From f8bdc53e4f10f10e3072022e33f1c6a08ca72e9a Mon Sep 17 00:00:00 2001
From: supriyo-biswas <supriyo.biswas.96@gmail.com>
Date: Sat, 25 Jun 2022 18:17:27 +0530
Subject: [PATCH] net: prevent /32 ipv4 mask from matching all ips

Fixes: https://github.com/nodejs/node/issues/43360

PR-URL: https://github.com/nodejs/node/pull/43381
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
---
 src/node_sockaddr.cc            |  4 ++--
 test/parallel/test-blocklist.js | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/node_sockaddr.cc b/src/node_sockaddr.cc
index f6afaaac4f3d66..d29414302b7d28 100644
--- a/src/node_sockaddr.cc
+++ b/src/node_sockaddr.cc
@@ -215,7 +215,7 @@ bool in_network_ipv4(
     const SocketAddress& ip,
     const SocketAddress& net,
     int prefix) {
-  uint32_t mask = ((1 << prefix) - 1) << (32 - prefix);
+  uint32_t mask = ((1ull << prefix) - 1) << (32 - prefix);
 
   const sockaddr_in* ip_in =
       reinterpret_cast<const sockaddr_in*>(ip.data());
@@ -293,7 +293,7 @@ bool in_network_ipv6_ipv4(
   if (prefix == 32)
     return compare_ipv4_ipv6(net, ip) == SocketAddress::CompareResult::SAME;
 
-  uint32_t m = ((1 << prefix) - 1) << (32 - prefix);
+  uint32_t m = ((1ull << prefix) - 1) << (32 - prefix);
 
   const sockaddr_in6* ip_in =
       reinterpret_cast<const sockaddr_in6*>(ip.data());
diff --git a/test/parallel/test-blocklist.js b/test/parallel/test-blocklist.js
index 51f19e07bc649c..ddd9a4e4957279 100644
--- a/test/parallel/test-blocklist.js
+++ b/test/parallel/test-blocklist.js
@@ -272,3 +272,13 @@ const util = require('util');
   const ret = util.inspect(blockList, { depth: null });
   assert(ret.includes('rules: []'));
 }
+
+{
+  // Test for https://github.com/nodejs/node/issues/43360
+  const blocklist = new BlockList();
+  blocklist.addSubnet('1.1.1.1', 32, 'ipv4');
+
+  assert(blocklist.check('1.1.1.1'));
+  assert(!blocklist.check('1.1.1.2'));
+  assert(!blocklist.check('2.3.4.5'));
+}