Guarded subnets must stay allowed
Just after the host reservation lookup the query classes can be cleared and evaluated again with the host reservation classes. During this it is possible to have a selected subnet with a guard (client-class) which finished to not be allowed (i.e. the guard client class is no longer in the query classes). The whole code assumes the selected subnet is allowed so it can lead to very incorrect behavior.
The fix is easy: just unconditionally add again the guard class (the class add method puts its argument once in the classes: if it is already in them the method does nothing).
Or alternatively make all possible branches to handle this case: the selected subnet is no longer allowed so can be used only in a shared network and a new "start" subnet must be found.