If the socket path specified is relative, resolve it against ovs_rundir() by prepending that directory in unix_open() and punix_open(), and free the newly allocated strings on every exit path. Also change bridge.c to relax the whitelist check only when the target contains no '/'.
Signed-off-by: Pavithra Ramesh <param...@vmware.com>
---
 lib/stream-unix.c | 27 +++++++++++++++++++++++----
 vswitchd/bridge.c | 6 ++++--
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/lib/stream-unix.c b/lib/stream-unix.c
index 6ed7648..3e2503f 100644
--- a/lib/stream-unix.c
+++ b/lib/stream-unix.c
@@ -29,6 +29,7 @@
 #include "packets.h"
 #include "poll-loop.h"
 #include "socket-util.h"
+#include "dirs.h"
 #include "util.h"
 #include "stream-provider.h"
 #include "stream-fd.h"
@@ -42,15 +43,23 @@ static int
 unix_open(const char *name, char *suffix, struct stream **streamp,
           uint8_t dscp OVS_UNUSED)
 {
-    const char *connect_path = suffix;
+    char *new_path = NULL;
+    char *connect_path = suffix;
     int fd;
 
+    if (suffix[0] != '/') {
+        /* Absolute path was not specified */
+        new_path = xasprintf("%s/%s", ovs_rundir(), suffix);
+        connect_path = new_path;
+    }
     fd = make_unix_socket(SOCK_STREAM, true, NULL, connect_path);
     if (fd < 0) {
         VLOG_DBG("%s: connection failed (%s)", connect_path, strerror(-fd));
+        free(new_path);
         return -fd;
     }
 
+    free(new_path);
     return new_fd_stream(name, fd, check_connection_completion(fd), streamp);
 }
 
@@ -77,10 +86,18 @@ punix_open(const char *name OVS_UNUSED, char *suffix,
            struct pstream **pstreamp, uint8_t dscp OVS_UNUSED)
 {
     int fd, error;
+    char *new_path = NULL;
+    char *bind_path = suffix;
 
-    fd = make_unix_socket(SOCK_STREAM, true, suffix, NULL);
+    if (suffix[0] != '/') {
+        /* Absolute path was not specified */
+        new_path = xasprintf("%s/%s", ovs_rundir(), suffix);
+        bind_path = new_path;
+    }
+    fd = make_unix_socket(SOCK_STREAM, true, bind_path, NULL);
     if (fd < 0) {
-        VLOG_ERR("%s: binding failed: %s", suffix, strerror(errno));
+        VLOG_ERR("%s: binding failed: %s", bind_path, strerror(errno));
+        free(new_path);
         return errno;
     }
 
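Review bot: The relative-path branch added at the top of unix_open does no normalization, so a name such as `../x` or `a/../../x` still resolves outside ovs_rundir(); that is acceptable for a client choosing its own target, but nothing in this function confines the result, and a caller that needs confinement must reject '/' itself (bridge.c's whitelist in this same patch does exactly that). A comment above the branch would stop the next reader from treating it as a sandbox: `/* A bare name is resolved under ovs_rundir(); the path is not normalized, so callers that need confinement must reject '/' themselves. */`. An empty suffix yields `<rundir>/`, which make_unix_socket will presumably reject as a directory — worth a clause in the same comment if that is the intended outcome. If the `unix:FILE` syntax is described in the manpages, that text needs the same note about relative names.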
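Review bot: The rewritten VLOG_ERR line in punix_open still formats `strerror(errno)` and the function returns `errno`, while unix_open in the hunk above treats the negative return of make_unix_socket as the error (`strerror(-fd)`, `return -fd`); if make_unix_socket reports failures as a negative errno value, as unix_open's usage implies, the bind failure here logs and returns whatever errno happens to hold at that point. Since the line is being touched anyway, aligning it would be `VLOG_ERR("%s: binding failed: %s", bind_path, strerror(-fd)); free(new_path); return -fd;`. The `suffix[0] != '/'` plus xasprintf block is now duplicated verbatim between the two functions; a small static helper returning the allocated path (or NULL when suffix is already absolute) would keep the two in step. punix_open's body continues in the next hunk.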
@@ -88,11 +105,13 @@ punix_open(const char *name OVS_UNUSED, char *suffix,
         error = errno;
         VLOG_ERR("%s: listen: %s", name, strerror(error));
         close(fd);
+        free(new_path);
         return error;
     }
 
     return new_fd_pstream(name, fd, punix_accept, NULL,
-                          xstrdup(suffix), pstreamp);
+                          new_path ? new_path : xstrdup(bind_path),
+                          pstreamp);
 }
 
 static int
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index f5a4366..fdd7c64 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -2799,8 +2799,10 @@ bridge_configure_remotes(struct bridge *br,
         if (!strncmp(c->target, "unix:", 5)) {
             /* Connect to a listening socket */
             whitelist = xasprintf("unix:%s/", ovs_rundir());
-            if (!equal_pathnames(c->target, whitelist,
-                                 strlen(whitelist))) {
+            if (strchr(c->target, '/') &&
+                !equal_pathnames(c->target, whitelist,
+                                 strlen(whitelist))) {
+                /* Absolute path specified, but not in ovs_rundir */
                 VLOG_ERR_RL(&rl, "bridge %s: Not connecting to socket "
                             "controller \"%s\" due to possibility for "
                             "remote exploit. Instead, specify socket "
-- 
1.7.0.4

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
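Review bot: The new return line hands `new_path` to new_fd_pstream without saying so, leaving the reader to work out that ownership transfers to the pstream here and that the two `free(new_path)` calls on the error paths are the only other owners; a one-line comment above the return would settle it: `/* new_path (when non-NULL) is handed to the pstream, which owns it from here on. */`. Whether new_fd_pstream can still fail after listen() succeeded — in which case new_path would leak — cannot be seen from this hunk and should be confirmed against its definition. The start of punix_open is in the previous hunk.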
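Review bot: The comment added inside the rejection branch, `/* Absolute path specified, but not in ovs_rundir */`, is narrower than the condition it annotates: `strchr(c->target, '/')` also matches a relative target such as `unix:foo/bar`, which is rejected as well, so it should read `/* Any target containing '/' must name a socket under ovs_rundir(); a bare name is resolved there by unix_open(). */`. The whitelist test that follows remains a length-limited prefix comparison, so unless equal_pathnames normalizes its arguments a target like `unix:<rundir>/../x` still satisfies it — that is pre-existing, but the new comment is the natural place to state whether it is accepted. The if block, and bridge_configure_remotes itself, continue beyond the hunk.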