[SERVER-40376] when maxIncomingConnectionsOverride contains invalid CIDR block, allows connections from any CIDR block Created: 28/Mar/19  Updated: 27/Oct/23  Resolved: 08/Apr/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor - P4
Reporter: Clyde Bazile III (Inactive) Assignee: Mark Benvenuto
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Cloners
clones SERVER-40377 when maxIncomingConnectionsOverride c... Closed
Related
related to SERVER-34986 CIDR Block That is Exempt from maxConns Closed
Tested
Backport Requested:
v4.0, v3.6, v3.4
Sprint: Security 2019-04-08
Participants:

Description

With this configuration file:

net:
    maxIncomingConnections: 5
    maxIncomingConnectionsOverride: ["11.11.11.11/1"] 

the expected behavior is that only a client with an IP address of 11.11.11.11/1 should be able to override maxIncomingConnections. However, with the IP address set as such in the conf file anyone can connect to the mongod instance after the maxIncomingConnection limit is reached. Furthermore, the number of available connections becomes negative. This was tested as follows in the mongo shell:

> db.serverStatus().connections
{ "current" : 6, "available" : -1, "totalCreated" : 6 }

Changing the CIDR block address to a valid one, for example:

net:
    maxIncomingConnections: 5
    maxIncomingConnectionsOverride: ["192.168.100.14/24"]

works as expected, i.e., it blocks incoming connection once the limit is reached.

My mongod version is:

mongod --version
db version v4.0.6
git version: caa42a1f75a56c7643d0b68d3880444375ec42e3
allocator: system
modules: none
build environment:
    distarch: x86_64
    target_arch: x86_64


Comments
Comment by Mark Benvenuto [ 08/Apr/19 ]

I am closing this as by design since there have been two comments on this ticket that clarify how CIDR ranges work. You can reopen the ticket if you have any more questions.

Comment by Mira Carey [ 01/Apr/19 ]

The number after the slash in cidr notation is the number of leading 1 bits in the subnet mask. I.e. smaller numbers match larger sets of hosts. If you're looking for a single host cidr match, you want /32, not /1

I.e. 11.11.11.11/32 matches only 11.11.11.11

Comment by Mark Benvenuto [ 28/Mar/19 ]

The CIDR range "11.11.11.11/1" says to accept almost any IP address (i.e. 0.0.0.0 - 127.255.255.255). It is a valid CIDR range.
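The point made in the comments (the prefix length is the number of leading 1 bits in the mask, so /1 covers half of IPv4 and /32 a single host) is easy to check with Python's standard `ipaddress` module. The following is an added example, not code from the ticket or from the MongoDB server; it models the admission decision described in the ticket (a client is accepted either while `current < maxIncomingConnections` or because it falls inside one of the `maxIncomingConnectionsOverride` ranges) in a deliberately simplified way, and the `ConnectionLimiter` class, its bookkeeping and the `overly_broad` helper are assumptions of this example, not mongod internals.

```python
import ipaddress

def cidr_matches(cidr: str, client_ip: str) -> bool:
    """True if client_ip lies inside the CIDR block.

    strict=False mirrors the lenient behaviour the ticket relies on: an entry
    such as "11.11.11.11/1" is accepted and its host bits are masked off,
    so it becomes 0.0.0.0/1 (0.0.0.0 - 127.255.255.255).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return ipaddress.ip_address(client_ip) in net

def covered_hosts(cidr: str) -> int:
    """Number of addresses a CIDR entry exempts from the connection limit."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses

def overly_broad(overrides, max_hosts=256):
    """Config check (assumption of this example): return the override entries
    that exempt more than max_hosts addresses. A /1 trips this; a /24 or /32
    does not."""
    return [c for c in overrides if covered_hosts(c) > max_hosts]

class ConnectionLimiter:
    """Simplified model of maxIncomingConnections / maxIncomingConnectionsOverride.

    Every accepted connection is counted in `current`; `available` is
    max_conns - current, which goes negative once exempt clients are let in
    past the limit (the ticket reports "available": -1 at six connections with
    a limit of five).
    """

    def __init__(self, max_conns: int, overrides):
        self.max_conns = max_conns
        self.overrides = [ipaddress.ip_network(c, strict=False) for c in overrides]
        self.current = 0

    def exempt(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.overrides)

    def accept(self, client_ip: str) -> bool:
        """Admit the client if under the limit or exempt; return the decision."""
        if self.current < self.max_conns or self.exempt(client_ip):
            self.current += 1
            return True
        return False

    def status(self) -> dict:
        # Same shape as db.serverStatus().connections in the ticket.
        return {"current": self.current, "available": self.max_conns - self.current}

def simulate(max_conns: int, overrides, clients):
    """Feed a constructed list of client IPs through the limiter; return the
    per-client accept decisions and the final status."""
    lim = ConnectionLimiter(max_conns, overrides)
    decisions = [lim.accept(ip) for ip in clients]
    return decisions, lim.status()

if __name__ == "__main__":
    # Constructed sample: five ordinary clients fill the limit, then a sixth
    # from an unrelated 100.x address arrives.
    clients = ["10.0.0.%d" % i for i in range(1, 6)] + ["100.64.0.9"]
    print(simulate(5, ["11.11.11.11/1"], clients))   # sixth client accepted
    print(simulate(5, ["11.11.11.11/32"], clients))  # sixth client refused
    print(overly_broad(["11.11.11.11/1", "192.168.100.14/24"]))
```

Run as a script it prints the two scenarios from the ticket: with the `/1` entry the sixth client (100.64.0.9, nowhere near 11.11.11.11) is admitted and `available` reads -1, while with `/32` only 11.11.11.11 itself could be admitted past the limit. The `overly_broad` check is the kind of guard worth adding to a config review, since a typo in the prefix length silently turns a one-host exemption into a half-Internet one.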

Generated at Thu Feb 08 04:54:47 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.