ly_bool is_attr = 0;
@@ -867,7 +867,7 @@ lydjson_meta_attr(struct lyd_json_ctx *lydctx, struct lyd_node *node)
         } else {
             /* create attribute */
             const char *module_name;
-            size_t module_name_len;
+            uint32_t module_name_len;
 
             lydjson_get_node_prefix(node, prefix, prefix_len, &module_name, &module_name_len);
 
@@ -929,12 +929,12 @@ lydjson_meta_attr(struct lyd_json_ctx *lydctx, struct lyd_node *node)
  * @return LY_ERR value.
  */
 static LY_ERR
-lydjson_create_opaq(struct lyd_json_ctx *lydctx, const char *name, size_t name_len, const char *prefix, size_t prefix_len,
+lydjson_create_opaq(struct lyd_json_ctx *lydctx, const char *name, uint32_t name_len, const char *prefix, uint32_t prefix_len,
         struct lyd_node *parent, enum LYJSON_PARSER_STATUS *status_inner_p, struct lyd_node **node_p)
 {
     LY_ERR ret = LY_SUCCESS;
     const char *value = NULL, *module_name;
-    size_t value_len = 0, module_name_len = 0;
+    uint32_t value_len = 0, module_name_len = 0;
     ly_bool dynamic = 0;
     uint32_t type_hint = 0;
 
@@ -987,7 +987,7 @@ lydjson_create_opaq(struct lyd_json_ctx *lydctx, const char *name, size_t name_l
  * @return LY_ERR value.
  */
 static LY_ERR
-lydjson_parse_opaq(struct lyd_json_ctx *lydctx, const char *name, size_t name_len, const char *prefix, size_t prefix_len,
+lydjson_parse_opaq(struct lyd_json_ctx *lydctx, const char *name, uint32_t name_len, const char *prefix, uint32_t prefix_len,
         struct lyd_node *parent, enum LYJSON_PARSER_STATUS *status_p, enum LYJSON_PARSER_STATUS *status_inner_p,
         struct lyd_node **first_p, struct lyd_node **node)
 {
@@ -1084,8 +1084,8 @@ lydjson_parse_opaq(struct lyd_json_ctx *lydctx, const char *name, size_t name_le
  * @return LY_ERR value.
  */
 static LY_ERR
-lydjson_ctx_next_parse_opaq(struct lyd_json_ctx *lydctx, const char *name, size_t name_len, const char *prefix,
-        size_t prefix_len, struct lyd_node *parent, enum LYJSON_PARSER_STATUS *status_p,
+lydjson_ctx_next_parse_opaq(struct lyd_json_ctx *lydctx, const char *name, uint32_t name_len, const char *prefix,
+        uint32_t prefix_len, struct lyd_node *parent, enum LYJSON_PARSER_STATUS *status_p,
         struct lyd_node **first_p, struct lyd_node **node)
 {
     enum LYJSON_PARSER_STATUS status_inner = 0;
@@ -1132,12 +1132,12 @@ lydjson_ctx_next_parse_opaq(struct lyd_json_ctx *lydctx, const char *name, size_
  */
 static LY_ERR
 lydjson_parse_attribute(struct lyd_json_ctx *lydctx, struct lyd_node *attr_node, const struct lysc_node *snode,
-        const char *name, size_t name_len, const char *prefix, size_t prefix_len, struct lyd_node *parent,
+        const char *name, uint32_t name_len, const char *prefix, uint32_t prefix_len, struct lyd_node *parent,
         enum LYJSON_PARSER_STATUS *status_p, struct lyd_node **first_p, struct lyd_node **node_p)
 {
     LY_ERR r;
     const char *opaq_name, *mod_name, *attr_mod = NULL;
-    size_t opaq_name_len, attr_mod_len = 0;
+    uint32_t opaq_name_len, attr_mod_len = 0;
 
     if (!attr_node) {
         /* learn the attribute module name */
@@ -1446,8 +1446,8 @@ lydjson_parse_instance_inner(struct lyd_json_ctx *lydctx, const struct lysc_node
  */
 static LY_ERR
 lydjson_parse_instance(struct lyd_json_ctx *lydctx, struct lyd_node *parent, struct lyd_node **first_p,
-        const struct lysc_node *snode, const struct lysc_ext_instance *ext, const char *name, size_t name_len,
-        const char *prefix, size_t prefix_len, enum LYJSON_PARSER_STATUS *status, struct lyd_node **node)
+        const struct lysc_node *snode, const struct lysc_ext_instance *ext, const char *name, uint32_t name_len,
+        const char *prefix, uint32_t prefix_len, enum LYJSON_PARSER_STATUS *status, struct lyd_node **node)
 {
     LY_ERR r, rc = LY_SUCCESS;
     uint32_t type_hints = 0;
@@ -1467,7 +1467,8 @@ lydjson_parse_instance(struct lyd_json_ctx *lydctx, struct lyd_node *parent, str
 
             /* create terminal node */
             r = lyd_parser_create_term((struct lyd_ctx *)lydctx, snode, parent, lydctx->jsonctx->value,
-                    lydctx->jsonctx->value_len * 8, &lydctx->jsonctx->dynamic, LY_VALUE_JSON, NULL, type_hints, node);
+                    (uint64_t)lydctx->jsonctx->value_len * 8, &lydctx->jsonctx->dynamic, LY_VALUE_JSON, NULL,
+                    type_hints, node);
             LY_DPARSER_ERR_GOTO(r, rc = r, lydctx, cleanup);
 
             /* insert, needs LYD_EXT flag */
@@ -1537,7 +1538,7 @@ lydjson_subtree_r(struct lyd_json_ctx *lydctx, struct lyd_node *parent, struct l
     LY_ERR r, rc = LY_SUCCESS;
     enum LYJSON_PARSER_STATUS status = lyjson_ctx_status(lydctx->jsonctx);
     const char *name, *prefix = NULL, *expected = NULL;
-    size_t name_len, prefix_len = 0;
+    uint32_t name_len, prefix_len = 0;
     ly_bool is_meta = 0;
     const struct lysc_node *snode = NULL;
     struct lysc_ext_instance *ext = NULL;
@@ -2009,7 +2010,7 @@ lydjson_envelope(struct lyjson_ctx *jsonctx, const char *name, const char *modul
     LY_ERR rc = LY_SUCCESS, r;
     enum LYJSON_PARSER_STATUS status = lyjson_ctx_status(jsonctx);
     const char *nam, *prefix;
-    size_t nam_len, prefix_len;
+    uint32_t nam_len, prefix_len;
     ly_bool is_meta;
 
     assert(status == LYJSON_OBJECT);