fix: protect uint32 conversion

See the following for more details: https://github.com/cloudnativelabs/kube-router/security/code-scanning?query=ref%3Arefs%2Fpull%2F1065%2Fmerge+tool%3ACodeQL
cloudnativelabs · Apr 14, 2021 · ef827d3 · ef827d3
1 parent 1816886
commit ef827d3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/pkg/controllers/routing/bgp_policies.go b/pkg/controllers/routing/bgp_policies.go
@@ -3,6 +3,7 @@ package routing
 import (
 	"context"
 	"errors"
+	"fmt"
 	"reflect"
 	"strconv"
 	"strings"
@@ -71,7 +72,10 @@ func (nrc *NetworkRoutingController) addPodCidrDefinedSet() error {
 		return err
 	}
 	if currentDefinedSet == nil {
-		cidrLen, _ := strconv.Atoi(strings.Split(nrc.podCidr, "/")[1])
+		cidrLen, err := strconv.Atoi(strings.Split(nrc.podCidr, "/")[1])
+		if err != nil || cidrLen < 0 || cidrLen > 32 {
+			return fmt.Errorf("the pod CIDR IP given is not a proper mask: %d", cidrLen)
+		}
 		podCidrDefinedSet := &gobgpapi.DefinedSet{
 			DefinedType: gobgpapi.DefinedType_PREFIX,
 			Name:        "podcidrdefinedset",

diff --git a/pkg/controllers/routing/network_routes_controller.go b/pkg/controllers/routing/network_routes_controller.go
@@ -440,9 +440,12 @@ func (nrc *NetworkRoutingController) advertisePodRoute() error {
 
 	cidrStr := strings.Split(nrc.podCidr, "/")
 	subnet := cidrStr[0]
-	cidrLen, _ := strconv.Atoi(cidrStr[1])
+	cidrLen, err := strconv.Atoi(cidrStr[1])
+	if err != nil || cidrLen < 0 || cidrLen > 32 {
+		return fmt.Errorf("the pod CIDR IP given is not a proper mask: %d", cidrLen)
+	}
 	if nrc.isIpv6 {
-		klog.V(2).Infof("Advertising route: '%s/%s via %s' to peers", subnet, strconv.Itoa(cidrLen), nrc.nodeIP.String())
+		klog.V(2).Infof("Advertising route: '%s/%d via %s' to peers", subnet, cidrLen, nrc.nodeIP.String())
 
 		v6Family := &gobgpapi.Family{
 			Afi:  gobgpapi.Family_AFI_IP6,
@@ -472,7 +475,7 @@ func (nrc *NetworkRoutingController) advertisePodRoute() error {
 		}
 	} else {
 
-		klog.V(2).Infof("Advertising route: '%s/%s via %s' to peers", subnet, strconv.Itoa(cidrLen), nrc.nodeIP.String())
+		klog.V(2).Infof("Advertising route: '%s/%d via %s' to peers", subnet, cidrLen, nrc.nodeIP.String())
 		nlri, _ := ptypes.MarshalAny(&gobgpapi.IPAddressPrefix{
 			PrefixLen: uint32(cidrLen),
 			Prefix:    cidrStr[0],