[libvirt] [PATCHv2] network: check for invalid forward delay time
When spanning tree protocol is allowed in bridge settings, forward delay value is set as well (default is 0 if omitted). Until now, there was no check for delay value validity. Delay makes sense only as a positive numerical value. Note: However, even if you provide positive numerical value, brctl utility only uses values from range <2,30>, so the number provided can be modified (kernel most likely) to fall within this range. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1125764 --- docs/schemas/network.rng | 2 +- src/conf/network_conf.c | 38 +++++++++++++++++++++++--------------- src/util/virxml.c | 2 +- 3 files changed, 25 insertions(+), 17 deletions(-) diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng index 0e7da89..ab41814 100644 --- a/docs/schemas/network.rng +++ b/docs/schemas/network.rng @@ -62,7 +62,7 @@ <optional> <attribute name="delay"> - <data type="integer"/> + <data type="unsignedLong"/> </attribute> </optional> diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index 9571ee1..e9ea746 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -2003,7 +2003,7 @@ static virNetworkDefPtr virNetworkDefParseXML(xmlXPathContextPtr ctxt) { virNetworkDefPtr def; - char *tmp; + char *tmp = NULL; char *stp = NULL; xmlNodePtr *ipNodes = NULL; xmlNodePtr *routeNodes = NULL; @@ -2037,7 +2037,6 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) } } else { if (virUUIDParse(tmp, def->uuid) < 0) { - VIR_FREE(tmp); virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("malformed uuid element")); goto error; @@ -2078,8 +2077,16 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) stp = virXPathString("string(./bridge[1]/@stp)", ctxt); def->stp = (stp && STREQ(stp, "off")) ? false : true; - if (virXPathULong("string(./bridge[1]/@delay)", ctxt, &def->delay) < 0) - def->delay = 0; + tmp = virXPathString("string(./bridge[1]/@delay)", ctxt); + if (tmp) { + if (virStrToLong_ulp(tmp, NULL, 10, &def->delay) < 0) { + virReportError(VIR_ERR_XML_ERROR, + _("Invalid delay value in network '%s'"), + def->name); + goto error; + } + } + VIR_FREE(tmp); tmp = virXPathString("string(./mac[1]/@address)", ctxt); if (tmp) { @@ -2087,14 +2094,12 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) virReportError(VIR_ERR_XML_ERROR, _("Invalid bridge mac address '%s' in network '%s'"), tmp, def->name); - VIR_FREE(tmp); goto error; } if (virMacAddrIsMulticast(&def->mac)) { virReportError(VIR_ERR_XML_ERROR, _("Invalid multicast bridge mac address '%s' in network '%s'"), tmp, def->name); - VIR_FREE(tmp); goto error; } VIR_FREE(tmp); @@ -2126,9 +2131,9 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) goto error; /* parse each portgroup */ for (i = 0; i < nPortGroups; i++) { - int ret = virNetworkPortGroupParseXML(&def->portGroups[i], - portGroupNodes[i], ctxt); - if (ret < 0) + if (virNetworkPortGroupParseXML(&def->portGroups[i], + portGroupNodes[i], + ctxt) < 0) goto error; def->nPortGroups++; } @@ -2147,9 +2152,10 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) goto error; /* parse each addr */ for (i = 0; i < nIps; i++) { - int ret = virNetworkIPDefParseXML(def->name, ipNodes[i], - ctxt, &def->ips[i]); - if (ret < 0) + if (virNetworkIPDefParseXML(def->name, + ipNodes[i], + ctxt, + &def->ips[i]) < 0) goto error; def->nips++; } @@ -2168,9 +2174,10 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) goto error; /* parse each definition */ for (i = 0; i < nRoutes; i++) { - int ret = virNetworkRouteDefParseXML(def->name, routeNodes[i], - ctxt, &def->routes[i]); - if (ret < 0) + if (virNetworkRouteDefParseXML(def->name, + routeNodes[i], + ctxt, + &def->routes[i]) < 0) goto error; def->nroutes++; } @@ -2289,6 +2296,7 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) return def; error: + VIR_FREE(tmp); VIR_FREE(routeNodes); VIR_FREE(stp); virNetworkDefFree(def); diff --git a/src/util/virxml.c b/src/util/virxml.c index cc4a85c..a91da05 100644 --- a/src/util/virxml.c +++ b/src/util/virxml.c @@ -420,7 +420,7 @@ virXPathULongLong(const char *xpath, } /** - * virXPathULongLong: + * virXPathLongLong: * @xpath: the XPath string to evaluate * @ctxt: an XPath context * @value: the returned long long value -- 1.9.3
On Mon, Sep 15, 2014 at 10:42:15AM +0200, Erik Skultety wrote:
When spanning tree protocol is allowed in bridge settings, forward delay value is set as well (default is 0 if omitted). Until now, there was no check for delay value validity. Delay makes sense only as a positive numerical value.
Note: However, even if you provide positive numerical value, brctl utility only uses values from range <2,30>, so the number provided can be modified (kernel most likely) to fall within this range.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1125764 --- docs/schemas/network.rng | 2 +- src/conf/network_conf.c | 38 +++++++++++++++++++++++--------------- src/util/virxml.c | 2 +- 3 files changed, 25 insertions(+), 17 deletions(-)
[...]
diff --git a/src/util/virxml.c b/src/util/virxml.c index cc4a85c..a91da05 100644 --- a/src/util/virxml.c +++ b/src/util/virxml.c @@ -420,7 +420,7 @@ virXPathULongLong(const char *xpath, }
/** - * virXPathULongLong: + * virXPathLongLong: * @xpath: the XPath string to evaluate * @ctxt: an XPath context * @value: the returned long long value -- 1.9.3
This hunk should be in separate patch (and the VIR_FREE(tmp) cleanups could be too), so I pushed this one separately as a trivial (and kept those VIR_FREE(tmp) cleanups). ACK to the rest, pushed too. Martin
participants (2)
-
Erik Skultety -
Martin Kletzander