Merge pull request #117 from aboch/pt

Protect internal data in CreateOptionPortMapping

libnetwork/drivers/bridge/link.go

@@ -69,7 +69,7 @@ func linkContainers(action, parentIP, childIP string, ports []netutils.PortBindi
 		return InvalidLinkIPAddrError(childIP)
 	}
 
-	chain := iptables.Chain{Name: "DOCKER", Bridge: bridge}
+	chain := iptables.Chain{Name: DockerChain, Bridge: bridge}
 	for _, port := range ports {
 		err := chain.Link(nfAction, ip1, ip2, int(port.Port), port.Proto.String())
 		if !ignoreErrors && err != nil {

libnetwork/endpoint.go

@@ -486,13 +486,18 @@ func JoinOptionUseDefaultSandbox() EndpointOption {
 // ports option to be passed to network.CreateEndpoint() method.
 func CreateOptionPortMapping(portBindings []netutils.PortBinding) EndpointOption {
 	return func(ep *endpoint) {
-		// Store endpoint label
-		ep.generic[options.PortMap] = portBindings
-		// Extract exposed ports as this is the only concern of libnetwork endpoint
-		ep.exposedPorts = make([]netutils.TransportPort, 0, len(portBindings))
+		// Extract and store exposed ports as this is the only concern of libnetwork endpoint
+		// Store a copy of the bindings as generic data to pass to the driver
+		pbs := make([]netutils.PortBinding, 0, len(portBindings))
+		exp := make([]netutils.TransportPort, 0, len(portBindings))
+
 		for _, b := range portBindings {
-			ep.exposedPorts = append(ep.exposedPorts, netutils.TransportPort{Proto: b.Proto, Port: b.Port})
+			pbs = append(pbs, b.GetCopy())
+			exp = append(exp, netutils.TransportPort{Proto: b.Proto, Port: b.Port})
 		}
+
+		ep.generic[options.PortMap] = pbs
+		ep.exposedPorts = exp
 	}
 }