From 6068b202c68556d8b383cd03c1835d50a7317f10 Mon Sep 17 00:00:00 2001 From: Yong Tang Date: Mon, 22 Aug 2016 21:52:56 -0700 Subject: [PATCH 1/2] Validate `--ip` and `--ip6` for `docker create` This fix tries to fix the issue raised in 25863 where `--ip` value is not validated for `docker create`. As a result, the IP address passed by `--ip` is not used for `docker create` (ignored silently). This fix adds validation in the daemon so that `--ip` and `--ip6` are properly validated for `docker create`. An integration test has been added to cover the changes. This fix fixes 25863. Signed-off-by: Yong Tang Upstream-commit: c7045eb93523df76feb9f3e00540e69471a1855e Component: engine
---
 components/engine/daemon/create.go | 17 ++++++++++++++++- .../docker_cli_network_unix_test.go | 17 +++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/components/engine/daemon/create.go b/components/engine/daemon/create.go
index 5f1b631791..e06a9a1a25 100644
--- a/components/engine/daemon/create.go
+++ b/components/engine/daemon/create.go
@@ -2,6 +2,7 @@ package daemon
 import (
 "fmt"
+ "net"
 "strings"
 "github.com/Sirupsen/logrus"
@@ -244,8 +245,22 @@ func (daemon *Daemon) mergeAndVerifyConfig(config *containertypes.Config, img *i
 }
 // Checks if the client set configurations for more than one network while creating a container
+// Also checks if the IPAMConfig is valid
 func (daemon *Daemon) verifyNetworkingConfig(nwConfig *networktypes.NetworkingConfig) error {
- if nwConfig == nil || len(nwConfig.EndpointsConfig) <= 1 {
+ if nwConfig == nil || len(nwConfig.EndpointsConfig) == 0 {
+ return nil
+ }
+ if len(nwConfig.EndpointsConfig) == 1 {
+ for _, v := range nwConfig.EndpointsConfig {
+ if v.IPAMConfig != nil {
+ if v.IPAMConfig.IPv4Address != "" && net.ParseIP(v.IPAMConfig.IPv4Address).To4() == nil {
+ return errors.NewBadRequestError(fmt.Errorf("invalid IPv4 address: %s", v.IPAMConfig.IPv4Address))
+ }
+ if v.IPAMConfig.IPv6Address != "" && net.ParseIP(v.IPAMConfig.IPv6Address).To16() == nil {
+ return errors.NewBadRequestError(fmt.Errorf("invalid IPv6 address: %s", v.IPAMConfig.IPv6Address))
+ }
+ }
+ }
 return nil
 }
 l := make([]string, 0, len(nwConfig.EndpointsConfig))
diff --git a/components/engine/integration-cli/docker_cli_network_unix_test.go b/components/engine/integration-cli/docker_cli_network_unix_test.go
index eb75e998f3..a03c8aa406 100644
--- a/components/engine/integration-cli/docker_cli_network_unix_test.go
+++ b/components/engine/integration-cli/docker_cli_network_unix_test.go
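Review bot: The IPv6 check added to `verifyNetworkingConfig` in daemon/create.go also accepts IPv4 literals, because `net.ParseIP(...).To16()` returns a non-nil 16-byte form for every address that parses, IPv4 included; an `IPv6Address` of `172.28.99.99` would pass. Parse once and reject when the result is nil or converts to IPv4, for example `if ip := net.ParseIP(v.IPAMConfig.IPv6Address); ip == nil || ip.To4() != nil {`, kept behind the existing `!= ""` guard. This is the daemon-side validation that API clients cannot skip, so it should be strict here rather than depend on what the CLI sends. Using `%q` instead of `%s` in both error messages would also make empty or odd input visible in the returned error. The function body continues past the end of the hunk.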
@@ -1717,3 +1717,20 @@ func (s *DockerNetworkSuite) TestDockerNetworkFlagAlias(c *check.C) {
 output, status, _ = dockerCmdWithError("run", "--rm", "--network=user", "--net-alias=foo", "--network-alias=bar", "busybox", "true")
 c.Assert(status, checker.Equals, 0, check.Commentf("unexpected status code %d (%s)", status, output))
 }
+
+func (s *DockerNetworkSuite) TestDockerNetworkValidateIP(c *check.C) {
+ _, _, err := dockerCmdWithError("network", "create", "--ipv6", "--subnet=172.28.0.0/16", "--subnet=2001:db8:1234::/64", "mynet")
+ c.Assert(err, check.IsNil)
+ assertNwIsAvailable(c, "mynet")
+
+ _, _, err = dockerCmdWithError("run", "-d", "--name", "mynet0", "--net=mynet", "--ip", "172.28.99.88", "--ip6", "2001:db8:1234::9988", "busybox", "top")
+ c.Assert(err, check.IsNil)
+ c.Assert(waitRun("mynet0"), check.IsNil)
+ verifyIPAddressConfig(c, "mynet0", "mynet", "172.28.99.88", "2001:db8:1234::9988")
+ verifyIPAddresses(c, "mynet0", "mynet", "172.28.99.88", "2001:db8:1234::9988")
+
+ _, _, err = dockerCmdWithError("run", "--net=mynet", "--ip", "mynet_ip", "--ip6", "2001:db8:1234::9999", "busybox", "top")
+ c.Assert(err.Error(), checker.Contains, "invalid IPv4 address")
+ _, _, err = dockerCmdWithError("run", "--net=mynet", "--ip", "172.28.99.99", "--ip6", "mynet_ip6", "busybox", "top")
+ c.Assert(err.Error(), checker.Contains, "invalid IPv6 address")
+}
From 7045275ed80a378b8a376f903e5f39fe803c5651 Mon Sep 17 00:00:00 2001 From: Yong Tang Date: Thu, 25 Aug 2016 10:06:05 -0700 Subject: [PATCH 2/2] Update documentation for validation of `--ip` and `ip6`. Signed-off-by: Yong Tang Upstream-commit: 5118dd2992aef27890203b7e8eb62fc5f507d931 Component: engine
---
 components/engine/docs/reference/api/docker_remote_api.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/components/engine/docs/reference/api/docker_remote_api.md b/components/engine/docs/reference/api/docker_remote_api.md
index 66b5c16942..70c4595ab0 100644
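Review bot: Both negative cases in `TestDockerNetworkValidateIP` call `err.Error()` without first asserting that `err` is non-nil, so if the daemon ever accepts the bad address the test panics on a nil error instead of failing with a readable assertion; add `c.Assert(err, check.NotNil)` before each `checker.Contains` line. The test also drives only `docker run`, while the commit message is about `docker create`, so a `create` invocation with an invalid `--ip` would pin the reported case directly. A further case passing an IPv4 literal to `--ip6` would show whether the daemon's IPv6 check actually distinguishes address families.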
--- a/components/engine/docs/reference/api/docker_remote_api.md
+++ b/components/engine/docs/reference/api/docker_remote_api.md
@@ -121,6 +121,7 @@ This section lists each version from latest to oldest. Each listing includes a
 * `GET /containers/json` now accepts `removing` as a valid value for the `status` filter.
 * `DELETE /volumes/(name)` now accepts a `force` query parameter to force removal of volumes that were already removed out of band by the volume driver plugin.
 * `POST /containers/create/` and `POST /containers/(name)/update` now validates restart policies.
+* `POST /containers/create` now validates IPAMConfig in NetworkingConfig, and returns error for invalid IPv4 and IPv6 addresses (`--ip` and `--ip6` in `docker create/run`).
 ### v1.24 API changes