[5.0.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.

Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

django/db/models/fields/__init__.py

@@ -30,7 +30,7 @@ from django.utils.dateparse import (
 )
 from django.utils.duration import duration_microseconds, duration_string
 from django.utils.functional import Promise, cached_property
-from django.utils.ipv6 import clean_ipv6_address
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
 from django.utils.itercompat import is_iterable
 from django.utils.text import capfirst
 from django.utils.translation import gettext_lazy as _
@@ -2220,7 +2220,7 @@ class GenericIPAddressField(Field):
             invalid_error_message,
         ) = validators.ip_address_validators(protocol, unpack_ipv4)
         self.default_error_messages["invalid"] = invalid_error_message
-        kwargs["max_length"] = 39
+        kwargs["max_length"] = MAX_IPV6_ADDRESS_LENGTH
         super().__init__(verbose_name, name, *args, **kwargs)
 
     def check(self, **kwargs):
@@ -2247,7 +2247,7 @@ class GenericIPAddressField(Field):
             kwargs["unpack_ipv4"] = self.unpack_ipv4
         if self.protocol != "both":
             kwargs["protocol"] = self.protocol
-        if kwargs.get("max_length") == 39:
+        if kwargs.get("max_length") == self.max_length:
             del kwargs["max_length"]
         return name, path, args, kwargs
 

django/forms/fields.py

@@ -46,7 +46,7 @@ from django.utils.choices import normalize_choices
 from django.utils.dateparse import parse_datetime, parse_duration
 from django.utils.deprecation import RemovedInDjango60Warning
 from django.utils.duration import duration_string
-from django.utils.ipv6 import clean_ipv6_address
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
 from django.utils.regex_helper import _lazy_re_compile
 from django.utils.translation import gettext_lazy as _
 from django.utils.translation import ngettext_lazy
@@ -1295,6 +1295,7 @@ class GenericIPAddressField(CharField):
         self.default_validators = validators.ip_address_validators(
             protocol, unpack_ipv4
         )[0]
+        kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH)
         super().__init__(**kwargs)
 
     def to_python(self, value):
@@ -1302,7 +1303,9 @@ class GenericIPAddressField(CharField):
             return ""
         value = value.strip()
         if value and ":" in value:
-            return clean_ipv6_address(value, self.unpack_ipv4)
+            return clean_ipv6_address(
+                value, self.unpack_ipv4, max_length=self.max_length
+            )
         return value
 
 

django/utils/ipv6.py

@@ -3,9 +3,22 @@ import ipaddress
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext_lazy as _
 
+MAX_IPV6_ADDRESS_LENGTH = 39
+
+
+def _ipv6_address_from_str(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH):
+    if len(ip_str) > max_length:
+        raise ValueError(
+            f"Unable to convert {ip_str} to an IPv6 address (value too long)."
+        )
+    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
+
 
 def clean_ipv6_address(
-    ip_str, unpack_ipv4=False, error_message=_("This is not a valid IPv6 address.")
+    ip_str,
+    unpack_ipv4=False,
+    error_message=_("This is not a valid IPv6 address."),
+    max_length=MAX_IPV6_ADDRESS_LENGTH,
 ):
     """
     Clean an IPv6 address string.
@@ -24,7 +37,7 @@ def clean_ipv6_address(
     Return a compressed IPv6 address or the same value.
     """
     try:
-        addr = ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
+        addr = _ipv6_address_from_str(ip_str, max_length)
     except ValueError:
         raise ValidationError(error_message, code="invalid")
 
@@ -41,7 +54,7 @@ def is_valid_ipv6_address(ip_str):
     Return whether or not the `ip_str` string is a valid IPv6 address.
     """
     try:
-        ipaddress.IPv6Address(ip_str)
+        _ipv6_address_from_str(ip_str)
     except ValueError:
         return False
     return True