From 91c476dcc5cd2192d0c43ca51a1b258b9c331fc4 Mon Sep 17 00:00:00 2001 From: huangpengtao Date: Sun, 30 Aug 2015 10:43:50 +0800 Subject: [PATCH] Check ICMP codes in range [0,255] ICMP allows codes between 0 and 255, this change adds a check for codes range min value. DocImpact APIImpact Closes-Bug: #1486300 Change-Id: Ic7a49458448fad16447b914bb15742515661a851 --- neutron/db/securitygroups_db.py | 2 +- neutron/tests/api/test_security_groups_negative.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py index e04634e94..7fe30c861 100644 --- a/neutron/db/securitygroups_db.py +++ b/neutron/db/securitygroups_db.py @@ -438,7 +438,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase): elif ip_proto == constants.PROTO_NUM_ICMP: for attr, field in [('port_range_min', 'type'), ('port_range_max', 'code')]: - if rule[attr] is not None and rule[attr] > 255: + if rule[attr] is not None and not (0 <= rule[attr] <= 255): raise ext_sg.SecurityGroupInvalidIcmpValue( field=field, attr=attr, value=rule[attr]) if (rule['port_range_min'] is None and diff --git a/neutron/tests/api/test_security_groups_negative.py b/neutron/tests/api/test_security_groups_negative.py index 347b18be1..2e40d7a86 100644 --- a/neutron/tests/api/test_security_groups_negative.py +++ b/neutron/tests/api/test_security_groups_negative.py @@ -148,6 +148,7 @@ class NegativeSecGroupTest(base.BaseSecGroupTest): # Create rule for icmp protocol with invalid ports states = [(1, 256, 'Invalid value for ICMP code'), + (-1, 25, 'Invalid value'), (None, 6, 'ICMP type (port-range-min) is missing'), (300, 1, 'Invalid value for ICMP type')] for pmin, pmax, msg in states: -- 2.45.2