mirror of https://github.com/hashicorp/consul
security: resolve incorrect type conversions (#21251)
* security: resolve incorrect type conversions
* add changelog
* fix more incorrect type conversions
pull/21260/merge
parent
cb7ae646da
commit
68a7648d14
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
core: Fix multiple incorrect type conversion for potential overflows
|
||||
```
|
|
@ -175,6 +175,10 @@ func (r V2ConsulRegistrator) createWorkloadFromMember(member serf.Member, parts
|
|||
workloadMeta["grpc_tls_port"] = strconv.Itoa(parts.ExternalGRPCTLSPort)
|
||||
}
|
||||
|
||||
if parts.Port < 0 || parts.Port > 65535 {
|
||||
return nil, fmt.Errorf("invalid port: %d", parts.Port)
|
||||
}
|
||||
|
||||
workload := &pbcatalog.Workload{
|
||||
Addresses: []*pbcatalog.WorkloadAddress{
|
||||
{Host: member.Addr.String(), Ports: []string{consulPortNameServer}},
|
||||
|
|
|
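Review bot: The error returned by the new range check, `fmt.Errorf("invalid port: %d", parts.Port)`, does not say which member carried the bad port, so an operator reading the log cannot tell which node to fix. Naming the member would make the rejection actionable, e.g. `return nil, fmt.Errorf("invalid port %d for member %q", parts.Port, member.Name)`. The check also gives no hint of which conversion it guards. createWorkloadFromMember continues outside the hunk, so a one-line comment above the `if` naming that conversion would help the next reader.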
@ -301,14 +301,17 @@ func (s *Converter) filterSubsetEndpoints(subset *structs.ServiceResolverSubset,
|
|||
|
||||
// used in clusters.go
|
||||
func makeHostPortEndpoint(host string, port int) *pbproxystate.Endpoint {
|
||||
return &pbproxystate.Endpoint{
|
||||
Address: &pbproxystate.Endpoint_HostPort{
|
||||
HostPort: &pbproxystate.HostPortAddress{
|
||||
Host: host,
|
||||
Port: uint32(port),
|
||||
if port >= 0 && port <= 65535 {
|
||||
return &pbproxystate.Endpoint{
|
||||
Address: &pbproxystate.Endpoint_HostPort{
|
||||
HostPort: &pbproxystate.HostPortAddress{
|
||||
Host: host,
|
||||
Port: uint32(port),
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func makeUnixSocketEndpoint(path string) *pbproxystate.Endpoint {
|
||||
|
|
|
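Review bot: Returning `nil` from makeHostPortEndpoint for a port outside 0-65535 replaces the truncating cast with a silent failure: nothing is logged and the signature gives callers no error to act on. The callers are not visible here (the comment points at clusters.go), but if any of them appends the result to an endpoint list or dereferences it, an out-of-range port would presumably surface later as a nil element or a nil-pointer panic during proxy-state generation rather than as a clear validation error. At minimum the contract should be documented, e.g. `// makeHostPortEndpoint returns nil if port is outside 0-65535; callers must check for nil.`, and the call sites audited for that check. The same pattern is introduced in makeListenerWithDefault and in the exported MakeAddress further down this commit.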
@ -764,17 +764,20 @@ func makeListenerWithDefault(opts makeListenerOpts) *pbproxystate.Listener {
|
|||
// // Since access logging is non-essential for routing, warn and move on
|
||||
// opts.logger.Warn("error generating access log xds", err)
|
||||
//}
|
||||
return &pbproxystate.Listener{
|
||||
Name: fmt.Sprintf("%s:%s:%d", opts.name, opts.addr, opts.port),
|
||||
//AccessLog: accessLog,
|
||||
BindAddress: &pbproxystate.Listener_HostPort{
|
||||
HostPort: &pbproxystate.HostPortAddress{
|
||||
Host: opts.addr,
|
||||
Port: uint32(opts.port),
|
||||
if opts.port >= 0 && opts.port <= 65535 {
|
||||
return &pbproxystate.Listener{
|
||||
Name: fmt.Sprintf("%s:%s:%d", opts.name, opts.addr, opts.port),
|
||||
//AccessLog: accessLog,
|
||||
BindAddress: &pbproxystate.Listener_HostPort{
|
||||
HostPort: &pbproxystate.HostPortAddress{
|
||||
Host: opts.addr,
|
||||
Port: uint32(opts.port),
|
||||
},
|
||||
},
|
||||
},
|
||||
Direction: opts.direction,
|
||||
Direction: opts.direction,
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func makePipeListener(opts makeListenerOpts) *pbproxystate.Listener {
|
||||
|
|
|
@ -53,16 +53,19 @@ func MakePipeAddress(path string, mode uint32) *envoy_core_v3.Address {
|
|||
}
|
||||
|
||||
func MakeAddress(ip string, port int) *envoy_core_v3.Address {
|
||||
return &envoy_core_v3.Address{
|
||||
Address: &envoy_core_v3.Address_SocketAddress{
|
||||
SocketAddress: &envoy_core_v3.SocketAddress{
|
||||
Address: ip,
|
||||
PortSpecifier: &envoy_core_v3.SocketAddress_PortValue{
|
||||
PortValue: uint32(port),
|
||||
if port >= 0 && port <= 65535 {
|
||||
return &envoy_core_v3.Address{
|
||||
Address: &envoy_core_v3.Address_SocketAddress{
|
||||
SocketAddress: &envoy_core_v3.SocketAddress{
|
||||
Address: ip,
|
||||
PortSpecifier: &envoy_core_v3.SocketAddress_PortValue{
|
||||
PortValue: uint32(port),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func MakeUint32Value(n int) *wrapperspb.UInt32Value {
|
||||
|
|
|
@ -125,15 +125,15 @@ func stringToEnvoyVersion(vs string) (*envoy_type_v3.SemanticVersion, bool) {
|
|||
return nil, false
|
||||
}
|
||||
|
||||
major, err := strconv.Atoi(parts[0])
|
||||
major, err := strconv.ParseUint(parts[0], 10, 32)
|
||||
if err != nil {
|
||||
return nil, false
|
||||
}
|
||||
minor, err := strconv.Atoi(parts[1])
|
||||
minor, err := strconv.ParseUint(parts[1], 10, 32)
|
||||
if err != nil {
|
||||
return nil, false
|
||||
}
|
||||
patch, err := strconv.Atoi(parts[2])
|
||||
patch, err := strconv.ParseUint(parts[2], 10, 32)
|
||||
if err != nil {
|
||||
return nil, false
|
||||
}
|
||||
|
|
|
@ -10,6 +10,7 @@ import (
|
|||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"math"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
@ -1181,6 +1182,9 @@ func parseQueryMeta(resp *http.Response, q *QueryMeta) error {
|
|||
if err != nil {
|
||||
return fmt.Errorf("Failed to parse X-Consul-LastContact: %v", err)
|
||||
}
|
||||
if last > math.MaxInt64 {
|
||||
return fmt.Errorf("X-Consul-LastContact Header value is out of range: %d", last)
|
||||
}
|
||||
q.LastContact = time.Duration(last) * time.Millisecond
|
||||
|
||||
// Parse the X-Consul-KnownLeader
|
||||
|
@ -1222,6 +1226,9 @@ func parseQueryMeta(resp *http.Response, q *QueryMeta) error {
|
|||
if err != nil {
|
||||
return fmt.Errorf("Failed to parse Age Header: %v", err)
|
||||
}
|
||||
if age > math.MaxInt64 {
|
||||
return fmt.Errorf("Age Header value is out of range: %d", last)
|
||||
}
|
||||
q.CacheAge = time.Duration(age) * time.Second
|
||||
}
|
||||
|
||||
|
|
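Review bot: The out-of-range error added for the Age header formats the wrong variable: `return fmt.Errorf("Age Header value is out of range: %d", last)` prints the LastContact value and should be `return fmt.Errorf("Age Header value is out of range: %d", age)`. Separately, both new guards in parseQueryMeta compare against `math.MaxInt64` before the value is multiplied by `time.Millisecond` or `time.Second`, so a header value below that bound can still overflow `time.Duration` in the multiplication. Assuming `last` and `age` are `uint64` (their parsing is outside these hunks), bounds such as `if last > math.MaxInt64/uint64(time.Millisecond)` and `if age > math.MaxInt64/uint64(time.Second)` would cover the multiplication as well. Both values come from response headers, so the tighter bound matters whenever the server or an intermediary is not fully trusted.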