Check ICMP codes in range [0,255]

ICMP allows codes between 0 and 255, this change
adds a check for codes range min value.

DocImpact
APIImpact

Closes-Bug: #1486300

Change-Id: Ic7a49458448fad16447b914bb15742515661a851

diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index e04634e94e517ae5fc1653f1b5fd54d92c43fef6..7fe30c86142647eddc7768540900481137d5117b 100644 (file)
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -438,7 +438,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
         elif ip_proto == constants.PROTO_NUM_ICMP:
             for attr, field in [('port_range_min', 'type'),
                                 ('port_range_max', 'code')]:
-                if rule[attr] is not None and rule[attr] > 255:
+                if rule[attr] is not None and not (0 <= rule[attr] <= 255):
                     raise ext_sg.SecurityGroupInvalidIcmpValue(
                         field=field, attr=attr, value=rule[attr])
             if (rule['port_range_min'] is None and

diff --git a/neutron/tests/api/test_security_groups_negative.py b/neutron/tests/api/test_security_groups_negative.py
index 347b18be17e8f7f33e3a487ea0bec6174bb31d60..2e40d7a862c894eeb0be7215177f812a0e09bdc9 100644 (file)
--- a/neutron/tests/api/test_security_groups_negative.py
+++ b/neutron/tests/api/test_security_groups_negative.py
@@ -148,6 +148,7 @@ class NegativeSecGroupTest(base.BaseSecGroupTest):
 
         # Create rule for icmp protocol with invalid ports
         states = [(1, 256, 'Invalid value for ICMP code'),
+                  (-1, 25, 'Invalid value'),
                   (None, 6, 'ICMP type (port-range-min) is missing'),
                   (300, 1, 'Invalid value for ICMP type')]
         for pmin, pmax, msg in states: