Skip to content

IPv6 address validation is wrong #39184

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DemiMarie opened this issue Apr 20, 2025 · 5 comments
Open

IPv6 address validation is wrong #39184

DemiMarie opened this issue Apr 20, 2025 · 5 comments
Labels
area/http_connection_manager bug

Comments

@DemiMarie
Copy link

Description:
Envoy tries to validate IPv6 addresses in headers, but it does so incorrectly. It both accepts invalid IPv6 addresses (such as 1:2) and rejects valid ones (such as ::1:1:1:1:1:1:1).

I recommend checking that the buffer does not have NUL or . and is less than 40 bytes, then copying to a 40-byte buffer, adding a NUL terminator, and calling inet_pton(AF_INET6, buf, &value). This will use the libc inet_pton() function, which validates IPv6 addresses correctly. If calling this function on untrusted input is not an option due to security concerns, it is possible to implement IPv6 address validation directly in C++, but the libc code would likely be more battle-tested.

If checking that the address is canonical is desired, the simplest approach is to convert the IPv6 address to numeric form, check that the numeric form is not in ::ffff:0:0/96 (IPv4-mapped) and not in ::/96 (IPv4-compatible), convert back to text with inet_ntop, and check that the result is the same as what was provided.

Repro steps:
Use one of the above-mentioned addresses as the IPv6 address part of a Host: header.

Admin and Stats Output:
N/A as this was found by code review.

Config:
N/A

Logs:
N/A

Call Stack:
N/A
@DemiMarie DemiMarie added bug triage Issue requires triage labels Apr 20, 2025
@yanavlasov
Copy link
Contributor

Envoy does not validate the host or authority headers beyond the character set. There wasn't a use case where additional validation for IP literals was needed. If you have a reason to do so, you can implement an option in HCM to do additional validation for authority.

@ravenblackx ravenblackx added area/http_connection_manager and removed triage Issue requires triage labels Apr 21, 2025
@ravenblackx
Copy link
Contributor

Repro steps:
Use one of the above-mentioned addresses as the IPv6 address part of a Host: header.

What is the unwanted behavior exhibited if you do this?

@DemiMarie
Copy link
Author

The code and commit history claims that the goal is to validate IPv6 addresses, but the code isn’t consistent with this. If Envoy is going to validate IPv6 addresses at all, it should do so correctly.

@github-actions GitHub Actions
Copy link

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label May 22, 2025
@DemiMarie
Copy link
Author

Not stale.

@github-actions github-actions bot removed the stale stalebot believes this issue/PR has not been touched recently label May 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/http_connection_manager bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ravenblackx @yanavlasov @DemiMarie