Skip to content

openshiftcluster_validatestatic.go: missing array bounds check causes panic #4129

New issue
New issue
Open
Open
openshiftcluster_validatestatic.go: missing array bounds check causes panic#4129
@stevekuznetsov

Description

@stevekuznetsov
stevekuznetsov
opened on Mar 3, 2025

There are many accesses to p.IngressProfiles[0] in OpenShift cluster validation, like:

ARO-RP/pkg/api/v20231122/openshiftcluster_validatestatic.go

Lines 101 to 103 in 9d59d46

if err := sv.validateNetworkProfile(path+".networkProfile", &p.NetworkProfile, p.APIServerProfile.Visibility, p.IngressProfiles[0].Visibility); err != nil {
return err
}

When that slice is empty, we get a panic:

Panic Trace 
panic: runtime.boundsError{x:0, y:0, signed:true, code:0x0}
goroutine 1179265 [running]:
runtime/debug.Stack()
	/usr/lib/golang/src/runtime/debug/stack.go:24 +0x5e
github.com/Azure/ARO-RP/pkg/frontend/middleware.Panic.func1.1()
	/__w/1/s/ARO-RP/pkg/frontend/middleware/panic.go:20 +0xbe
panic({0x6aea2a0?, 0xc00070c438?})
	/usr/lib/golang/src/runtime/panic.go:770 +0x132
github.com/Azure/ARO-RP/pkg/api/v20231122.openShiftClusterStaticValidator.validateProperties({{0xc0007837c0, 0xb}, {0xc00007818c, 0x15}, 0x0, {0xc00c37c000, 0xaa}, {{0xc00c37c00f, 0x24}, {0xc00c37c043, ...}, ...}}, ...)
	/__w/1/s/ARO-RP/pkg/api/v20231122/openshiftcluster_validatestatic.go:101 +0xbbf
github.com/Azure/ARO-RP/pkg/api/v20231122.openShiftClusterStaticValidator.validate({{0xc0007837c0, 0xb}, {0xc00007818c, 0x15}, 0x0, {0xc00c37c000, 0xaa}, {{0xc00c37c00f, 0x24}, {0xc00c37c043, ...}, ...}}, ...)
	/__w/1/s/ARO-RP/pkg/api/v20231122/openshiftcluster_validatestatic.go:81 +0x268
github.com/Azure/ARO-RP/pkg/api/v20231122.openShiftClusterStaticValidator.Static({{0xc0007837c0, 0xb}, {0xc00007818c, 0x15}, 0x0, {0xc00c37c000, 0xaa}, {{0xc00c37c00f, 0x24}, {0xc00c37c043, ...}, ...}}, ...)
	/__w/1/s/ARO-RP/pkg/api/v20231122/openshiftcluster_validatestatic.go:55 +0x1d6
github.com/Azure/ARO-RP/pkg/frontend.(*frontend).ValidateNewCluster(0xc000ab1408, {0x7e9fa18, 0xc00ad0d3e0}, 0xc0018e95e0, 0xc00132cd88, {0x7e42e00, 0xc000798480}, {0x6085500, 0xc000077c20}, {0xc00c37c000, ...})
	/__w/1/s/ARO-RP/pkg/frontend/openshiftcluster_putorpatch.go:402 +0x11a
github.com/Azure/ARO-RP/pkg/frontend.(*frontend)._putOrPatchOpenShiftCluster(0xc000ab1408, {0x7e9fa18, _}, _, {{0xc000b42a80, 0x240, 0x380}, 0xc00053c7e0, 0xc001ffaff0, {0xc00c37c000, ...}, ...})
	/__w/1/s/ARO-RP/pkg/frontend/openshiftcluster_putorpatch.go:223 +0x122d
github.com/Azure/ARO-RP/pkg/frontend.(*frontend).putOrPatchOpenShiftCluster.func1()
	/__w/1/s/ARO-RP/pkg/frontend/openshiftcluster_putorpatch.go:87 +0x5b
github.com/Azure/ARO-RP/pkg/database/cosmosdb.RetryOnPreconditionFailed(0xc000e58718)
	/__w/1/s/ARO-RP/pkg/database/cosmosdb/zz_generated_cosmosdb.go:58 +0x64
github.com/Azure/ARO-RP/pkg/frontend.(*frontend).putOrPatchOpenShiftCluster(0xc000ab1408, {0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/pkg/frontend/openshiftcluster_putorpatch.go:85 +0x65a
net/http.HandlerFunc.ServeHTTP(0x6431060?, {0x7e77a48?, 0xc001daccc0?}, 0x7e1ae10?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc000f0a600, {0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:444 +0x207
net/http.HandlerFunc.ServeHTTP(0xc000e4e8c0?, {0x7e77a48?, 0xc001daccc0?}, 0xc000e4e8a0?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc000f0a600, {0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:73 +0x32f
