kolan
/
Overlay
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Overlay/sys-cluster/nova/files/2012.2.4-CVE-2013-4185.patch

102 lines
4.4 KiB
Diff
Raw Blame History

From d4ee081c5c0a5132781235177c430ebcf72b0b0b Mon Sep 17 00:00:00 2001
From: Vishvananda Ishaya <vishvananda@gmail.com>
Date: Fri, 19 Jul 2013 10:23:59 -0700
Subject: [PATCH] Use cached nwinfo for secgroup rules
This stops a potential DOS with source security groups by using the
db cached version of the network info instead of calling out to
the network api multiple times.
Fixes bug 1184041
Change-Id: Id5f24ecf0e8cce60c27a9aecbc6e606c4c44d6b6
(cherry picked from commit 85aac04704350566d6b06aa7a3b99649946c672c)
---
nova/db/sqlalchemy/api.py | 2 ++
nova/tests/test_libvirt.py | 4 +++-
nova/tests/test_xenapi.py | 5 +++--
nova/virt/firewall.py | 12 +++---------
4 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index 7fcc4f8..6d3b139 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -3649,6 +3649,8 @@ def security_group_rule_get_by_security_group(context, security_group_id,
return _security_group_rule_get_query(context, session=session).\
filter_by(parent_group_id=security_group_id).\
options(joinedload_all('grantee_group.instances.instance_type')).\
+ options(joinedload('grantee_group.instances.'
+ 'info_cache')).\
all()
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index b26a006..e956eb0 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -3240,7 +3240,9 @@ class IptablesFirewallTestCase(test.TestCase):
from nova.network import linux_net
linux_net.iptables_manager.execute = fake_iptables_execute
- _fake_stub_out_get_nw_info(self.stubs, lambda *a, **kw: network_model)
+ from nova.compute import utils as compute_utils
+ self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
+ lambda instance: network_model)
network_info = network_model.legacy()
self.fw.prepare_instance_filter(instance_ref, network_info)
diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
index 0cf69d6..7a8f9b4 100644
--- a/nova/tests/test_xenapi.py
+++ b/nova/tests/test_xenapi.py
@@ -1690,8 +1690,9 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase):
network_model = fake_network.fake_get_instance_nw_info(self.stubs,
1, spectacular=True)
- fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs,
- lambda *a, **kw: network_model)
+ from nova.compute import utils as compute_utils
+ self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
+ lambda instance: network_model)
network_info = network_model.legacy()
self.fw.prepare_instance_filter(instance_ref, network_info)
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index a093a35..7c22c86 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -17,10 +17,10 @@
# License for the specific language governing permissions and limitations
# under the License.
+from nova.compute import utils as compute_utils
from nova import context
from nova import db
from nova import flags
-from nova import network
from nova.network import linux_net
from nova.openstack.common import cfg
from nova.openstack.common import importutils
@@ -405,15 +405,9 @@ class IptablesFirewallDriver(FirewallDriver):
fw_rules += [' '.join(args)]
else:
if rule['grantee_group']:
- # FIXME(jkoelker) This needs to be ported up into
- # the compute manager which already
- # has access to a nw_api handle,
- # and should be the only one making
- # making rpc calls.
- nw_api = network.API()
for instance in rule['grantee_group']['instances']:
- nw_info = nw_api.get_instance_nw_info(ctxt,
- instance)
+ nw_info = compute_utils.get_nw_info_for_instance(
+ instance)
ips = [ip['address']
for ip in nw_info.fixed_ips()
--
1.8.1.5
Reference in New Issue View Git Blame Copy Permalink