yahoo-eng-team team mailing list archive
Message #25807
[Bug 1393329] Re: Trailing whitespaces pass IP address validation
** Changed in: neutron
Status: Fix Committed => Fix Released
** Changed in: neutron
Milestone: None => kilo-1
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1393329
Title:
Trailing whitespaces pass IP address validation
Status in OpenStack Neutron (virtual network service):
Fix Released
Bug description:
API attributes validation doesn't detect a trailing CR code.
By the following operations, a CR code causes serious trouble.
1. Create files in Windows (newline characters are CR+LF) for heat.
template.yaml
---------------------
:
parameters:
  subnet_secure_allocation_start:
    type: string
    description: Allocation of the secure subnet.
:
resources:
  swift_network_secure:
    type: OS::Neutron::Net
    properties:
      name: { get_param: network_secure_name }
  swift_ctl_subnet_secure:
    type: OS::Neutron::Subnet
    depends_on: swift_network_secure
    properties:
      cidr: { get_param: subnet_secure_cidr }
      name: { get_param: subnet_secure_name }
      network_id: { get_resource: swift_network_secure }
      gateway_ip: { get_param: subnet_secure_gateway_ip }
      allocation_pools: [{"end": {get_param: subnet_secure_allocation_end},"start": {get_param: subnet_secure_allocation_start}}]
:
---------------------
param.txt
-------------------------------
availability_zone=xxx;...;subnet_secure_allocation_end=172.16.16.250;subnet_secure_allocation_start=172.16.16.240
-------------------------------
2. Execute 'heat stack-create' command with these files.
$ heat stack-create -f template.yaml -P `cat param.txt` stack_name
Then, 'subnet_secure_allocation_start', or the last parameter of param.txt, contains a trailing CR code.
This parameter is given to neutron as a start IP address of allocation_pools.
The trailing CR code passes IP address validation and causes ovs-agent to crash.
The CR code was accepted.
$ neutron subnet-show xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+------------------+------------------------------------------------------+
| Field | Value |
+------------------+------------------------------------------------------+
| allocation_pools | {"start": "172.16.16.240\r", "end": "172.16.16.250"} |
The error occurred in ovs-agent.
--------------------------------------
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent RuntimeError:
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'iptables-restore', '-c']
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Exit code: 2
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Stdout: ''
2014-11-05 12:35:32.046 16862 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Stderr: "iptables-restore v1.4.7: host/network `172.16.16.240\r' notfound\nError occurred at line: 220\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"
--------------------------------------
It is critical that a tenant user's operation mistake affects the whole system.
We think the validation should reject parameters with trailing CR codes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1393329/+subscriptions
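The failure class described in the report above, as an added example that is not part of the original message and is not neutron's code: a lenient check built on Python's int(), which silently strips surrounding whitespace, beside a strict check that rejects any whitespace before parsing. The function names and the lenient validator are constructed for illustration; the sample value mirrors the subnet-show output in the report.

```python
import ipaddress


def lenient_is_valid_ipv4(value):
    """Illustrative weak check: int() strips whitespace, so '240\\r' parses as 240."""
    parts = value.split(".")
    if len(parts) != 4:
        return False
    try:
        return all(0 <= int(p) <= 255 for p in parts)
    except ValueError:
        return False


def strict_ip_error(value):
    """Return None if value is a clean IP address string, else a reason."""
    if not isinstance(value, str):
        return "is not a string"
    # Reject CR, LF, tabs and spaces anywhere, before any parser sees them.
    if any(ch.isspace() for ch in value):
        return "contains whitespace: %r" % value
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return "is not a valid IP address: %r" % value
    return None


def validate_allocation_pools(pools):
    """Check every start/end of an allocation_pools list; return error strings."""
    errors = []
    for i, pool in enumerate(pools):
        for key in ("start", "end"):
            reason = strict_ip_error(pool.get(key))
            if reason:
                errors.append("allocation_pools[%d].%s %s" % (i, key, reason))
    return errors


# Constructed sample mirroring the allocation_pools value shown in the report.
SAMPLE_POOLS = [{"start": "172.16.16.240\r", "end": "172.16.16.250"}]

if __name__ == "__main__":
    print("lenient accepts:", lenient_is_valid_ipv4(SAMPLE_POOLS[0]["start"]))
    for err in validate_allocation_pools(SAMPLE_POOLS):
        print("strict rejects:", err)
```

Rejecting at the API boundary keeps the malformed value out of the stored subnet, so it never reaches the rule set the agent hands to iptables-restore.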