security: resolve incorrect type conversions (#21251)

* security: resolve incorrect type conversions

* add changelog

* fix more incorrect type conversions

.changelog/21251.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix multiple incorrect type conversion for potential overflows
+```

agent/consul/leader_registrator_v2.go

@@ -175,6 +175,10 @@ func (r V2ConsulRegistrator) createWorkloadFromMember(member serf.Member, parts
 		workloadMeta["grpc_tls_port"] = strconv.Itoa(parts.ExternalGRPCTLSPort)
 	}
 
+	if parts.Port < 0 || parts.Port > 65535 {
+		return nil, fmt.Errorf("invalid port: %d", parts.Port)
+	}
+
 	workload := &pbcatalog.Workload{
 		Addresses: []*pbcatalog.WorkloadAddress{
 			{Host: member.Addr.String(), Ports: []string{consulPortNameServer}},

agent/xds/proxystateconverter/endpoints.go

@@ -301,6 +301,7 @@ func (s *Converter) filterSubsetEndpoints(subset *structs.ServiceResolverSubset,
 
 // used in clusters.go
 func makeHostPortEndpoint(host string, port int) *pbproxystate.Endpoint {
+	if port >= 0 && port <= 65535 {
 		return &pbproxystate.Endpoint{
 			Address: &pbproxystate.Endpoint_HostPort{
 				HostPort: &pbproxystate.HostPortAddress{
@@ -309,6 +310,8 @@ func makeHostPortEndpoint(host string, port int) *pbproxystate.Endpoint {
 				},
 			},
 		}
+	}
+	return nil
 }
 
 func makeUnixSocketEndpoint(path string) *pbproxystate.Endpoint {

agent/xds/proxystateconverter/listeners.go

@@ -764,6 +764,7 @@ func makeListenerWithDefault(opts makeListenerOpts) *pbproxystate.Listener {
 	//	// Since access logging is non-essential for routing, warn and move on
 	//	opts.logger.Warn("error generating access log xds", err)
 	//}
+	if opts.port >= 0 && opts.port <= 65535 {
 		return &pbproxystate.Listener{
 			Name: fmt.Sprintf("%s:%s:%d", opts.name, opts.addr, opts.port),
 			//AccessLog:        accessLog,
@@ -775,6 +776,8 @@ func makeListenerWithDefault(opts makeListenerOpts) *pbproxystate.Listener {
 			},
 			Direction: opts.direction,
 		}
+	}
+	return nil
 }
 
 func makePipeListener(opts makeListenerOpts) *pbproxystate.Listener {

agent/xds/response/response.go

@@ -53,6 +53,7 @@ func MakePipeAddress(path string, mode uint32) *envoy_core_v3.Address {
 }
 
 func MakeAddress(ip string, port int) *envoy_core_v3.Address {
+	if port >= 0 && port <= 65535 {
 		return &envoy_core_v3.Address{
 			Address: &envoy_core_v3.Address_SocketAddress{
 				SocketAddress: &envoy_core_v3.SocketAddress{
@@ -63,6 +64,8 @@ func MakeAddress(ip string, port int) *envoy_core_v3.Address {
 				},
 			},
 		}
+	}
+	return nil
 }
 
 func MakeUint32Value(n int) *wrapperspb.UInt32Value {

agent/xds/testing.go

@@ -125,15 +125,15 @@ func stringToEnvoyVersion(vs string) (*envoy_type_v3.SemanticVersion, bool) {
 		return nil, false
 	}
 
-	major, err := strconv.Atoi(parts[0])
+	major, err := strconv.ParseUint(parts[0], 10, 32)
 	if err != nil {
 		return nil, false
 	}
-	minor, err := strconv.Atoi(parts[1])
+	minor, err := strconv.ParseUint(parts[1], 10, 32)
 	if err != nil {
 		return nil, false
 	}
-	patch, err := strconv.Atoi(parts[2])
+	patch, err := strconv.ParseUint(parts[2], 10, 32)
 	if err != nil {
 		return nil, false
 	}

api/api.go

@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"math"
 	"net"
 	"net/http"
 	"net/url"
@@ -1181,6 +1182,9 @@ func parseQueryMeta(resp *http.Response, q *QueryMeta) error {
 	if err != nil {
 		return fmt.Errorf("Failed to parse X-Consul-LastContact: %v", err)
 	}
+	if last > math.MaxInt64 {
+		return fmt.Errorf("X-Consul-LastContact Header value is out of range: %d", last)
+	}
 	q.LastContact = time.Duration(last) * time.Millisecond
 
 	// Parse the X-Consul-KnownLeader
@@ -1222,6 +1226,9 @@ func parseQueryMeta(resp *http.Response, q *QueryMeta) error {
 		if err != nil {
 			return fmt.Errorf("Failed to parse Age Header: %v", err)
 		}
+		if age > math.MaxInt64 {
+			return fmt.Errorf("Age Header value is out of range: %d", last)
+		}
 		q.CacheAge = time.Duration(age) * time.Second
 	}