Author nnewram
Recipients nnewram
Date 2020-06-17.13:11:52
In the ipaddress library there exist two classes, IPv4Interface and IPv6Interface. These classes' hash functions will always return 32 and 64 respectively. If IPv4Interface or IPv6Interface objects are then put in a dictionary, on for example a server storing IPs, this will cause hash collisions, which in turn can lead to DoS.

The root of this is on lines 1421 and 2095. On both lines, self._ip and will both be the same, and when xor is applied they will cancel each other out, leaving return self._prefixlen.
Since self._prefixlen is a constant, 32 and 64 respectively, this will lead to a constant hash.

The fix is trivial, on line 1421, change to:
return hash((self._ip, self._prefixlen, int(

and on line 2095, change to:
return hash((self._ip, self._prefixlen, int(
Date                 User     Action  Args
2020-06-17 13:11:52  nnewram  set     recipients: + nnewram
2020-06-17 13:11:52  nnewram  set     messageid: <>
2020-06-17 13:11:52  nnewram  link    issue41004 messages
2020-06-17 13:11:52  nnewram  create
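
Added example (not part of the original message and not the CPython source): a stand-in class that reproduces the cancelling-XOR hash described in the report, next to a tuple-based hash, with a count of the key comparisons a dict performs for each. The class names, the helper functions and the two-field tuple are assumptions made for illustration; the report's own fix line is truncated on this page and is not reconstructed here.

```python
import ipaddress


class _Iface:
    """Stand-in with the two fields the report names (_ip, _prefixlen)."""
    eq_calls = 0

    def __init__(self, ip, prefixlen=32):
        self._ip, self._prefixlen = ip, prefixlen

    def __eq__(self, other):
        type(self).eq_calls += 1          # count key comparisons done by dict
        return (self._ip, self._prefixlen) == (other._ip, other._prefixlen)


class XorHashIface(_Iface):
    def __hash__(self):
        # Reported pattern: the same value XORed in twice cancels out,
        # so only the constant prefix length survives.
        return self._ip ^ self._prefixlen ^ self._ip


class TupleHashIface(_Iface):
    def __hash__(self):
        # Tuple hashing mixes the fields instead of cancelling them.
        return hash((self._ip, self._prefixlen))


def distinct_hashes(objs):
    """Number of different hash values across objs (1 means constant hash)."""
    return len({hash(o) for o in objs})


def eq_calls_during_insert(cls, n):
    """Insert n distinct keys into a dict; return how many __eq__ calls it took."""
    cls.eq_calls = 0
    table = {cls(0x0A000000 + i): None for i in range(n)}   # constructed addresses
    assert len(table) == n
    return cls.eq_calls


if __name__ == "__main__":
    n = 2000
    print("xor hash   eq calls:", eq_calls_during_insert(XorHashIface, n))
    print("tuple hash eq calls:", eq_calls_during_insert(TupleHashIface, n))
    # Same check against the real class on the interpreter you are running.
    real = [ipaddress.IPv4Interface(0x0A000000 + i) for i in range(n)]
    print("IPv4Interface distinct hashes:", distinct_hashes(real), "of", n)
```

With a constant hash every insertion walks past all earlier keys, so the comparison count grows quadratically with the number of stored addresses; the last line of the script reports whether the interpreter in use still shows a single hash value for IPv4Interface.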