Reported by a Support customer: https://support.isc.org/Ticket/Display.html?id=13626

name: Bug report about: Kea 1.4.0 P1

kea-dhcp4 API accepts the creation of reservations for non-existent subnet-IDs and/or for out-of-subnet ip addresses, tested with mysql backend for hosts. To reproduce:

1. create a new subnet 192.0.0.0/24, with subnet id 999

REQUEST: { "arguments": { "subnet4": [ { "id": 999, "match-client-id": true, "option-data": [ { "always-send": false, "code": 3, "csv-format": false, "data": "c0000001", "name": "routers", "space": "dhcp4" } ], "pools": [ { "pool": "192.0.0.2-192.0.0.254" } ], "rebind-timer": 2970, "relay": { "ip-addresses": [ "192.0.0.1" ] }, "renew-timer": 1800, "reservation-mode": "all", "subnet": "192.0.0.0/24", "valid-lifetime": 3600 } ] }, "command": "subnet4-add", "service": [ "dhcp4" ] }

RESPONSE: [ { "arguments": { "subnets": [ { "id": 999, "subnet": "192.0.0.0/24" } ] }, "result": 0, "text": "IPv4 subnet added" } ]

2. create a reservation for out-of-subnet address using 1.2.3.4 as IP and 999 as subnet-id

REQUEST: { "arguments": { "reservation": { "hw-address": "ca:fe:ca:fe:ca:fe", "ip-address": "1.2.3.4", "subnet-id": 999 } }, "command": "reservation-add", "service": [ "dhcp4" ] }

RESPONSE: [ { "result": 0, "text": "Host added." } ]

3. create a reservation for a non-existent subnet-id using 192.0.0.10 as IP and 123 as subnet-id

REQUEST: { "arguments": { "reservation": { "hw-address": "fa:ce:fa:ce:fa:ce", "ip-address": "192.0.0.10", "subnet-id": 123 } }, "command": "reservation-add", "service": [ "dhcp4" ] }

RESPONSE: [ { "result": 0, "text": "Host added." } ]

4. verify the presence of both reservations in the "hosts" table