On Mon, Jan 14, 2013 at 03:37:43PM -0800, Pavithra Ramesh wrote:
> Following patch removes restriction on the listening socket name that gets
> configured as bridge controller.
> Currently, we only connect to sockets in a specific directory with the name
> of the bridge.
> This patch removes the restriction on the bridge name (but keeps the directory
> restriction).
Please try to keep the lines of the commit message to about 75
columns. Above, the lines are as wide as 108 columns.
> Issue: 14029
We usually write these as "Bug #14029." or "Feature #14029." as
appropriate in OVS commit messages.
> Change-Id: I81a1d2b17bf4c66acc6933ec2fa48391e67e8126
Open vSwitch doesn't use Gerrit, so the commit messages should not
include a Change-Id.
The patch got corrupted. All leading white space was missing. See
below:
> diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
> index 348faef..7c610cb 100644
> --- a/vswitchd/bridge.c
> +++ b/vswitchd/bridge.c
> @@ -2792,21 +2792,32 @@ bridge_configure_remotes(struct bridge *br,
> static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
> char *whitelist;
>
> - whitelist = xasprintf("unix:%s/%s.controller",
> + /* Target is a listening socket */
> + if (!strncmp(c->target, "unix:", 5)) {
> + whitelist = xasprintf("unix:%s/",
> + ovs_rundir());
> + if(strncmp(c->target, whitelist, strlen(whitelist))) {
> + goto error;
> + }
> +
> + } else {
> + whitelist = xasprintf("punix:%s/%s.controller",
> + ovs_rundir(), br->name);
> + if (!equal_pathnames(c->target, whitelist)) {
> + /* Prevent remote ovsdb-server users from accessing arbitrary
> + * Unix domain sockets and overwriting arbitrary local
> + * files. */
> + error:
> + VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket "
> + "controller \"%s\" due to possibility for remote "
> + "exploit. Instead, specify whitelisted \"%s\" or "
> + "connect to \"unix:%s/%s.mgmt\" (which is always "
> + "available without special configuration).",
> + br->name, c->target, whitelist,
> ovs_rundir(), br->name);
> - if (!equal_pathnames(c->target, whitelist)) {
> - /* Prevent remote ovsdb-server users from accessing arbitrary
> - * Unix domain sockets and overwriting arbitrary local
> - * files. */
> - VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket "
> - "controller \"%s\" due to possibility for remote "
> - "exploit. Instead, specify whitelisted \"%s\" or "
> - "connect to \"unix:%s/%s.mgmt\" (which is always "
> - "available without special configuration).",
> - br->name, c->target, whitelist,
> - ovs_rundir(), br->name);
> - free(whitelist);
> - continue;
> + free(whitelist);
> + continue;
> + }
> }
>
> free(whitelist);
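Review bot: the `strncmp(c->target, whitelist, strlen(whitelist))` prefix test in the new `unix:` branch does not enforce the directory restriction the commit message promises, because a target that begins with `unix:<rundir>/` but contains `..` components shares the prefix while naming a socket outside the run directory; the code being replaced compared against a fixed name with `equal_pathnames()`, and the comment retained a few lines below still says the check exists to keep remote ovsdb-server users away from arbitrary Unix domain sockets. Suggest rejecting any target whose remainder after the prefix contains a path separator, or canonicalizing the path before comparing. Two smaller points in the same hunk: the message reached via `goto error` tells the user to "specify whitelisted \"%s\"", but in this branch `whitelist` is only the directory prefix `unix:%s/`, so the advice is misleading; and `goto error` jumping into a block nested inside the other arm of the `if`/`else` reads badly, so consider hoisting the `VLOG_ERR_RL`, `free(whitelist)` and `continue` out of the `else` so both arms fall through to them. Finally, `if(strncmp` is missing the space after `if` that the surrounding code uses.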
> --
> 1.7.0.4
>
> _______________________________________________
> dev mailing list
> [email protected]
> http://openvswitch.org/mailman/listinfo/dev