The EDNS0 client-subnet code didn't work correctly for addresses that

were not a multiple of 8 bits.

Instead of preserving the required number of high-order bits, it
cleared that number of low-order bits.  Thanks to Brian Wellington for
discovering this and providing the correct code.

diff --git a/dns/edns.py b/dns/edns.py
index 5660f7bb7a1ef0b0debcad4f1ceecc64f9209e74..57dd256a44a7aee8b65b526b2c1110a2ad6a5846 100644 (file)
--- a/dns/edns.py
+++ b/dns/edns.py
@@ -195,7 +195,8 @@ class ECSOption(Option):
         self.addrdata = addrdata[:nbytes]
         nbits = srclen % 8
         if nbits != 0:
-            last = struct.pack('B', ord(self.addrdata[-1:]) & (0xff << nbits))
+            last = struct.pack('B',
+                               ord(self.addrdata[-1:]) & (0xff << (8 - nbits)))
             self.addrdata = self.addrdata[:-1] + last
 
     def to_text(self):

diff --git a/tests/test_edns.py b/tests/test_edns.py
index 0b4dad44a91f3793a5691b81078310c257720a8f..e84d83b4271b6570ab4fe5b91bd964bd5f39762a 100644 (file)
--- a/tests/test_edns.py
+++ b/tests/test_edns.py
@@ -54,6 +54,13 @@ class OptionTestCase(unittest.TestCase):
         data = io.getvalue()
         self.assertEqual(data, b'\x00\x01\x18\x00\x01\x02\x03')
 
+    def testECSOption25(self):
+        opt = dns.edns.ECSOption('1.2.3.255', 25)
+        io = BytesIO()
+        opt.to_wire(io)
+        data = io.getvalue()
+        self.assertEqual(data, b'\x00\x01\x19\x00\x01\x02\x03\x80')
+
     def testECSOption_v6(self):
         opt = dns.edns.ECSOption('2001:4b98::1')
         io = BytesIO()