From 7d6458b7e094206c0a2db9c969e88961bc9db729 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 6 Oct 2023 13:05:39 +0200
Subject: [PATCH] Netmask: Normalize subnet masks coming from a string

Until now we only normalized too large masks when constructed from a
`ComboAddress` object and a separate mask, but not from a string.
---
 pdns/iputils.hh         |  8 ++++----
 pdns/test-iputils_hh.cc | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/pdns/iputils.hh b/pdns/iputils.hh
index 459167e97b..1aa0a0b518 100644
--- a/pdns/iputils.hh
+++ b/pdns/iputils.hh
@@ -483,22 +483,22 @@ public:
   Netmask(const ComboAddress& network, uint8_t bits=0xff): d_network(network)
   {
     d_network.sin4.sin_port = 0;
-    setBits(network.isIPv4() ? std::min(bits, static_cast<uint8_t>(32)) : std::min(bits, static_cast<uint8_t>(128)));
+    setBits(bits);
   }
 
   Netmask(const sockaddr_in* network, uint8_t bits = 0xff): d_network(network)
   {
     d_network.sin4.sin_port = 0;
-    setBits(std::min(bits, static_cast<uint8_t>(32)));
+    setBits(bits);
   }
   Netmask(const sockaddr_in6* network, uint8_t bits = 0xff): d_network(network)
   {
     d_network.sin4.sin_port = 0;
-    setBits(std::min(bits, static_cast<uint8_t>(128)));
+    setBits(bits);
   }
   void setBits(uint8_t value)
   {
-    d_bits = value;
+    d_bits = d_network.isIPv4() ? std::min(value, static_cast<uint8_t>(32U)) : std::min(value, static_cast<uint8_t>(128U));
 
     if (d_bits < 32) {
       d_mask = ~(0xFFFFFFFF >> d_bits);
diff --git a/pdns/test-iputils_hh.cc b/pdns/test-iputils_hh.cc
index a299fed6e8..da21868b06 100644
--- a/pdns/test-iputils_hh.cc
+++ b/pdns/test-iputils_hh.cc
@@ -264,6 +264,24 @@ BOOST_AUTO_TEST_CASE(test_Netmask) {
   BOOST_CHECK(all < empty);
   BOOST_CHECK(empty > full);
   BOOST_CHECK(full < empty);
+
+  /* invalid (too large) mask */
+  {
+    Netmask invalidMaskV4("192.0.2.1/33");
+    BOOST_CHECK_EQUAL(invalidMaskV4.getBits(), 32U);
+    BOOST_CHECK(invalidMaskV4.getNetwork() == ComboAddress("192.0.2.1"));
+    Netmask invalidMaskV6("fe80::92fb:a6ff:fe4a:51da/129");
+    BOOST_CHECK_EQUAL(invalidMaskV6.getBits(), 128U);
+    BOOST_CHECK(invalidMaskV6.getNetwork() == ComboAddress("fe80::92fb:a6ff:fe4a:51da"));
+  }
+  {
+    Netmask invalidMaskV4(ComboAddress("192.0.2.1"), 33);
+    BOOST_CHECK_EQUAL(invalidMaskV4.getBits(), 32U);
+    BOOST_CHECK(invalidMaskV4.getNetwork() == ComboAddress("192.0.2.1"));
+    Netmask invalidMaskV6(ComboAddress("fe80::92fb:a6ff:fe4a:51da"), 129);
+    BOOST_CHECK_EQUAL(invalidMaskV6.getBits(), 128U);
+    BOOST_CHECK(invalidMaskV6.getNetwork() == ComboAddress("fe80::92fb:a6ff:fe4a:51da"));
+  }
 }
 
 static std::string NMGOutputToSorted(const std::string& str)
-- 
2.47.2