gh-128840: Limit the number of parts in IPv6 address parsing by sethmlarson · Pull Request #128841 · python/cpython

sethmlarson · 2025-01-14T17:14:16Z

See: #128840

cc @nessita

Issue: IPv6 address parsing doesn't limit buffer size #128840

nessita

Looks great, thank you @sethmlarson!

Misc/NEWS.d/next/Security/2025-01-14-11-19-07.gh-issue-128840.M1doZW.rst

lazysegtree · 2025-01-15T07:23:51Z

@sethmlarson How does this fix prevents a potential denial-of-service ?

This prevents excessive memory consumption and potential
denial-of-service when parsing a large IPv6 address.

In the case when we end up with ip_str with extra :, all this fix causes is that the list created in the split call is shorter (Reduced memory usage, and Less CPU instruction due to prevention of additional append calls to the allocated list).
Even if this fix is not there, program will just consume a bit more memory and a bit more cpu (as @serhiy-storchaka already pointed out, "proportional memory already spent on the input string and proportional time was already spent on reading and decoding it").

And, It should not be labelled "Type-Security" .

lazysegtree · 2025-01-15T07:44:08Z

Point to note : this PR is relevant to issue - #128840 , but it doesn't entirely fix the issue.
The issue is

IPv6 addresses have a maximum length (8 colon-separated parts) but the current implementation doesn't limit the length.

This fix just limits the number of : in the address, not the entire address length. A string like this would still be relavant to the issue, and would not be fixed by this.

'0000::' + '0'*(10**4)

And, a complete fix would maybe add a check in _ip_int_from_string method for length of ip_str to be less than or equal to 39 (0000:0000:0000:0000:0000:0000:0000:0000)

This check could come in the __init__ method of IPv6Address class, but that might not be the best place for it.

Misc/NEWS.d/next/Security/2025-01-14-11-19-07.gh-issue-128840.M1doZW.rst

sethmlarson · 2025-01-15T16:53:15Z

@lazysegtree I've made the updates to limit total number of characters in addition to number of splits.

hugovk · 2025-01-17T16:27:05Z

(Updated from main to fix the unrelated docs CI failure.)

serhiy-storchaka

LGTM. 👍

python-cla-bot · 2025-04-18T09:30:45Z

All commit authors signed the Contributor License Agreement.

miss-islington-app · 2025-05-24T02:57:16Z

Thanks @sethmlarson for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

…ythonGH-128841) pythonGH-128840: Limit the number of parts in IPv6 address parsing Limit length of IP address string to 39 --------- (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

bedevere-app · 2025-05-24T02:57:24Z

GH-134610 is a backport of this pull request to the 3.14 branch.

…ythonGH-128841) pythonGH-128840: Limit the number of parts in IPv6 address parsing Limit length of IP address string to 39 --------- (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

bedevere-app · 2025-05-24T02:57:29Z

GH-134611 is a backport of this pull request to the 3.13 branch.

bedevere-app · 2025-05-24T02:57:32Z

GH-134612 is a backport of this pull request to the 3.12 branch.

…ythonGH-128841) pythonGH-128840: Limit the number of parts in IPv6 address parsing Limit length of IP address string to 39 --------- (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

bedevere-app · 2025-05-24T02:57:37Z

GH-134613 is a backport of this pull request to the 3.11 branch.

…ythonGH-128841) pythonGH-128840: Limit the number of parts in IPv6 address parsing Limit length of IP address string to 39 --------- (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

bedevere-app · 2025-05-24T02:57:41Z

GH-134614 is a backport of this pull request to the 3.10 branch.

…ythonGH-128841) pythonGH-128840: Limit the number of parts in IPv6 address parsing Limit length of IP address string to 39 --------- (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

bedevere-app · 2025-05-24T02:57:45Z

GH-134615 is a backport of this pull request to the 3.9 branch.

