From ad866a1ca3e7d60da888d25d27e46a8adb2ed36e Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Mon, 6 Jan 2025 15:51:45 -0300
Subject: [4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.

Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
---
 django/forms/fields.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'django/forms/fields.py')

diff --git a/django/forms/fields.py b/django/forms/fields.py
index 01cd831964..e62417f552 100644
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -42,7 +42,7 @@ from django.forms.widgets import (
 from django.utils import formats
 from django.utils.dateparse import parse_datetime, parse_duration
 from django.utils.duration import duration_string
-from django.utils.ipv6 import clean_ipv6_address
+from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
 from django.utils.regex_helper import _lazy_re_compile
 from django.utils.translation import gettext_lazy as _
 from django.utils.translation import ngettext_lazy
@@ -1284,6 +1284,7 @@ class GenericIPAddressField(CharField):
         self.default_validators = validators.ip_address_validators(
             protocol, unpack_ipv4
         )[0]
+        kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH)
         super().__init__(**kwargs)
 
     def to_python(self, value):
@@ -1291,7 +1292,9 @@ class GenericIPAddressField(CharField):
             return ""
         value = value.strip()
         if value and ":" in value:
-            return clean_ipv6_address(value, self.unpack_ipv4)
+            return clean_ipv6_address(
+                value, self.unpack_ipv4, max_length=self.max_length
+            )
         return value
 
 
-- 
cgit v1.3
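Review bot: `kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH)` in the second hunk makes the length bound a default rather than a guarantee: a form or subclass that passes `max_length=None` (which CharField accepts) or a much larger value still reaches `clean_ipv6_address` with that value via `self.max_length` in `to_python`, so the mitigation can be relaxed without any signal. Whether `clean_ipv6_address` applies its own ceiling when handed `None` is not visible in this patch; if it does not, that override path is the residual exposure. I would record the intent on this line, e.g. `# Bound input length before IPv6 normalization (CVE-2024-56374); overriding max_length, or passing None, relaxes this mitigation.`, so a later maintainer does not treat max_length here as a purely cosmetic or widget setting. `__init__` begins outside the hunk.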
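Review bot: The third hunk does not say why `max_length` has to be threaded into `clean_ipv6_address` rather than left to CharField's own length validator, and that reasoning is easy to lose in a refactor. As I understand Django's field-cleaning order (not visible here), `to_python` runs before `run_validators`, so the CharField validator alone would never stop an oversized value from reaching the IPv6 normalization this call performs; the explicit keyword argument is what enforces the bound at the point of cost. A comment above the call such as `# Enforce max_length before the costly IPv6 normalization; CharField's validator only runs after to_python.` would capture that. Note also that `value.strip()` still runs on the full unbounded input before the check, which is linear and presumably acceptable, but worth stating. `to_python` starts outside this hunk.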