From 292d933a5c8cafbe0d058727d3e68817909beaec Mon Sep 17 00:00:00 2001
From: Supriyo Biswas
Date: Sat, 11 Jun 2022 13:19:35 +0000
Subject: [PATCH 1/2] net: prevent /32 ipv4 mask from matching all ips

Fixes: https://github.com/nodejs/node/issues/43360
---
 src/node_sockaddr.cc | 7 +++++--
 test/parallel/test-blocklist.js | 10 ++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/node_sockaddr.cc b/src/node_sockaddr.cc
index f6afaaac4f3d66..c98a7d2518176e 100644
--- a/src/node_sockaddr.cc
+++ b/src/node_sockaddr.cc
@@ -215,7 +215,10 @@ bool in_network_ipv4(
 const SocketAddress& ip,
 const SocketAddress& net,
 int prefix) {
- uint32_t mask = ((1 << prefix) - 1) << (32 - prefix);
+ if (prefix == 32)
+ return compare_ipv4(ip, net) == SocketAddress::CompareResult::SAME;
+
+ uint32_t mask = ((1ull << prefix) - 1) << (32 - prefix);
 const sockaddr_in* ip_in =
 reinterpret_cast(ip.data());
@@ -293,7 +296,7 @@ bool in_network_ipv6_ipv4(
 if (prefix == 32)
 return compare_ipv4_ipv6(net, ip) == SocketAddress::CompareResult::SAME;
- uint32_t m = ((1 << prefix) - 1) << (32 - prefix);
+ uint32_t m = ((1ull << prefix) - 1) << (32 - prefix);
 const sockaddr_in6* ip_in =
 reinterpret_cast(ip.data());
diff --git a/test/parallel/test-blocklist.js b/test/parallel/test-blocklist.js
index 51f19e07bc649c..ddd9a4e4957279 100644
--- a/test/parallel/test-blocklist.js
+++ b/test/parallel/test-blocklist.js
@@ -272,3 +272,13 @@ const util = require('util');
 const ret = util.inspect(blockList, { depth: null });
 assert(ret.includes('rules: []'));
 }
+
+{
+ // Test for https://github.com/nodejs/node/issues/43360
+ const blocklist = new BlockList();
+ blocklist.addSubnet('1.1.1.1', 32, 'ipv4');
+
+ assert(blocklist.check('1.1.1.1'));
+ assert(!blocklist.check('1.1.1.2'));
+ assert(!blocklist.check('2.3.4.5'));
+}
From d7dd5db6202cd8e5ab5cf88d0084de7b116bf913 Mon Sep 17 00:00:00 2001
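Review bot: Both mask expressions, `mask` in `in_network_ipv4` and `m` in the later `in_network_ipv6_ipv4` hunk, still depend on `prefix` lying in 0..32, and nothing visible in either hunk enforces that. A negative value or one above 32 makes one of the two shifts undefined, and a wrong mask in a block-list check silently over- or under-matches. If the callers (outside this diff) do not already guarantee the range, asserting it at the top of each function would pin it: `CHECK_GE(prefix, 0);` and `CHECK_LE(prefix, 32);`. A short comment such as `// 1ull: a 32-bit 1 << 32 is undefined and produced a mask that matched every address` would also keep the widening from being simplified away later. Both function bodies continue past the end of their hunks.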
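Review bot: The new test block only checks plain IPv4 addresses against the /32 rule, so the second function this patch touches, `in_network_ipv6_ipv4`, is left without a regression test. Adding `assert(blocklist.check('::ffff:1.1.1.1', 'ipv6'));` and `assert(!blocklist.check('::ffff:1.1.1.2', 'ipv6'));` would cover the IPv4-mapped path, assuming mapped addresses are routed to that function as its name suggests. A separate /31 rule, with one address inside and one just outside it, would pin the other boundary of the mask computation, where the old `(1 << 31) - 1` appears to have relied on signed overflow.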
From: supriyo-biswas
Date: Thu, 16 Jun 2022 19:35:54 +0530
Subject: [PATCH 2/2] Update src/node_sockaddr.cc

Co-authored-by: Ben Noordhuis
---
 src/node_sockaddr.cc | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/node_sockaddr.cc b/src/node_sockaddr.cc
index c98a7d2518176e..d29414302b7d28 100644
--- a/src/node_sockaddr.cc
+++ b/src/node_sockaddr.cc
@@ -215,9 +215,6 @@ bool in_network_ipv4(
 const SocketAddress& ip,
 const SocketAddress& net,
 int prefix) {
- if (prefix == 32)
- return compare_ipv4(ip, net) == SocketAddress::CompareResult::SAME;
-
 uint32_t mask = ((1ull << prefix) - 1) << (32 - prefix);
 const sockaddr_in* ip_in =