Re: [Qemu-devel] QMP accepts double dict keys

[Dr. David Alan Gilbert]

* Eric Blake (address@hidden) wrote:
> On 12/3/18 1:48 PM, Markus Armbruster wrote:
> > Eric Blake <address@hidden> writes:
> > 
> > > On 12/3/18 10:30 AM, Max Reitz wrote:
> > > > Hi,
> > > > 
> > > > QMP accepts double keys in dicts without complaining.  The value it is
> > > > using is apparently the last one specified:
> > > 
> > > JSON says it is undefined what happens when a client passes double
> > > keys. We are probably best off if we teach our parser to be strict and
> > > reject doubled keys in QMP as invalid.
> > 
> > Not bug-compatible.  Do we care?
> 
> I don't think so. Such a client was already invoking undefined behavior.
> Relying on first- or last-past-the-post to win is not portable, since JSON
> parsers are allowed to use hash tables with non-deterministic lookups. I
> think erroring out is nicer than silently accepting one thing, especially if
> that might have been different than what the client (incorrectly) expected.
> I'm not even sure that we would want a deprecation period.

Agreed, because it's the type of thing that ends up being potentially
dangerous, since if you had some form of security check that was looking
at QMP messages it might check one version of the field and not the
other.

Dave

> > 
> > > Hmm - can a client abuse QMP with duplicate keys to cause qemu to leak
> > > memory?
> > 
> > No.  parse_pair() inserts with qdict_put_obj(), which replaces the old
> > value without leaking it.
> 
> Good to know.
> 
> > > > 
> > > > Another test case is iotest 229 which specifies both mode=absolute-paths
> > > > and mode=existing (it wants the latter).
> 
> We'll have to fix such broken clients, of course. If it is just our iotests
> (and not libvirt), I'm less worried about the change in behavior.
> 
> -- 
> Eric Blake, Principal Software Engineer
> Red Hat, Inc.           +1-919-301-3266
> Virtualization:  qemu.org | libvirt.org
> 
--
Dr. David Alan Gilbert / address@hidden / Manchester, UK