Skip to content

gh-128840: Limit the number of parts in IPv6 address parsing #128841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
May 24, 2025
Merged

gh-128840: Limit the number of parts in IPv6 address parsing #128841

merged 9 commits into from
May 24, 2025
+22 −2

Conversation

sethmlarson
Copy link
Contributor

@sethmlarson sethmlarson commented Jan 14, 2025
edited
Loading

@sethmlarson sethmlarson added the type-security A security issue label Jan 14, 2025
@bedevere-app bedevere-app bot mentioned this pull request Jan 14, 2025
Open
nessita
nessita approved these changes Jan 14, 2025
View reviewed changes
Copy link

@nessita nessita left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thank you @sethmlarson!

@gpshead gpshead added needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Jan 14, 2025
@lazysegtree
Copy link

lazysegtree commented Jan 15, 2025
edited
Loading

@sethmlarson How does this fix prevents a potential denial-of-service ?

This prevents excessive memory consumption and potential
denial-of-service when parsing a large IPv6 address.

In the case when we end up with ip_str with extra :, all this fix causes is that the list created in the split call is shorter (Reduced memory usage, and Less CPU instruction due to prevention of additional append calls to the allocated list).
Even if this fix is not there, program will just consume a bit more memory and a bit more cpu (as @serhiy-storchaka already pointed out, "proportional memory already spent on the input string and proportional time was already spent on reading and decoding it").

And, It should not be labelled "Type-Security" .

@lazysegtree
Copy link

Point to note : this PR is relevant to issue - #128840 , but it doesn't entirely fix the issue.
The issue is

IPv6 addresses have a maximum length (8 colon-separated parts) but the current implementation doesn't limit the length.

This fix just limits the number of : in the address, not the entire address length. A string like this would still be relavant to the issue, and would not be fixed by this.

'0000::' + '0'*(10**4)

And, a complete fix would maybe add a check in _ip_int_from_string method for length of ip_str to be less than or equal to 39 (0000:0000:0000:0000:0000:0000:0000:0000)

This check could come in the __init__ method of IPv6Address class, but that might not be the best place for it.

@sethmlarson
Copy link
Contributor Author

@lazysegtree I've made the updates to limit total number of characters in addition to number of splits.

@hugovk
Copy link
Member

hugovk commented Jan 17, 2025

(Updated from main to fix the unrelated docs CI failure.)

serhiy-storchaka
serhiy-storchaka approved these changes Apr 14, 2025
View reviewed changes
Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. 👍

@python-cla-bot
Copy link

python-cla-bot bot commented Apr 18, 2025
edited
Loading

All commit authors signed the Contributor License Agreement.

CLA signed

@serhiy-storchaka serhiy-storchaka added the needs backport to 3.14 bugs and security fixes label May 8, 2025
@gpshead gpshead self-assigned this May 24, 2025
@gpshead gpshead enabled auto-merge (squash) May 24, 2025 02:36
@gpshead gpshead merged commit 47f1161 into python:main May 24, 2025
39 checks passed
@miss-islington-app
Copy link

Thanks @sethmlarson for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
c2885f9 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app
Copy link

bedevere-app bot commented May 24, 2025

GH-134610 is a backport of this pull request to the 3.14 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
67fabcd 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label May 24, 2025
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
9984c3a 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app
Copy link

bedevere-app bot commented May 24, 2025

GH-134611 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label May 24, 2025
@bedevere-app
Copy link

bedevere-app bot commented May 24, 2025

GH-134612 is a backport of this pull request to the 3.12 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
d575c30 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label May 24, 2025
@bedevere-app
Copy link

bedevere-app bot commented May 24, 2025

GH-134613 is a backport of this pull request to the 3.11 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
bb72b92 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label May 24, 2025
@bedevere-app
Copy link

bedevere-app bot commented May 24, 2025

GH-134614 is a backport of this pull request to the 3.10 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 24, 2025
@sethmlarson @hugovk
@serhiy-storchaka @gpshead @miss-islington
pythongh-128840: Limit the number of parts in IPv6 address parsing (p…
ea823ab 
…ythonGH-128841)

pythonGH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app bedevere-app bot removed the needs backport to 3.10 only security fixes label May 24, 2025
@bedevere-app
Copy link

bedevere-app bot commented May 24, 2025

GH-134615 is a backport of this pull request to the 3.9 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.9 only security fixes label May 24, 2025
gpshead added a commit that referenced this pull request May 24, 2025
@miss-islington @sethmlarson
@hugovk @serhiy-storchaka @gpshead
[3.14] gh-128840: Limit the number of parts in IPv6 address parsing (G…
576177d 
…H-128841) (#134610)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
gpshead added a commit that referenced this pull request May 24, 2025
@miss-islington @sethmlarson
@hugovk @serhiy-storchaka @gpshead
[3.13] gh-128840: Limit the number of parts in IPv6 address parsing (G…
2e30341 
…H-128841) (#134611)

gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841)

GH-128840: Limit the number of parts in IPv6 address parsing
Limit length of IP address string to 39

---------
(cherry picked from commit 47f1161)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead gpshead left review comments

@nessita nessita nessita approved these changes

@MarkusH MarkusH MarkusH approved these changes

@serhiy-storchaka serhiy-storchaka serhiy-storchaka approved these changes

Assignees

@gpshead gpshead

Labels
type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@sethmlarson @lazysegtree @hugovk @gpshead @nessita @MarkusH @serhiy-storchaka