diff --git a/pkg/vf/virtio.go b/pkg/vf/virtio.go
index 38cec7a9..59712c8d 100644
--- a/pkg/vf/virtio.go
+++ b/pkg/vf/virtio.go
@@ -202,7 +202,7 @@ func (dev *VirtioRng) AddToVirtualMachineConfig(vmConfig *VirtualMachineConfigur
 // https://developer.apple.com/documentation/virtualization/running_linux_in_a_virtual_machine?language=objc#:~:text=Configure%20the%20Serial%20Port%20Device%20for%20Standard%20In%20and%20Out
 func setRawMode(f *os.File) error {
 	// Get settings for terminal
-	attr, _ := unix.IoctlGetTermios(int(f.Fd()), unix.TIOCGETA)
+	attr, _ := unix.IoctlGetTermios(int(f.Fd()), unix.TIOCGETA) //#nosec G115
 	// Put stdin into raw mode, disabling local echo, input canonicalization,
 	// and CR-NL mapping.
@@ -216,7 +216,7 @@ func setRawMode(f *os.File) error {
 	attr.Cc[syscall.VTIME] = 0
 	// reflects the changed settings
-	return unix.IoctlSetTermios(int(f.Fd()), unix.TIOCSETA, attr)
+	return unix.IoctlSetTermios(int(f.Fd()), unix.TIOCSETA, attr) //#nosec G115
 }
 func (dev *VirtioSerial) toVz() (*vz.VirtioConsoleDeviceSerialPortConfiguration, error) {
diff --git a/pkg/vf/virtionet.go b/pkg/vf/virtionet.go
index 72fd73c2..f2aefb69 100644
--- a/pkg/vf/virtionet.go
+++ b/pkg/vf/virtionet.go
@@ -64,10 +64,10 @@ func (dev *VirtioNet) connectUnixPath() error {
 		return err
 	}
 	err = rawConn.Control(func(fd uintptr) {
-		if err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_SNDBUF, 1*1024*1024); err != nil {
+		if err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_SNDBUF, 1*1024*1024); err != nil { //#nosec G115
 			return
 		}
-		if err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF, 4*1024*1024); err != nil {
+		if err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF, 4*1024*1024); err != nil { //#nosec G115
 			return
 		}
 	})
diff --git a/pkg/vf/vsock.go b/pkg/vf/vsock.go
index 26f9963f..9e3db33e 100644
--- a/pkg/vf/vsock.go
+++ b/pkg/vf/vsock.go
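Review bot: The error from `unix.IoctlGetTermios` on the first `+` line is still discarded (`attr, _ :=`), so when the ioctl fails — for instance because `f` is not a terminal — `attr` is whatever the helper hands back on failure (a nil or zero-valued Termios depending on the x/sys/unix version) and the field writes and the TIOCSETA later in setRawMode operate on settings that do not reflect the terminal's real state; the `//#nosec G115` only silences the `uintptr`→`int` conversion finding and leaves that unaddressed. Change it to `attr, err := unix.IoctlGetTermios(int(f.Fd()), unix.TIOCGETA) //#nosec G115` followed by `if err != nil { return err }`. This suppression, like the one in the second hunk of this file and the two in virtionet.go, carries no rationale, unlike the annotated ones in vsock.go; a short trailer such as `//#nosec G115 -- f.Fd() is a valid descriptor that fits in int` records why the finding is a false positive for the next reader of a gosec report. setRawMode's body continues past the hunk.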
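Review bot: The `err` that the closure assigns on the two `+` lines is overwritten as soon as `rawConn.Control` returns, because Control's own result is assigned to the same `err` on the context line above the closure; Control only reports that the descriptor itself is unusable, so a failed `SetsockoptInt` is silently lost and whatever checks `err` below the hunk sees nil. Capture the option error in its own variable and check both results after the call, dropping any now-duplicate check of `err` that follows the hunk. The new `//#nosec G115` markers would also read better with a reason, e.g. `//#nosec G115 -- fd handed to Control is a valid descriptor`. connectUnixPath starts and ends outside the hunk.
```go
	var optErr error
	err = rawConn.Control(func(fd uintptr) {
		if optErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_SNDBUF, 1*1024*1024); optErr != nil { //#nosec G115 -- fd handed to Control is a valid descriptor
			return
		}
		optErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF, 4*1024*1024) //#nosec G115 -- see above
	})
	if err != nil {
		return err
	}
	if optErr != nil {
		return optErr
	}
	// … unchanged: rest of connectUnixPath …
```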
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"math"
 	"net"
 	"net/url"
 	"strconv"
@@ -19,13 +20,17 @@ func ExposeVsock(vm *VirtualMachine, port uint, vsockPath string, listen bool) (
 }
 func ConnectVsockSync(vm *VirtualMachine, port uint) (net.Conn, error) {
+	if port > math.MaxUint32 {
+		return nil, fmt.Errorf("Port number (%d) is too high", port)
+	}
+
 	socketDevices := vm.SocketDevices()
 	if len(socketDevices) != 1 {
 		return nil, fmt.Errorf("VM has too many/not enough virtio-vsock devices (%d)", len(socketDevices))
 	}
 	vsockDevice := socketDevices[0]
-	conn, err := vsockDevice.Connect(uint32(port))
+	conn, err := vsockDevice.Connect(uint32(port)) //#nosec G115 -- 'port' is checked against MaxUint32
 	if err != nil {
 		// we can't `return vsockDevice.Connect()` directly, see https://go.dev/doc/faq#nil_error
 		// checking the return value for nil won't work as expected if we don't do this
@@ -84,7 +89,7 @@ func listenVsock(vm *VirtualMachine, port uint, vsockPath string) (io.Closer, er
 	}
 	switch parsed.Scheme {
 	case "vsock":
-		port, err := strconv.Atoi(parsed.Port())
+		port, err := strconv.ParseUint(parsed.Port(), 10, 32)
 		if err != nil {
 			return nil, err
 		}
@@ -92,7 +97,7 @@ func listenVsock(vm *VirtualMachine, port uint, vsockPath string) (io.Closer, er
 	if len(socketDevices) != 1 {
 		return nil, fmt.Errorf("VM has too many/not enough virtio-vsock devices (%d)", len(socketDevices))
 	}
-		return socketDevices[0].Listen(uint32(port))
+		return socketDevices[0].Listen(uint32(port)) //#nosec G115 -- strconv.ParseUint(.., .., 32) guarantees no overflow
 	default:
 		return nil, fmt.Errorf("unexpected scheme '%s'", parsed.Scheme)
 	}
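Review bot: The new error message on the second `+` line of the ConnectVsockSync hunk, `"Port number (%d) is too high"`, is capitalized and does not state the limit, so a log entry gives the operator no way to tell what value would have been accepted; Go error strings are conventionally lowercase and should name the bound: `return nil, fmt.Errorf("vsock port %d exceeds the maximum of %d", port, uint32(math.MaxUint32))`. The guard itself and the justified `//#nosec` under it are the right shape. ExposeVsock, whose signature appears in the hunk header, also takes `port uint`; if its body (outside the hunk) performs a `uint32` conversion of its own rather than going through ConnectVsockSync, it would want the same range check. ConnectVsockSync continues past the hunk.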
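Review bot: The `port, err :=` on the `+` line of the first listenVsock hunk shadows the `port uint` parameter shown in the hunk header, and with `strconv.ParseUint` the inner variable is now a `uint64` where Atoi gave an `int`, so a reader of `Listen(uint32(port))` in the following hunk has to work out which `port` is in scope; a distinct name such as `vsockPort` removes the ambiguity. The parse error is also returned bare, so a malformed URL surfaces as a raw `strconv.ParseUint: parsing "…": invalid syntax` with no hint that the vsock URL's port is meant: `return nil, fmt.Errorf("parsing vsock port %q: %w", parsed.Port(), err)`. listenVsock's body starts and ends outside the hunk.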