github.com/go-chi/chi/v5.(*Mux).Mount.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:316 +0x1bb
net/http.HandlerFunc.ServeHTTP(0x6425420?, {0x7e77a48?, 0xc001daccc0?}, 0xa?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/Azure/ARO-RP/pkg/frontend/middleware.ApiVersionValidator.ValidateAPIVersion-fm.ApiVersionValidator.ValidateAPIVersion.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/validate_api.go:28 +0x119
net/http.HandlerFunc.ServeHTTP(0xc0008ae500?, {0x7e77a48?, 0xc001daccc0?}, 0xc00fb3b140?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*ChainHandler).ServeHTTP(0x6431060?, {0x7e77a48?, 0xc001daccc0?}, 0x7e1ae10?)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/chain.go:31 +0x26
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc000f0a540, {0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:444 +0x207
net/http.HandlerFunc.ServeHTTP(0x0?, {0x7e77a48?, 0xc001daccc0?}, 0x0?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc000f0a540, {0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:73 +0x32f
github.com/go-chi/chi/v5.(*Mux).Mount.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:316 +0x1bb
net/http.HandlerFunc.ServeHTTP(0x6431060?, {0x7e77a48?, 0xc001daccc0?}, 0xc00c33a640?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc000f0a480, {0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:444 +0x207
net/http.HandlerFunc.ServeHTTP(0xc000e4ed00?, {0x7e77a48?, 0xc001daccc0?}, 0xc000e4ece0?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc000f0a480, {0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:73 +0x32f
github.com/go-chi/chi/v5.(*Mux).Mount.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:316 +0x1bb
net/http.HandlerFunc.ServeHTTP(0x6431060?, {0x7e77a48?, 0xc001daccc0?}, 0xc001424c00?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc000f0a420, {0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:444 +0x207
net/http.HandlerFunc.ServeHTTP(0xc000ddce80?, {0x7e77a48?, 0xc001daccc0?}, 0xc000ddce60?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc000f0a420, {0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:73 +0x32f
github.com/go-chi/chi/v5.(*Mux).Mount.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:316 +0x1bb
net/http.HandlerFunc.ServeHTTP(0xc00031d6c0?, {0x7e77a48?, 0xc001daccc0?}, 0x7067d379c5c0?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/Azure/ARO-RP/pkg/frontend/middleware.AuthMiddleware.Authenticate-fm.AuthMiddleware.Authenticate.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ecfc0)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/authenticated.go:35 +0x12c
net/http.HandlerFunc.ServeHTTP(0x7e9fa18?, {0x7e77a48?, 0xc001daccc0?}, 0x7e1ac68?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/Azure/ARO-RP/pkg/frontend/middleware.SystemData.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ecd80)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/systemdata.go:31 +0x29a
net/http.HandlerFunc.ServeHTTP(0x7e9fa18?, {0x7e77a48?, 0xc001daccc0?}, 0x7e1acf0?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/Azure/ARO-RP/pkg/frontend/middleware.Body.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ec6c0?)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/body.go:35 +0x15e
net/http.HandlerFunc.ServeHTTP(0xc00c37c00f?, {0x7e77a48?, 0xc001daccc0?}, 0xc001114000?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/Azure/ARO-RP/pkg/frontend/middleware.ValidateMiddleware.Validate-fm.ValidateMiddleware.Validate.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ec6c0)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/validate.go:101 +0x3b7
