[lxc-devel] [lxd/master] Validate proxy addresses
stgraber on Github
lxc-bot at linuxcontainers.org
Thu Apr 18 19:32:41 UTC 2019
From 44f9679e08025435a7b5590bc2409ae43000c650 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 18 Apr 2019 14:43:16 +0100
Subject: [PATCH 1/2] lxd: Rename parseAddr to proxyParseAddr
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/container.go | 4 ++--
lxd/container_lxc.go | 4 ++--
lxd/main_forkproxy.go | 6 +++---
lxd/main_forkproxy_test.go | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/lxd/container.go b/lxd/container.go
index 3bafd25006..9911367403 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -506,12 +506,12 @@ func containerValidDevices(cluster *db.Cluster, devices types.Devices, profile b
return fmt.Errorf("Proxy device entry is missing the required \"connect\" property")
}
- listenAddr, err := parseAddr(m["listen"])
+ listenAddr, err := proxyParseAddr(m["listen"])
if err != nil {
return err
}
- connectAddr, err := parseAddr(m["connect"])
+ connectAddr, err := proxyParseAddr(m["connect"])
if err != nil {
return err
}
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 11d2271e8c..e3120a4651 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -7269,12 +7269,12 @@ func (c *containerLXC) insertProxyDevice(devName string, m types.Device) error {
}
func (c *containerLXC) doNat(proxy string, device types.Device) error {
- listenAddr, err := parseAddr(device["listen"])
+ listenAddr, err := proxyParseAddr(device["listen"])
if err != nil {
return err
}
- connectAddr, err := parseAddr(device["connect"])
+ connectAddr, err := proxyParseAddr(device["connect"])
if err != nil {
return err
}
diff --git a/lxd/main_forkproxy.go b/lxd/main_forkproxy.go
index 51b1eb7fbf..37b27f79b7 100644
--- a/lxd/main_forkproxy.go
+++ b/lxd/main_forkproxy.go
@@ -464,13 +464,13 @@ func (c *cmdForkproxy) Run(cmd *cobra.Command, args []string) error {
}
listenAddr := args[1]
- lAddr, err := parseAddr(listenAddr)
+ lAddr, err := proxyParseAddr(listenAddr)
if err != nil {
return err
}
connectAddr := args[3]
- cAddr, err := parseAddr(connectAddr)
+ cAddr, err := proxyParseAddr(connectAddr)
if err != nil {
return err
}
@@ -1047,7 +1047,7 @@ func parsePortRange(r string) (int64, int64, error) {
return base, size, nil
}
-func parseAddr(addr string) (*proxyAddress, error) {
+func proxyParseAddr(addr string) (*proxyAddress, error) {
// Split into <protocol> and <address>
fields := strings.SplitN(addr, ":", 2)
diff --git a/lxd/main_forkproxy_test.go b/lxd/main_forkproxy_test.go
index 34ae853497..fd3bb9027e 100644
--- a/lxd/main_forkproxy_test.go
+++ b/lxd/main_forkproxy_test.go
@@ -167,7 +167,7 @@ func TestParseAddr(t *testing.T) {
for i, tt := range tests {
log.Printf("Running test #%d: %s", i, tt.name)
- addr, err := parseAddr(tt.address)
+ addr, err := proxyParseAddr(tt.address)
if tt.shouldFail {
require.Error(t, err)
require.Nil(t, addr)
From 4298974c25844be131211447cefd1e8c279aebb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 18 Apr 2019 14:48:39 +0100
Subject: [PATCH 2/2] lxd/proxy: Validate the addresses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #5677
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/main_forkproxy.go | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/lxd/main_forkproxy.go b/lxd/main_forkproxy.go
index 37b27f79b7..6e253d2a66 100644
--- a/lxd/main_forkproxy.go
+++ b/lxd/main_forkproxy.go
@@ -1072,6 +1072,14 @@ func proxyParseAddr(addr string) (*proxyAddress, error) {
return nil, err
}
+ // Validate that it's a valid address
+ if shared.StringInSlice(newProxyAddr.connType, []string{"udp", "tcp"}) {
+ err := networkValidAddress(address)
+ if err != nil {
+ return nil, err
+ }
+ }
+
// Split <ports> into individual ports and port ranges
ports := strings.SplitN(port, ",", -1)
for _, p := range ports {
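Review bot: The new `networkValidAddress(address)` check for `udp`/`tcp` has no matching case in `TestParseAddr`, since this patch's diffstat touches only `lxd/main_forkproxy.go`. Patch 1/2 shows `proxyParseAddr` is the parser that `containerValidDevices`, `doNat` and the forkproxy `Run` all use for the `listen`/`connect` values, so the rejection path deserves a table entry with `shouldFail: true` and a host the helper is meant to refuse. The helper's body is outside this hunk, so it is unclear whether hostnames, an empty host or a bracketed IPv6 literal pass; the comment could say so, e.g. `// Only accept hosts that networkValidAddress allows (TODO confirm: IP literals only?)`. The error is also returned bare, so the caller cannot tell which address was refused; something like `return nil, fmt.Errorf("Invalid proxy address %q: %v", addr, err)` would help, assuming `fmt` is imported in this file. `proxyParseAddr` starts and ends outside the hunk.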