From: Pavithra Ramesh <param...@vmware.com>

The following patch removes the restriction on the listening socket name that gets
configured as the bridge controller.
Currently, we only connect to sockets in a specific directory whose name is the
name of the bridge.
This patch removes the restriction on the bridge name (but keeps the directory
restriction).
Bug #14029
---
 vswitchd/bridge.c |   39 +++++++++++++++++++++++++--------------
 1 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 348faef..7c610cb 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -2792,21 +2792,32 @@ bridge_configure_remotes(struct bridge *br,
             static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
             char *whitelist;
 
-            whitelist = xasprintf("unix:%s/%s.controller",
+            /* Target is a listening socket */
+            if (!strncmp(c->target, "unix:", 5)) {
+               whitelist = xasprintf("unix:%s/",
+                                     ovs_rundir());
+               if(strncmp(c->target, whitelist, strlen(whitelist))) {
+                  goto error;
+               }
+   
+            } else {
+               whitelist = xasprintf("punix:%s/%s.controller",
+                                     ovs_rundir(), br->name);
+               if (!equal_pathnames(c->target, whitelist)) {
+                   /* Prevent remote ovsdb-server users from accessing 
arbitrary
+                    * Unix domain sockets and overwriting arbitrary local
+                    * files. */
+                   error:
+                      VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain 
socket "
+                                  "controller \"%s\" due to possibility for 
remote "
+                                  "exploit.  Instead, specify whitelisted 
\"%s\" or "
+                                  "connect to \"unix:%s/%s.mgmt\" (which is 
always "
+                                  "available without special configuration).",
+                                  br->name, c->target, whitelist,
                                   ovs_rundir(), br->name);
-            if (!equal_pathnames(c->target, whitelist)) {
-                /* Prevent remote ovsdb-server users from accessing arbitrary
-                 * Unix domain sockets and overwriting arbitrary local
-                 * files. */
-                VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket "
-                            "controller \"%s\" due to possibility for remote "
-                            "exploit.  Instead, specify whitelisted \"%s\" or "
-                            "connect to \"unix:%s/%s.mgmt\" (which is always "
-                            "available without special configuration).",
-                            br->name, c->target, whitelist,
-                            ovs_rundir(), br->name);
-                free(whitelist);
-                continue;
+                   free(whitelist);
+                   continue;
+               }
             }
 
             free(whitelist);
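Review bot: The new "unix:" branch only checks that c->target starts with the string `unix:<rundir>/`, so the directory restriction the description says it keeps is not actually enforced: a target whose remainder still contains path separators (including `..` components) passes the strncmp prefix check and names a socket outside ovs_rundir(), which is the situation the error message below warns about, whereas the replaced equal_pathnames() comparison required the whole path to match. After the prefix check, accept only a bare filename, e.g. `const char *sock = c->target + strlen(whitelist); if (!*sock || strchr(sock, '/')) { goto error; }`. Separately, `goto error` jumps into the body of the `if (!equal_pathnames(...))` block in the sibling else branch — legal C, but hard to follow — and in the "unix:" case the message then recommends `whitelist` (`unix:<rundir>/`), which is not a usable socket name; a shared reject block after the if/else, guarded by a bool, would avoid both, and would also let the new lines use the file's 4-space indent and `if (` spacing. The enclosing loop and the condition that selects this block begin outside the hunk, so whether non-"unix:" targets reaching the else branch are already limited to "punix:" cannot be confirmed from here.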
-- 
1.7.0.4