net/http.HandlerFunc.ServeHTTP(0xc00ad0d080?, {0x7e77a48?, 0xc001daccc0?}, 0xc?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/Azure/ARO-RP/pkg/frontend/middleware.Headers.func1({0x7e77a48, 0xc001daccc0}, 0xc0014ec6c0)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/headers.go:28 +0x372
net/http.HandlerFunc.ServeHTTP(0x0?, {0x7e77a48?, 0xc001daccc0?}, 0x7069380aa5b8?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/Azure/ARO-RP/pkg/frontend/middleware.Panic.func1({0x7e77a48?, 0xc001daccc0?}, 0x2563401?)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/panic.go:27 +0x78
net/http.HandlerFunc.ServeHTTP(0x61b2be0?, {0x7e77a48?, 0xc001daccc0?}, 0x0?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/Azure/ARO-RP/pkg/frontend/middleware.MetricsMiddleware.Metrics-fm.MetricsMiddleware.Metrics.func1({0x7e77a48, 0xc001dacc60}, 0xc0014ec6c0)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/metrics.go:30 +0x11a
net/http.HandlerFunc.ServeHTTP(0xc0007ec070?, {0x7e77a48?, 0xc001dacc60?}, 0x16?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/Azure/ARO-RP/pkg/frontend/middleware.LogMiddleware.Log-fm.LogMiddleware.Log.func1({0x7e76e48, 0xc001372e00}, 0xc0014ec360)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/log.go:170 +0xfda
net/http.HandlerFunc.ServeHTTP(0xc00ad0d140?, {0x7e76e48?, 0xc001372e00?}, 0x437ff1d?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5/middleware.CleanPath.func1({0x7e76e48, 0xc001372e00}, 0xc0014ec360)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/middleware/clean_path.go:26 +0xf7
net/http.HandlerFunc.ServeHTTP(0xc00012aaa0?, {0x7e76e48?, 0xc001372e00?}, 0xc00fb3b140?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*ChainHandler).ServeHTTP(0x6431060?, {0x7e76e48?, 0xc001372e00?}, 0xc00c37c000?)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/chain.go:31 +0x26
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc000f0a300, {0x7e76e48, 0xc001372e00}, 0xc0014ec360)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:444 +0x207
net/http.HandlerFunc.ServeHTTP(0xc00c37c000?, {0x7e76e48?, 0xc001372e00?}, 0xc0014ec360?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5/middleware.CleanPath.func1({0x7e76e48, 0xc001372e00}, 0xc0014ec360)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/middleware/clean_path.go:26 +0xf7
net/http.HandlerFunc.ServeHTTP(0x7e9fa18?, {0x7e76e48?, 0xc001372e00?}, 0xaa65d60?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc000f0a300, {0x7e76e48, 0xc001372e00}, 0xc0014ec240)
	/__w/1/s/ARO-RP/vendor/github.com/go-chi/chi/v5/mux.go:90 +0x2ee
github.com/Azure/ARO-RP/pkg/frontend.(*frontend).Run.Lowercase.func3({0x7e76e48, 0xc001372e00}, 0xc0014ec120)
	/__w/1/s/ARO-RP/pkg/frontend/middleware/lowercase.go:17 +0xf9
net/http.HandlerFunc.ServeHTTP(0x24cd085?, {0x7e76e48?, 0xc001372e00?}, 0xc001372e01?)
	/usr/lib/golang/src/net/http/server.go:2171 +0x29
net/http.serverHandler.ServeHTTP({0x7e52a70?}, {0x7e76e48?, 0xc001372e00?}, 0x6?)
	/usr/lib/golang/src/net/http/server.go:3142 +0x8e
net/http.(*conn).serve(0xc001600090, {0x7e9fa18, 0xc000f9ba70})
	/usr/lib/golang/src/net/http/server.go:2044 +0x5e8
created by net/http.(*Server).Serve in goroutine 364
	/usr/lib/golang/src/net/http/server.go:3290 +0x4b4

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions