From e2c627332f86e357b06773208feb5e235b53e307 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 28 May 2014 12:51:06 +0200
Subject: [PATCH] limit alias/ipset name length to 64 characters
---
 src/PVE/Firewall.pm | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1787637..3b6b245 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -74,6 +74,10 @@ PVE::JSONSchema::register_standard_option('pve-fw-loglevel' => {
 my $security_group_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
 my $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
+my $max_alias_name_length = 64;
+my $max_ipset_name_length = 64;
+
+
 PVE::JSONSchema::register_standard_option('pve-security-group-name', {
 description => "Security Group name.",
 type => 'string',
@@ -739,7 +743,7 @@ sub local_network {
 return $__local_network;
 }
-my $max_ipset_name_length = 27;
+my $max_iptables_ipset_name_length = 27;
 sub compute_ipset_chain_name {
 my ($vmid, $ipset_name) = @_;
@@ -749,7 +753,7 @@ sub compute_ipset_chain_name {
 my $id = "$vmid-${ipset_name}";
- if ((length($id) + 6) > $max_ipset_name_length) {
+ if ((length($id) + 6) > $max_iptables_ipset_name_length) {
 $id = PVE::Tools::fnv31a_hex($id);
 }
@@ -759,8 +763,15 @@ sub compute_ipset_chain_name {
 sub parse_address_list {
 my ($str) = @_;
- return if $str =~ m/^(\+)(\S+)$/; # ipset ref
- return if $str =~ m/^${ip_alias_pattern}$/;
+ if ($str =~ m/^(\+)(\S+)$/) { # ipset ref
+ die "ipset name too long\n" if length($str) > ($max_ipset_name_length + 1);
+ return;
+ }
+
+ if ($str =~ m/^${ip_alias_pattern}$/) {
+ die "alias name too long\n" if length($str) > $max_alias_name_length;
+ return;
+ }
 my $count = 0;
 my $iprange = 0;
-- 
2.39.2
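Review bot: The two 64-character limits added after `$ip_alias_pattern` carry no comment, and the file now also holds a similarly named third limit, `$max_iptables_ipset_name_length = 27`, in the hunk above `compute_ipset_chain_name`. A comment such as `# limits for user-visible alias/ipset names; generated ipset chain names are bounded separately by $max_iptables_ipset_name_length` would keep the two from being confused. In the visible hunks the new limits are checked only in `parse_address_list`, where a name is referenced. If the schema options that define alias and ipset names are not bounded too, a `maxLength` there would reject over-long names at creation; that part of the file is outside the patch, so confirm.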
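Review bot: The ipset branch of `parse_address_list` bounds only the length of the reference: `\S+` still accepts any non-whitespace characters (whether the character set is checked elsewhere is not visible here), and the `+ 1` that allows for the leading `+` is unexplained. Checking the captured name states the limit directly: `die "ipset name too long\n" if length($2) > $max_ipset_name_length;`. Both patterns end in `$`, which also matches before a trailing newline, so a value ending in a newline passes the match; `\z` would reject it. The body of `parse_address_list` continues past the end of the hunk.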