From ba0e17fb5224489a805db70774271f5d63e2ab96 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 20 Sep 2019 15:06:49 +0200
Subject: conntrackd: incorrect filtering of Address with cidr /0

Set an all zero mask when cidr /0 is specified.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/cidr.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/cidr.c b/src/cidr.c
index 91025b6..6ef85c7 100644
--- a/src/cidr.c
+++ b/src/cidr.c
@@ -24,6 +24,9 @@
 /* returns the netmask in host byte order */
 uint32_t ipv4_cidr2mask_host(uint8_t cidr)
 {
+	if (cidr == 0)
+		return 0;
+
 	return 0xFFFFFFFF << (32 - cidr);
 }
 
@@ -42,10 +45,13 @@ void ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res)
 		res[i] = 0xFFFFFFFF;
 		cidr -= 32;
 	}
-	res[i] = 0xFFFFFFFF << (32 - cidr);
-	for (j = i+1; j < 4; j++) {
+	if (cidr == 0)
+		res[i] = 0;
+	else
+		res[i] = 0xFFFFFFFF << (32 - cidr);
+
+	for (j = i + 1; j < 4; j++)
 		res[j] = 0;
-	}
 }
 
 void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res)
-- 
cgit v1.2.3