From: Todd C. Miller
Date: Wed, 31 Dec 2014 22:47:33 +0000 (-0700)
Subject: Use standard CIDR -> netmask conversion and disallow 0-bit CIDRs.
X-Git-Tag: SUDO_1_8_12^2~59
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cb09010da5f826ade27de5396a364a1be8e44dbd;p=sudo
Use standard CIDR -> netmask conversion and disallow 0-bit CIDRs.
---
diff --git a/plugins/sudoers/match_addr.c b/plugins/sudoers/match_addr.c
index 40488d4e1..2067da3c9 100644
--- a/plugins/sudoers/match_addr.c
+++ b/plugins/sudoers/match_addr.c
@@ -132,26 +132,20 @@ addr_matches_if_netmask(const char *n, const char *m)
 debug_return_bool(false);
 }
 } else {
- i = strtonum(m, 0, 32, &errstr);
+ i = strtonum(m, 1, 32, &errstr);
 if (errstr != NULL) {
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 "IPv4 netmask %s: %s", m, errstr);
 debug_return_bool(false);
 }
- if (i == 0)
- mask.ip4.s_addr = 0;
- else if (i == 32)
- mask.ip4.s_addr = 0xffffffff;
- else
- mask.ip4.s_addr = 0xffffffff - (1 << (32 - i)) + 1;
- mask.ip4.s_addr = htonl(mask.ip4.s_addr);
+ mask.ip4.s_addr = htonl(0xffffffffU << (32 - i));
 }
 addr.ip4.s_addr &= mask.ip4.s_addr;
 }
 #ifdef HAVE_STRUCT_IN6_ADDR
 else {
 if (inet_pton(AF_INET6, m, &mask.ip6) != 1) {
- j = strtonum(m, 0, 128, &errstr);
+ j = strtonum(m, 1, 128, &errstr);
 if (errstr != NULL) {
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 "IPv6 netmask %s: %s", m, errstr);
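Review bot: The new IPv4 line `mask.ip4.s_addr = htonl(0xffffffffU << (32 - i));` is only well defined because the `strtonum(m, 1, 32, &errstr)` call above it now rejects 0, since a shift by 32 on a 32-bit unsigned value is undefined; the two lines are coupled and nothing in the hunk says so. I would add a comment above the strtonum call, for example `/* Lower bound is 1: a 0-bit prefix would match every address and would make the shift below undefined. */`. The same lower bound is applied to `j` in the IPv6 branch, but the code that turns `j` into a mask lies past the end of the hunk, so it is worth confirming that it behaves as intended for 1..128. The dotted-quad netmask branch above the hunk is not visible either; if it still accepts an all-zero mask, the match-everything case this commit rejects for CIDR input would remain reachable in that form, so a matching check there is presumably wanted. addr_matches_if_netmask starts and ends outside the hunk.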