[ovs-dev] [PATCH] remove restriction on socket name

Ben Pfaff blp at nicira.com
Tue Jan 15 00:57:48 UTC 2013


On Mon, Jan 14, 2013 at 03:37:43PM -0800, Pavithra Ramesh wrote:
> Following patch removes restriction on the listening socket name that gets configured as bridge controller. 
> Currently, we only connect to sockets in a specific directory with the name of the bridge. 
> This patch removes the restriction on the bridge name (but keeps the directory restriction). 

Please try to keep the lines of the commit message to about 75
columns.  Above, the lines are as wide as 108 columns.

> Issue: 14029 

We usually write these as "Bug #14029." or "Feature #14029." as
appropriate in OVS commit messages.

> Change-Id: I81a1d2b17bf4c66acc6933ec2fa48391e67e8126 

Open vSwitch doesn't use Gerrit, so the commit messages should not
include a Change-Id.

The patch got corrupted.  All leading white space was missing.  See
below:

> diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c 
> index 348faef..7c610cb 100644 
> --- a/vswitchd/bridge.c 
> +++ b/vswitchd/bridge.c 
> @@ -2792,21 +2792,32 @@ bridge_configure_remotes(struct bridge *br, 
> static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5); 
> char *whitelist; 
> 
> - whitelist = xasprintf("unix:%s/%s.controller", 
> + /* Target is a listening socket */ 
> + if (!strncmp(c->target, "unix:", 5)) { 
> + whitelist = xasprintf("unix:%s/", 
> + ovs_rundir()); 
> + if(strncmp(c->target, whitelist, strlen(whitelist))) { 
> + goto error; 
> + } 
> + 
> + } else { 
> + whitelist = xasprintf("punix:%s/%s.controller", 
> + ovs_rundir(), br->name); 
> + if (!equal_pathnames(c->target, whitelist)) { 
> + /* Prevent remote ovsdb-server users from accessing arbitrary 
> + * Unix domain sockets and overwriting arbitrary local 
> + * files. */ 
> + error: 
> + VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket " 
> + "controller \"%s\" due to possibility for remote " 
> + "exploit. Instead, specify whitelisted \"%s\" or " 
> + "connect to \"unix:%s/%s.mgmt\" (which is always " 
> + "available without special configuration).", 
> + br->name, c->target, whitelist, 
> ovs_rundir(), br->name); 
> - if (!equal_pathnames(c->target, whitelist)) { 
> - /* Prevent remote ovsdb-server users from accessing arbitrary 
> - * Unix domain sockets and overwriting arbitrary local 
> - * files. */ 
> - VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket " 
> - "controller \"%s\" due to possibility for remote " 
> - "exploit. Instead, specify whitelisted \"%s\" or " 
> - "connect to \"unix:%s/%s.mgmt\" (which is always " 
> - "available without special configuration).", 
> - br->name, c->target, whitelist, 
> - ovs_rundir(), br->name); 
> - free(whitelist); 
> - continue; 
> + free(whitelist); 
> + continue; 
> + } 
> } 
> 
> free(whitelist); 
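
Review bot: The "unix:" branch only checks that c->target starts with "unix:<rundir>/" (the strncmp() against whitelist) and never looks at the rest of the path, so a target whose remainder contains ".." components passes the prefix test while naming a socket outside ovs_rundir(). That defeats the directory restriction the commit message says is kept, and the purpose stated in the retained comment ("Prevent remote ovsdb-server users from accessing arbitrary Unix domain sockets"). Suggest rejecting any remainder that contains a "/" or a ".." component, or comparing against a canonicalized path. Two smaller points in the same hunk: "goto error" jumps into the body of the "if" inside the else branch, and the message then prints "unix:<rundir>/" as the whitelisted name, which is a prefix rather than a usable target, so a separate error path with its own wording would be clearer; and "if(strncmp(" needs a space after "if".
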
> -- 
> 1.7.0.4 
> 
