[ovs-dev] [PATCH] stream-unix: append ovs_rundir to socket

Pavithra Ramesh paramesh at vmware.com
Thu Feb 7 19:24:27 UTC 2013


Incorporated Ben's comments.

If the socket path specified is relative to ovs_rundir(),
append the directory name to it in unix_open and punix_open.

Also included the change in bridge.c to relax the whitelist
check, but only if the target contains no '/'.

Signed-off-by: Pavithra Ramesh <paramesh at vmware.com>
---
 lib/stream-unix.c |   20 ++++++++++++++++++--
 vswitchd/bridge.c |    6 ++++--
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/lib/stream-unix.c b/lib/stream-unix.c
index 6ed7648..53e603d 100644
--- a/lib/stream-unix.c
+++ b/lib/stream-unix.c
@@ -29,6 +29,7 @@
 #include "packets.h"
 #include "poll-loop.h"
 #include "socket-util.h"
+#include "dirs.h"
 #include "util.h"
 #include "stream-provider.h"
 #include "stream-fd.h"
@@ -42,15 +43,23 @@ static int
 unix_open(const char *name, char *suffix, struct stream **streamp,
           uint8_t dscp OVS_UNUSED)
 {
-    const char *connect_path = suffix;
+    char *new_path = NULL;
+    char *connect_path = suffix;
     int fd;
 
+    if (suffix[0] != '/') {
+        /* Absolute path was not specified */
+        new_path = xasprintf("%s/%s", ovs_rundir(), suffix);
+        connect_path = new_path;
+    }
     fd = make_unix_socket(SOCK_STREAM, true, NULL, connect_path);
     if (fd < 0) {
         VLOG_DBG("%s: connection failed (%s)", connect_path, strerror(-fd));
+        free(new_path);        
         return -fd;
     }
 
+    free(new_path);        
     return new_fd_stream(name, fd, check_connection_completion(fd), streamp);
 }
 
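Review bot: The declaration of connect_path in unix_open drops its const qualifier without needing to, since the pointer is only read after assignment and a `const char *` can hold new_path as well as suffix; keeping `const char *connect_path = suffix;` preserves the original guarantee. Both added `free(new_path);` lines also carry trailing whitespace. The same resolution block is repeated in punix_open, and the relaxed check in vswitchd/bridge.c appears to rely on both resolving slash-less names identically, so a shared static helper in this file would keep the two from drifting apart.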
@@ -77,8 +86,15 @@ punix_open(const char *name OVS_UNUSED, char *suffix,
            struct pstream **pstreamp, uint8_t dscp OVS_UNUSED)
 {
     int fd, error;
+    char *new_path = NULL;
+    char *connect_path = suffix;
 
-    fd = make_unix_socket(SOCK_STREAM, true, suffix, NULL);
+    if (suffix[0] != '/') {
+        /* Absolute path was not specified */
+        new_path = xasprintf("%s/%s", ovs_rundir(), suffix);
+        connect_path = new_path;
+    }
+    fd = make_unix_socket(SOCK_STREAM, true, connect_path, NULL);
     if (fd < 0) {
         VLOG_ERR("%s: binding failed: %s", suffix, strerror(errno));
         return errno;
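Review bot: new_path is leaked on the `fd < 0` return in punix_open, because unlike unix_open no `free(new_path)` precedes `return errno;`. The rest of the function lies outside this hunk, so the success path should be checked for the same omission. errno should be saved before logging and freeing, since either call may overwrite it: `error = errno;` ahead of the VLOG_ERR, then `free(new_path); return error;`. The error message still prints `suffix` rather than `connect_path`, so the log shows a name that is not the path the bind was attempted on.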
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index f5a4366..fdd7c64 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -2799,8 +2799,10 @@ bridge_configure_remotes(struct bridge *br,
             if (!strncmp(c->target, "unix:", 5)) {
                 /* Connect to a listening socket */
                 whitelist = xasprintf("unix:%s/", ovs_rundir());
-                if (!equal_pathnames(c->target, whitelist,
-                                     strlen(whitelist))) {
+                if (strchr(c->target, '/') &&
+                   !equal_pathnames(c->target, whitelist,
+                     strlen(whitelist))) {
+                    /* Absolute path specified, but not in ovs_rundir */
                     VLOG_ERR_RL(&rl, "bridge %s: Not connecting to socket "
                                   "controller \"%s\" due to possibility for "
                                   "remote exploit.  Instead, specify socket "
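Review bot: The new comment `/* Absolute path specified, but not in ovs_rundir */` understates what the condition rejects, because `strchr(c->target, '/')` also matches relative targets that contain a slash, and those fail the prefix comparison too. Skipping the check for slash-less targets is only safe because unix_open in lib/stream-unix.c now resolves such names under ovs_rundir(), and nothing here records that dependency. I would replace the comment with something like `/* Target contains '/' and is not under ovs_rundir(). Slash-less targets are resolved under ovs_rundir() by unix_open(), so they need no check. */`. Separately, the comparison covers only the first `strlen(whitelist)` characters, and equal_pathnames is not visible here, so it is worth confirming that a target under the rundir prefix containing `..` components is normalised or rejected. bridge_configure_remotes continues outside this hunk.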
-- 
1.7.0.4



