gsrlabs/go
1
0
Fork 0
mirror of https://github.com/golang/go.git synced 2026-02-04 01:45:06 +03:00
Code Issues Packages Projects Releases Wiki Activity

net/mail: avoid quadratic behavior in mail address parsing

Browse Source 
RFC 5322 domain-literal parsing built the dtext value one character
at a time with string concatenation, resulting in excessive
resource consumption when parsing very large domain-literal values.

Replace with a subslice.

Benchmark not included in this CL because it's too narrow to be
of general ongoing use, but for:

    ParseAddress("alice@[" + strings.Repeat("a", 0x40000) + "]")

goos: darwin
goarch: arm64
pkg: net/mail
cpu: Apple M4 Pro
                │  /tmp/bench.0  │            /tmp/bench.1             │
                │     sec/op     │   sec/op     vs base                │
ParseAddress-14   1987.732m ± 9%   1.524m ± 5%  -99.92% (p=0.000 n=10)

                │   /tmp/bench.0   │             /tmp/bench.1              │
                │       B/op       │     B/op      vs base                 │
ParseAddress-14   33692.767Mi ± 0%   1.282Mi ± 0%  -100.00% (p=0.000 n=10)

                │  /tmp/bench.0  │            /tmp/bench.1            │
                │   allocs/op    │ allocs/op   vs base                │
ParseAddress-14   263711.00 ± 0%   17.00 ± 0%  -99.99% (p=0.000 n=10)

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Fixes CVE-2025-61725
Fixes #75680

Change-Id: Id971c2d5b59882bb476e22fceb7e01ec08234bb7
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2840
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709860
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Bypass: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
This commit is contained in:
Damien Neil
2025-09-25 14:41:53 -07:00
committed by Gopher Robot
parent 5ede095649
commit 463165699d
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/net/mail/message.go
View File

@@ -724,7 +724,8 @@ func (p *addrParser) consumeDomainLiteral() (string, error) {
}
// Parse the dtext
var dtext string
dtext := p.s
dtextLen := 0
for {
if p.empty() {
return "", errors.New("mail: unclosed domain-literal")
@@ -741,9 +742,10 @@ func (p *addrParser) consumeDomainLiteral() (string, error) {
return "", fmt.Errorf("mail: bad character in domain-literal: %q", r)
}
dtext += p.s[:size]
dtextLen += size
p.s = p.s[size:]
}
dtext = dtext[:dtextLen]
// Skip the trailing ]
if !p.consume(']') {