[Python-checkins] cpython (merge 2.7 -> 3.1): complain when nbytes > buflen to fix possible buffer overflow (closes #20246)

benjamin.peterson python-checkins at python.org
Tue Jan 14 05:15:09 CET 2014


http://hg.python.org/cpython/rev/715fd3d8ac93
changeset:   88454:715fd3d8ac93
branch:      3.1
parent:      86777:b1ddcb220a7f
parent:      88453:87673659d8f7
user:        Benjamin Peterson <benjamin at python.org>
date:        Mon Jan 13 23:06:14 2014 -0500
summary:
  complain when nbytes > buflen to fix possible buffer overflow (closes #20246)

files:
  Lib/test/test_socket.py |  8 ++++++++
  Misc/ACKS               |  1 +
  Misc/NEWS               |  2 ++
  Modules/socketmodule.c  |  6 ++++++
  4 files changed, 17 insertions(+), 0 deletions(-)


diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
@@ -1424,6 +1424,14 @@
         buf = bytes(MSG)
         self.serv_conn.send(buf)
 
+    def testRecvFromIntoSmallBuffer(self):
+        # See issue #20246.
+        buf = bytearray(8)
+        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+    def _testRecvFromIntoSmallBuffer(self):
+        self.serv_conn.send(MSG*2048)
+
 
 TIPC_STYPE = 2000
 TIPC_LOWER = 200
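Review bot: `testRecvFromIntoSmallBuffer` only asserts that ValueError is raised; it does not confirm that `buf` was left untouched, which is the property the fix actually protects. Adding `self.assertEqual(buf, bytearray(8))` after the `assertRaises` pins that no bytes were written before the length check fired. The server-side `_testRecvFromIntoSmallBuffer` sends `MSG*2048` that the client never drains, which is fine because the call must fail before reading, but a comment would save the next reader a question, e.g. `# The client call fails before reading, so this data is intentionally left unread.`. The enclosing test class starts and ends outside the hunk.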
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -757,6 +757,7 @@
 Eric V. Smith
 Christopher Smith
 Gregory P. Smith
+Ryan Smith-Roberts
 Rafal Smotrzyk
 Dirk Soede
 Paul Sokolovsky
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,8 @@
 Library
 -------
 
+- Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
 - Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
 
 - Issue #14984: On POSIX systems, when netrc is called without a filename
diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -2494,6 +2494,12 @@
     if (recvlen == 0) {
         /* If nbytes was not specified, use the buffer's length */
         recvlen = buflen;
+    } else if (recvlen > buflen) {
+        PyBuffer_Release(&pbuf);
+        Py_XDECREF(addr);
+        PyErr_SetString(PyExc_ValueError,
+                        "nbytes is greater than the length of the buffer");
+        return NULL;
     }
 
     readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
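Review bot: The `Py_XDECREF(addr)` on the new error path appears to be dead cleanup: `addr` is only populated by `sock_recvfrom_guts` on the line after the guard, so nothing can have been stored in it yet (assuming its declaration, outside the hunk, initialises it to NULL as the `Py_XDECREF` idiom implies), and keeping it should be a deliberate choice for symmetry rather than an accident. The guard itself is the right fix, since the following call writes up to `recvlen` bytes into a `buflen`-byte buffer, and a one-line comment would make that explicit, e.g. `/* A caller-supplied nbytes must not exceed the buffer, or the read below overruns it */`. A negative `recvlen` is not rejected by this branch; if the earlier part of the function (outside the hunk) does not already reject it, the same error path should cover `recvlen < 0`. The enclosing function starts and ends outside the hunk.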
