From cb09010da5f826ade27de5396a364a1be8e44dbd Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 31 Dec 2014 15:47:33 -0700
Subject: [PATCH] Use standard CIDR -> netmask conversion and disallow 0-bit CIDRs.
---
 plugins/sudoers/match_addr.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/plugins/sudoers/match_addr.c b/plugins/sudoers/match_addr.c
index 40488d4e1..2067da3c9 100644
--- a/plugins/sudoers/match_addr.c
+++ b/plugins/sudoers/match_addr.c
@@ -132,26 +132,20 @@ addr_matches_if_netmask(const char *n, const char *m)
 debug_return_bool(false);
 }
 } else {
- i = strtonum(m, 0, 32, &errstr);
+ i = strtonum(m, 1, 32, &errstr);
 if (errstr != NULL) {
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 "IPv4 netmask %s: %s", m, errstr);
 debug_return_bool(false);
 }
- if (i == 0)
- mask.ip4.s_addr = 0;
- else if (i == 32)
- mask.ip4.s_addr = 0xffffffff;
- else
- mask.ip4.s_addr = 0xffffffff - (1 << (32 - i)) + 1;
- mask.ip4.s_addr = htonl(mask.ip4.s_addr);
+ mask.ip4.s_addr = htonl(0xffffffffU << (32 - i));
 }
 addr.ip4.s_addr &= mask.ip4.s_addr;
 }
 #ifdef HAVE_STRUCT_IN6_ADDR
 else {
 if (inet_pton(AF_INET6, m, &mask.ip6) != 1) {
- j = strtonum(m, 0, 128, &errstr);
+ j = strtonum(m, 1, 128, &errstr);
 if (errstr != NULL) {
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 "IPv6 netmask %s: %s", m, errstr);
-- 
2.40.0
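Review bot: The shift in `mask.ip4.s_addr = htonl(0xffffffffU << (32 - i));` is only well defined because the `strtonum(m, 1, 32, &errstr)` call several lines above keeps `i` in 1..32; with a lower bound of 0 the shift count would be 32, which is undefined for a 32-bit operand. The two lines are coupled but separated by the error path, so I would add a comment on the assignment such as `/* i is 1..32 here (strtonum bound), so the shift count is 0..31 */`. Separately, the zero-length mask is rejected only in the numeric prefix form: in the IPv6 branch a mask that `inet_pton(AF_INET6, m, &mask.ip6)` accepts is taken as given, and the IPv4 address-form branch, which starts above this hunk, may do the same, so an all-zero mask written as an address would presumably still match every host. The function body begins and ends outside the hunk, so this needs confirming against the full file.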