complain when nbytes > buflen to fix possible buffer overflow (closes #20246)

author Benjamin Peterson <benjamin@python.org>

Tue, 14 Jan 2014 03:59:38 +0000 (22:59 -0500)

committer Benjamin Peterson <benjamin@python.org>

Tue, 14 Jan 2014 03:59:38 +0000 (22:59 -0500)
author Benjamin Peterson <benjamin@python.org>
Tue, 14 Jan 2014 03:59:38 +0000 (22:59 -0500)
committer Benjamin Peterson <benjamin@python.org>
Tue, 14 Jan 2014 03:59:38 +0000 (22:59 -0500)
diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py

index 4a60be3bcbb2b3dd42ad305e5fadc7396b8f3444..c7ad1217e4f4ca88b22b970b3b1566fab5274696 100644 (file)
--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
@@ -1620,6 +1620,16 @@ class BufferIOTest(SocketConnectedTest):
  
      _testRecvFromIntoMemoryview = _testRecvFromIntoArray
  
+    def testRecvFromIntoSmallBuffer(self):
+        # See issue #20246.
+        buf = bytearray(8)
+        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+    def _testRecvFromIntoSmallBuffer(self):
+        with test_support.check_py3k_warnings():
+            buf = buffer(MSG*2048)
+        self.serv_conn.send(buf)
+
  
  TIPC_STYPE = 2000
  TIPC_LOWER = 200
diff --git a/Misc/ACKS b/Misc/ACKS

index 2ea2322b4bcfd2a81b24dcddf261833315f09384..2d778a43c6eddc87c48f840e61d55e297dad4254 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -979,6 +979,7 @@ Eric V. Smith
  Christopher Smith
  Gregory P. Smith
  Roy Smith
+Ryan Smith-Roberts
  Rafal Smotrzyk
  Dirk Soede
  Paul Sokolovsky
diff --git a/Misc/NEWS b/Misc/NEWS

index 6eee65c9a324c4f4fc570cdfb42d545e0c286a8a..17e61fdf68fba9d3f8209385dbdd4dc79ee20bfa 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -35,6 +35,8 @@ Core and Builtins
  Library
  -------
  
+- Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
  - Issue #19082: Working SimpleXMLRPCServer and xmlrpclib examples, both in
    modules and documentation.
  
diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c

index 2735ecc77359f4deafd3e2cd38d491cd18aab231..27df333b7a7e1cfe6ff59bf09c2313f886ad8bc7 100644 (file)
--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -2742,6 +2742,10 @@ sock_recvfrom_into(PySocketSockObject *s, PyObject *args, PyObject* kwds)
      if (recvlen == 0) {
          /* If nbytes was not specified, use the buffer's length */
          recvlen = buflen;
+    } else if (recvlen > buflen) {
+        PyErr_SetString(PyExc_ValueError,
+                        "nbytes is greater than the length of the buffer");
+        goto error;
      }
  
      readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
author	Benjamin Peterson <benjamin@python.org>
	Tue, 14 Jan 2014 03:59:38 +0000 (22:59 -0500)
committer	Benjamin Peterson <benjamin@python.org>
	Tue, 14 Jan 2014 03:59:38 +0000 (22:59 -0500)
Lib/test/test_socket.py		patch \| blob \| history
Misc/ACKS		patch \| blob \| history
Misc/NEWS		patch \| blob \| history
Modules/socketmodule.c		patch \| blob \| history