diff --git a/include/util/taoserror.h b/include/util/taoserror.h
index c5dd418b73..257fa67fbf 100644
--- a/include/util/taoserror.h
+++ b/include/util/taoserror.h
@@ -247,6 +247,9 @@ int32_t* taosGetErrno();
 #define TSDB_CODE_MND_AUTH_FAILURE TAOS_DEF_ERROR_CODE(0, 0x0357)
 #define TSDB_CODE_MND_USER_NOT_AVAILABLE TAOS_DEF_ERROR_CODE(0, 0x0358)
 #define TSDB_CODE_MND_PRIVILEDGE_EXIST TAOS_DEF_ERROR_CODE(0, 0x0359)
+#define TSDB_CODE_MND_USER_HOST_EXIST TAOS_DEF_ERROR_CODE(0, 0x035A)
+#define TSDB_CODE_MND_USER_HOST_NOT_EXIST TAOS_DEF_ERROR_CODE(0, 0x035B)
+#define TSDB_CODE_MND_TOO_MANY_USER_HOST TAOS_DEF_ERROR_CODE(0, 0x035C)
 // mnode-stable-part1
 #define TSDB_CODE_MND_STB_ALREADY_EXIST TAOS_DEF_ERROR_CODE(0, 0x0360)
diff --git a/include/util/tdef.h b/include/util/tdef.h
index aca4774ba5..91133a05f8 100644
--- a/include/util/tdef.h
+++ b/include/util/tdef.h
@@ -202,7 +202,7 @@ typedef enum ELogicConditionType {
 #define TSDB_DB_NAME_LEN 65
 #define TSDB_DB_FNAME_LEN (TSDB_ACCT_ID_LEN + TSDB_DB_NAME_LEN + TSDB_NAME_DELIMITER_LEN)
 #define TSDB_PRIVILEDGE_CONDITION_LEN 48 * 1024
-#define TSDB_PRIVILEDGE_HOST_LEN 24 * 1024
+#define TSDB_PRIVILEDGE_HOST_LEN 48 * 1024
 #define TSDB_FUNC_NAME_LEN 65
 #define TSDB_FUNC_COMMENT_LEN 1024 * 1024
diff --git a/source/dnode/mnode/impl/src/mndUser.c b/source/dnode/mnode/impl/src/mndUser.c
index 4943328b43..841ba68198 100644
--- a/source/dnode/mnode/impl/src/mndUser.c
+++ b/source/dnode/mnode/impl/src/mndUser.c
@@ -437,7 +437,7 @@ static void ipRangeToStr(SIpV4Range *range, char *buf) {
 }
 return;
 }
-static bool isDefualtRange(SIpV4Range *pRange) {
+static bool isDefaultRange(SIpV4Range *pRange) {
 static SIpV4Range val = {.ip = 16777343, .mask = 32};
 return pRange->ip == val.ip && pRange->mask == val.mask;
 }
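Review bot: In include/util/tdef.h the new `TSDB_PRIVILEDGE_HOST_LEN` value is still an unparenthesized expression, and this commit starts using it as `TSDB_PRIVILEDGE_HOST_LEN / 24` in mndProcessAlterUserReq to cap the IP white list. That expands to `48 * 1024 / 24`, which gives the intended 2048 only because `*` and `/` associate left to right; a use such as `x / TSDB_PRIVILEDGE_HOST_LEN` or `x % TSDB_PRIVILEDGE_HOST_LEN` would silently compute a different bound. I would write `#define TSDB_PRIVILEDGE_HOST_LEN (48 * 1024)`; the neighbouring `TSDB_PRIVILEDGE_CONDITION_LEN` and `TSDB_FUNC_COMMENT_LEN` have the same form.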
@@ -446,7 +446,7 @@ static int32_t ipRangeListToStr(SIpV4Range *range, int32_t num, char *buf) {
 for (int i = 0; i < num; i++) {
 char tbuf[36] = {0};
 SIpV4Range *pRange = &range[i];
- if (isDefualtRange(pRange)) continue;
+ if (isDefaultRange(pRange)) continue;
 ipRangeToStr(&range[i], tbuf);
 len += sprintf(buf + len, "%s,", tbuf);
@@ -1663,12 +1663,14 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
 }
 if (alterReq.alterType == TSDB_ALTER_USER_ADD_WHITE_LIST) {
- taosMemoryFree(newUser.pIpWhiteList);
+ taosMemoryFreeClear(newUser.pIpWhiteList);
 int32_t num = pUser->pIpWhiteList->num + alterReq.numIpRanges;
 SIpWhiteList *pNew = taosMemoryCalloc(1, sizeof(SIpWhiteList) + sizeof(SIpV4Range) * num);
 int32_t idx = pUser->pIpWhiteList->num;
+
+ bool exist = false;
 memcpy(pNew->pIpRange, pUser->pIpWhiteList->pIpRange, sizeof(SIpV4Range) * idx);
 for (int i = 0; i < alterReq.numIpRanges; i++) {
 SIpV4Range *range = &(alterReq.pIpRanges[i]);
@@ -1677,17 +1679,32 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
 memcpy(&pNew->pIpRange[idx], range, sizeof(SIpV4Range));
 idx++;
 continue;
+ } else {
+ exist = true;
 }
 }
+ if (exist) {
+ taosMemoryFree(pNew);
+ terrno = TSDB_CODE_MND_USER_HOST_EXIST;
+ code = terrno;
+ goto _OVER;
+ }
 pNew->num = idx;
 newUser.pIpWhiteList = pNew;
 newUser.ipWhiteListVer = pUser->ipWhiteListVer + 1;
+
+ if (pNew->num >= TSDB_PRIVILEDGE_HOST_LEN / 24) {
+ terrno = TSDB_CODE_MND_TOO_MANY_USER_HOST;
+ code = terrno;
+ goto _OVER;
+ }
 }
 if (alterReq.alterType == TSDB_ALTER_USER_DROP_WHITE_LIST) {
- taosMemoryFree(newUser.pIpWhiteList);
+ taosMemoryFreeClear(newUser.pIpWhiteList);
 int32_t num = pUser->pIpWhiteList->num;
 SIpWhiteList *pNew = taosMemoryCalloc(1, sizeof(SIpWhiteList) + sizeof(SIpV4Range) * num);
+ bool noexist = true;
 if (pUser->pIpWhiteList->num > 0) {
 int idx = 0;
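Review bot: In the `@@ -1663` hunk of mndUser.c, `pNew` returned by `taosMemoryCalloc` goes straight into `memcpy(pNew->pIpRange, ...)` with no NULL check, while the allocation size depends on `alterReq.numIpRanges` taken from the request. If the allocator can return NULL (as a calloc wrapper presumably can), a failed allocation becomes a NULL write in the mnode. I would add `if (pNew == NULL)` right after the call, set the out-of-memory error in `terrno`/`code`, and `goto _OVER`; the DROP branch in the following hunk allocates the same way and needs the same guard. The function body starts and ends outside the hunk.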
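Review bot: The new limit check `pNew->num >= TSDB_PRIVILEDGE_HOST_LEN / 24` in the ADD branch of the `@@ -1677` hunk runs only after the list has been allocated and filled, so an oversized `alterReq.numIpRanges` is rejected after the allocation it should have prevented. Because any already-present host now aborts the request, a successful pass appears to leave `idx` equal to `num` (the condition guarding the copy lies between the hunks, so this is inferred), which means the bound can be tested on `num` before `taosMemoryCalloc`, together with a check that `alterReq.numIpRanges` is not negative and that the sum does not overflow `int32_t`. The bare `24` would be easier to audit as a named constant with a comment stating which per-entry size it represents. The loop could also `break` once `exist` is set instead of continuing to copy entries into a buffer that is about to be freed.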
@@ -1696,7 +1713,7 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
 bool found = false;
 for (int j = 0; j < alterReq.numIpRanges; j++) {
 SIpV4Range *range = &alterReq.pIpRanges[j];
- if (isIpRangeEqual(oldRange, range)) {
+ if (!isDefaultRange(range) && isIpRangeEqual(oldRange, range)) {
 found = true;
 break;
 }
@@ -1705,6 +1722,9 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
 memcpy(&pNew->pIpRange[idx], oldRange, sizeof(SIpV4Range));
 idx++;
 }
+ if (found == true) {
+ noexist = false;
+ }
 }
 pNew->num = idx;
 newUser.pIpWhiteList = pNew;
@@ -1715,6 +1735,11 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
 newUser.pIpWhiteList = pNew;
 newUser.ipWhiteListVer = pUser->ipWhiteListVer + 1;
 }
+ if (noexist) {
+ terrno = TSDB_CODE_MND_USER_HOST_NOT_EXIST;
+ code = terrno;
+ goto _OVER;
+ }
 }
 code = mndAlterUser(pMnode, pUser, &newUser, pReq);
diff --git a/source/util/src/terror.c b/source/util/src/terror.c
index 90079d387e..0b014fb31f 100644
--- a/source/util/src/terror.c
+++ b/source/util/src/terror.c
@@ -194,6 +194,9 @@ TAOS_DEFINE_ERROR(TSDB_CODE_MND_TOO_MANY_USERS, "Too many users")
 TAOS_DEFINE_ERROR(TSDB_CODE_MND_INVALID_ALTER_OPER, "Invalid alter operation")
 TAOS_DEFINE_ERROR(TSDB_CODE_MND_AUTH_FAILURE, "Authentication failure")
 TAOS_DEFINE_ERROR(TSDB_CODE_MND_PRIVILEDGE_EXIST, "User already have this priviledge")
+TAOS_DEFINE_ERROR(TSDB_CODE_MND_USER_HOST_EXIST, "Host already exist in ip white list")
+TAOS_DEFINE_ERROR(TSDB_CODE_MND_USER_HOST_NOT_EXIST, "Host not exist in ip white list")
+TAOS_DEFINE_ERROR(TSDB_CODE_MND_TOO_MANY_USER_HOST, "Too many host in ip white list")
 //mnode-stable-part1
 TAOS_DEFINE_ERROR(TSDB_CODE_MND_STB_ALREADY_EXIST, "STable already exists")
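Review bot: The added `!isDefaultRange(range)` guard in the `@@ -1696` hunk makes a DROP request that names the default range a silent no-op for that entry: it is never matched, so it presumably stays in the list, and if other named hosts match the request still succeeds without telling the caller. When the default range is the only host named, `noexist` stays true and the caller receives `TSDB_CODE_MND_USER_HOST_NOT_EXIST` from the last mndUser.c hunk, which reports the host as absent when it is actually being protected. For an IP allow-list the operator should be able to tell that an entry was kept, so I would reject such a request up front with its own error, or at minimum add a comment here such as `// the default range can never be dropped; requests naming it are ignored`. The loop this condition sits in starts outside the hunk.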
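Review bot: `noexist` checked in the `@@ -1715` hunk is cleared as soon as one requested range matches, so DROP fails only when none of the requested hosts is present, whereas the ADD branch earlier in this function rejects the whole request if any host already exists. A DROP naming one present and one absent host therefore succeeds and bumps `ipWhiteListVer` with no indication that part of the request was ignored. If all-or-nothing is intended, track matches per entry of `alterReq.pIpRanges` and compare the count with `alterReq.numIpRanges`; if partial success is intended, a comment above `if (noexist)` saying so would make the asymmetry deliberate. Separately, `if (found == true)` in the `@@ -1705` hunk reads more simply as `if (found)`.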