[v3.32] Fix typha panic on invalid CIDRs in network policies #12371
Open
caseydavenport wants to merge 1 commit into projectcalico:release-v3.32 from
Pull request overview
Fixes a Typha crash path caused by invalid CIDR strings making it through rule conversion, resulting in nil entries that could trigger a nil pointer dereference when rules are stringified/logged.
Changes:
- Update `NormalizeIPNets` to skip unparseable CIDR/IP strings instead of emitting nil entries.
- Add a regression test that reproduces the invalid-CIDR scenario and asserts no panic plus correct filtering.
- Harden `model.Rule.String()` formatting to tolerate nil net entries (avoid nil deref in logging).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `libcalico-go/lib/backend/syncersv1/updateprocessors/rules.go` | Filters invalid CIDRs out of destination net lists during API v3 → backend rule conversion. |
| `libcalico-go/lib/backend/syncersv1/updateprocessors/rules_test.go` | Adds regression coverage for invalid CIDR handling and ensures Rule.String() won’t panic. |
| `libcalico-go/lib/backend/model/rule.go` | Makes Rule.String() robust against nil *net.IPNet entries when joining CIDRs. |
Comment on lines 272 to 274
| // NormalizeIPNets converts an []*IPNet to a slice of networks by ensuring the IP addresses | ||
| // are correctly masked. | ||
| // are correctly masked. Unparseable CIDRs are skipped. | ||
| func NormalizeIPNets(nets []string) []*cnet.IPNet { |
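Review bot: The updated comment on NormalizeIPNets says unparseable CIDRs are skipped, but the signature still returns only []*cnet.IPNet, so a caller cannot tell that entries were dropped. These strings come from network policy rules, and a shortened net list changes what the rule matches, so consider logging each skipped string at warning level or returning the rejected entries alongside the result, and state in the comment what is returned when every input is invalid. The first comment line also still describes the input as []*IPNet while the parameter is []string.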
The doc comment for NormalizeIPNets is now inaccurate/misleading: the function takes a slice of CIDR/IP strings (not an []*IPNet) and returns a normalized slice, skipping unparseable entries. Suggest updating the comment to match the actual parameter/return types to avoid confusion for future callers.
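The failure mode this review describes (a parse failure leaving a nil entry that a formatter later dereferences) next to both fixes, as an added Go example. It is not Calico's code: `ipNet`, `normalize`, `join` and the input list are constructed for illustration on top of the standard library's `net.ParseCIDR`.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ipNet (hypothetical): String has a value receiver, so a nil *ipNet panics.
type ipNet struct{ net.IPNet }
func (n ipNet) String() string { return n.IPNet.String() }

// normalize masks each CIDR to its network. skipInvalid=false models the
// pre-fix behaviour (nil entry on parse failure); true drops the entry.
func normalize(cidrs []string, skipInvalid bool) (nets []*ipNet, rejected []string) {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err == nil {
			nets = append(nets, &ipNet{*n})
			continue
		}
		rejected = append(rejected, c) // kept so the caller can log the drop
		if !skipInvalid {
			nets = append(nets, nil)
		}
	}
	return nets, rejected
}

// join formats the list; the recover exists only so the example can report the panic.
func join(nets []*ipNet, nilSafe bool) (s string, panicked bool) {
	defer func() { panicked = recover() != nil }()
	var parts []string
	for _, n := range nets {
		if n != nil || !nilSafe { // nilSafe skips nil entries instead of dereferencing
			parts = append(parts, n.String())
		}
	}
	return strings.Join(parts, ","), false
}

func main() {
	in := []string{"10.0.0.5/8", "not-a-cidr", "fd00::1/64"} // constructed input
	old, _ := normalize(in, false)
	fmt.Println(join(old, false)) // nil entry reaches the unguarded formatter
	fixed, bad := normalize(in, true)
	fmt.Println(join(fixed, true))
	fmt.Println("rejected:", bad)
}
```

Either guard alone stops the crash; the `rejected` slice is the part that keeps a dropped policy CIDR visible to whoever reads the logs.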
No description provided.