Bug 905708

Summary: virSocketAddrIsPrivate function incorrectly identifies 172.31.2.1 as a publicly routable address
Product: [Community] Virtualization Tools
Component: libvirt
Reporter: subscribe
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: unspecified
Version: unspecified
CC: dyasny, jdenemar
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-01-30 15:58:38 UTC

Description subscribe 2013-01-30 01:19:52 UTC
Description of problem:

An error in /src/util/virsocketaddr.c prevents starting the default network when it has an address of 172.31.2.1

Version-Release number of selected component (if applicable):

Vendor: OpenSUSE
Version: 12.2 Tumbleweed
Component: libvirt-1.0.1-4.1.x86_64.rpm (dated Jan 24th 2013)
Component: dnsmasq-2.61-2.1.3.x86_64.rpm

How reproducible:

Consistently reproducible.

Steps to Reproduce:
1. virsh net-edit default
2. change <ip address='192.168.122.1' netmask='255.255.255.0'>
   to <ip address='172.31.2.1' netmask='255.255.255.0'>
3. virsh net-start default
  
Actual results:

error: Failed to start network default
error: unsupported configuration: Publicly routable address 172.31.2.1 is prohibited. The version of dnsmasq on this host (2.61) doesn't support the bind-dynamic option, which is required for safe operation on a publicly routable subnet (see CVE-2012-3411). You must either upgrade dnsmasq, or use a private/local subnet range for this network (as described in RFC1918/RFC3484/RFC4193)

Expected results:

Network should be started without error as 172.31.2.1 is a legal private address within the 172.16/12 range.

Additional info:

From https://www.redhat.com/archives/libvir-list/2012-November/msg00944.html

The comments underneath virSocketAddrIsPrivate: state "For IPv4, private addresses are in the range of 192.168.0.0/16, 172.16.0.0/16, or 10.0.0.0/8" but the correct range per the RFC is 172.16.0.0 - 172.31.255.255  (172.16/12 prefix)

Comment 1 Jiri Denemark 2013-01-30 15:58:38 UTC
Thanks for reporting this issue. It is now fixed upstream by

commit 6405713f2ab9243db7d856914aaefbd4f9747daa
Author: Jiri Denemark <jdenemar>
Date:   Wed Jan 30 12:01:01 2013 +0100

    util: Fix mask for 172.16.0.0 private address range
    
    https://bugzilla.redhat.com/show_bug.cgi?id=905708
    
    Only the first 12 bits should be set in the mask for this range. All
    addresses between 172.16.0.0 and 172.31.255.255 are private.
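
The mask error discussed in this report, as an added example that is not libvirt's code: a table-driven RFC 1918 check with the 172.16.0.0 entry as a /16 (the range given in the code comment quoted above) next to the corrected /12. The tables and the function names `is_private_buggy` and `is_private_fixed` are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* One private block: network address (host byte order) and prefix length. */
struct prefix { uint32_t net; unsigned len; };

/* Correct table: 172.16.0.0/12 covers 172.16.0.0 - 172.31.255.255. */
static const struct prefix rfc1918_fixed[] = {
    { 0x0A000000u, 8 },   /* 10.0.0.0/8 */
    { 0xAC100000u, 12 },  /* 172.16.0.0/12 */
    { 0xC0A80000u, 16 },  /* 192.168.0.0/16 */
};

/* Table with the defect from the report: 172.16.0.0 treated as a /16. */
static const struct prefix rfc1918_buggy[] = {
    { 0x0A000000u, 8 },
    { 0xAC100000u, 16 },  /* too narrow: only 172.16.x.x matches */
    { 0xC0A80000u, 16 },
};

/* Netmask with the top `len` bits set; len == 0 is guarded to avoid a 32-bit shift. */
static uint32_t mask_of(unsigned len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Returns 1 if private, 0 if not, -1 if `text` is not a valid IPv4 address. */
static int is_private_with(const char *text, const struct prefix *tab, size_t n)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return -1;
    uint32_t ip = ntohl(a.s_addr);
    for (size_t i = 0; i < n; i++)
        if ((ip & mask_of(tab[i].len)) == tab[i].net)
            return 1;
    return 0;
}

int is_private_fixed(const char *t) { return is_private_with(t, rfc1918_fixed, 3); }
int is_private_buggy(const char *t) { return is_private_with(t, rfc1918_buggy, 3); }

int main(void)
{
    /* Constructed sample addresses around the edges of 172.16.0.0/12. */
    const char *s[] = { "172.16.0.1", "172.31.2.1", "172.32.0.1", "192.168.122.1" };
    for (size_t i = 0; i < 4; i++)
        printf("%-14s buggy=%d fixed=%d\n", s[i], is_private_buggy(s[i]), is_private_fixed(s[i]));
    return 0;
}
```

Boundary addresses on both sides of the block (172.15.255.255, 172.16.0.0, 172.31.255.255, 172.32.0.0) are the cases worth keeping in a regression test for a check like this, since it decides whether the dnsmasq restriction in the error message applies.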