[issue41004] Hash collisions in IPv4Interface and IPv6Interface
New submission from martin w:

In the ipaddress library there exist two classes, IPv4Interface and IPv6Interface. These classes' hash functions will always return 32 and 64 respectively. If IPv4Interface or IPv6Interface objects are then put in a dictionary, on for example a server storing IPs, this will cause hash collisions, which in turn can lead to DOS.

The root of this is on lines 1421 and 2095. On both lines, self._ip and self.network.network_address will both be the same, and when xor is applied they will cancel each other out, leaving return self._prefixlen. Since self._prefixlen is a constant, 32 and 64 respectively, this will lead to a constant hash.

The fix is trivial, on line 1421, change to:

    return hash((self._ip, self._prefixlen, int(self.network.network_address)))

and on line 2095, change to:

    return hash((self._ip, self._prefixlen, int(self.network.network_address)))

--
components: Library (Lib)
messages: 371738
nosy: nnewram
priority: normal
severity: normal
status: open
title: Hash collisions in IPv4Interface and IPv6Interface
versions: Python 3.8

___
Python tracker <https://bugs.python.org/issue41004>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
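An added illustration, not part of the tracker messages or of CPython's code: it reconstructs the XOR-based hash from the description in the report (so the result does not depend on the running interpreter's own `__hash__`) and compares it with the tuple-based hash the report proposes. It also goes beyond the /32 case in the report to show that for shorter prefixes the XOR leaves only the host bits. The function names and the 10.0.0.0 sample range are assumptions chosen here.

```python
import ipaddress


def xor_hash(iface):
    """Hash as the report describes it: ip XOR prefixlen XOR network address.

    Reconstructed from the report's description, not copied from CPython.
    """
    return (int(iface)
            ^ iface.network.prefixlen
            ^ int(iface.network.network_address))


def tuple_hash(iface):
    """Hash proposed in the report: hash a tuple of the same three fields."""
    return hash((int(iface),
                 iface.network.prefixlen,
                 int(iface.network.network_address)))


def make_interfaces(count, prefixlen, base="10.0.0.0"):
    """Constructed sample data: `count` consecutive addresses, one prefix."""
    start = int(ipaddress.IPv4Address(base))
    return [
        ipaddress.IPv4Interface(f"{ipaddress.IPv4Address(start + i)}/{prefixlen}")
        for i in range(count)
    ]


def distinct(hash_fn, ifaces):
    """Number of different hash values produced over the sample."""
    return len({hash_fn(i) for i in ifaces})


def interpreter_collapses_hashes(sample_size=256):
    """True if the running interpreter's own __hash__ gives one value
    for every /32 interface in the sample (the behaviour reported)."""
    return distinct(hash, make_interfaces(sample_size, 32)) == 1


if __name__ == "__main__":
    for plen in (32, 24):
        ifaces = make_interfaces(1024, plen)
        print(f"/{plen}: xor={distinct(xor_hash, ifaces)} "
              f"tuple={distinct(tuple_hash, ifaces)} of {len(ifaces)}")
    print("running interpreter affected:", interpreter_collapses_hashes())
```

With every key landing on one hash value, each dict or set insert has to compare against the colliding entries already stored, so building a table of n such keys costs on the order of n² comparisons instead of n.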
[issue41004] Hash collisions in IPv4Interface and IPv6Interface
Change by martin w:

--
type: -> security
[issue41004] Hash collisions in IPv4Interface and IPv6Interface
Change by martin w:

--
versions: +Python 3.10 -Python 3.8
[issue41004] Hash collisions in IPv4Interface and IPv6Interface
martin w added the comment:

Forgot to add, this applies to all versions, 3.10, 3.9, 3.8, 3.7, 3.6, 3.5

--
versions: +Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9
[issue41004] Hash collisions in IPv4Interface and IPv6Interface
martin w added the comment:

Absolutely, go ahead Amir

--