
changeset: 88454:715fd3d8ac93
branch: 3.1
parent: 86777:b1ddcb220a7f
parent: 88453:87673659d8f7
user: Benjamin Peterson benjamin@python.org
date: Mon Jan 13 23:06:14 2014 -0500
files: Lib/test/test_socket.py Misc/ACKS Misc/NEWS Modules/socketmodule.c
description: complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
diff -r b1ddcb220a7f -r 715fd3d8ac93 Lib/test/test_socket.py
--- a/Lib/test/test_socket.py Wed Oct 30 12:43:09 2013 -0400
+++ b/Lib/test/test_socket.py Mon Jan 13 23:06:14 2014 -0500
@@ -1424,6 +1424,14 @@
 buf = bytes(MSG)
 self.serv_conn.send(buf)
+ def testRecvFromIntoSmallBuffer(self):
+ # See issue #20246.
+ buf = bytearray(8)
+ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+ def _testRecvFromIntoSmallBuffer(self):
+ self.serv_conn.send(MSG*2048)
+
 TIPC_STYPE = 2000
 TIPC_LOWER = 200
diff -r b1ddcb220a7f -r 715fd3d8ac93 Misc/ACKS
--- a/Misc/ACKS Wed Oct 30 12:43:09 2013 -0400
+++ b/Misc/ACKS Mon Jan 13 23:06:14 2014 -0500
@@ -757,6 +757,7 @@
 Eric V. Smith
 Christopher Smith
 Gregory P. Smith
+Ryan Smith-Roberts
 Rafal Smotrzyk
 Dirk Soede
 Paul Sokolovsky
diff -r b1ddcb220a7f -r 715fd3d8ac93 Misc/NEWS
--- a/Misc/NEWS Wed Oct 30 12:43:09 2013 -0400
+++ b/Misc/NEWS Mon Jan 13 23:06:14 2014 -0500
@@ -13,6 +13,8 @@
 Library
 -------
+- Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
 - Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
 - Issue #14984: On POSIX systems, when netrc is called without a filename
diff -r b1ddcb220a7f -r 715fd3d8ac93 Modules/socketmodule.c
--- a/Modules/socketmodule.c Wed Oct 30 12:43:09 2013 -0400
+++ b/Modules/socketmodule.c Mon Jan 13 23:06:14 2014 -0500
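Review bot: In Lib/test/test_socket.py, `testRecvFromIntoSmallBuffer` only tries an `nbytes` far above the buffer size (1024 against an 8-byte `bytearray`), so it would still pass if the C comparison were off by one. Adding `self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, len(buf) + 1)` pins the boundary the fix depends on without consuming any of the data sent by `_testRecvFromIntoSmallBuffer`. The `# See issue #20246.` comment could also state what is checked, e.g. `# nbytes larger than the buffer must raise ValueError instead of overflowing (issue #20246)`.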
@@ -2494,6 +2494,12 @@
 if (recvlen == 0) {
 /* If nbytes was not specified, use the buffer's length */
 recvlen = buflen;
+ } else if (recvlen > buflen) {
+ PyBuffer_Release(&pbuf);
+ Py_XDECREF(addr);
+ PyErr_SetString(PyExc_ValueError,
+ "nbytes is greater than the length of the buffer");
+ return NULL;
 }
 readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
/benjamin@python.org
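Review bot: The `recvlen > buflen` guard in Modules/socketmodule.c bounds the write only if both operands are signed values of the same width and a negative `nbytes` has already been rejected. The declarations and any earlier check sit outside this hunk, so that is worth confirming before relying on the comparison. `Py_XDECREF(addr)` runs before `sock_recvfrom_guts` is handed `&addr`, so unless `addr` is assigned earlier in the function it is a no-op on this path and could be dropped for clarity. A short comment on the new branch would help later readers, e.g. `/* the receive would write nbytes into a buflen-sized buffer; refuse rather than overflow (issue #20246) */`. The enclosing function starts and ends outside the hunk.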