  1. Core Server
  2. SERVER-40376

when maxIncomingConnectionsOverride contains invalid CIDR block, allows connections from any CIDR block

    • Type: Bug
    • Resolution: Works as Designed
    • Priority: Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Security
    • Labels:
      None
    • v4.0, v3.6, v3.4
    • Security 2019-04-08

      With this configuration file:

      net:
          maxIncomingConnections: 5
          maxIncomingConnectionsOverride: ["11.11.11.11/1"] 
      

      the expected behavior is that only a client with an IP address of 11.11.11.11/1 should be able to override maxIncomingConnections. However, with the IP address set as such in the conf file, anyone can connect to the mongod instance after the maxIncomingConnections limit is reached. Furthermore, the number of available connections becomes negative. This was tested as follows in the mongo shell:

      > db.serverStatus().connections
      { "current" : 6, "available" : -1, "totalCreated" : 6 }
      

      Changing the CIDR block address to a valid one, for example:

      net:
          maxIncomingConnections: 5
          maxIncomingConnectionsOverride: ["192.168.100.14/24"]

      works as expected, i.e., it blocks incoming connections once the limit is reached.

      My mongod version is:

      mongod --version
      db version v4.0.6
      git version: caa42a1f75a56c7643d0b68d3880444375ec42e3
      allocator: system
      modules: none
      build environment:
          distarch: x86_64
          target_arch: x86_64

            Assignee:
            mark.benvenuto@mongodb.com Mark Benvenuto
            Reporter:
            clyde.bazile@mongodb.com Clyde Bazile III (Inactive)
            Votes:
            0
            Watchers:
            6

              Created:
              Updated:
              Resolved:
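
An added example, not part of the ticket or MongoDB's code: a Python lint that expands each maxIncomingConnectionsOverride entry to the range it covers under standard CIDR prefix matching, where 11.11.11.11/1 is a syntactically valid block spanning 0.0.0.0 to 127.255.255.255. It assumes mongod matches clients by ordinary prefix comparison (the ticket does not describe the implementation); the MIN_PREFIX threshold, the function names and the third sample entry are constructed for illustration.

```python
import ipaddress

# Assumed policy threshold (not from the ticket): an exemption block with a
# prefix shorter than this is reported as too broad.
MIN_PREFIX = {4: 16, 6: 48}

# First two entries are the ticket's values; the third is constructed.
SAMPLE = ["11.11.11.11/1", "192.168.100.14/24", "11.11.11.11/33"]

def audit_override(entries):
    """Return one finding per maxIncomingConnectionsOverride entry."""
    findings = []
    for raw in entries:
        try:
            # strict=False masks off host bits, exposing the real network.
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError as exc:
            findings.append({"entry": raw, "valid": False, "error": str(exc)})
            continue
        findings.append({
            "entry": raw,
            "valid": True,
            "effective": str(net),
            "first": str(net[0]),
            "last": str(net[-1]),
            "addresses": net.num_addresses,
            # True when the written address is not the network address.
            "host_bits_set": ipaddress.ip_interface(raw).ip != net.network_address,
            "too_broad": net.prefixlen < MIN_PREFIX[net.version],
        })
    return findings

def is_exempt(client_ip, entries):
    """True if client_ip falls inside any syntactically valid override block."""
    addr = ipaddress.ip_address(client_ip)
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue  # unparsable entries exempt nobody in this model
        if addr.version == net.version and addr in net:
            return True
    return False

if __name__ == "__main__":
    for finding in audit_override(SAMPLE):
        print(finding)
    print("127.0.0.1 exempt:", is_exempt("127.0.0.1", SAMPLE[:1]))
```
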