[lxc-devel] [lxd/master] Validate proxy addresses

stgraber on Github lxc-bot at linuxcontainers.org
Thu Apr 18 19:32:41 UTC 2019


From 44f9679e08025435a7b5590bc2409ae43000c650 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 18 Apr 2019 14:43:16 +0100
Subject: [PATCH 1/2] lxd: Rename parseAddr to proxyParseAddr
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container.go           | 4 ++--
 lxd/container_lxc.go       | 4 ++--
 lxd/main_forkproxy.go      | 6 +++---
 lxd/main_forkproxy_test.go | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lxd/container.go b/lxd/container.go
index 3bafd25006..9911367403 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -506,12 +506,12 @@ func containerValidDevices(cluster *db.Cluster, devices types.Devices, profile b
 				return fmt.Errorf("Proxy device entry is missing the required \"connect\" property")
 			}
 
-			listenAddr, err := parseAddr(m["listen"])
+			listenAddr, err := proxyParseAddr(m["listen"])
 			if err != nil {
 				return err
 			}
 
-			connectAddr, err := parseAddr(m["connect"])
+			connectAddr, err := proxyParseAddr(m["connect"])
 			if err != nil {
 				return err
 			}
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 11d2271e8c..e3120a4651 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -7269,12 +7269,12 @@ func (c *containerLXC) insertProxyDevice(devName string, m types.Device) error {
 }
 
 func (c *containerLXC) doNat(proxy string, device types.Device) error {
-	listenAddr, err := parseAddr(device["listen"])
+	listenAddr, err := proxyParseAddr(device["listen"])
 	if err != nil {
 		return err
 	}
 
-	connectAddr, err := parseAddr(device["connect"])
+	connectAddr, err := proxyParseAddr(device["connect"])
 	if err != nil {
 		return err
 	}
diff --git a/lxd/main_forkproxy.go b/lxd/main_forkproxy.go
index 51b1eb7fbf..37b27f79b7 100644
--- a/lxd/main_forkproxy.go
+++ b/lxd/main_forkproxy.go
@@ -464,13 +464,13 @@ func (c *cmdForkproxy) Run(cmd *cobra.Command, args []string) error {
 	}
 
 	listenAddr := args[1]
-	lAddr, err := parseAddr(listenAddr)
+	lAddr, err := proxyParseAddr(listenAddr)
 	if err != nil {
 		return err
 	}
 
 	connectAddr := args[3]
-	cAddr, err := parseAddr(connectAddr)
+	cAddr, err := proxyParseAddr(connectAddr)
 	if err != nil {
 		return err
 	}
@@ -1047,7 +1047,7 @@ func parsePortRange(r string) (int64, int64, error) {
 	return base, size, nil
 }
 
-func parseAddr(addr string) (*proxyAddress, error) {
+func proxyParseAddr(addr string) (*proxyAddress, error) {
 	// Split into <protocol> and <address>
 	fields := strings.SplitN(addr, ":", 2)
 
diff --git a/lxd/main_forkproxy_test.go b/lxd/main_forkproxy_test.go
index 34ae853497..fd3bb9027e 100644
--- a/lxd/main_forkproxy_test.go
+++ b/lxd/main_forkproxy_test.go
@@ -167,7 +167,7 @@ func TestParseAddr(t *testing.T) {
 
 	for i, tt := range tests {
 		log.Printf("Running test #%d: %s", i, tt.name)
-		addr, err := parseAddr(tt.address)
+		addr, err := proxyParseAddr(tt.address)
 		if tt.shouldFail {
 			require.Error(t, err)
 			require.Nil(t, addr)

From 4298974c25844be131211447cefd1e8c279aebb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 18 Apr 2019 14:48:39 +0100
Subject: [PATCH 2/2] lxd/proxy: Validate the addresses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #5677

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/main_forkproxy.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lxd/main_forkproxy.go b/lxd/main_forkproxy.go
index 37b27f79b7..6e253d2a66 100644
--- a/lxd/main_forkproxy.go
+++ b/lxd/main_forkproxy.go
@@ -1072,6 +1072,14 @@ func proxyParseAddr(addr string) (*proxyAddress, error) {
 		return nil, err
 	}
 
+	// Validate that it's a valid address
+	if shared.StringInSlice(newProxyAddr.connType, []string{"udp", "tcp"}) {
+		err := networkValidAddress(address)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// Split <ports> into individual ports and port ranges
 	ports := strings.SplitN(port, ",", -1)
 	for _, p := range ports {
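Review bot: The added address check in proxyParseAddr ships without a test: lxd/main_forkproxy_test.go is untouched by this patch even though TestParseAddr already has a `shouldFail` table, so nothing pins that a malformed tcp/udp address is now rejected. Add at least one failing entry per protocol, for example (constructed value) `address: "tcp:not-an-address:80", shouldFail: true`, plus a passing IPv6 case if the parser is meant to accept one. Because the earlier patch in this series shows this function is the shared gate for `containerValidDevices`, `doNat` and forkproxy's `Run`, the comment should also state what is deliberately left unchecked, e.g. `// Only tcp/udp carry a network address; other connection types are not validated here`. What networkValidAddress accepts (empty string, hostnames, bracketed IPv6) is not visible in this hunk, and proxyParseAddr's body starts and ends outside it.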

