[ovs-dev] [PATCH] remove restriction on socket name
Pavithra Ramesh
paramesh at vmware.com
Mon Jan 14 23:37:43 UTC 2013
Following patch removes restriction on the listening socket name that gets configured as bridge controller.
Currently, we only connect to sockets in a specific directory with the name of the bridge.
This patch removes the restriction on the bridge name (but keeps the directory restriction).
Issue: 14029
Change-Id: I81a1d2b17bf4c66acc6933ec2fa48391e67e8126
---
vswitchd/bridge.c | 39 +++++++++++++++++++++++++--------------
1 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 348faef..7c610cb 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -2792,21 +2792,32 @@ bridge_configure_remotes(struct bridge *br,
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
char *whitelist;
- whitelist = xasprintf("unix:%s/%s.controller",
+ /* Target is a listening socket */
+ if (!strncmp(c->target, "unix:", 5)) {
+ whitelist = xasprintf("unix:%s/",
+ ovs_rundir());
+ if(strncmp(c->target, whitelist, strlen(whitelist))) {
+ goto error;
+ }
+
+ } else {
+ whitelist = xasprintf("punix:%s/%s.controller",
+ ovs_rundir(), br->name);
+ if (!equal_pathnames(c->target, whitelist)) {
+ /* Prevent remote ovsdb-server users from accessing arbitrary
+ * Unix domain sockets and overwriting arbitrary local
+ * files. */
+ error:
+ VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket "
+ "controller \"%s\" due to possibility for remote "
+ "exploit. Instead, specify whitelisted \"%s\" or "
+ "connect to \"unix:%s/%s.mgmt\" (which is always "
+ "available without special configuration).",
+ br->name, c->target, whitelist,
ovs_rundir(), br->name);
- if (!equal_pathnames(c->target, whitelist)) {
- /* Prevent remote ovsdb-server users from accessing arbitrary
- * Unix domain sockets and overwriting arbitrary local
- * files. */
- VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket "
- "controller \"%s\" due to possibility for remote "
- "exploit. Instead, specify whitelisted \"%s\" or "
- "connect to \"unix:%s/%s.mgmt\" (which is always "
- "available without special configuration).",
- br->name, c->target, whitelist,
- ovs_rundir(), br->name);
- free(whitelist);
- continue;
+ free(whitelist);
+ continue;
+ }
}
free(whitelist);
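Review bot: The `unix:` branch only checks that c->target begins with the `unix:<rundir>/` prefix (the strncmp on the whitelist), so anything after that prefix is accepted without canonicalisation, including further path components such as `..`; the removed code compared the whole pathname with `equal_pathnames`, so this is weaker than what the description calls "keeping the directory restriction". A cheap way to actually confine the socket to that directory is to require the remainder to be a single non-empty name, e.g. `const char *name = c->target + strlen(whitelist);` and `if (strncmp(c->target, whitelist, strlen(whitelist)) || !*name || strchr(name, '/')) { goto error; }`. The `goto error` into the inner block of the else branch is hard to follow and, for this branch, the message prints the directory prefix as the "whitelisted" target; computing a `bool ok` in both branches and using one shared error block after them would read better. The magic `5` in the "unix:" test should be `strlen("unix:")` or a named constant. bridge_configure_remotes begins and ends outside this hunk.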
--
1.7.0.4