Remove dhcp_extra_opt value after first newline character

Passing newline to the dnsmasq may cause security issues, especially
that in case of Neutron that dhcp options' values are controlled by
cloud users.
This patch removes everything what is after first newline character
in the dhcp_extra_opt's values before passing them to dnsmasq.

Closes-Bug: #1939733
Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e
changes/46/806746/1
Slawek Kaplonski 1 year ago
parent a2ffbfa552
commit df891f0593
  1. 7
      neutron/agent/linux/dhcp.py
  2. 7
      neutron/tests/unit/agent/linux/test_dhcp.py
  3. 6
      releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml

@ -1322,10 +1322,11 @@ class Dnsmasq(DhcpLocalProcess):
elif not option.isdigit():
option = 'option:%s' % option
if extra_tag:
tags = ('tag:' + tag, extra_tag[:-1], '%s' % option)
tags = ['tag:' + tag, extra_tag[:-1], '%s' % option]
else:
tags = ('tag:' + tag, '%s' % option)
return ','.join(tags + args)
tags = ['tag:' + tag, '%s' % option]
return ','.join(tags + [v.split("\n", 1)[0] for v in args])
@staticmethod
def _convert_to_literal_addrs(ip_version, ips):

@ -230,6 +230,9 @@ class FakeV6PortExtraOpt(object):
self.extra_dhcp_opts = [
DhcpOpt(opt_name='dns-server',
opt_value='ffea:3ba5:a17a:4ba3::100',
ip_version=constants.IP_VERSION_6),
DhcpOpt(opt_name='malicious-option',
opt_value='aaa\nbbb.ccc\n',
ip_version=constants.IP_VERSION_6)]
@ -2910,7 +2913,9 @@ class TestDnsmasq(TestBase):
exp_opt_data = ('tag:subnet-eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee,'
'option6:domain-search,openstacklocal\n'
'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
'option6:dns-server,ffea:3ba5:a17a:4ba3::100').lstrip()
'option6:dns-server,ffea:3ba5:a17a:4ba3::100\n'
'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
'option6:malicious-option,aaa').lstrip()
dm = self._get_dnsmasq(FakeV6NetworkStatelessDHCP())
dm._output_hosts_file()
dm._output_opts_file()

@ -0,0 +1,6 @@
---
security:
- |
Fix `bug 1939733 <https://bugs.launchpad.net/neutron/+bug/1939733>`_ by
dropping from the dhcp extra option values everything what is after first
newline (``\n``) character before passing them to the dnsmasq.
Loading…
Cancel
Save