Bug #117950 Grant statements using netmasks don't support subnets other than those ending with a decimal 0
Submitted: 11 Apr 13:46 Modified: 15 Apr 13:02
Reporter: KB Benton Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:8.4.4 OS:Any (OL9)
Assigned to: CPU Architecture:Any (OL9.5)
Tags: CIDR, grants netmask connect

[11 Apr 13:46] KB Benton 
Description:
When using / notation to specify a subnet mask, MySQL seems to properly decode /255.0.0.0, /255.255.0.0, /255.255.255.0 and of course /255.255.255.255. It does not seem to properly decode values between such as /255.255.252.0 or /255.255.255.248. As it states in the manual (https://dev.mysql.com/doc/refman/8.4/en/account-names.html), it clearly documents support for classful subnets, but doesn't discuss subnets between the four classful subnets.

How to repeat:
On the server:

mysql> CREATE USER 'foo'@'10.1.2.80/255.255.255.248' IDENTIFIED BY 'bar' ;
mysql> GRANT ALL on baz.* TO 'foo'@'10.1.2.80/255.255.255.248' ;

On a client inside the netmask specified above (not just the exact match, but additional hosts within the mask like 10.1.2.83)

$ mysql -p -u foo -e 'show grants'
Password: bar
MySQL Error 1045: Access denied for user 'foo'@'10.1.2.83' (using password: YES)

Suggested fix:
Verify that all the possible subnet masks and CIDR notations work as expected, not just /8 (255.0.0.0), /16 (255.255.0.0), /24 (255.255.255.0) and /32 (255.255.255.255)
[11 Apr 14:08] KB Benton 
This bug report was found to be in error. Please close as WONTFIX.
[15 Apr 13:02] MySQL Verification Team 
Hello KB Benton,

Thank you for the update.
Closing the report for now.

Regards,
Ashwini Patil