…H-128841) (#134610) gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841) GH-128840: Limit the number of parts in IPv6 address parsing Limit length of IP address string to 39 --------- (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…H-128841) (#134611) gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841) GH-128840: Limit the number of parts in IPv6 address parsing Limit length of IP address string to 39 --------- (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…H-128841) (#134612) gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841) GH-128840: Limit the number of parts in IPv6 address parsing Limit length of IP address string to 39 --------- (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…H-128841) (GH-134613) Limit length of IP address string to 39 (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…H-128841) (GH-134614) Limit length of IP address string to 39 (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…H-128841) (GH-134615) Limit length of IP address string to 39 (cherry picked from commit 47f1161) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

…ythonGH-128841) pythonGH-128840: Limit the number of parts in IPv6 address parsing Limit length of IP address string to 39 --------- Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>

pythonGH-128840: Limit the number of parts in IPv6 address parsing

115bec4

sethmlarson added the type-security A security issue label Jan 14, 2025

bedevere-app bot mentioned this pull request Jan 14, 2025

IPv6 address parsing doesn't limit buffer size #128840

Closed

bedevere-app bot added the awaiting review label Jan 14, 2025

sethmlarson added 2 commits January 14, 2025 11:19

Add news entry

0afa538

Fix location of new test case

3e055b4

MarkusH approved these changes Jan 14, 2025

View reviewed changes

bedevere-app bot added awaiting core review and removed awaiting review labels Jan 14, 2025

nessita approved these changes Jan 14, 2025

View reviewed changes

sethmlarson requested a review from serhiy-storchaka January 14, 2025 19:41

gpshead added needs backport to 3.9 needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Jan 14, 2025

serhiy-storchaka reviewed Jan 14, 2025

View reviewed changes

Misc/NEWS.d/next/Security/2025-01-14-11-19-07.gh-issue-128840.M1doZW.rst Outdated Show resolved Hide resolved

Update with more descriptive news

e659287

serhiy-storchaka reviewed Jan 15, 2025

View reviewed changes

Misc/NEWS.d/next/Security/2025-01-14-11-19-07.gh-issue-128840.M1doZW.rst Outdated Show resolved Hide resolved

Limit length of IP address string to 39

e1e6917

Merge branch 'main' into ipv6-address-parts

2fde355

Merge branch 'main' into ipv6-address-parts

d7ddf61

serhiy-storchaka approved these changes Apr 14, 2025

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting core review labels Apr 14, 2025

gpshead enabled auto-merge (squash) May 24, 2025 02:36

gpshead merged commit 47f1161 into python:main May 24, 2025
39 checks passed

bedevere-app bot removed the awaiting merge label May 24, 2025

bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label May 24, 2025

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label May 24, 2025

bedevere-app bot removed the needs backport to 3.12 only security fixes label May 24, 2025

bedevere-app bot removed the needs backport to 3.11 only security fixes label May 24, 2025

bedevere-app bot removed the needs backport to 3.10 only security fixes label May 24, 2025

bedevere-app bot removed the needs backport to 3.9 label May 24, 2025

Uh oh!

Conversation

sethmlarson commented Jan 14, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nessita left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

lazysegtree commented Jan 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

lazysegtree commented Jan 15, 2025

Uh oh!

Uh oh!

sethmlarson commented Jan 15, 2025

Uh oh!

hugovk commented Jan 17, 2025

Uh oh!

serhiy-storchaka left a comment

Choose a reason for hiding this comment

Uh oh!

python-cla-bot bot commented Apr 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

miss-islington-app bot commented May 24, 2025

Uh oh!

bedevere-app bot commented May 24, 2025

Uh oh!

bedevere-app bot commented May 24, 2025

Uh oh!

bedevere-app bot commented May 24, 2025

Uh oh!

bedevere-app bot commented May 24, 2025

Uh oh!

bedevere-app bot commented May 24, 2025

Uh oh!

bedevere-app bot commented May 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

sethmlarson commented Jan 14, 2025 •

edited

Loading

lazysegtree commented Jan 15, 2025 •

edited

Loading

python-cla-bot bot commented Apr 18, 2025 •

edited

Loading