From b33e0caf900b6edd23a1ae48264b85e3cdd8b197 Mon Sep 17 00:00:00 2001 From: Daniel Verkamp Date: Wed, 31 Jan 2018 09:50:35 -0700 Subject: [PATCH] json: fix spdk_json_decode_array() bounds check The spdk_json_decode_array() function previously tried to check whether the array would fit into the provided number of output elements (max_size) before decoding; however, the check was incorrectly comparing the total number of nested JSON values in the array rather than just the count of top-level array elements. Rather than doing the check up front (which can't be done without modifying the way array lengths are stored in spdk_json_value), just check if we have reached the end of the 'out' array on each iteration of the decoding loop. Fixes GitHub issue #232. Change-Id: I4d7ce4be022bdf5f726654d0d96277b9d63bd350 Signed-off-by: Daniel Verkamp Reviewed-on: https://review.gerrithub.io/397591 Reviewed-by: Ben Walker Tested-by: SPDK Automated Test System Reviewed-by: Dariusz Stojaczyk Reviewed-by: Jim Harris Reviewed-by: --- lib/json/json_util.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/json/json_util.c b/lib/json/json_util.c index 4a9b5b405..cb9a90140 100644 --- a/lib/json/json_util.c +++ b/lib/json/json_util.c @@ -340,20 +340,22 @@ spdk_json_decode_array(const struct spdk_json_val *values, spdk_json_decode_fn d { uint32_t i; char *field; + char *out_end; if (values == NULL || values->type != SPDK_JSON_VAL_ARRAY_BEGIN) { return -1; } - if (values->len > max_size) { - return -1; - } - *out_size = 0; field = out; + out_end = field + max_size * stride; for (i = 0; i < values->len;) { const struct spdk_json_val *v = &values[i + 1]; + if (field == out_end) { + return -1; + } + if (decode_func(v, field)) { return -1; }
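Review bot: the new bounds check in the decoding loop, `if (field == out_end)`, only works because `field` is advanced by exactly `stride` each iteration and `max_size * stride` does not wrap; `if (field >= out_end)` is the more robust comparison, and an explicit guard before computing `out_end` (for example `if (stride != 0 && max_size > SIZE_MAX / stride) return -1;`) would keep a large `max_size`/`stride` pair from yielding a wrapped `out_end` that the loop never reaches. It is also worth a short comment at that check noting that returning -1 there leaves the elements already decoded into `out` in place (the same as an early `decode_func` failure), so callers must not assume `out` is untouched on error.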