From d400d9a5ecb588586c3b9a11f69dda006caed39c Mon Sep 17 00:00:00 2001
From: Nate Brown
Date: Tue, 7 Oct 2025 17:11:26 -0500
Subject: [PATCH] HostInfo.remoteCidr should only be populated with the entire vpn ip address issued in the certificate
---
 hostmap.go      | 3 +--
 hostmap_test.go | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/hostmap.go b/hostmap.go
index 9731b01..b9bdd4c 100644
--- a/hostmap.go
+++ b/hostmap.go
@@ -714,8 +714,7 @@ func (i *HostInfo) CreateRemoteCIDR(c *cert.NebulaCertificate) {
 		//TODO: IPV6-WORK what to do when ip is invalid?
 		nip, _ := netip.AddrFromSlice(ip.IP)
 		nip = nip.Unmap()
-		bits, _ := ip.Mask.Size()
-		remoteCidr.Insert(netip.PrefixFrom(nip, bits), struct{}{})
+		remoteCidr.Insert(netip.PrefixFrom(nip, nip.BitLen()), struct{}{})
 	}
 
 	for _, n := range c.Details.Subnets {
diff --git a/hostmap_test.go b/hostmap_test.go
index 6eb8751..7f19fe4 100644
--- a/hostmap_test.go
+++ b/hostmap_test.go
@@ -1,9 +1,11 @@
 package nebula
 
 import (
+	"net"
 	"net/netip"
 	"testing"
 
+	"github.com/slackhq/nebula/cert"
 	"github.com/slackhq/nebula/config"
 	"github.com/slackhq/nebula/test"
 	"github.com/stretchr/testify/assert"
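Review bot: The new `remoteCidr.Insert(netip.PrefixFrom(nip, nip.BitLen()), struct{}{})` line still runs when `netip.AddrFromSlice` fails two lines above, where the ok result is discarded: a malformed `ip.IP` yields the zero `Addr`, whose `BitLen()` is 0, so an invalid zero-bit prefix is handed to the table, and what `Insert` does with it depends on the table implementation outside this hunk. A guard such as `if !nip.IsValid() { continue }` before the insert (or an error return, which is what the open TODO is asking about) would keep bad certificate entries out of the table. The reason for dropping the mask also deserves a comment, because the old form looked deliberate; something like `// Insert the full address only: the certificate mask describes the network the host lives in, not the addresses this peer is allowed to own, so a wider prefix would match traffic for every host in that network.` CreateRemoteCIDR begins before this hunk and continues after it.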
@@ -87,6 +89,40 @@ func TestHostMap_MakePrimary(t *testing.T) {
 	assert.Nil(t, h2.next)
 }
 
+func TestHostInfo_CreateRemoteCIDR(t *testing.T) {
+	h := HostInfo{}
+	c := &cert.NebulaCertificate{
+		Details: cert.NebulaCertificateDetails{
+			Ips: []*net.IPNet{
+				{
+					IP: net.IPv4(1, 2, 3, 4),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
+			},
+		},
+	}
+
+	// remoteCidr should be empty with only 1 ip address present in the certificate
+	h.CreateRemoteCIDR(c)
+	assert.Empty(t, h.remoteCidr)
+
+	// remoteCidr should be populated if there is also a subnet in the certificate
+	c.Details.Subnets = []*net.IPNet{
+		{
+			IP: net.IPv4(9, 2, 3, 4),
+			Mask: net.IPv4Mask(255, 255, 255, 0),
+		},
+	}
+	h.CreateRemoteCIDR(c)
+	assert.NotEmpty(t, h.remoteCidr)
+	_, ok := h.remoteCidr.Lookup(netip.MustParseAddr("1.2.3.0"))
+	assert.False(t, ok, "An ip address within the certificates network should not be found")
+	_, ok = h.remoteCidr.Lookup(netip.MustParseAddr("1.2.3.4"))
+	assert.True(t, ok, "An exact ip address match should be found")
+	_, ok = h.remoteCidr.Lookup(netip.MustParseAddr("9.2.3.4"))
+	assert.True(t, ok, "An ip address within the subnets should be found")
+}
+
 func TestHostMap_DeleteHostInfo(t *testing.T) {
 	l := test.NewLogger()
 	hm := newHostMap(
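Review bot: The only negative lookup in the new test is `1.2.3.0`, the network address of the certificate's /24; the behaviour this commit changes is that other hosts in that network must no longer match, so a host address is the more direct regression check, e.g. `_, ok = h.remoteCidr.Lookup(netip.MustParseAddr("1.2.3.5"))` followed by `assert.False(t, ok, "Another host in the certificate's network should not be found")`. A second certificate entry whose mask is already /32 would also show that the old mask-based form and the new `BitLen()` form agree in the case where they should, and an IPv6 entry would exercise the `Unmap` path the test currently only reaches through `net.IPv4`'s 16-byte form.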