[ovs-dev] [PATCH] remove restriction on socket name

Pavithra Ramesh paramesh at vmware.com
Mon Jan 14 23:37:43 UTC 2013


The following patch removes the restriction on the name of the listening Unix domain socket that may be configured as a bridge controller. 
Currently, we only connect to a socket in a specific directory (the OVS run directory) whose name is derived from the bridge name. 
This patch removes the restriction on the socket name but keeps the directory restriction. 
Issue: 14029 

Change-Id: I81a1d2b17bf4c66acc6933ec2fa48391e67e8126 
--- 
vswitchd/bridge.c | 39 +++++++++++++++++++++++++-------------- 
1 files changed, 25 insertions(+), 14 deletions(-) 

diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c 
index 348faef..7c610cb 100644 
--- a/vswitchd/bridge.c 
+++ b/vswitchd/bridge.c 
@@ -2792,21 +2792,32 @@ bridge_configure_remotes(struct bridge *br, 
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5); 
char *whitelist; 

- whitelist = xasprintf("unix:%s/%s.controller", 
+ /* Target is a listening socket */ 
+ if (!strncmp(c->target, "unix:", 5)) { 
+ whitelist = xasprintf("unix:%s/", 
+ ovs_rundir()); 
+ if(strncmp(c->target, whitelist, strlen(whitelist))) { 
+ goto error; 
+ } 
+ 
+ } else { 
+ whitelist = xasprintf("punix:%s/%s.controller", 
+ ovs_rundir(), br->name); 
+ if (!equal_pathnames(c->target, whitelist)) { 
+ /* Prevent remote ovsdb-server users from accessing arbitrary 
+ * Unix domain sockets and overwriting arbitrary local 
+ * files. */ 
+ error: 
+ VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket " 
+ "controller \"%s\" due to possibility for remote " 
+ "exploit. Instead, specify whitelisted \"%s\" or " 
+ "connect to \"unix:%s/%s.mgmt\" (which is always " 
+ "available without special configuration).", 
+ br->name, c->target, whitelist, 
ovs_rundir(), br->name); 
- if (!equal_pathnames(c->target, whitelist)) { 
- /* Prevent remote ovsdb-server users from accessing arbitrary 
- * Unix domain sockets and overwriting arbitrary local 
- * files. */ 
- VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket " 
- "controller \"%s\" due to possibility for remote " 
- "exploit. Instead, specify whitelisted \"%s\" or " 
- "connect to \"unix:%s/%s.mgmt\" (which is always " 
- "available without special configuration).", 
- br->name, c->target, whitelist, 
- ovs_rundir(), br->name); 
- free(whitelist); 
- continue; 
+ free(whitelist); 
+ continue; 
+ } 
} 

free(whitelist); 
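Review bot: The `unix:` branch's prefix check at `if(strncmp(c->target, whitelist, strlen(whitelist)))` only requires that the target begin with `unix:<rundir>/`, so a target such as `unix:<rundir>/../../some/other.sock` passes and defeats the directory restriction the description says is kept, whereas the previous `equal_pathnames` comparison demanded an exact match and had no such hole. Requiring the remainder after the prefix to be a single path component closes it: `if (strncmp(c->target, whitelist, strlen(whitelist)) || strchr(c->target + strlen(whitelist), '/')) { goto error; }`. Whether `equal_pathnames` also normalizes repeated slashes or similar is not visible here; if it does, plain `strncmp` loses that as well and a length-bounded `equal_pathnames` variant would be the safer comparison. The `goto error` that jumps into the body of the `else` branch's `if` is legal C but hard to follow; hoisting the `VLOG_ERR_RL`/`free`/`continue` sequence below both branches behind a single rejection flag avoids it. bridge_configure_remotes begins before this hunk and continues after it.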
-- 
1.7.0.4 


