Restrict netmask of CIDR to avoid DHCP resync
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | High | Unassigned |
neutron | Fix Released | High | watanabe.isao |
Icehouse | Incomplete | Undecided | Unassigned |
Juno | Incomplete | Undecided | Unassigned |
Kilo | Fix Released | High | Akihiro Motoki |
Bug Description
If any tenant creates a subnet with a netmask of 31 or 32 in IPv4,
IP addresses of the network will fail to be generated, and that
will cause constant resyncs and neutron-dhcp-agent malfunction.
[Example operation 1]
- Create subnet from CLI, with CIDR /31 (CIDR /32 has the same result).
$ neutron subnet-create net 192.168.0.0/31 --name sub
Created a new subnet:
+------
| Field | Value |
+------
| allocation_pools | |
| cidr | 192.168.0.0/31 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 192.168.0.1 |
| host_routes | |
| id | 42a91f59-
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | sub |
| network_id | 65cc6b46-
| subnetpool_id | |
| tenant_id | 4ffb89e718d346b
+------
[Example operation 2]
- Create subnet from API, with cidr /32 (CIDR /31 has the same result).
$ curl -i -X POST -H "content-
8143cda-
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
Content-Length: 410
X-Openstack-
Date: Thu, 16 Apr 2015 19:21:20 GMT
{"subnet": {"name": "badsub", "enable_dhcp": true, "network_id": "88143cda-
[Example operation 3]
- Create subnet from API, with empty allocation_pools.
$ curl -i -X POST -H "content-
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
Content-Length: 410
X-Openstack-
Date: Thu, 16 Apr 2015 19:18:21 GMT
{"subnet": {"name": "badsub", "enable_dhcp": true, "network_id": "88143cda-
[Trace log]
2015-04-17 04:23:27.907 16641 DEBUG oslo_messaging.
2015-04-17 04:23:27.979 16641 ERROR neutron.
2015-04-17 04:23:27.979 16641 TRACE neutron.
Changed in neutron: | |
assignee: | nobody → watanabe.isao (watanabe.isao) |
description: | updated |
Changed in neutron: | |
importance: | Undecided → High |
Changed in neutron: | |
assignee: | watanabe.isao (watanabe.isao) → Kyle Mestery (mestery) |
Changed in neutron: | |
assignee: | Kyle Mestery (mestery) → Andrew Boik (drewboik) |
Changed in neutron: | |
assignee: | nobody → watanabe.isao (watanabe.isao) |
description: | updated |
Changed in ossa: | |
importance: | Undecided → High |
status: | Incomplete → Confirmed |
no longer affects: | neutron/kilo |
Changed in neutron: | |
milestone: | kilo-rc2 → none |
tags: | removed: kilo-backport-potential kilo-rc-potential |
Changed in neutron: | |
milestone: | none → liberty-1 |
status: | Fix Committed → Fix Released |
Changed in neutron: | |
milestone: | liberty-1 → 7.0.0 |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
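The empty `allocation_pools` from the bug description, worked through as an added example (not code from neutron or from the reporter). It assumes the default pool excludes the network address, the broadcast address and the gateway, and that the gateway defaults to the first host address; `allocation_pools()` and `subnet_errors()` are hypothetical names, and the sample requests are constructed.

```python
import ipaddress


def allocation_pools(cidr, gateway_ip=None):
    """Default IPv4 pools as (first, last) string pairs; [] if none remain.

    Assumption: network address, broadcast address and gateway are excluded.
    """
    net = ipaddress.IPv4Network(cidr)
    if net.num_addresses <= 2:          # /31 and /32: nothing left to hand out
        return []
    first, last = net.network_address + 1, net.broadcast_address - 1
    # Assumption: the gateway defaults to the first host address.
    gw = ipaddress.IPv4Address(gateway_ip) if gateway_ip else first
    if not first <= gw <= last:
        ranges = [(first, last)]
    else:                               # split the range around the gateway
        ranges = [(first, gw - 1), (gw + 1, last)]
    return [(str(a), str(b)) for a, b in ranges if a <= b]


def subnet_errors(cidr, enable_dhcp=True, gateway_ip=None, pools=None):
    """Return reasons to reject the request; an empty list means accept."""
    net = ipaddress.IPv4Network(cidr)
    if not enable_dhcp:
        return []                       # only DHCP-enabled subnets are checked
    errors = []
    if net.prefixlen > 30:
        errors.append(f"/{net.prefixlen} leaves no address for DHCP")
    # An explicitly supplied pool list (even an empty one) overrides the default.
    effective = allocation_pools(cidr, gateway_ip) if pools is None else pools
    if not effective:
        errors.append("allocation_pools is empty")
    return errors


if __name__ == "__main__":
    # Constructed requests modelled on example operations 1-3, plus a valid one.
    for req in (
        {"cidr": "192.168.0.0/31", "gateway_ip": "192.168.0.1"},
        {"cidr": "192.168.0.0/32"},
        {"cidr": "192.168.0.0/24", "pools": []},
        {"cidr": "192.168.0.0/24"},
    ):
        print(req, "->", subnet_errors(**req) or "ok")
```

Rejecting the request at subnet creation keeps the empty pool from ever reaching the DHCP agent, which is the restriction the bug title asks for.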