prometheanfire    14/07/17 09:17:53

  Added:                neutron-2014.1.1-CVE-2014-3555.patch
  Log:
  fix for CVE-2014-3555
  
  (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 
0x2471eb3e40ac5ac3)

Revision  Changes    Path
1.1                  
sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch?rev=1.1&content-type=text/plain

Index: neutron-2014.1.1-CVE-2014-3555.patch
===================================================================
diff --git a/neutron/extensions/allowedaddresspairs.py 
b/neutron/extensions/allowedaddresspairs.py
index 96512f3..1283da4 100644
--- a/neutron/extensions/allowedaddresspairs.py
+++ b/neutron/extensions/allowedaddresspairs.py
@@ -16,6 +16,15 @@ import webob.exc
 
 from neutron.api.v2 import attributes as attr
 from neutron.common import exceptions as nexception
+from oslo.config import cfg
+
+allowed_address_pair_opts = [
+    #TODO(limao): use quota framework when it support quota for attributes
+    cfg.IntOpt('max_allowed_address_pair', default=10,
+               help=_("Maximum number of allowed address pairs")),
+]
+
+cfg.CONF.register_opts(allowed_address_pair_opts)
 
 
 class AllowedAddressPairsMissingIP(nexception.InvalidInput):
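Review bot: The help string for `max_allowed_address_pair` does not say what the limit is counted against. The check added later in this patch compares it with the length of a single `address_pairs` value, which appears to be one port's list, so `help=_("Maximum number of allowed address pairs per port")` would tell operators what they are tuning. Nothing visible constrains the configured value either: a negative setting would make `len(address_pairs) > cfg.CONF.max_allowed_address_pair` true even for an empty list and reject every request. A short comment stating that the value must be non-negative, or a startup check, would cover that.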
@@ -36,8 +45,17 @@ class 
AddressPairMatchesPortFixedIPAndMac(nexception.InvalidInput):
     message = _("Port's Fixed IP and Mac Address match an address pair entry.")
 
 
+class AllowedAddressPairExhausted(nexception.BadRequest):
+    message = _("The number of allowed address pair "
+                "exceeds the maximum %(quota)s.")
+
+
 def _validate_allowed_address_pairs(address_pairs, valid_values=None):
     unique_check = {}
+    if len(address_pairs) > cfg.CONF.max_allowed_address_pair:
+        raise AllowedAddressPairExhausted(
+            quota=cfg.CONF.max_allowed_address_pair)
+
     for address_pair in address_pairs:
         # mac_address is optional, if not set we use the mac on the port
         if 'mac_address' in address_pair:
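Review bot: `len(address_pairs)` now runs before anything in the visible part of `_validate_allowed_address_pairs` confirms that the value is a list, so a `null` value would raise `TypeError` and a string would be measured in characters rather than entries. The API layer may already normalise the attribute, but that is not visible here. If it does not, a guard ahead of the count, `if not isinstance(address_pairs, list):` followed by a 400-class error, keeps malformed input on the validation path instead of surfacing as a server error. The function body continues past the end of the hunk.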
diff --git a/neutron/tests/unit/test_extension_allowedaddresspairs.py 
b/neutron/tests/unit/test_extension_allowedaddresspairs.py
index 826768f..70eb1e3 100644
--- a/neutron/tests/unit/test_extension_allowedaddresspairs.py
+++ b/neutron/tests/unit/test_extension_allowedaddresspairs.py
@@ -22,6 +22,7 @@ from neutron.extensions import allowedaddresspairs as 
addr_pair
 from neutron.extensions import portsecurity as psec
 from neutron.manager import NeutronManager
 from neutron.tests.unit import test_db_plugin
+from oslo.config import cfg
 
 DB_PLUGIN_KLASS = ('neutron.tests.unit.test_extension_allowedaddresspairs.'
                    'AllowedAddressPairTestPlugin')
@@ -163,6 +164,28 @@ class 
TestAllowedAddressPairs(AllowedAddressPairDBTestCase):
                           'ip_address': '10.0.0.1'}]
         self._create_port_with_address_pairs(address_pairs, 400)
 
+    def test_more_than_max_allowed_address_pair(self):
+        cfg.CONF.set_default('max_allowed_address_pair', 3)
+        address_pairs = [{'mac_address': '00:00:00:00:00:01',
+                          'ip_address': '10.0.0.1'},
+                         {'mac_address': '00:00:00:00:00:02',
+                          'ip_address': '10.0.0.2'},
+                         {'mac_address': '00:00:00:00:00:03',
+                          'ip_address': '10.0.0.3'},
+                         {'mac_address': '00:00:00:00:00:04',
+                          'ip_address': '10.0.0.4'}]
+        self._create_port_with_address_pairs(address_pairs, 400)
+
+    def test_equal_to_max_allowed_address_pair(self):
+        cfg.CONF.set_default('max_allowed_address_pair', 3)
+        address_pairs = [{'mac_address': '00:00:00:00:00:01',
+                          'ip_address': '10.0.0.1'},
+                         {'mac_address': '00:00:00:00:00:02',
+                          'ip_address': '10.0.0.2'},
+                         {'mac_address': '00:00:00:00:00:03',
+                          'ip_address': '10.0.0.3'}]
+        self._create_port_with_address_pairs(address_pairs, 201)
+
     def test_create_port_extra_args(self):
         address_pairs = [{'mac_address': '00:00:00:00:00:01',
                           'ip_address': '10.0.0.1',
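Review bot: Both new tests exercise the limit only through port creation; nothing in this hunk sends an update that grows an existing port's list past `max_allowed_address_pair`, which is the other way the list can exceed the cap. A `test_update_...` case asserting 400 would pin that the validator is also reached on update; it presumably is, since the check lives in the attribute validator, but that wiring is outside the diff. Separately, `cfg.CONF.set_default('max_allowed_address_pair', 3)` changes process-wide configuration and no restore is visible in either test. Unless the base test case resets `cfg.CONF`, using `cfg.CONF.set_override(...)` paired with `self.addCleanup(cfg.CONF.clear_override, 'max_allowed_address_pair')` would keep the value from leaking into other tests.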
@@ -174,8 +197,10 @@ class 
TestAllowedAddressPairs(AllowedAddressPairDBTestCase):
             res = self._create_port(self.fmt, net['network']['id'],
                                     arg_list=(addr_pair.ADDRESS_PAIRS,),
                                     allowed_address_pairs=address_pairs)
-            self.deserialize(self.fmt, res)
+            port = self.deserialize(self.fmt, res)
             self.assertEqual(res.status_int, ret_code)
+            if ret_code == 201:
+                self._delete('ports', port['port']['id'])
 
     def test_update_add_address_pairs(self):
         with self.network() as net:
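Review bot: The new `if ret_code == 201:` branch deletes the created port but carries no comment saying why this helper now has to clean up. If the reason is that the enclosing network cannot be torn down while a port still exists, a one-line comment such as `# delete the port so the enclosing network() context can remove the network` would record it; the `with` block that would confirm this starts outside the hunk. `port['port']['id']` is only safe because `assertEqual` on the status runs first, and that ordering is worth stating in the same comment. The delete is also skipped when the assertion fails, so a failing test may leave the port behind.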




