Bug 1949632 - MAC address validation passes on invalid MAC addresses (dropped hex digits) [osp-16.2]
Summary: MAC address validation passes on invalid MAC addresses (dropped hex digits) [...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-neutron-lib
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: z2
: 16.2 (Train on RHEL 8.4)
Assignee: Rodolfo Alonso
QA Contact: Eran Kuris
URL:
Whiteboard:
: 1951228 (view as bug list)
Depends On:
Blocks: 2023244
TreeView+ depends on / blocked
 
Reported: 2021-04-14 17:26 UTC by nacurry
Modified: 2022-03-23 22:10 UTC (History)
9 users (show)

Fixed In Version: python-neutron-lib-1.29.1-2.20210623080523.4ef4b71.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1974655 2023240 (view as bug list)
Environment:
Last Closed: 2022-03-23 22:10:08 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1926273 0 None None None 2021-04-27 13:52:10 UTC
OpenStack gerrit 788300 0 None MERGED Modify "port.mac_address" API definition 2021-06-22 09:01:00 UTC
OpenStack gerrit 789831 0 None NEW Sanitize MAC addresses 2021-06-29 11:25:20 UTC
Red Hat Issue Tracker OSP-2974 0 None None None 2021-11-15 09:56:25 UTC
Red Hat Product Errata RHBA-2022:1001 0 None None None 2022-03-23 22:10:32 UTC

Description nacurry 2021-04-14 17:26:50 UTC 
Description of problem:

[1] `openstack port create` allows creation of MAC addresses with missing digits (ex: 11:22:33:4:5:66)

[2] This is due to reliance on netaddr upstream, which presumably has these loose standards due to limited legacy cases where leading zeroes may (incorrectly) be dropped.

[3] I have submitted a pull request to clean this up, and if desired create a loose validation separately from the primary MAC validation, but I'm not sure I did a good job, and if I did, it doesn't solve the immediate problem.

[4] Here is the code in neutron-lib that appears to be calling netaddr

After creating the port, it's possible to use to build an instance, causing the instance to in some cases remain stuck in BUILD.  I will create a BZ for this issue as well.

Version-Release number of selected component (if applicable):
Current OSP16.x
Current python-netaddr

How reproducible:
Every time.

Steps to Reproduce:
1. authenticate as admin or user
2. create port, specifying a MAC address with a missing character

Actual results:
It creates the port, no complaints.

Expected results:
Port creation should fail.

Additional info:
[1]
(ess1612) [stack@undercloud-0 ~]$ openstack port create --mac-address 40:28:00:00:2:06 --network admin-tenant-overlay test-port-bad-mac_user

[2]
netaddr/strategy/eui48.py
#-----------------------------------------------------------------------------
#: Regular expressions to match all supported MAC address formats.
RE_MAC_FORMATS = ( 
    #   2 bytes x 6 (UNIX, Windows, EUI-48)
    '^' + ':'.join(['([0-9A-F]{1,2})'] * 6) + '$',
    '^' + '-'.join(['([0-9A-F]{1,2})'] * 6) + '$',

    #   4 bytes x 3 (Cisco)
    '^' + ':'.join(['([0-9A-F]{1,4})'] * 3) + '$',
    '^' + '-'.join(['([0-9A-F]{1,4})'] * 3) + '$',
    '^' + r'\.'.join(['([0-9A-F]{1,4})'] * 3) + '$',

    #   6 bytes x 2 (PostgreSQL)
    '^' + '-'.join(['([0-9A-F]{5,6})'] * 2) + '$',
    '^' + ':'.join(['([0-9A-F]{5,6})'] * 2) + '$',

    #   12 bytes (bare, no delimiters)
    '^(' + ''.join(['[0-9A-F]'] * 12) + ')$',
    '^(' + ''.join(['[0-9A-F]'] * 11) + ')$',
)

[3]https://github.com/netaddr/netaddr/pull/229

[4]
neutron_lib/api/validators/__init__.py
 366 def validate_mac_address(data, valid_values=None):
 367     """Validate data is a MAC address.
 368 
 369     :param data: The data to validate.
 370     :param valid_values: Not used!
 371     :returns: None if the data is a valid MAC address, otherwise a human
 372         readable message as to why validation failed.
 373     """
 374     try:
 375         valid_mac = netaddr.valid_mac(validate_no_whitespace(data))
 376     except Exception:
 377         valid_mac = False
 378 
 379     if valid_mac:
 380         valid_mac = (netaddr.EUI(data) not in
 381                      map(netaddr.EUI, constants.INVALID_MAC_ADDRESSES))
 382     # TODO(arosen): The code in this file should be refactored
 383     # so it catches the correct exceptions. validate_no_whitespace
 384     # raises AttributeError if data is None.
 385     if not valid_mac:
 386         msg = _("'%s' is not a valid MAC address") % data
 387         LOG.debug(msg)
 388         return msg
Comment 1 Rodolfo Alonso 2021-04-27 08:52:10 UTC 
*** Bug 1951228 has been marked as a duplicate of this bug. ***
Comment 12 errata-xmlrpc 2022-03-23 22:10:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.2), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1001
Note You need to log in before you can comment on or make changes to this bug.