1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
# Edited from Mercurial patch: deleted the NEWS hunk, since it didn't apply cleanly.
# It added the following line to NEWS:
# - Issue #20246: Fix buffer overflow in socket.recvfrom_into.
# HG changeset patch
# User Benjamin Peterson <benjamin@python.org>
# Date 1389671978 18000
# Node ID 9c56217e5c793685eeaf0ee224848c402bdf1e4c
# Parent 2b5cd6d4d149dea6c6941b7e07ada248b29fc9f6
complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
@@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest):
_testRecvFromIntoMemoryview = _testRecvFromIntoArray
+ def testRecvFromIntoSmallBuffer(self):
+ # See issue #20246.
+ buf = bytearray(8)
+ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+ def _testRecvFromIntoSmallBuffer(self):
+ self.serv_conn.send(MSG*2048)
+
TIPC_STYPE = 2000
TIPC_LOWER = 200
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1020,6 +1020,7 @@ Eric V. Smith
Christopher Smith
Gregory P. Smith
Roy Smith
+Ryan Smith-Roberts
Rafal Smotrzyk
Dirk Soede
Paul Sokolovsky
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s
if (recvlen == 0) {
/* If nbytes was not specified, use the buffer's length */
recvlen = buflen;
+ } else if (recvlen > buflen) {
+ PyBuffer_Release(&pbuf);
+ PyErr_SetString(PyExc_ValueError,
+ "nbytes is greater than the length of the buffer");
+ return NULL;
}
readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
|