security: resolve incorrect type conversions (#21251)

* security: resolve incorrect type conversions

* add changelog

* fix more incorrect type conversions
Deniz Onur Duzgun 2024-06-04 17:55:53 -04:00 committed by GitHub
parent cb7ae646da
commit 68a7648d14
7 changed files with 48 additions and 25 deletions

.changelog/21251.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
core: Fix multiple incorrect type conversion for potential overflows
```


@ -175,6 +175,10 @@ func (r V2ConsulRegistrator) createWorkloadFromMember(member serf.Member, parts
workloadMeta["grpc_tls_port"] = strconv.Itoa(parts.ExternalGRPCTLSPort) workloadMeta["grpc_tls_port"] = strconv.Itoa(parts.ExternalGRPCTLSPort)
} }
if parts.Port < 0 || parts.Port > 65535 {
return nil, fmt.Errorf("invalid port: %d", parts.Port)
}
workload := &pbcatalog.Workload{ workload := &pbcatalog.Workload{
Addresses: []*pbcatalog.WorkloadAddress{ Addresses: []*pbcatalog.WorkloadAddress{
{Host: member.Addr.String(), Ports: []string{consulPortNameServer}}, {Host: member.Addr.String(), Ports: []string{consulPortNameServer}},
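Review bot: The new `if parts.Port < 0 || parts.Port > 65535` check rejects the value, but the error it returns carries only the number, so whoever logs it cannot tell which member was rejected; `return nil, fmt.Errorf("invalid port %d for member %q", parts.Port, member.Name)` would keep that context. A named bound such as `math.MaxUint16` instead of the literal 65535 would also tie this check to the three sibling checks in this commit (makeHostPortEndpoint, makeListenerWithDefault, MakeAddress) that repeat the same literal. createWorkloadFromMember starts and ends outside the hunk.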


@ -301,14 +301,17 @@ func (s *Converter) filterSubsetEndpoints(subset *structs.ServiceResolverSubset,
// used in clusters.go // used in clusters.go
func makeHostPortEndpoint(host string, port int) *pbproxystate.Endpoint { func makeHostPortEndpoint(host string, port int) *pbproxystate.Endpoint {
return &pbproxystate.Endpoint{ if port >= 0 && port <= 65535 {
Address: &pbproxystate.Endpoint_HostPort{ return &pbproxystate.Endpoint{
HostPort: &pbproxystate.HostPortAddress{ Address: &pbproxystate.Endpoint_HostPort{
Host: host, HostPort: &pbproxystate.HostPortAddress{
Port: uint32(port), Host: host,
Port: uint32(port),
},
}, },
}, }
} }
return nil
} }
func makeUnixSocketEndpoint(path string) *pbproxystate.Endpoint { func makeUnixSocketEndpoint(path string) *pbproxystate.Endpoint {
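Review bot: Returning nil when port is outside 0..65535 silently changes makeHostPortEndpoint's contract, and nothing in the hunk shows callers checking for nil, so an invalid port now risks a nil dereference or a nil entry in an endpoint list where the old code truncated; the same pattern is introduced in makeListenerWithDefault and in the exported MakeAddress. Since the signatures are kept, the minimum is a doc comment stating the new behaviour, e.g. `// makeHostPortEndpoint returns nil when port is outside the valid 0-65535 range; callers must check for nil.`, and MakeAddress, being exported, needs the same sentence in its doc comment. Whether callers would rather receive an error, or have the range check hoisted to where the port is parsed, cannot be judged from these hunks.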


@ -764,17 +764,20 @@ func makeListenerWithDefault(opts makeListenerOpts) *pbproxystate.Listener {
// // Since access logging is non-essential for routing, warn and move on // // Since access logging is non-essential for routing, warn and move on
// opts.logger.Warn("error generating access log xds", err) // opts.logger.Warn("error generating access log xds", err)
//} //}
return &pbproxystate.Listener{ if opts.port >= 0 && opts.port <= 65535 {
Name: fmt.Sprintf("%s:%s:%d", opts.name, opts.addr, opts.port), return &pbproxystate.Listener{
//AccessLog: accessLog, Name: fmt.Sprintf("%s:%s:%d", opts.name, opts.addr, opts.port),
BindAddress: &pbproxystate.Listener_HostPort{ //AccessLog: accessLog,
HostPort: &pbproxystate.HostPortAddress{ BindAddress: &pbproxystate.Listener_HostPort{
Host: opts.addr, HostPort: &pbproxystate.HostPortAddress{
Port: uint32(opts.port), Host: opts.addr,
Port: uint32(opts.port),
},
}, },
}, Direction: opts.direction,
Direction: opts.direction, }
} }
return nil
} }
func makePipeListener(opts makeListenerOpts) *pbproxystate.Listener { func makePipeListener(opts makeListenerOpts) *pbproxystate.Listener {


@ -53,16 +53,19 @@ func MakePipeAddress(path string, mode uint32) *envoy_core_v3.Address {
} }
func MakeAddress(ip string, port int) *envoy_core_v3.Address { func MakeAddress(ip string, port int) *envoy_core_v3.Address {
return &envoy_core_v3.Address{ if port >= 0 && port <= 65535 {
Address: &envoy_core_v3.Address_SocketAddress{ return &envoy_core_v3.Address{
SocketAddress: &envoy_core_v3.SocketAddress{ Address: &envoy_core_v3.Address_SocketAddress{
Address: ip, SocketAddress: &envoy_core_v3.SocketAddress{
PortSpecifier: &envoy_core_v3.SocketAddress_PortValue{ Address: ip,
PortValue: uint32(port), PortSpecifier: &envoy_core_v3.SocketAddress_PortValue{
PortValue: uint32(port),
},
}, },
}, },
}, }
} }
return nil
} }
func MakeUint32Value(n int) *wrapperspb.UInt32Value { func MakeUint32Value(n int) *wrapperspb.UInt32Value {
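Review bot: `func MakeUint32Value(n int)` begins directly after the hunk and, going by its signature, appears to perform the same int-to-uint32 narrowing that this change now guards in MakeAddress; if its body is an unchecked `uint32(n)` it deserves the same range check, or a comment stating why its inputs are already bounded. Its body is outside the hunk, so this is an inference to confirm rather than a defect visible here.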


@ -125,15 +125,15 @@ func stringToEnvoyVersion(vs string) (*envoy_type_v3.SemanticVersion, bool) {
return nil, false return nil, false
} }
major, err := strconv.Atoi(parts[0]) major, err := strconv.ParseUint(parts[0], 10, 32)
if err != nil { if err != nil {
return nil, false return nil, false
} }
minor, err := strconv.Atoi(parts[1]) minor, err := strconv.ParseUint(parts[1], 10, 32)
if err != nil { if err != nil {
return nil, false return nil, false
} }
patch, err := strconv.Atoi(parts[2]) patch, err := strconv.ParseUint(parts[2], 10, 32)
if err != nil { if err != nil {
return nil, false return nil, false
} }
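Review bot: The switch from Atoi to `strconv.ParseUint(parts[0], 10, 32)` is what makes the later narrowing of major, minor and patch safe, but nothing says so, and the bitSize argument reads like an arbitrary choice; a comment above the first parse such as `// bitSize 32 guarantees the values fit SemanticVersion's uint32 fields without truncation` would protect it from being changed back. ParseUint also rejects a leading "+" that Atoi accepted, a small tightening worth a mention in the function's doc comment if any caller feeds externally supplied version strings. The tail of stringToEnvoyVersion, where the values are presumably converted to uint32, is outside the hunk.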


@ -10,6 +10,7 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"io" "io"
"math"
"net" "net"
"net/http" "net/http"
"net/url" "net/url"
@ -1181,6 +1182,9 @@ func parseQueryMeta(resp *http.Response, q *QueryMeta) error {
if err != nil { if err != nil {
return fmt.Errorf("Failed to parse X-Consul-LastContact: %v", err) return fmt.Errorf("Failed to parse X-Consul-LastContact: %v", err)
} }
if last > math.MaxInt64 {
return fmt.Errorf("X-Consul-LastContact Header value is out of range: %d", last)
}
q.LastContact = time.Duration(last) * time.Millisecond q.LastContact = time.Duration(last) * time.Millisecond
// Parse the X-Consul-KnownLeader // Parse the X-Consul-KnownLeader
@ -1222,6 +1226,9 @@ func parseQueryMeta(resp *http.Response, q *QueryMeta) error {
if err != nil { if err != nil {
return fmt.Errorf("Failed to parse Age Header: %v", err) return fmt.Errorf("Failed to parse Age Header: %v", err)
} }
if age > math.MaxInt64 {
return fmt.Errorf("Age Header value is out of range: %d", last)
}
q.CacheAge = time.Duration(age) * time.Second q.CacheAge = time.Duration(age) * time.Second
} }
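Review bot: The error at `return fmt.Errorf("Age Header value is out of range: %d", last)` reports `last` instead of `age`, so an out-of-range Age header would print the X-Consul-LastContact value; it should read `return fmt.Errorf("Age Header value is out of range: %d", age)`. The bound itself only guards the `time.Duration(age)` conversion, not the multiplication by `time.Second` on the next line, which still overflows for any age above math.MaxInt64/1e9; the `last` check in the first hunk has the same gap with `time.Millisecond`. Comparing against `uint64(math.MaxInt64/time.Second)` and `uint64(math.MaxInt64/time.Millisecond)` respectively closes it, assuming both values are parsed as uint64 as the comparisons against math.MaxInt64 suggest. parseQueryMeta starts and ends outside these hunks.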