Use standard CIDR -> netmask conversion and disallow 0-bit CIDRs.

diff --git a/plugins/sudoers/match_addr.c b/plugins/sudoers/match_addr.c
index 40488d4e1d598b43ec8fb84597bfcbe718f250eb..2067da3c9bee197b25e14cdb7d0b34c3e4b757ce 100644 (file)
--- a/plugins/sudoers/match_addr.c
+++ b/plugins/sudoers/match_addr.c
@@ -132,26 +132,20 @@ addr_matches_if_netmask(const char *n, const char *m)
                debug_return_bool(false);
            }
        } else {
-           i = strtonum(m, 0, 32, &errstr);
+           i = strtonum(m, 1, 32, &errstr);
            if (errstr != NULL) {
                sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
                    "IPv4 netmask %s: %s", m, errstr);
                debug_return_bool(false);
            }
-           if (i == 0)
-               mask.ip4.s_addr = 0;
-           else if (i == 32)
-               mask.ip4.s_addr = 0xffffffff;
-           else
-               mask.ip4.s_addr = 0xffffffff - (1 << (32 - i)) + 1;
-           mask.ip4.s_addr = htonl(mask.ip4.s_addr);
+           mask.ip4.s_addr = htonl(0xffffffffU << (32 - i));
        }
        addr.ip4.s_addr &= mask.ip4.s_addr;
     }
 #ifdef HAVE_STRUCT_IN6_ADDR
     else {
        if (inet_pton(AF_INET6, m, &mask.ip6) != 1) {
-           j = strtonum(m, 0, 128, &errstr);
+           j = strtonum(m, 1, 128, &errstr);
            if (errstr != NULL) {
                sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
                    "IPv6 netmask %s: %s", m, errstr);