Created
March 4, 2014 17:50
CVE-2014-1912
# HG changeset patch | |
# User Benjamin Peterson <benjamin@python.org> | |
# Date 1389671978 18000 | |
# Node ID 87673659d8f7ba1623cd4914f09ad3d2ade034e9 | |
# Parent 2631d33ee7fbd5f0288931ef37872218d511d2e8 | |
complain when nbytes > buflen to fix possible buffer overflow (closes #20246) | |
# HG changeset patch | |
# User Stefan Krah <skrah@bytereef.org> | |
# Date 1390341952 -3600 | |
# Node ID b6c5a37b221f5c617125faa363d1b460b0b61b42 | |
# Parent d55d1cbf5f9a9efa7908fc9412bae676a6b675ef | |
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts. | |
diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py | |
--- Lib/test/test_socket.py | |
+++ Lib/test/test_socket.py | |
@@ -1620,6 +1620,16 @@ class BufferIOTest(SocketConnectedTest): | |
_testRecvFromIntoMemoryview = _testRecvFromIntoArray | |
+ def testRecvFromIntoSmallBuffer(self): | |
+ # See issue #20246. | |
+ buf = bytearray(8) | |
+ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) | |
+ | |
+ def _testRecvFromIntoSmallBuffer(self): | |
+ with test_support.check_py3k_warnings(): | |
+ buf = buffer(MSG) | |
+ self.serv_conn.send(buf) | |
+ | |
TIPC_STYPE = 2000 | |
TIPC_LOWER = 200 | |
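Review bot: testRecvFromIntoSmallBuffer only pins a request far above the buffer size (`1024` against `bytearray(8)`), so an off-by-one in the new bound would still pass. I would add the boundary case `self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, len(buf) + 1)`, and ideally a positive case showing that nbytes equal to `len(buf)` is still accepted. The comment `# See issue #20246.` could also state what is guarded, for example `# nbytes larger than the buffer must raise ValueError instead of writing past it (issue #20246).`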
diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c | |
--- Modules/socketmodule.c | |
+++ Modules/socketmodule.c | |
@@ -2742,6 +2742,10 @@ sock_recvfrom_into(PySocketSockObject *s | |
if (recvlen == 0) { | |
/* If nbytes was not specified, use the buffer's length */ | |
recvlen = buflen; | |
+ } else if (recvlen > buflen) { | |
+ PyErr_SetString(PyExc_ValueError, | |
+ "nbytes is greater than the length of the buffer"); | |
+ goto error; | |
} | |
readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr); |
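Review bot: The added `else if (recvlen > buflen)` branch carries no comment explaining why the bound matters, although it is the only check visible here between a caller-supplied nbytes and the write into `buf.buf` by sock_recvfrom_guts on the next line. I would add `/* nbytes comes from the caller; recvfrom writes up to recvlen bytes into buf.buf, so it must never exceed buflen (issue #20246) */` above the branch. The declarations of recvlen and buflen and the `error:` label are outside this hunk, so it is worth confirming that a negative recvlen is rejected before this comparison and that the error path releases the buffer.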