Bug 905708 - virSocketAddrIsPrivate function incorrectly identifies 172.31.2.1 as a publicly routable address
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-01-30 01:19 UTC by subscribe
Modified: 2013-01-30 15:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-30 15:58:38 UTC
Embargoed:



Description subscribe 2013-01-30 01:19:52 UTC
Description of problem:

An error in /src/util/virsocketaddr.c prevents starting default network when it has an address of 172.31.2.1

Version-Release number of selected component (if applicable):

Vendor: OpenSUSE
Version: 12.2 Tumbleweed
Component: libvirt-1.0.1-4.1.x86_64.rpm (dated Jan 24th 2013)
Component: dnsmasq-2.61-2.1.3.x86_64.rpm

How reproducible:

Consistently reproducible.

Steps to Reproduce:
1. virsh net-edit default
2. change <ip address='192.168.122.1' netmask='255.255.255.0'>
   to <ip address='172.31.2.1' netmask='255.255.255.0'>
3. virsh net-start default
  
Actual results:

error: Failed to start network default
error: unsupported configuration: Publicly routable address 172.31.2.1 is prohibited. The version of dnsmasq on this host (2.61) doesn't support the bind-dynamic option, which is required for safe operation on a publicly routable subnet (see CVE-2012-3411). You must either upgrade dnsmasq, or use a private/local subnet range for this network (as described in RFC1918/RFC3484/RFC4193)

Expected results:

Network should be started without error, as 172.31.2.1 is a legal private address within the 172.16/12 range.

Additional info:

From https://www.redhat.com/archives/libvir-list/2012-November/msg00944.html

The comments underneath virSocketAddrIsPrivate state "For IPv4, private addresses are in the range of 192.168.0.0/16, 172.16.0.0/16, or 10.0.0.0/8", but the correct range per the RFC is 172.16.0.0 - 172.31.255.255 (172.16/12 prefix).

Comment 1 Jiri Denemark 2013-01-30 15:58:38 UTC
Thanks for reporting this issue. It is now fixed upstream by

commit 6405713f2ab9243db7d856914aaefbd4f9747daa
Author: Jiri Denemark <jdenemar>
Date:   Wed Jan 30 12:01:01 2013 +0100

    util: Fix mask for 172.16.0.0 private address range
    
    https://bugzilla.redhat.com/show_bug.cgi?id=905708
    
    Only the first 12 bits should be set in the mask for this range. All
    addresses between 172.16.0.0 and 172.31.255.255 are private.
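
The mask error discussed in this bug, as an added example that is not libvirt's source and not part of the report or the commit: it contrasts a 16-bit mask for the 172.16 block (as in the comment quoted in the description) with the 12-bit mask named in the commit message. The table layout, the `IP4` macro and the function names are assumptions made for the illustration; the sample addresses other than 172.31.2.1 and 192.168.122.1 are constructed boundary cases.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* One private block: network address and netmask, both in host byte order. */
struct cidr { uint32_t net; uint32_t mask; };

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical table following the quoted comment: 172.16.0.0/16. */
static const struct cidr ranges_16[] = {
    { IP4(192, 168, 0, 0), 0xFFFF0000u },
    { IP4(172, 16, 0, 0),  0xFFFF0000u },  /* too narrow: only 172.16.x.x */
    { IP4(10, 0, 0, 0),    0xFF000000u },
};

/* Same table with only the first 12 bits set in the 172.16 mask. */
static const struct cidr ranges_12[] = {
    { IP4(192, 168, 0, 0), 0xFFFF0000u },
    { IP4(172, 16, 0, 0),  0xFFF00000u },  /* 172.16.0.0 - 172.31.255.255 */
    { IP4(10, 0, 0, 0),    0xFF000000u },
};

/* Returns 1 if private, 0 if not, -1 if text is not a valid IPv4 address. */
static int match(const char *text, const struct cidr *r, size_t n)
{
    struct in_addr in;
    if (inet_pton(AF_INET, text, &in) != 1)
        return -1;
    uint32_t val = ntohl(in.s_addr);
    for (size_t i = 0; i < n; i++)
        if ((val & r[i].mask) == r[i].net)
            return 1;
    return 0;
}

int is_private_mask16(const char *text) { return match(text, ranges_16, 3); }
int is_private_mask12(const char *text) { return match(text, ranges_12, 3); }

int main(void)
{
    const char *samples[] = { "172.16.0.1", "172.31.2.1", "172.31.255.255",
                              "172.32.0.1", "172.15.255.255", "192.168.122.1" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-15s /16 mask: %d   /12 mask: %d\n", samples[i],
               is_private_mask16(samples[i]), is_private_mask12(samples[i]));
    return 0;
}
```

The addresses just outside the block (172.15.255.255 and 172.32.0.1) are worth keeping in any regression test, since a mask that is too wide would exempt publicly routable addresses from the dnsmasq check quoted in the error message.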

