Remove dhcp_extra_opt value after first newline character

Passing newline to the dnsmasq may cause security issues, especially that in case of Neutron that dhcp options' values are controlled by cloud users. This patch removes everything what is after first newline character in the dhcp_extra_opt's values before passing them to dnsmasq. Closes-Bug: #1939733 Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e
2021-08-31 15:43:11 +02:00 · 2021-08-31 15:43:11 +02:00 · df891f0593
parent a2ffbfa552
commit df891f0593
3 changed files with 16 additions and 4 deletions
--- a/neutron/agent/linux/dhcp.py
+++ b/neutron/agent/linux/dhcp.py
@ -1322,10 +1322,11 @@ class Dnsmasq(DhcpLocalProcess):
        elif not option.isdigit():
            option = 'option:%s' % option
        if extra_tag:
-            tags = ('tag:' + tag, extra_tag[:-1], '%s' % option)
+            tags = ['tag:' + tag, extra_tag[:-1], '%s' % option]
        else:
-            tags = ('tag:' + tag, '%s' % option)
-        return ','.join(tags + args)
+            tags = ['tag:' + tag, '%s' % option]
+
+        return ','.join(tags + [v.split("\n", 1)[0] for v in args])

    @staticmethod
    def _convert_to_literal_addrs(ip_version, ips):
--- a/neutron/tests/unit/agent/linux/test_dhcp.py
+++ b/neutron/tests/unit/agent/linux/test_dhcp.py
@ -230,6 +230,9 @@ class FakeV6PortExtraOpt(object):
        self.extra_dhcp_opts = [
            DhcpOpt(opt_name='dns-server',
                    opt_value='ffea:3ba5:a17a:4ba3::100',
+                    ip_version=constants.IP_VERSION_6),
+            DhcpOpt(opt_name='malicious-option',
+                    opt_value='aaa\nbbb.ccc\n',
                    ip_version=constants.IP_VERSION_6)]


@ -2910,7 +2913,9 @@ class TestDnsmasq(TestBase):
        exp_opt_data = ('tag:subnet-eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee,'
                        'option6:domain-search,openstacklocal\n'
                        'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
-                        'option6:dns-server,ffea:3ba5:a17a:4ba3::100').lstrip()
+                        'option6:dns-server,ffea:3ba5:a17a:4ba3::100\n'
+                        'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
+                        'option6:malicious-option,aaa').lstrip()
        dm = self._get_dnsmasq(FakeV6NetworkStatelessDHCP())
        dm._output_hosts_file()
        dm._output_opts_file()
--- a/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
+++ b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Fix `bug 1939733 <https://bugs.launchpad.net/neutron/+bug/1939733>`_ by
+    dropping from the dhcp extra option values everything what is after first
+    newline (``\n``) character before passing them to the dnsmasq.