diff options
author | Benjamin Peterson <benjamin@python.org> | 2014-01-13 23:06:14 -0500 |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2014-01-13 23:06:14 -0500 |
commit | 7887fd97b54bf12c321212dbda3e14af4a688df9 (patch) | |
tree | 5e7efeee66b4cc6f92befc7a81bb398973bbbd50 | |
parent | ac25cd1dc3c245d49c1c2e9b3f6dce481e6c11df (diff) | |
parent | 64f6847a13bf539a69287edd49521b5e6d1f1a80 (diff) | |
download | cpython-7887fd97b54bf12c321212dbda3e14af4a688df9.tar.gz |
complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
-rw-r--r-- | Lib/test/test_socket.py | 8 | ||||
-rw-r--r-- | Misc/ACKS | 1 | ||||
-rw-r--r-- | Misc/NEWS | 2 | ||||
-rw-r--r-- | Modules/socketmodule.c | 6 |
4 files changed, 17 insertions, 0 deletions
diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py index 6a9497bc7d..c242a57991 100644 --- a/Lib/test/test_socket.py +++ b/Lib/test/test_socket.py @@ -1424,6 +1424,14 @@ class BufferIOTest(SocketConnectedTest): buf = bytes(MSG) self.serv_conn.send(buf) + def testRecvFromIntoSmallBuffer(self): + # See issue #20246. + buf = bytearray(8) + self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) + + def _testRecvFromIntoSmallBuffer(self): + self.serv_conn.send(MSG*2048) + TIPC_STYPE = 2000 TIPC_LOWER = 200 @@ -757,6 +757,7 @@ Kragen Sitaker Eric V. Smith Christopher Smith Gregory P. Smith +Ryan Smith-Roberts Rafal Smotrzyk Dirk Soede Paul Sokolovsky @@ -13,6 +13,8 @@ Core and Builtins Library ------- +- Issue #20246: Fix buffer overflow in socket.recvfrom_into. + - Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler. - Issue #14984: On POSIX systems, when netrc is called without a filename diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c index 5e911e0584..ebaebf51d1 100644 --- a/Modules/socketmodule.c +++ b/Modules/socketmodule.c @@ -2494,6 +2494,12 @@ sock_recvfrom_into(PySocketSockObject *s, PyObject *args, PyObject* kwds) if (recvlen == 0) { /* If nbytes was not specified, use the buffer's length */ recvlen = buflen; + } else if (recvlen > buflen) { + PyBuffer_Release(&pbuf); + Py_XDECREF(addr); + PyErr_SetString(PyExc_ValueError, + "nbytes is greater than the length of the buffer"); + return NULL; } readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr); |