[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2016-09-26 Thread Christian Heimes
Christian Heimes added the comment: Ah, I misunderstood MSG_TRUNC. It's not a buffer overflow. MSG_TRUNC does not write beyond the end of the buffer. In this example the libc function recv() writes two bytes into the buffer but returns a larger value than 2. --- import socket a, b =

[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2016-09-26 Thread Christian Heimes
Christian Heimes added the comment: MSG_TRUNC literally causes a buffer overflow. In the example sock_recv() and friends only allocate a buffer of size 1 on the heap. With MSG_TRUNC recv() ignores the maximum size and writes beyond the buffer. We cannot recover from a buffer overflow because

[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2016-09-08 Thread Christian Heimes
Changes by Christian Heimes : -- nosy: +christian.heimes ___ Python tracker ___ ___

[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2016-04-26 Thread Martin Panter
Martin Panter added the comment: As far as I know, passing MSG_TRUNC into recv() is Linux-specific. I guess the “right” portable way to get a message size is to know it in advance, or guess and expand the buffer if MSG_PEEK cannot return the whole message. Andrey: I don’t think we are

[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2016-04-26 Thread Berker Peksag
Changes by Berker Peksag : -- nosy: +berker.peksag stage: -> needs patch versions: +Python 3.5, Python 3.6 ___ Python tracker

[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2015-08-26 Thread Andrey Wagin
Andrey Wagin added the comment: There is the same behavior for python 3.4 sks[1].send(basdfasdfsadfasdfsdfsadfsdfasdfsdfasdfsadfa) 42 sks[0].recv(1, socket.MSG_PEEK | socket.MSG_TRUNC) b'a\x00Nx\x94\x7f\x00\x00sadfasdfsdfsadfsdfasdfsdfasdfsadfa' -- versions: +Python 3.4

[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2015-08-26 Thread Andrey Wagin
Changes by Andrey Wagin ava...@gmail.com: -- type: - security ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24933 ___ ___ Python-bugs-list

[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2015-08-25 Thread Benjamin Peterson
Benjamin Peterson added the comment: Evidently, the recv code doesn't know anything about MSG_TRUNC, which causes it to do incorrect things when the output length is greater than the buffer length. -- nosy: +benjamin.peterson ___ Python tracker

[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2015-08-25 Thread Andrey Wagin
New submission from Andrey Wagin: In [1]: import socket In [2]: sks = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM) In [3]: sks[1].send(asdfasdfsadfasdfsdfsadfsdfasdfsdfasdfsadfa) Out[3]: 42 In [4]: sks[0].recv(1, socket.MSG_PEEK | socket.MSG_TRUNC) Out[4]:

[issue24933] socket.recv(size, MSG_TRUNC) returns more than size bytes

2015-08-25 Thread Andrey Wagin
Andrey Wagin added the comment: sendto(4, asdfasdfsadfasdfsdfsadfsdfasdfsd..., 42, 0, NULL, 0) = 42 recvfrom(3, a\0n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\2\0\0\0..., 1, MSG_TRUNC, NULL, NULL) = 42 I think the exit code is interpreted incorrectly. In this case it isn't equal to