Don't accept unix: connections, etc. in OpenFlow controller discovery.

The controller discovery code has always had the capability to whitelist
only certain types of controller locations.  Until now, we have only taken
advantage of this when SSL is enabled (so that all OpenFlow connections are
authenticated with SSL if SSL is configured).

However, it occurs to me that making the section of connections entirely
unrestricted is too permissive.  An attacker could make the vswitch connect
to an arbitrary Unix domain socket, for example.  I don't have a
description of how this is an exploitable security vulnerability, but it
seems entirely too lax.

So: this commit changes the default to allowing only TCP connections to
controller in the non-SSL case.

diff --git a/secchan/discovery.c b/secchan/discovery.c
index 06de6f07c36f1953f852ec15c12f8cb1dfb9ec2a..92d0d928b361aa36fd3bc5e0fabcce711ba63fa3 100644 (file)
--- a/secchan/discovery.c
+++ b/secchan/discovery.c
@@ -168,7 +168,7 @@ discovery_set_accept_controller_re(struct discovery *d, const char *re_)
     int error;
     char *re;
 
-    re = (!re_ ? xstrdup(vconn_ssl_is_configured() ? "^ssl:.*" : ".*")
+    re = (!re_ ? xstrdup(vconn_ssl_is_configured() ? "^ssl:.*" : "^tcp:.*")
           : re_[0] == '^' ? xstrdup(re_) : xasprintf("^%s", re_));
     regex = xmalloc(sizeof *regex);
     error = regcomp(regex, re, REG_NOSUB | REG_EXTENDED);

diff --git a/secchan/main.c b/secchan/main.c
index ca385766c80bea45d8cca08f3068964513e72257..c9cfc64e957fffa7d9ecdb23e851fab633b11992 100644 (file)
--- a/secchan/main.c
+++ b/secchan/main.c
@@ -497,7 +497,8 @@ parse_options(int argc, char *argv[], struct ofsettings *s)
 
     /* Set accept_controller_regex. */
     if (!s->accept_controller_re) {
-        s->accept_controller_re = vconn_ssl_is_configured() ? "^ssl:.*" : ".*";
+        s->accept_controller_re
+            = vconn_ssl_is_configured() ? "^ssl:.*" : "^tcp:.*";
     }
 
     /* Mode of operation. */

diff --git a/secchan/secchan.8.in b/secchan/secchan.8.in
index b40842a965a597890338703ee22b7bdc2f5a25a0..bbab7fba6f3c66811e2176a9a4e404005da89d23 100644 (file)
--- a/secchan/secchan.8.in
+++ b/secchan/secchan.8.in
@@ -182,8 +182,8 @@ names match the regular expression will be accepted.
 The default regular expression is \fBssl:.*\fR (meaning that only SSL
 controller connections will be accepted) when any of the SSL
 configuration options \fB--private-key\fR, \fB--certificate\fR, or
-\fB--ca-cert\fR is specified.  The default is \fB.*\fR otherwise
-(meaning that any controller will be accepted).
+\fB--ca-cert\fR is specified.  The default is \fB^tcp:.*\fR otherwise
+(meaning that only TCP controller connections will be accepted).
 
 The \fIregex\fR is implicitly anchored at the beginning of the
 controller location string, as if it begins with \fB^\fR.

diff --git a/utilities/ovs-discover.8.in b/utilities/ovs-discover.8.in
index d38ce9ee772d00bd62176959b89b80a6b178d320..eb83a5f87a2a894e5d85dc98f67e5868b3205467 100644 (file)
--- a/utilities/ovs-discover.8.in
+++ b/utilities/ovs-discover.8.in
@@ -28,15 +28,16 @@ itself to the background.
 .SH OPTIONS
 .TP
 \fB--accept-vconn=\fIregex\fR
-By default, \fBovs\-discover\fR accepts any controller location
-advertised over DHCP.  With this option, only controllers whose names
-match POSIX extended regular expression \fIregex\fR will be accepted.
-Specifying \fBssl:.*\fR for \fIregex\fR, for example, would cause only
-SSL controller connections to be accepted.
+With this option, only controllers whose names match POSIX extended
+regular expression \fIregex\fR will be accepted.  Specifying
+\fBssl:.*\fR for \fIregex\fR, for example, would cause only SSL
+controller connections to be accepted.
 
 The \fIregex\fR is implicitly anchored at the beginning of the
 controller location string, as if it begins with \fB^\fR.
 
+When this option is not given, the default \fIregex\fR is
+\fBtcp:.*\fR.
 .TP
 \fB--exit-without-bind\fR
 By default, \fBovs\-discover\fR binds the network device that receives

diff --git a/utilities/ovs-discover.c b/utilities/ovs-discover.c
index b664321ff392d400b827d2d047524ed4fcbc7d23..f47edc7215033d057859f04f041076c10edd3028 100644 (file)
--- a/utilities/ovs-discover.c
+++ b/utilities/ovs-discover.c
@@ -48,7 +48,7 @@ static int n_ifaces;
 
 /* --accept-vconn: Regular expression specifying the class of controller vconns
  * that we will accept during autodiscovery. */
-static const char *accept_controller_re = ".*";
+static const char *accept_controller_re = "tcp:.*";
 static regex_t accept_controller_regex;
 
 /* --exit-without-bind: Exit after discovering the controller, without binding

diff --git a/vswitchd/ovs-vswitchd.conf.5.in b/vswitchd/ovs-vswitchd.conf.5.in
index 81e007fbb39e5c37bccbdafb1b21d0be3dee9093..de0d6ea2f3b6cdaeef7cac93462b562ca7a9f878 100644 (file)
--- a/vswitchd/ovs-vswitchd.conf.5.in
+++ b/vswitchd/ovs-vswitchd.conf.5.in
@@ -410,8 +410,8 @@ the regular expression will be accepted.
 .IP
 The default regular expression is \fBssl:.*\fR, meaning that only SSL
 controller connections will be accepted, when SSL is configured (see
-\fBSSL Configuration\fR), and \fB.*\fR otherwise, meaning that any
-controller will be accepted.
+\fBSSL Configuration\fR), and \fBtcp:.*\fR otherwise, meaning that only
+TCP controller connections will be accepted.
 .IP
 The regular expression is implicitly anchored at the beginning of the
 controller location string, as if it begins with \fB^\fR.