IPv6 address parsing doesn't limit buffer size

[sethmlarson]

Bug report

Bug description:

IPv6 addresses have a maximum length (8 colon-separated parts) but the current implementation doesn't limit the length. Similar issue to django/django@ca2be77

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Linked PRs

• gh-128840: Limit the number of parts in IPv6 address parsing #128841
• [3.14] gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841) #134610
• [3.13] gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841) #134611
• [3.12] gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841) #134612
• [3.11] gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841) #134613
• [3.10] gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841) #134614
• [3.9] gh-128840: Limit the number of parts in IPv6 address parsing (GH-128841) #134615
• gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address #134836
• [3.14] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836) #134845
• [3.13] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836) #134846
• [3.12] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836) #134847
• [3.10] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836) #135089
• [3.9] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836) #135090
• [3.11] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address (GH-134836) #135091

[serhiy-storchaka]

I do not think this is a security issue.

[frenzymadness]

Are you sure the fix for the issue is backward-compatible? It seems to me that addresses like 1111:2222:3333:4444:5555:6666:255.255.255.255 are now rejected even they are valid as far as I know. Embedding of an IPv4 address into an IPv6 address is an established standard.

[frenzymadness]

Python 3.13:

>>> domain_literal = '1111:2222:3333:4444:5555:6666:255.255.255.255'
>>> addr = ipaddress.IPv6Address(domain_literal)
>>> addr
IPv6Address('1111:2222:3333:4444:5555:6666:ffff:ffff')

Python 3.14 beta 2:

>>> domain_literal = '1111:2222:3333:4444:5555:6666:255.255.255.255'
>>> addr = ipaddress.IPv6Address(domain_literal)
Traceback (most recent call last):
  File "<python-input-7>", line 1, in <module>
    addr = ipaddress.IPv6Address(domain_literal)
  File "/usr/lib64/python3.14/ipaddress.py", line 1952, in __init__
    self._ip = self._ip_int_from_string(addr_str)
               ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib64/python3.14/ipaddress.py", line 1666, in _ip_int_from_string
    raise AddressValueError(msg)
ipaddress.AddressValueError: At most 39 characters expected in '1111:2222:3333'(17 chars elided)'55.255.255.255'

[hroncok]

I'd like to ensure this is resolved before it is released in 3.13.4 and 3.12.11 as a (potential) regression. cc @Yhg1s

[serhiy-storchaka]

Thank you for your report @frenzymadness. Indeed, this is a regression.

#134836 increases the limit and improves the error message, so now the whole valid IP address will be shown if the garbage was only added at one side.

[gpshead]

Good catch and thank you for the fixes!