From: Yu Watanabe Date: Wed, 23 Aug 2023 03:13:44 +0000 (+0900) Subject: nspawn: check validity of the internal interface name only explicitly specified X-Git-Tag: v255-rc1~649 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=927e20fa4976c7b68c95814f3706cd4e89ac28c8;p=thirdparty%2Fsystemd.git nspawn: check validity of the internal interface name only explicitly specified Follow-up for 2f091b1b49543aade4aad9ec3b35b3665abac3e7. Fixes #28844. --- diff --git a/src/nspawn/nspawn-network.c b/src/nspawn/nspawn-network.c index 89b50026db3..b83e472245c 100644 --- a/src/nspawn/nspawn-network.c +++ b/src/nspawn/nspawn-network.c @@ -774,20 +774,22 @@ static int network_iface_pair_parse(const char* iftype, char ***l, const char *p return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "%s, interface name not valid: %s", iftype, a); - if (isempty(interface)) { - if (ifprefix) - b = strjoin(ifprefix, a); - else - b = strdup(a); - } else + /* Here, we only check the validity of the specified second name. If it is not specified, + * the copied or prefixed name should be already valid, except for its length. If it is too + * long, then it will be shortened later. */ + if (!isempty(interface)) { + if (!ifname_valid(interface)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "%s, interface name not valid: %s", iftype, interface); + b = strdup(interface); + } else if (ifprefix) + b = strjoin(ifprefix, a); + else + b = strdup(a); if (!b) return log_oom(); - if (!ifname_valid(b)) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "%s, interface name not valid: %s", iftype, b); - r = strv_consume_pair(l, TAKE_PTR(a), TAKE_PTR(b)); if (r < 0) return log_oom(); diff --git a/test/units/testsuite-13.nspawn.sh b/test/units/testsuite-13.nspawn.sh index 9bcdec9298a..8d7a2e92ab0 100755 --- a/test/units/testsuite-13.nspawn.sh +++ b/test/units/testsuite-13.nspawn.sh 
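Review bot: With the trailing `ifname_valid(b)` check removed, the derived second name (`strjoin(ifprefix, a)` or `strdup(a)`) reaches `strv_consume_pair()` unvalidated, so entries of `l` may now be longer than an interface name is allowed to be. The new comment says such names are "shortened later", but that step is not in this hunk; I would state the contract where the list is filled, for example `/* NOTE: the second name stored in *l may exceed the interface name length limit; consumers must shorten it before use. */`. The claim that the prefixed name is "already valid" also depends on `ifprefix` holding only valid interface-name characters, which presumably holds for the callers but is not visible here and deserves a short note on the parameter. The body of `network_iface_pair_parse()` starts and ends outside the hunk.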
@@ -341,7 +341,7 @@ testcase_nspawn_settings() { rm -f "/etc/systemd/nspawn/$container.nspawn" mkdir -p "$root/tmp" "$root"/opt/{tmp,inaccessible,also-inaccessible} - for dev in sd-host-only sd-shared{1,2} sd-macvlan{1,2} sd-ipvlan{1,2}; do + for dev in sd-host-only sd-shared{1,2} sd-macvlan{1,2} sd-macvlanloong sd-ipvlan{1,2} sd-ipvlanlooong; do ip link add "$dev" type dummy done udevadm settle @@ -395,8 +395,8 @@ VirtualEthernet=yes VirtualEthernetExtra=my-fancy-veth1 VirtualEthernetExtra=fancy-veth2:my-fancy-veth2 Interface=sd-shared1 sd-shared2:sd-shared2 -MACVLAN=sd-macvlan1 sd-macvlan2:my-macvlan2 -IPVLAN=sd-ipvlan1 sd-ipvlan2:my-ipvlan2 +MACVLAN=sd-macvlan1 sd-macvlan2:my-macvlan2 sd-macvlanloong +IPVLAN=sd-ipvlan1 sd-ipvlan2:my-ipvlan2 sd-ipvlanlooong Zone=sd-zone0 Port=80 Port=81:8181
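Review bot: The new device names `sd-macvlanloong` and `sd-ipvlanlooong` in the `for dev in …` loop have no comment, yet their odd spelling is what makes them exactly 15 characters, presumably so that the prefixed container-side name overflows the length limit. A comment above the loop such as `# sd-macvlanloong and sd-ipvlanlooong are deliberately 15 characters long, so the prefixed name must be shortened` would keep someone from "fixing" the spelling; the same names recur in the `MACVLAN=` and `IPVLAN=` lines of the second hunk. The hunks shown do not check the resulting interface name inside the container, so if no later part of the test does, this case only proves that the settings are accepted. `testcase_nspawn_settings()` continues outside both hunks.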