From b1d7f3d6e816ae9eb62625e0b0d35a8d36b0aa02 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Wed, 28 Jan 2026 16:20:36 -0800 Subject: [PATCH] s3tables: Add upper bound validation for MaxBuckets parameter MaxBuckets is user-controlled and used in uint32(maxBuckets*2) for ListEntries. Very large values can overflow uint32 or trigger overly expensive scans. Cap MaxBuckets to 1000 and reject out-of-range values, consistent with MaxTables handling and S3 MaxKeys validation elsewhere in the codebase. --- weed/s3api/s3tables/handler_bucket_get_list_delete.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/weed/s3api/s3tables/handler_bucket_get_list_delete.go b/weed/s3api/s3tables/handler_bucket_get_list_delete.go index 1a793cf36..7c3e8eefe 100644 --- a/weed/s3api/s3tables/handler_bucket_get_list_delete.go +++ b/weed/s3api/s3tables/handler_bucket_get_list_delete.go @@ -101,6 +101,12 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http. if maxBuckets <= 0 { maxBuckets = 100 } + // Cap to prevent uint32 overflow when used in uint32(maxBuckets*2) + const maxBucketsLimit = 1000 + if maxBuckets > maxBucketsLimit { + h.writeError(w, http.StatusBadRequest, ErrCodeInvalidRequest, "MaxBuckets exceeds maximum allowed value") + return fmt.Errorf("invalid maxBuckets value: %d", maxBuckets) + } var buckets []TableBucketSummary