diff --git a/felix/fv/pktgen/pktgen.go b/felix/fv/pktgen/pktgen.go
index e4b0461f362..781f52f8f80 100644
--- a/felix/fv/pktgen/pktgen.go
+++ b/felix/fv/pktgen/pktgen.go
@@ -15,6 +15,7 @@ package main
 import (
+ "math"
 "net"
 "strconv"
@@ -60,6 +61,9 @@ func main() {
 if err != nil {
 log.WithError(err).Fatal("IP id not a number")
 }
+ if id > math.MaxUint16 || id < 0 {
+ log.Fatal("IP id should be between 0 and 65535")
+ }
 ipID = uint16(id)
 }
@@ -69,6 +73,9 @@ func main() {
 if err != nil {
 log.WithError(err).Fatal("source port not a number")
 }
+ if p > math.MaxUint16 || p < 0 {
+ log.Fatal("source port should be between 0 and 65535")
+ }
 sport = uint16(p)
 }
@@ -78,6 +85,9 @@ func main() {
 if err != nil {
 log.WithError(err).Fatal("destination port not a number")
 }
+ if p > math.MaxUint16 || p < 0 {
+ log.Fatal("destination port should be between 0 and 65535")
+ }
 dport = uint16(p)
 }
diff --git a/felix/ipsets/ipset_defs.go b/felix/ipsets/ipset_defs.go
index 671ac9b1c0b..eb798678ed0 100644
--- a/felix/ipsets/ipset_defs.go
+++ b/felix/ipsets/ipset_defs.go
@@ -22,6 +22,7 @@ import (
 "strings"
 "fmt"
+ "math"
 "strconv"
 cprometheus "github.com/projectcalico/calico/libcalico-go/lib/prometheus"
@@ -153,6 +154,9 @@ func (t IPSetType) CanonicaliseMember(member string) ipSetMember {
 if err != nil {
 log.WithField("member", member).WithError(err).Panic("Bad port")
 }
+ if port > math.MaxUint16 || port < 0 {
+ log.WithField("member", member).Panic("Bad port range (should be between 0 and 65535)")
+ }
 // Return a dedicated struct for V4 or V6. This slightly reduces occupancy over storing
 // the address as an interface by storing one fewer interface headers. That is worthwhile
 // because we store many IP set members.
diff --git a/libcalico-go/lib/testutils/createRule.go b/libcalico-go/lib/testutils/createRule.go
index 489979704bf..7ba1e8206d1 100644
--- a/libcalico-go/lib/testutils/createRule.go
+++ b/libcalico-go/lib/testutils/createRule.go
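Review bot: In felix/fv/pktgen/pktgen.go the three added range checks (IP id, source port, destination port) repeat by hand a bound the parser can enforce itself. The parse calls sit above each hunk and are not visible here; if they are `strconv.Atoi`, parsing with `strconv.ParseUint(arg, 10, 16)` (where `arg` stands for the string being parsed) rejects negative and over-65535 input in the existing error branch and makes the following `uint16(...)` conversion lossless by construction. If the explicit checks stay, carry the rejected value in the log entry, e.g. `log.WithField("id", id).Fatal("IP id should be between 0 and 65535")`, so a failing run shows what was passed. main() starts and ends outside these hunks.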
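Review bot: In felix/ipsets/ipset_defs.go the new bounds check in CanonicaliseMember has no comment saying why a panic is the chosen failure mode or where member strings are validated before they get here. Panicking is the safer outcome for policy correctness than letting a port wrap when it is narrowed (the conversion is presumably further down, outside the hunk), but if any caller can pass an unvalidated member, one malformed entry now stops the process. I would confirm the upstream validation and record it next to the check, e.g. `// Members are validated before this point; an out-of-range port means an upstream bug, so panic rather than wrap to a different port.` The function body continues outside the hunk.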
@@ -16,6 +16,7 @@ package testutils
 import (
 "log"
+ "math"
 "net"
 "strconv"
@@ -34,6 +35,9 @@ func CreateRule(ipv, icmpType, icmpCode int, proto, cidrStr, tag, selector, inAc
 if err != nil {
 protocol = numorstring.ProtocolFromString(proto)
 } else {
+ if i > math.MaxUint8 || i < 0 {
+ log.Printf("i = %v should be between 0 and 255 \n", i)
+ }
 protocol = numorstring.ProtocolFromInt(uint8(i))
 }
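Review bot: The added check in CreateRule only logs and then falls through to `numorstring.ProtocolFromInt(uint8(i))`, so an out-of-range protocol number is still truncated to a different protocol; the pktgen and ipsets hunks in this commit abort in the same situation. Because this is a test helper using the standard `log` package, failing fast is the smallest fix: `log.Fatalf("protocol number %d out of range 0-255", i)`. That also replaces the uninformative `i = %v` wording and drops the trailing space and `\n`, which `log` appends on its own. CreateRule starts and ends outside the hunk.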