Remove dhcp_extra_opt value after first newline character

Passing newline to the dnsmasq may cause security issues, especially that in case of Neutron that dhcp options' values are controlled by cloud users. This patch removes everything what is after first newline character in the dhcp_extra_opt's values before passing them to dnsmasq. Closes-Bug: #1939733 Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e
openstack · Aug 31, 2021 · df891f0 · df891f0
1 parent a2ffbfa
commit df891f0
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 4 deletions.
diff --git a/neutron/agent/linux/dhcp.py b/neutron/agent/linux/dhcp.py
@@ -1322,10 +1322,11 @@ def _format_option(self, ip_version, tag, option, *args):
         elif not option.isdigit():
             option = 'option:%s' % option
         if extra_tag:
-            tags = ('tag:' + tag, extra_tag[:-1], '%s' % option)
+            tags = ['tag:' + tag, extra_tag[:-1], '%s' % option]
         else:
-            tags = ('tag:' + tag, '%s' % option)
-        return ','.join(tags + args)
+            tags = ['tag:' + tag, '%s' % option]
+
+        return ','.join(tags + [v.split("\n", 1)[0] for v in args])
 
     @staticmethod
     def _convert_to_literal_addrs(ip_version, ips):

diff --git a/neutron/tests/unit/agent/linux/test_dhcp.py b/neutron/tests/unit/agent/linux/test_dhcp.py
@@ -230,6 +230,9 @@ def __init__(self):
         self.extra_dhcp_opts = [
             DhcpOpt(opt_name='dns-server',
                     opt_value='ffea:3ba5:a17a:4ba3::100',
+                    ip_version=constants.IP_VERSION_6),
+            DhcpOpt(opt_name='malicious-option',
+                    opt_value='aaa\nbbb.ccc\n',
                     ip_version=constants.IP_VERSION_6)]
 
 
@@ -2910,7 +2913,9 @@ def test_host_and_opts_file_on_stateless_dhcpv6_network(
         exp_opt_data = ('tag:subnet-eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee,'
                         'option6:domain-search,openstacklocal\n'
                         'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
-                        'option6:dns-server,ffea:3ba5:a17a:4ba3::100').lstrip()
+                        'option6:dns-server,ffea:3ba5:a17a:4ba3::100\n'
+                        'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
+                        'option6:malicious-option,aaa').lstrip()
         dm = self._get_dnsmasq(FakeV6NetworkStatelessDHCP())
         dm._output_hosts_file()
         dm._output_opts_file()

diff --git a/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Fix `bug 1939733 <https://bugs.launchpad.net/neutron/+bug/1939733>`_ by
+    dropping from the dhcp extra option values everything what is after first
+    newline (``\n``) character before passing them to the dnsmasq.