projects / openvswitch / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 986b77c) | patch
Don't accept unix: connections, etc. in OpenFlow controller discovery.
authorBen Pfaff <blp@nicira.com>
Thu, 11 Jun 2009 20:02:33 +0000 (13:02 -0700)
committerBen Pfaff <blp@nicira.com>
Thu, 11 Jun 2009 20:02:33 +0000 (13:02 -0700)
commit12fb742b6f0a08590f9ef8d246cd3f57e87b57de
tree8f736afd822b76d915ef70a29e16424b1d35197btree | snapshot
parent986b77c0991375db253ca600ba532098108f7be8commit | diff
Don't accept unix: connections, etc. in OpenFlow controller discovery.

The controller discovery code has always had the capability to whitelist
only certain types of controller locations.  Until now, we have only taken
advantage of this when SSL is enabled (so that all OpenFlow connections are
authenticated with SSL if SSL is configured).

However, it occurs to me that making the section of connections entirely
unrestricted is too permissive.  An attacker could make the vswitch connect
to an arbitrary Unix domain socket, for example.  I don't have a
description of how this is an exploitable security vulnerability, but it
seems entirely too lax.

So: this commit changes the default to allowing only TCP connections to
controller in the non-SSL case.
secchan/discovery.c diff | blob | history
secchan/main.c diff | blob | history
secchan/secchan.8.in diff | blob | history
utilities/ovs-discover.8.in diff | blob | history
utilities/ovs-discover.c diff | blob | history
vswitchd/ovs-vswitchd.conf.5.in diff | blob | history
Unnamed repository; edit this file to name it for gitweb.