complain when nbytes > buflen to fix possible buffer overflow (closes #20246)

Lib/test/test_socket.py

@@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest):
 
     _testRecvFromIntoMemoryview = _testRecvFromIntoArray
 
+    def testRecvFromIntoSmallBuffer(self):
+        # See issue #20246.
+        buf = bytearray(8)
+        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+    def _testRecvFromIntoSmallBuffer(self):
+        self.serv_conn.send(MSG*2048)
+
 
 TIPC_STYPE = 2000
 TIPC_LOWER = 200

Misc/ACKS

@@ -1020,6 +1020,7 @@ Eric V. Smith
 Christopher Smith
 Gregory P. Smith
 Roy Smith
+Ryan Smith-Roberts
 Rafal Smotrzyk
 Dirk Soede
 Paul Sokolovsky

Misc/NEWS

@@ -10,6 +10,8 @@ What's New in Python 3.2.6?
 Library
 -------
 
+- Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
 - Issue #12226: HTTPS is now used by default when connecting to PyPI.
 
 - Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.

Modules/socketmodule.c

@@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s, PyObject *args, PyObject* kwds)
     if (recvlen == 0) {
         /* If nbytes was not specified, use the buffer's length */
         recvlen = buflen;
+    } else if (recvlen > buflen) {
+        PyBuffer_Release(&pbuf);
+        PyErr_SetString(PyExc_ValueError,
+                        "nbytes is greater than the length of the buffer");
+        return NULL;
     }
 
     readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);