Add port validator to ensure configurable ports are valid

luolanzone · luolanzone · commit 6f629531469e · 2025-03-03T17:51:38.000+08:00
Signed-off-by: Lan Luo &lt;lan.luo@broadcom.com&gt;
diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go
@@ -430,13 +430,13 @@ func (o *Options) setK8sNodeDefaultOptions() {
 	if o.config.AntreaProxy.DefaultLoadBalancerMode == "" {
 		o.config.AntreaProxy.DefaultLoadBalancerMode = config.LoadBalancerModeNAT.String()
 	}
-	if o.config.ClusterMembershipPort == 0 {
+	if !isValidPort(o.config.ClusterMembershipPort) {
 		o.config.ClusterMembershipPort = apis.AntreaAgentClusterMembershipPort
 	}
 	if o.config.EnablePrometheusMetrics == nil {
 		o.config.EnablePrometheusMetrics = ptr.To(true)
 	}
-	if o.config.WireGuard.Port == 0 {
+	if !isValidPort(o.config.WireGuard.Port) {
 		o.config.WireGuard.Port = apis.WireGuardListenPort
 	}
 
@@ -534,6 +534,9 @@ func (o *Options) validateK8sNodeOptions() error {
 		o.config.TunnelType != ovsconfig.GRETunnel && o.config.TunnelType != ovsconfig.STTTunnel {
 		return fmt.Errorf("tunnel type %s is invalid", o.config.TunnelType)
 	}
+	if !isValidPort(int(o.config.TunnelPort)) {
+		return fmt.Errorf("tunnel port %s is invalid", o.config.TunnelPort)
+	}
 	ok, encryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.TrafficEncryptionMode)
 	if !ok {
 		return fmt.Errorf("TrafficEncryptionMode %s is unknown", o.config.TrafficEncryptionMode)
diff --git a/cmd/antrea-agent/util.go b/cmd/antrea-agent/util.go
@@ -79,3 +79,11 @@ func parsePortRange(portRangeStr string) (start, end int, err error) {
 
 	return start, end, nil
 }
+
+// isValidPort checks if the given port number is within the valid range of 1 to 65535.
+func isValidPort(port int) bool {
+	if port < 1 || port > 65535 {
+		return false
+	}
+	return true
+}
diff --git a/cmd/antrea-agent/util_test.go b/cmd/antrea-agent/util_test.go
@@ -122,3 +122,34 @@ func TestParsePortRange(t *testing.T) {
 		})
 	}
 }
+
+func TestIsValidPort(t *testing.T) {
+	tests := []struct {
+		name     string
+		port     int
+		expected bool
+	}{
+		{
+			name:     "invalid port 0",
+			port:     0,
+			expected: false,
+		},
+		{
+			name:     "invalid port 70000",
+			port:     70000,
+			expected: false,
+		},
+		{
+			name:     "valid port",
+			port:     65500,
+			expected: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := isValidPort(tc.port)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -430,13 +430,13 @@ func (o *Options) setK8sNodeDefaultOptions() {`
`430`	`430`	`if o.config.AntreaProxy.DefaultLoadBalancerMode == "" {`
`431`	`431`	`o.config.AntreaProxy.DefaultLoadBalancerMode = config.LoadBalancerModeNAT.String()`
`432`	`432`	`}`
`433`		`- if o.config.ClusterMembershipPort == 0 {`
	`433`	`+ if !isValidPort(o.config.ClusterMembershipPort) {`
`434`	`434`	`o.config.ClusterMembershipPort = apis.AntreaAgentClusterMembershipPort`
`435`	`435`	`}`
`436`	`436`	`if o.config.EnablePrometheusMetrics == nil {`
`437`	`437`	`o.config.EnablePrometheusMetrics = ptr.To(true)`
`438`	`438`	`}`
`439`		`- if o.config.WireGuard.Port == 0 {`
	`439`	`+ if !isValidPort(o.config.WireGuard.Port) {`
`440`	`440`	`o.config.WireGuard.Port = apis.WireGuardListenPort`
`441`	`441`	`}`
`442`	`442`
`@@ -534,6 +534,9 @@ func (o *Options) validateK8sNodeOptions() error {`
`534`	`534`	`o.config.TunnelType != ovsconfig.GRETunnel && o.config.TunnelType != ovsconfig.STTTunnel {`
`535`	`535`	`return fmt.Errorf("tunnel type %s is invalid", o.config.TunnelType)`
`536`	`536`	`}`
	`537`	`+ if !isValidPort(int(o.config.TunnelPort)) {`
	`538`	`+ return fmt.Errorf("tunnel port %s is invalid", o.config.TunnelPort)`
	`539`	`+ }`
`537`	`540`	`ok, encryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.TrafficEncryptionMode)`
`538`	`541`	`if !ok {`
`539`	`542`	`return fmt.Errorf("TrafficEncryptionMode %s is unknown", o.config.TrafficEncryptionMode)`