[libvirt] [PATCH] network: verify proper address family in updates to <host> and <range>

Laine Stump laine at laine.org
Mon Jan 19 22:04:01 UTC 2015


By specifying parentIndex in a call to virNetworkUpdate(), it was
possible to direct libvirt to add a dhcp range or static host of a
non-matching address family to the <dhcp> element of an <ip>. For
example, given:

 <ip address='192.168.122.1' netmask='255.255.255.0'/>
 <ip family='ipv6' address='2001:db6:ca3:45::1' prefix='64'/>

you could provide a static host entry with an IPv4 address, and
specify that it be added to the 2nd <ip> element (index 1):

  virsh net-update default add ip-dhcp-host --parent-index 1 \
  '<host mac="52:54:00:00:00:01" ip="192.168.122.45"/>'

This would be happily added with no error (and no concern of any
possible future consequences).

This patch checks that any dhcp range or host element being added to a
network ip's <dhcp> subelement has addresses of the same family as the
ip element they are being added to.

This problem was noticed when looking at the reproduction case for
https://bugzilla.redhat.com/show_bug.cgi?id=1182486 (but is not a
solution to that bug).
---
 src/conf/network_conf.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 23ec369..15501ec 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -1,7 +1,7 @@
 /*
  * network_conf.c: network XML handling
  *
- * Copyright (C) 2006-2014 Red Hat, Inc.
+ * Copyright (C) 2006-2015 Red Hat, Inc.
  * Copyright (C) 2006-2008 Daniel P. Berrange
  *
  * This library is free software; you can redistribute it and/or
@@ -3285,6 +3285,14 @@ virNetworkDefUpdateIPDHCPHost(virNetworkDefPtr def,
                                       &host, partialOkay) < 0)
         goto cleanup;
 
+    if (VIR_SOCKET_ADDR_FAMILY(&ipdef->address)
+        != VIR_SOCKET_ADDR_FAMILY(&host.ip)) {
+        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+                       _("the address family of a host entry IP must match "
+                         "the address family of the dhcp element's parent"));
+        goto cleanup;
+    }
+
     if (command == VIR_NETWORK_UPDATE_COMMAND_MODIFY) {
 
         /* search for the entry with this (ip|mac|name),
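Review bot: In virNetworkDefUpdateIPDHCPHost the new family check sits ahead of the `command == VIR_NETWORK_UPDATE_COMMAND_MODIFY` branch, so it runs for every command. The parse just above it is passed partialOkay, and the comment that follows says entries are found by "(ip|mac|name)". If a <host> identified only by mac or name is accepted on that path, host.ip carries no address family and this comparison would reject the request with an error about mismatched families. Consider skipping the check when no ip was supplied (for example by testing partialOkay or whether host.ip is set). A test that deletes a host by mac alone would cover this.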
@@ -3422,6 +3430,14 @@ virNetworkDefUpdateIPDHCPRange(virNetworkDefPtr def,
     if (virSocketAddrRangeParseXML(def->name, ctxt->node, &range) < 0)
         goto cleanup;
 
+    if (VIR_SOCKET_ADDR_FAMILY(&ipdef->address)
+        != VIR_SOCKET_ADDR_FAMILY(&range.start)) {
+        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+                       _("the address family of a dhcp range must match "
+                         "the address family of the dhcp element's parent"));
+        goto cleanup;
+    }
+
     /* check if an entry with same name/address/ip already exists */
     for (i = 0; i < ipdef->nranges; i++) {
         if (virSocketAddrEqual(&range.start, &ipdef->ranges[i].start) &&
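Review bot: In virNetworkDefUpdateIPDHCPRange only `range.start` is compared with `ipdef->address`; range.end is never looked at in this hunk. Please confirm that virSocketAddrRangeParseXML already rejects a range whose start and end are of different families, or compare range.end here as well. This is also the second copy of the same test and near-identical message, so a small shared helper that takes the parent address and the candidate address would keep the two paths from drifting apart. The error text could also name the network (def->name is already in scope) so that the caller can tell which <ip> element rejected the update.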
-- 
1.9.3



