bpo-34824: Fix a possible NULL pointer dereference in _ssl.c by ZackerySpytz · Pull Request #9606 · python/cpython (original) (raw)

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Conversation16 Commits4 Checks0 Files changed

Conversation

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})

On failure, _PyBytes_Resize() will deallocate the bytes object and set "result" to NULL.

1st1 approved these changes Sep 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch!

Please address the comment.

@@ -4712,7 +4712,6 @@ _ssl_MemoryBIO_read_impl(PySSLMemoryBIO *self, int len)
nbytes = BIO_read(self->bio, PyBytes_AS_STRING(result), len);
/* There should never be any short reads but check anyway. */
if ((nbytes < len) && (_PyBytes_Resize(&result, len) < 0)) {
Py_DECREF(result);

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's rewrite the block to conform to the style of other _PyBytes_Resize calls. There is no need to check the return value of _PyBytes_Resize, because the function returns result any way.

if (nbytes < len) {
    _PyBytes_Resize(&result, len);
}

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

I have made the requested changes; please review again.

Thanks for making the requested changes!

@1st1, @tiran: please review the changes made to this pull request.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current code doesn't have any effect and errors in BIO_read() are not handled.

Py_DECREF(result);
return NULL;
if (nbytes < len) {
_PyBytes_Resize(&result, len);

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This operation doesn't have any effect. There should be nbytes instead of len. Note that nbytes can be negative, this denotes an error.

I have made the requested changes; please review again.

if ((nbytes < len) && (_PyBytes_Resize(&result, len) < 0)) {
Py_DECREF(result);
if (nbytes < 0) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
return NULL;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

result is leaked here.

I have made the requested changes; please review again.

Thanks @ZackerySpytz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request

Oct 6, 2018

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request

Oct 6, 2018

vstinner pushed a commit that referenced this pull request

Oct 19, 2018

vstinner pushed a commit that referenced this pull request

Oct 19, 2018