[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses
David Watson
report at bugs.python.org
Mon Apr 12 20:08:32 CEST 2010
David Watson <baikie at users.sourceforge.net> added the comment:
Attaching the C test programs I forgot to attach yesterday -
sorry about that. I've also tried these programs, and the
patches, on FreeBSD 5.3 (an old version from late 2004). I found
that it accepted unterminated addresses as well, and unlike Linux
it did not normally null-terminate addresses at all - the
existing socket code only worked for addresses shorter than
sun_path because it zero-filled the structure beforehand. The
return-unterminated patches worked with or without the
zero-filling.
Unlike Linux, FreeBSD also accepted oversized sockaddr_un
structures (sun_path longer than its definition), so just
allowing unterminated addresses wouldn't make the full range of
addresses usable there. That said, I did get a kernel panic
shortly after testing with oversized addresses, so perhaps it's
not a good idea to actually use them :)
----------
Added file: http://bugs.python.org/file16898/bindconn.c
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue8372>
_______________________________________
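Added example, not part of the original message or of the patches attached to the issue: one way to read sun_path from a returned AF_UNIX address without relying on a terminating NUL or on zero-filling, bounding the scan by the reported address length and by the size of the structure. The names unix_path_copy and fill_unterminated are hypothetical, the sample address is constructed, and only pathname addresses are considered.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper: copy the pathname from addr (reported length
 * addrlen) into out as a NUL-terminated string. Returns the path length,
 * or -1 if addrlen is shorter than the header or out is too small. */
long unix_path_copy(const struct sockaddr_un *addr, socklen_t addrlen,
                    char *out, size_t outsize)
{
    size_t hdr = offsetof(struct sockaddr_un, sun_path);
    size_t avail, len;
    const char *nul;

    if ((size_t)addrlen < hdr)
        return -1;
    avail = (size_t)addrlen - hdr;
    /* The reported length may exceed the structure we hold: clamp it. */
    if (avail > sizeof(addr->sun_path))
        avail = sizeof(addr->sun_path);
    /* Bounded scan instead of strlen(): the NUL is optional. */
    nul = memchr(addr->sun_path, '\0', avail);
    len = nul ? (size_t)(nul - addr->sun_path) : avail;
    if (len + 1 > outsize)
        return -1;
    memcpy(out, addr->sun_path, len);
    out[len] = '\0';
    return (long)len;
}

/* Constructed sample: sun_path filled completely, no terminator. */
socklen_t fill_unterminated(struct sockaddr_un *addr)
{
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memset(addr->sun_path, 'A', sizeof(addr->sun_path));
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path)
                       + sizeof(addr->sun_path));
}

int main(void)
{
    struct sockaddr_un a;
    char buf[sizeof(a.sun_path) + 1];
    printf("%ld\n", unix_path_copy(&a, fill_unterminated(&a), buf, sizeof(buf)));
    return 0;
}
```

The output buffer needs sizeof(sun_path) + 1 bytes, because a full-length address leaves no room for the terminator inside the structure itself.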