Skip to content

Commit

Permalink
net: prevent /32 ipv4 mask from matching all ips
Browse files Browse the repository at this point in the history
Fixes: #43360
  • Loading branch information
supriyo-biswas committed Jun 15, 2022
1 parent 3987d6b commit 292d933
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 2 deletions.
7 changes: 5 additions & 2 deletions src/node_sockaddr.cc
Original file line number Diff line number Diff line change
Expand Up @@ -215,7 +215,10 @@ bool in_network_ipv4(
const SocketAddress& ip,
const SocketAddress& net,
int prefix) {
uint32_t mask = ((1 << prefix) - 1) << (32 - prefix);
if (prefix == 32)
return compare_ipv4(ip, net) == SocketAddress::CompareResult::SAME;

uint32_t mask = ((1ull << prefix) - 1) << (32 - prefix);

const sockaddr_in* ip_in =
reinterpret_cast<const sockaddr_in*>(ip.data());
Expand Down Expand Up @@ -293,7 +296,7 @@ bool in_network_ipv6_ipv4(
if (prefix == 32)
return compare_ipv4_ipv6(net, ip) == SocketAddress::CompareResult::SAME;

uint32_t m = ((1 << prefix) - 1) << (32 - prefix);
uint32_t m = ((1ull << prefix) - 1) << (32 - prefix);

const sockaddr_in6* ip_in =
reinterpret_cast<const sockaddr_in6*>(ip.data());
Expand Down
10 changes: 10 additions & 0 deletions test/parallel/test-blocklist.js
Original file line number Diff line number Diff line change
Expand Up @@ -272,3 +272,13 @@ const util = require('util');
const ret = util.inspect(blockList, { depth: null });
assert(ret.includes('rules: []'));
}

{
// Test for https://github.com/nodejs/node/issues/43360
const blocklist = new BlockList();
blocklist.addSubnet('1.1.1.1', 32, 'ipv4');

assert(blocklist.check('1.1.1.1'));
assert(!blocklist.check('1.1.1.2'));
assert(!blocklist.check('2.3.4.5'));
}

0 comments on commit 292d933

Please sign in to comment.