Bug 44135 - bad subnet number/mask combination fails dhcpd
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - DHCP
UCS 4.4
Other Linux
P5 normal
UCS 4.4-3-errata
Assigned To: Florian Best
Philipp Hahn
Duplicates: 37149
Depends on:
Blocks:
Reported: 2017-03-29 15:16 CEST by Philipp Hahn
Modified: 2020-01-15 16:59 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019112221000702
Bug group (optional):
Max CVSS v3 score:
hahn: Patch_Available+


Description Philipp Hahn univentionstaff 2017-03-29 15:16:56 CEST
When a DHCP (shared) subnet is created, care must be taken to zero out all host bits; otherwise dhcpd fails to start:

> dhcpd: LDAP line 11: subnet 172.17.42.1 netmask 255.255.0.0: bad subnet number/mask combination.
> dhcpd: }subnet 172.17.42.1 netmask 255.255.0.0

As the subnet address cannot be changed afterwards, the full LDAP hierarchy must be deleted and re-added by hand.

assert ipaddr.IPv4Network('%(subnet)s/%(subnetmask)s' % udm.info).network == ipaddr.IPv4Address('%(subnet)s' % udm.info)
Comment 1 Philipp Hahn univentionstaff 2017-04-07 12:39:33 CEST
*** Bug 37149 has been marked as a duplicate of this bug. ***
Comment 2 Christian Völker univentionstaff 2019-11-25 16:30:00 CET
Happened for a customer. Having no clue how to troubleshoot.

Can be found only on second view. UMC should either not allow adding such (sub)networks or zero out the non-masked values.

Nov 25 16:26:50 master dhcpd[34640]: LDAP line 11: subnet 192.168.142.0 netmask 255.255.0.0: bad subnet number/mask combination.
Nov 25 16:26:50 master dhcpd[34640]: subnet 192.168.142.0 netmask 255.255.0.0
Nov 25 16:26:50 master dhcpd[34640]:                                        ^
Nov 25 16:26:50 master dhcpd[34640]: LDAP: cannot parse dhcpService entry 'cn=multi.ucs,cn=dhcp,dc=multi,dc=ucs'
Nov 25 16:26:50 master dhcpd[34640]: Configuration file errors encountered -- exiting
Comment 3 Philipp Hahn univentionstaff 2019-12-11 16:14:07 CET
server/confpars.c

> 2821 »·······»·······parse_warn (cfile,
> 2822 »·······»·······   "subnet %s netmask %s: bad subnet number/mask combination.",
> 2823 »·······»·······»·······    piaddr (subnet -> net), maskstr);

This is only a warning

> 2825 »·······»·······subnet_dereference (&subnet, MDL);

but the broken declaration is removed and the server probably fails as the last subnet declaration was removed, which is invalid.

A simple fix here would be to mask out any host bits by using subnet_number() if host_addr() returns any set host bits:

@ server/confpars.c
- 2825 »·······»·······subnet_dereference (&subnet, MDL);                                                                                                                                                                                                                        
- 2826 »·······»·······skip_to_semi (cfile);
- 2827 »·······»·······return;
+ 2825 »·······»·······subnet -> net = subnet_number(subnet -> net, subnet -> netmask);
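
Review bot: the parse_warn call at 2821-2823 stays in place above the replaced lines, so a declaration that is now accepted and normalized is still reported as "bad subnet number/mask combination", and the log in comment 2 shows dhcpd ending with "Configuration file errors encountered -- exiting" right after that message. Please check whether parse_warn on its own marks the configuration as failed; if it does, masking with subnet_number() at 2825 will not let the server start, and the message should become an informational log line that names both the configured and the corrected address. With the return at 2827 removed, execution now falls through into the code after this block, so also confirm that the rest of the function handles a subnet whose net was rewritten, for instance when another declaration already uses the masked address.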

Untested!
Comment 4 Florian Best univentionstaff 2019-12-13 15:38:04 CET
Basis for a UDM patch in git:fbest/44135-dhcp-bad-subnet-number-mask-combination
→ use the ready() method for consistency checks
Comment 5 Florian Best univentionstaff 2019-12-20 10:21:54 CET
univention-directory-manager-modules (14.0.14-22)
cdde67c8c829 | Bug #44135: prevent adding DHCP (sub)nets which break the dhcpd configuration

univention-directory-manager-modules.yaml
6cf9cf50e0b1 | YAML Bug #44135
Comment 6 Florian Best univentionstaff 2019-12-20 10:23:47 CET
ucs-test (9.0.3-133)
102aeb34eb6c | Bug #44135: add tests/65_udm-dhcp/62_dhcp_subnets_invalid_values
Comment 7 Philipp Hahn univentionstaff 2020-01-06 18:47:46 CET
OK: errata-announce -V --only univention-directory-manager-modules.yaml
FIXED: univention-directory-manager-modules.yaml 5107cd9298

OK: apt install -t apt univention-directory-manager-tools python-univention-directory-manager
OK: 1.2.3.0/8 -> rejected
OK: 1.2.3.0/24 -> accepted
OK: 1.2.3.0/25 + 1.2.3.10…127 -> rejected
OK: 1.2.3.0/24 + 1.2.3.10…253 -> accepted
~FAIL: subnetmask can be changed after creating the network; the pool definitions thus can become invalid if the pools are no longer contained in the subnet.

OK: cdde67c8c82950edbd8eeb9e6aba41bac80518fb udm
OK: 102aeb34eb6c ucs-test
OK: python 62_dhcp_subnets_invalid_values
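
The consistency checks discussed in the description and exercised in comment 7, as an added example (not the UDM code from cdde67c8c829). It uses Python 3's `ipaddress` instead of the `ipaddr` module in the description; the function names are hypothetical, and rejecting a pool that touches the network or broadcast address is an assumption chosen to reproduce the /25 result in comment 7.

```python
import ipaddress


def parse_subnet(subnet, mask):
    """Return the IPv4Network; raise ValueError if host bits are set.

    mask may be a prefix length (16) or a dotted netmask ("255.255.0.0").
    """
    net = ipaddress.IPv4Network("%s/%s" % (subnet, mask), strict=False)
    if ipaddress.IPv4Address(subnet) != net.network_address:
        raise ValueError("%s/%d has host bits set; the network address is %s"
                         % (subnet, net.prefixlen, net.network_address))
    return net


def check_range(net, first, last):
    """Raise ValueError unless first..last is a usable pool inside net."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range %s-%s is reversed" % (lo, hi))
    for ip in (lo, hi):
        if ip not in net:
            raise ValueError("%s is outside %s" % (ip, net))
        # Assumption: network and broadcast addresses are not valid pool ends.
        if ip in (net.network_address, net.broadcast_address):
            raise ValueError("%s is reserved in %s" % (ip, net))


def validate(subnet, mask, ranges=()):
    """Return a list of error strings; an empty list means dhcpd-safe."""
    try:
        net = parse_subnet(subnet, mask)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    for first, last in ranges:
        try:
            check_range(net, first, last)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    # Constructed inputs taken from the values quoted in this report.
    for args in [("172.17.42.1", "255.255.0.0"), ("1.2.3.0", 8), ("1.2.3.0", 24),
                 ("1.2.3.0", 25, [("1.2.3.10", "1.2.3.127")]),
                 ("1.2.3.0", 24, [("1.2.3.10", "1.2.3.253")])]:
        print(args, "->", validate(*args) or "accepted")
```

Calling `validate()` again with the existing pool ranges whenever the mask of a stored subnet is modified addresses the remaining ~FAIL case from comment 7.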
Comment 8 Erik Damrose univentionstaff 2020-01-15 16:59:53 CET
<http://errata.software-univention.de/ucs/4.4/421.html>