net: limit the size of ParseIP input?

[bradfitz]

Maybe net.ParseIP shouldn't successfully parse IP addresses out of unbounded inputs?

e.g. fmt.Println(net.ParseIP(strings.Repeat("0", 10<<20) + "000000192.0000168.00000.00001")) passes, as does UnmarshalText (https://play.golang.org/p/bXGEzOS6KVQ)

Of course, in both those cases the data is already fully in memory, so most the harm has been done if this is attacker-controlled.

Still, a bit surprising. Intentional?

Some parsers reject past 3 digits per octet, so 196.168.020.001 is valid, but not 0196.0168.0020.0001.

[oiooj]

On Linux, see constant INET6_ADDRSTRLEN is 48, and INET_ADDRSTRLEN is 16. https://github.com/torvalds/linux/blob/master/include/linux/inet.h#L50

[bradfitz]

Previously: #30999 ("proposal: net/url: reject leading zeros in IP address parsers")

[gopherbot]

Change https://golang.org/cl/325829 mentions this issue: net: reject leading zeros in IP address parsers

[benjsmi]

Hello. I know the discussion about this has been primarily centered on how to best deliver it to Go v1.17, but my team is still reliant on Go v1.15, the amd64 build, which is still in the support stream according to https://golang.org/doc/go1.15. Specifically:

Go continues to support the 64-bit darwin/amd64 and darwin/arm64 ports.

To clarify, we are using Linux amd 64bit, not Mac, not Windows.

We see patches continue to be released on the Go 1.15 stream, for which we are very grateful to the community.

This issue, btw, corresponds to CVE-2021-29923. We would very much appreciate its resolution on the Go v1.15 branch; and will happily move to Go v1.15.16 if it contains this fix.

There's another issue #30999, which seems to be related closely in that it's in the same CVE (29923) and also relates to IP addresses. Can we address them both for Go v1.15.16? Please?

[toothrot]

@benjsmi As of the Go 1.17 release, Go 1.15.x is no longer supported for any further releases as per our maintenance policy.

Please upgrade to the latest supported version of Go.

[ALTree]

@benjsmi Go 1.15 is no longer supported since 1.17 was released:

[...] fixes for security issues, serious problems with no workaround, and documentation fixes are backported to the most recent two release branches, if applicable to that branch.

https://github.com/golang/go/wiki/MinorReleases

So security fixes in minor releases at the moment are limited to 1.16 and 1.17. In general, you should not expect 1.15 to have further minor releases.

[benjsmi]

Thanks for the responses everyone. This is an unfortunate situation but I completely understand why you're handling it this way.

[benjsmi]

So I'm not seeing this issue specifically mentioned in the Go 1.16 release notes -- is CVE-2021-29923 addressed in Go 1.16.x? And if so, which x?

[ianlancetaylor]

The net.ParseIP function rejects IPv4 addresses that contain decimal components with leading zeros in Go 1.17 but not in Go 1.16.

[dal13002]

Hey,
Since Go 1.16 is still supported, can we get a patch for this issue pushed to there? Go 1.16.15 is returning CVE-2021-29923 vulnerability and is preventing us from moving forward.

Thanks

[seankhliao]

With the release of 1.18, 1.16 is no longer supported.