Commit 44b3d800 authored by Benjamin Peterson's avatar Benjamin Peterson

complain when nbytes > buflen to fix possible buffer overflow (closes #20246)

parent f692021b
...@@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest): ...@@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest):
_testRecvFromIntoMemoryview = _testRecvFromIntoArray _testRecvFromIntoMemoryview = _testRecvFromIntoArray
def testRecvFromIntoSmallBuffer(self):
# See issue #20246.
buf = bytearray(8)
self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
def _testRecvFromIntoSmallBuffer(self):
self.serv_conn.send(MSG*2048)
TIPC_STYPE = 2000 TIPC_STYPE = 2000
TIPC_LOWER = 200 TIPC_LOWER = 200
......
...@@ -1020,6 +1020,7 @@ Eric V. Smith ...@@ -1020,6 +1020,7 @@ Eric V. Smith
Christopher Smith Christopher Smith
Gregory P. Smith Gregory P. Smith
Roy Smith Roy Smith
Ryan Smith-Roberts
Rafal Smotrzyk Rafal Smotrzyk
Dirk Soede Dirk Soede
Paul Sokolovsky Paul Sokolovsky
......
...@@ -10,6 +10,8 @@ What's New in Python 3.2.6? ...@@ -10,6 +10,8 @@ What's New in Python 3.2.6?
Library Library
------- -------
- Issue #20246: Fix buffer overflow in socket.recvfrom_into.
- Issue #12226: HTTPS is now used by default when connecting to PyPI. - Issue #12226: HTTPS is now used by default when connecting to PyPI.
- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler. - Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
......
...@@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s, PyObject *args, PyObject* kwds) ...@@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s, PyObject *args, PyObject* kwds)
if (recvlen == 0) { if (recvlen == 0) {
/* If nbytes was not specified, use the buffer's length */ /* If nbytes was not specified, use the buffer's length */
recvlen = buflen; recvlen = buflen;
} else if (recvlen > buflen) {
PyBuffer_Release(&pbuf);
PyErr_SetString(PyExc_ValueError,
"nbytes is greater than the length of the buffer");
return NULL;
} }
readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr); readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment