Manual backport of PR 21251 to 1.15.x (#21620)

manual backport of pr 21251 to release 1.15.x
hashicorp · Aug 19, 2024 · 760a2b8 · 760a2b8
1 parent ef6e2a6
commit 760a2b8
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 10 deletions.
diff --git a/agent/xds/response.go b/agent/xds/response.go
@@ -53,16 +53,19 @@ func makePipeAddress(path string, mode uint32) *envoy_core_v3.Address {
 }
 
 func makeAddress(ip string, port int) *envoy_core_v3.Address {
-	return &envoy_core_v3.Address{
-		Address: &envoy_core_v3.Address_SocketAddress{
-			SocketAddress: &envoy_core_v3.SocketAddress{
-				Address: ip,
-				PortSpecifier: &envoy_core_v3.SocketAddress_PortValue{
-					PortValue: uint32(port),
+	if port >= 0 && port <= 65535 {
+		return &envoy_core_v3.Address{
+			Address: &envoy_core_v3.Address_SocketAddress{
+				SocketAddress: &envoy_core_v3.SocketAddress{
+					Address: ip,
+					PortSpecifier: &envoy_core_v3.SocketAddress_PortValue{
+						PortValue: uint32(port),
+					},
 				},
 			},
-		},
+		}
 	}
+	return nil
 }
 
 func makeUint32Value(n int) *wrapperspb.UInt32Value {

diff --git a/agent/xds/testing.go b/agent/xds/testing.go
@@ -125,15 +125,15 @@ func stringToEnvoyVersion(vs string) (*envoy_type_v3.SemanticVersion, bool) {
 		return nil, false
 	}
 
-	major, err := strconv.Atoi(parts[0])
+	major, err := strconv.ParseUint(parts[0], 10, 32)
 	if err != nil {
 		return nil, false
 	}
-	minor, err := strconv.Atoi(parts[1])
+	minor, err := strconv.ParseUint(parts[1], 10, 32)
 	if err != nil {
 		return nil, false
 	}
-	patch, err := strconv.Atoi(parts[2])
+	patch, err := strconv.ParseUint(parts[2], 10, 32)
 	if err != nil {
 		return nil, false
 	}

diff --git a/api/api.go b/api/api.go
@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"math"
 	"net"
 	"net/http"
 	"net/url"
@@ -1138,6 +1139,9 @@ func parseQueryMeta(resp *http.Response, q *QueryMeta) error {
 	if err != nil {
 		return fmt.Errorf("Failed to parse X-Consul-LastContact: %v", err)
 	}
+	if last > math.MaxInt64 {
+		return fmt.Errorf("X-Consul-LastContact Header value is out of range: %d", last)
+	}
 	q.LastContact = time.Duration(last) * time.Millisecond
 
 	// Parse the X-Consul-KnownLeader
@@ -1179,6 +1183,9 @@ func parseQueryMeta(resp *http.Response, q *QueryMeta) error {
 		if err != nil {
 			return fmt.Errorf("Failed to parse Age Header: %v", err)
 		}
+		if age > math.MaxInt64 {
+			return fmt.Errorf("Age Header value is out of range: %d", last)
+		}
 		q.CacheAge = time.Duration(age) * time.Second
 	}