Ubuntu
iproute2 package

"ip addr add" permits illegal labels

Bug #1662620 reported by Nahuel Greco
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
iproute2 (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Won't Fix
Low
Christian Ehrhardt 

Bug Description

[Impact]

 * The filter on label names does not match the intention
   by upstream nor the description in the man page

 * Fix by backporting upstream fix that strengthens the check

[Test Plan]

Bad case:
root@b:~# ip addr add 1.1.1.1 label test1 dev eth0
"dev" (eth0) must match "label" (test1).
root@b:~# ip addr add 1.1.1.1 label eth0-test dev eth0
root@b:~# ip addr show dev eth0 | grep test
    inet 1.1.1.1/32 scope global eth0-test

With the fix it should look like:
root@i:~# ip addr add 1.1.1.1 label test1 dev eth0
"label" (test1) must match "dev" (eth0) or be prefixed by "dev" with a colon.
root@i:~# ip addr add 1.1.1.1 label eth0-test dev eth0
"label" (eth0-test) must match "dev" (eth0) or be prefixed by "dev" with a colon.
root@i:~# ip addr show dev eth0 | grep test

[Where problems could occur]

 * While the fix indeed "corrects" behavior I must say that if someone
   relied on the non-intended behavior it would now break e.g. his
   scripting or automation.

[Other Info]

 * It was too easy to fix and too long dormant to ignore it further,
   but if the SRU team says this is too much regression risk relative to
   the gain we will mark it Won't Fix based on that decision.

---

ip-address(8) manpage states:

  label NAME
    Each address may be tagged with a label string. In order to preserve compatibility with Linux-2.0 net aliases, this string must coincide with the name of the device or must be prefixed with the device name followed by colon.

But you can omit the colon, "ip addr add" is ONLY checking the label is prefixed with the device:

# ip addr add 1.1.1.1 label test1 dev eth0
"dev" (eth0) must match "label" (test1).

# ip addr add 1.1.1.2 label eth0-test2 dev eth0

# ip addr add 1.1.1.3 label eth0:test3 dev eth0

Now ifconfig becomes confused about eth0-test2:

# ifconfig eth0-test2
eth0-test2: error fetching interface information: Device not found

# ifconfig eth0:test3
eth0:test3 Link encap:Ethernet HWaddr b0:d5:cc:fe:1d:7c
          inet addr:1.1.1.3 Bcast:0.0.0.0 Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          Interrupt:171

And daemons like ntpd also log errors about the interface with the illegal label:

ntpd[7570]: eth0-test3: getting interface flags: No such device
  ## => many of this error per minute until:
ntpd[7570]: Too many errors. Shutting up.

So, I think ip addr show disallow adding address with illegal (as stated by his own documentation) labels, it must also check for the colon following the dev name.

Version: 4.3.0-1ubuntu3

See original description
Tags: server-todo
Joshua Powers (powersj)
Changed in iproute2 (Ubuntu):
status: New → Triaged
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi,
I come by trying to clear out a few old bugs that might still need to be resolved (or can be closed by now).

Even though this one seems to be forgotten by everyone so far it has been fixed.

Bionic (affected)
root@b:~# ip addr add 1.1.1.1 label test1 dev eth0
"dev" (eth0) must match "label" (test1).
root@b:~# ip addr add 1.1.1.1 label eth0-test dev eth0
root@b:~# ip addr show dev eth0 | grep test
    inet 1.1.1.1/32 scope global eth0-test

Impish (fixed)
root@i:~# ip addr add 1.1.1.1 label test1 dev eth0
"label" (test1) must match "dev" (eth0) or be prefixed by "dev" with a colon.
root@i:~# ip addr add 1.1.1.1 label eth0-test dev eth0
"label" (eth0-test) must match "dev" (eth0) or be prefixed by "dev" with a colon.
root@i:~# ip addr show dev eth0 | grep test

This was effectively fixed by
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=cad73425d8813

Which is in since v4.18.0

That version is in >=20.04 as well as in 18.04-backports.

 iproute2 | 3.12.0-2 | trusty | source, amd64, arm64, armhf, i386, powerpc, ppc64el
 iproute2 | 3.12.0-2ubuntu1.2 | trusty-updates | source, amd64, arm64, armhf, i386, powerpc, ppc64el
 iproute2 | 4.3.0-1ubuntu3 | xenial | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 iproute2 | 4.3.0-1ubuntu3.16.04.5 | xenial-updates | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 iproute2 | 4.15.0-2ubuntu1 | bionic | source, amd64, arm64, armhf, i386, ppc64el, s390x
 iproute2 | 4.15.0-2ubuntu1.1 | bionic-security | source, amd64, arm64, armhf, i386, ppc64el, s390x
 iproute2 | 4.15.0-2ubuntu1.3 | bionic-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x
 iproute2 | 4.18.0-1ubuntu2~ubuntu18.04.1 | bionic-backports | source, amd64, arm64, armhf, i386, ppc64el, s390x
 iproute2 | 5.5.0-1ubuntu1 | focal | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
 iproute2 | 5.10.0-4ubuntu1 | hirsute | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
 iproute2 | 5.10.0-4ubuntu1 | impish | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x

Thereby the active release that still is affected is Bionic (unless you use bionic-backports which already have 4.18).

I think to fix this in bionic is only prio-low since it is mostly a cosmetic.
Since it is fixed in newer releases there isn't more work to be done to drive this to conclusion for future releases.

@Nahuel - I can only beg your pardon that this was dormant for so long :-/

Changed in iproute2 (Ubuntu Bionic):
status: New → Triaged
importance: Undecided → Low
Changed in iproute2 (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Not sure if it will pass build, review or be acceptable as SRU since it is so low impact.
But the fix was so trivial that after all this time I'd feel bad to keep it as-is.

So I've prepared an MP to fix it
https://code.launchpad.net/~paelzer/ubuntu/+source/iproute2/+git/iproute2/+merge/409821

And a PPA with a test build
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4676/+packages

tags: added: server-todo
Changed in iproute2 (Ubuntu Bionic):
assignee: nobody → Christian Ehrhardt  (paelzer)
description: updated
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

SRU template added

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Reviewed and tested - uploading to Bionic-unapproved for a check by the SRU Team.

Revision history for this message
Chris Halse Rogers (raof) wrote :

Hm. It's not clear what the actual user impact of this is?

Reading from the original description, it seems that if a user uses an invalid label to set one address and *also* uses a valid label to set another address *then* tools can be confused?

“Our parser is actually more lenient than the manpage states” on its own is definitely not SRU-worthy, but if it breaks other tools then maybe?

On the other hand, from the bug it looks like if you *don't* mix valid and invalid labels then everything actually works? So this would potentially be breaking currently working setups?

I think we need more information before determining whether this should be accepted as an SRU.

Changed in iproute2 (Ubuntu Bionic):
status: Triaged → Incomplete
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks Chris for having a look.

> On the other hand, from the bug it looks like if you *don't* mix valid and invalid labels
> then everything actually works? So this would potentially be breaking currently working setups?

Yes while having that echoing in my head for a while I think you are right. We would have the chance to disrupt working setups, so I beg your pardon and would step back marking it won't fix.

Changed in iproute2 (Ubuntu Bionic):
status: Incomplete → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.