
[Responsible Disclosure] uint32 underflow in NumUsableHostsForMask crashes CIDR allocation for /32 masks — MEDIUM (CWE-191) #1

Description

@dom-omg

Hello,

My name is Dominik Blain, Co-Founder at QreativeLab. I conduct formal verification analysis of open-source software.

I identified two defects in StatCan open-source repositories affecting the Advanced Analytics Workspace (AAW). I am disclosing under a 90-day responsible disclosure window.


Finding SC-001 — MEDIUM

Repo: StatCan/cidr-allocator
File: internal/networking/networking.go:56
CWE: CWE-191 — Integer Underflow

func NumUsableHostsForMask(ones uint8) (uint32, error) {
    total, err := NumHostsForMask(ones)  // returns uint32(2^(32-ones))
    if err != nil {
        return 0, err
    }
    return total - 2, nil  // uint32 underflow when ones=32 (total=1)
}

When ones = 32, NumHostsForMask returns total = 1. The expression total - 2 underflows in unsigned arithmetic to 4,294,967,295. The downstream CIDR calculation produces an incorrect subnet size, leading to overlapping pod CIDRs across Kubernetes nodes and potential pod-to-pod routing failures.

Second path in nodecidrallocation_controller.go:228-229: int64 cast to uint32 without bounds check on maxPods.

Fix:

if total < 2 {
    return 0, fmt.Errorf("mask /%d has insufficient hosts for usable allocation", ones)
}
return total - 2, nil

Finding SC-002 — HIGH

Repo: StatCan/zone-oidc-authservice (issues disabled — reporting here)
File: server.go:383-384
CWE: CWE-476 — NULL Pointer Dereference

newTokens, _, err := oidc.TokenSource(ctx, s.oauth2Config, oauth2Tokens)
userInfo, err := oidc.GetUserInfo(ctx, s.provider, newTokens)  // err overwritten, newTokens may be nil

TokenSource can return nil on OAuth2 provider failure. That error is silently overwritten. GetUserInfo calls newTokens.SetAuthHeader(req) on a nil pointer → Go panic → AuthService pod crash → all AAW users logged out.

Fix: Check err from TokenSource before calling GetUserInfo and return early.


Timeline

  • 2026-04-02 — Initial disclosure
  • 2026-07-01 — 90-day window expires

Dominik Blain
Co-Founder, QreativeLab
dominik@qreativelab.io
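The SC-001 arithmetic and the maxPods cast, as an added example that is not part of this report or of the StatCan cidr-allocator code. numHostsForMask is a stand-in written here for the project's NumHostsForMask (assumed to return 2^(32-ones) as uint32 and to reject /0 because 2^32 does not fit), smallestMaskFor is a hypothetical stand-in for the downstream subnet-sizing step, and maxPodsToUint32 is an illustration of the bounds check the report asks for on the int64 cast; all three are assumptions, not the project's code. The vulnerable variant keeps the reported wraparound on purpose so the downstream effect can be seen next to the hardened one.

```go
package main

import (
	"fmt"
	"math"
)

// numHostsForMask is a stand-in (assumption) for the project's NumHostsForMask:
// the total address count 2^(32-ones) of an IPv4 mask as uint32.
func numHostsForMask(ones uint8) (uint32, error) {
	if ones > 32 {
		return 0, fmt.Errorf("invalid prefix length /%d: must be 0..32", ones)
	}
	total := uint64(1) << (32 - ones) // computed in uint64 so /0 cannot wrap
	if total > math.MaxUint32 {
		return 0, fmt.Errorf("mask /%d spans %d addresses, which does not fit in uint32", ones, total)
	}
	return uint32(total), nil
}

// numUsableHostsVulnerable reproduces the reported defect: total - 2 wraps
// to 4294967295 when total is 1 (a /32), because uint32 subtraction is modular.
func numUsableHostsVulnerable(ones uint8) (uint32, error) {
	total, err := numHostsForMask(ones)
	if err != nil {
		return 0, err
	}
	return total - 2, nil
}

// numUsableHostsHardened applies the fix from the report: refuse masks that
// cannot hold a network address, a broadcast address and at least zero hosts.
func numUsableHostsHardened(ones uint8) (uint32, error) {
	total, err := numHostsForMask(ones)
	if err != nil {
		return 0, err
	}
	if total < 2 {
		return 0, fmt.Errorf("mask /%d has insufficient hosts for usable allocation", ones)
	}
	return total - 2, nil
}

// maxPodsToUint32 is the bounds-checked int64 -> uint32 conversion the report
// asks for on maxPods; a bare uint32(maxPods) would silently truncate or wrap.
func maxPodsToUint32(maxPods int64) (uint32, error) {
	if maxPods < 0 || maxPods > math.MaxUint32 {
		return 0, fmt.Errorf("maxPods %d is out of range for uint32", maxPods)
	}
	return uint32(maxPods), nil
}

// smallestMaskFor is a hypothetical downstream sizing step: pick the longest
// prefix (smallest subnet) whose usable host count still covers maxPods.
// With the vulnerable usable() the /32 case "covers" any pod count and wins.
func smallestMaskFor(maxPods int64, usable func(uint8) (uint32, error)) (uint8, error) {
	need, err := maxPodsToUint32(maxPods)
	if err != nil {
		return 0, err
	}
	for ones := uint8(32); ones >= 1; ones-- {
		n, err := usable(ones)
		if err == nil && n >= need {
			return ones, nil
		}
	}
	return 0, fmt.Errorf("no mask in /1../32 provides %d usable hosts", need)
}

func main() {
	v, _ := numUsableHostsVulnerable(32)
	fmt.Printf("vulnerable /32 usable hosts: %d\n", v)
	if _, err := numUsableHostsHardened(32); err != nil {
		fmt.Printf("hardened   /32: %v\n", err)
	}
	// 110 is the common kubelet default for max pods per node.
	bad, _ := smallestMaskFor(110, numUsableHostsVulnerable)
	good, _ := smallestMaskFor(110, numUsableHostsHardened)
	fmt.Printf("mask chosen for 110 pods: vulnerable /%d, hardened /%d\n", bad, good)
}
```

The sizing loop is where the wraparound turns into the overlapping-CIDR symptom: the vulnerable function reports 4,294,967,295 usable hosts for a /32, so a longest-prefix-first search stops immediately at /32 and every node receives a one-address range, while the hardened function rejects /32, reports 0 for /31, and the search lands on the first mask that actually holds the pod count.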
