Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-40377

when maxIncomingConnectionsOverride contains invalid CIDR block, allows connections from any CIDR block

    • Type: Icon: Bug Bug
    • Resolution: Duplicate
    • Priority: Icon: Minor - P4 Minor - P4
    • None
    • Affects Version/s: 4.0.6
    • Component/s: Security
    • None

      With this configuration file:

      net:
          maxIncomingConnections: 5
          maxIncomingConnectionsOverride: ["11.11.11.11/1"] 
      

      the expected behavior is that only a client with an IP address of 11.11.11.11/1 should be able to overrride maxIncomingConnections. However, with the IP address set as such in the conf file anyone can connect to the mongod instance after the maxIncomingConnection limit is reached. Furthermore, the number of available connections become negative. This was tested as follows in the mongo shell:

      > db.serverStatus().connections
      { "current" : 6, "available" : -1, "totalCreated" : 6 }
      

      Changing the CIDR block address to a valid one, for example:

      net:
          maxIncomingConnections: 5
          maxIncomingConnectionsOverride: ["192.168.100.14/24"]

      works as expected, i.e., it blocks incoming connection once the limit is reached.

      My mongod version is:

      mongod --version
      db version v4.0.6
      git version: caa42a1f75a56c7643d0b68d3880444375ec42e3
      allocator: system
      modules: none
      build environment:
          distarch: x86_64
          target_arch: x86_64

            Assignee:
            Unassigned Unassigned
            Reporter:
            clyde.bazile@mongodb.com Clyde Bazile III (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: