neutron

Trailing whitespaces pass IP address validation

Bug #1393329 reported by Hironori Shiina on 2014-11-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Low	Hironori Shiina	neutron 2015.1.0 "kilo"

Bug Description

API attributes validation doesn't detect a trailing CR code.

By the following operations, a CR code causes a serious trouble.
1. Create files in Windows (newline characters are CR+LF) for heat.

template.yaml
---------------------
:
parameters:
  subnet_secure_allocation_start:
    type: string
    description: Allocation of the secure subnet.
:
resources:
  swift_network_secure:
    type: OS::Neutron::Net
    properties:
      name: { get_param: network_secure_name }

  swift_ctl_subnet_secure:
    type: OS::Neutron::Subnet
    depends_on: swift_network_secure
    properties:
      cidr: { get_param: subnet_secure_cidr }
      name: { get_param: subnet_secure_name }
      network_id: { get_resource: swift_network_secure }
      gateway_ip: { get_param: subnet_secure_gateway_ip }
      allocation_pools: [{"end": {get_param: subnet_secure_allocation_end},"start": {get_param: subnet_secure_allocation_start}}]
:
---------------------

param.txt
-------------------------------
availability_zone=xxx;...;subnet_secure_allocation_end=172.16.16.250;subnet_secure_allocation_start=172.16.16.240
-------------------------------

2. Execute 'heat stack-create' command with these files.
$ heat stack-create -f template.yaml -P `cat param.txt` stack_name

Then, 'subnet_secure_allocation_start', or the last parameter of param.txt contains a trailing CR code.
This parameter is given to neutron as a start IP address of allocation_pools.
The trailing CR code passes IP address validation and causes ovs-agent to crash.

The CR code was accepted.
$ neutron subnet-show xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+------------------+------------------------------------------------------+
| Field | Value |
+------------------+------------------------------------------------------+
| allocation_pools | {"start": "172.16.16.240\r", "end": "172.16.16.250"} |

The error occurred in ovs-agent.
--------------------------------------
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent RuntimeError:
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'iptables-restore', '-c']
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Exit code: 2
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Stdout: ''
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Stderr: "iptables-restore v1.4.7: host/network `172.16.16.240\r' notfound\nError occurred at line: 220\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"
--------------------------------------

It is critical that a tenant user's operation mistake affects whole system.
We think the validation should reject parameters with trailing CR codes.

See original description

Tags:

Hironori Shiina (shiina-hironori) on 2014-11-17

Changed in neutron:
assignee:	nobody → Hironori Shiina (shiina-hironori)

Eugene Nikanorov (enikanorov) on 2014-11-17

tags:	added: api
Changed in neutron:
importance:	Undecided → Low
status:	New → Confirmed

Hironori Shiina (shiina-hironori) on 2014-11-26

description:

updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-26: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/137288

Changed in neutron:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-27: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/137288
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7af435ca40aa222c3f164a3750e8f11694fdcfc6
Submitter: Jenkins
Branch: master

commit 7af435ca40aa222c3f164a3750e8f11694fdcfc6
Author: Hironori Shiina <email address hidden>
Date: Wed Nov 26 13:41:06 2014 +0900

Reject trailing whitespaces in IP address

    Trailing whitespaces in IP address or CIDR pass API validation. These
    whitespaces sometimes cause serious troubles. For instance, a trailing
    CR code in allocation pools cause an ovs-agent to crash when calling
    iptables. In this case, a tenant user's operation mistake affects whole
    system.

    By modifying _validate_no_whitespace() to reject data with whitespaces
    in the beginning and the end, the IP address and CIDR validation
    detects invalid attributes. The MAC address validation already rejects
    these whitespaces.

Change-Id: Id4589236cfd44c2fd5956c5ab4ab6871381a0c34
Closes-Bug: #1393329

Changed in neutron:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-12-18

Changed in neutron:
milestone:	none → kilo-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-04-30

Changed in neutron:
milestone:	kilo-1 → 2015.1.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.