Fix IPFamilyOf to notice bad *net.IPNets

danwinship · danwinship · commit d170acb93151 · 2025-07-28T05:44:11.000-04:00
A manually-constructed IPNet could have a Mask that doesn't match its
IP (in which case .String() would return "&lt;nil&gt;" and .Contains() would
always return false). So treat that as IPFamilyUnknown.
diff --git a/net/v2/ipfamily.go b/net/v2/ipfamily.go
@@ -117,10 +117,16 @@ func IPFamilyOfString(ip string) IPFamily {
 
 // IPFamilyOfCIDR returns the IP family of cidr.
 func IPFamilyOfCIDR(cidr *net.IPNet) IPFamily {
-	if cidr == nil {
-		return IPFamilyUnknown
+	if cidr != nil {
+		family := IPFamilyOf(cidr.IP)
+		// An IPv6 CIDR must have a 128-bit mask. An IPv4 CIDR must have a
+		// 32- or 128-bit mask. (Any other mask length is invalid.)
+		_, masklen := cidr.Mask.Size()
+		if masklen == 128 || (family == IPv4 && masklen == 32) {
+			return family
+		}
 	}
-	return IPFamilyOf(cidr.IP)
+	return IPFamilyUnknown
 }
 
 // IPFamilyOfCIDRString returns the IP family of cidr.
diff --git a/net/v2/ips_test.go b/net/v2/ips_test.go
@@ -669,18 +669,12 @@ var badTestCIDRs = []testCIDR{
 		ipnets: []*net.IPNet{
 			{IP: net.IP{192, 168, 0, 0}, Mask: net.IPMask{255, 0, 255, 0}},
 		},
-
-		// IPFamilyOfCIDR only looks at IP and doesn't notice that Mask is invalid
-		skipFamily: true,
 	},
 	{
 		desc: "IPNet containing IPv6 IP and IPv4 Mask is invalid",
 		ipnets: []*net.IPNet{
 			{IP: net.IP{0x20, 0x01, 0x0D, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, Mask: net.CIDRMask(24, 32)},
 		},
-
-		// IPFamilyOfCIDR only looks at IP and doesn't notice that Mask is invalid
-		skipFamily: true,
 	},
 	{
 		desc:   "the zero netip.Prefix is invalid",
@@ -702,19 +696,13 @@ var badTestCIDRs = []testCIDR{
 		prefixes: []netip.Prefix{
 			netip.PrefixFrom(netip.IPv4Unspecified(), -1),
 		},
-
-		// IPFamilyOf only looks at IP and doesn't notice that Mask is invalid
-		skipFamily: true,
 	},
 	{
 		desc:   "Prefix containing a too-long length is invalid",
 		family: IPv4,
 		prefixes: []netip.Prefix{
 			netip.PrefixFrom(netip.IPv4Unspecified(), 64),
 		},
-
-		// IPFamilyOf only looks at IP and doesn't notice that Mask is invalid
-		skipFamily: true,
 	},
 }
 
