complain when nbytes > buflen to fix possible buffer overflow (closes #20246)

28cf368c · Benjamin Peterson · aec3065b · 28cf368c · 28cf368c · 28cf368c
Commit 28cf368c authored Jan 13, 2014 by Benjamin Peterson
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

Lib/test/test_socket.py Lib/test/test_socket.py +10 -0

Misc/ACKS Misc/ACKS +1 -0

Misc/NEWS Misc/NEWS +2 -0

Modules/socketmodule.c Modules/socketmodule.c +4 -0

No files found.
--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
@@ -1620,6 +1620,16 @@ class BufferIOTest(SocketConnectedTest):

    _testRecvFromIntoMemoryview = _testRecvFromIntoArray

+    def testRecvFromIntoSmallBuffer(self):
+        # See issue #20246.
+        buf = bytearray(8)
+        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+    def _testRecvFromIntoSmallBuffer(self):
+        with test_support.check_py3k_warnings():
+            buf = buffer(MSG*2048)
+        self.serv_conn.send(buf)
+

 TIPC_STYPE = 2000
 TIPC_LOWER = 200

--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -979,6 +979,7 @@ Eric V. Smith
 Christopher Smith
 Gregory P. Smith
 Roy Smith
+Ryan Smith-Roberts
 Rafal Smotrzyk
 Dirk Soede
 Paul Sokolovsky

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -35,6 +35,8 @@ Core and Builtins
 Library
 -------

+- Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
 - Issue #19082: Working SimpleXMLRPCServer and xmlrpclib examples, both in
  modules and documentation.


--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -2742,6 +2742,10 @@ sock_recvfrom_into(PySocketSockObject *s, PyObject *args, PyObject* kwds)
    if (recvlen == 0) {
        /* If nbytes was not specified, use the buffer's length */
        recvlen = buflen;
+    } else if (recvlen > buflen) {
+        PyErr_SetString(PyExc_ValueError,
+                        "nbytes is greater than the length of the buffer");
+        goto error;
    }

    readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);