NotificationsYou must be signed in to change notification settings
Fork32k
Star67.2k

gh-128840: Limit the number of parts in IPv6 address parsing#128841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

gpshead merged 9 commits intopython:mainfromsethmlarson:ipv6-address-parts

May 24, 2025

Merged

gh-128840: Limit the number of parts in IPv6 address parsing#128841

gpshead merged 9 commits intopython:mainfromsethmlarson:ipv6-address-parts

May 24, 2025

+22 −2

Conversation

Copy link

Contributor

sethmlarson commentedJan 14, 2025•
edited
Loading

See:#128840

cc@nessita

Issue:IPv6 address parsing doesn't limit buffer size #128840

pythonGH-128840: Limit the number of parts in IPv6 address parsing

115bec4

sethmlarson added the type-securityA security issue label

Jan 14, 2025

bedevere-appbot mentioned this pull request

Jan 14, 2025

IPv6 address parsing doesn't limit buffer size#128840

Open

bedevere-appbot added the awaiting review label

Jan 14, 2025

sethmlarson added2 commits

January 14, 2025 11:19

Add news entry

0afa538

Fix location of new test case

3e055b4

MarkusH approved these changes

Jan 14, 2025

View reviewed changes

bedevere-appbot added awaiting core review and removed awaiting review labels

Jan 14, 2025

nessita approved these changes

Jan 14, 2025

View reviewed changes

Copy link

nessita left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Looks great, thank you@sethmlarson!

sethmlarson requested a review fromserhiy-storchaka

January 14, 2025 19:41

gpshead added needs backport to 3.9

only security fixes

needs backport to 3.10

only security fixes

needs backport to 3.11

only security fixes

needs backport to 3.12

only security fixes

needs backport to 3.13bugs and security fixes labels

Jan 14, 2025

serhiy-storchaka reviewed

Jan 14, 2025

View reviewed changes

Misc/NEWS.d/next/Security/2025-01-14-11-19-07.gh-issue-128840.M1doZW.rst OutdatedShow resolvedHide resolved

Update with more descriptive news

e659287

Copy link

lazysegtree commentedJan 15, 2025•
edited
Loading

@sethmlarson How does this fix prevents a potential denial-of-service ?

This prevents excessive memory consumption and potential
denial-of-service when parsing a large IPv6 address.

In the case when we end up withip_str with extra:, all this fix causes is that the list created in the split call is shorter (Reduced memory usage, and Less CPU instruction due to prevention of additional append calls to the allocated list).
Even if this fix is not there, program will just consume a bit more memory and a bit more cpu (as@serhiy-storchaka already pointed out, "proportional memory already spent on the input string and proportional time was already spent on reading and decoding it").

And, It should not be labelled "Type-Security" .

Copy link

lazysegtree commentedJan 15, 2025

Point to note : this PR is relevant to issue -#128840 , but it doesn't entirely fix the issue.
The issue is

IPv6 addresses have a maximum length (8 colon-separated parts) but the current implementation doesn't limit the length.

This fix just limits the number of: in the address, not the entire address length. A string like this would still be relavant to the issue, and would not be fixed by this.

'0000::' + '0'*(10**4)

And, a complete fix would maybe add a check in_ip_int_from_string method for length ofip_str to be less than or equal to39 (0000:0000:0000:0000:0000:0000:0000:0000)

This check could come in the__init__ method ofIPv6Address class, but that might not be the best place for it.