Use standard CIDR -> netmask conversion and disallow 0-bit CIDRs.

2014-12-31 15:47:33 -07:00
parent 86fbde75b2
commit cb09010da5
1 changed files with 3 additions and 9 deletions
--- a/plugins/sudoers/match_addr.c
+++ b/plugins/sudoers/match_addr.c
@@ -132,26 +132,20 @@ addr_matches_if_netmask(const char *n, const char *m)
 		debug_return_bool(false);
 	    }
 	} else {
-	    i = strtonum(m, 0, 32, &errstr);
+	    i = strtonum(m, 1, 32, &errstr);
 	    if (errstr != NULL) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		    "IPv4 netmask %s: %s", m, errstr);
 		debug_return_bool(false);
 	    }
-	    if (i == 0)
-		mask.ip4.s_addr = 0;
-	    else if (i == 32)
-		mask.ip4.s_addr = 0xffffffff;
-	    else
-		mask.ip4.s_addr = 0xffffffff - (1 << (32 - i)) + 1;
-	    mask.ip4.s_addr = htonl(mask.ip4.s_addr);
+	    mask.ip4.s_addr = htonl(0xffffffffU << (32 - i));
 	}
 	addr.ip4.s_addr &= mask.ip4.s_addr;
    }
 #ifdef HAVE_STRUCT_IN6_ADDR
    else {
 	if (inet_pton(AF_INET6, m, &mask.ip6) != 1) {
-	    j = strtonum(m, 0, 128, &errstr);
+	    j = strtonum(m, 1, 128, &errstr);
 	    if (errstr != NULL) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		    "IPv6 netmask %s: %s", m, errstr);