Hi,

there is a buffer overflow in socket.recvfrom_into (more details at 
http://seclists.org/oss-sec/2014/q1/284 and http://bugs.python.org/issue20246).

Attached is the diff.

Could be good to have this in for 5.5.

Ok?

Cheers,

Remi.

Index: Makefile
===================================================================
RCS file: /cvs/ports/lang/python/2.7/Makefile,v
retrieving revision 1.28
diff -u -p -r1.28 Makefile
--- Makefile    9 Jan 2014 18:03:35 -0000       1.28
+++ Makefile    8 Feb 2014 14:57:03 -0000
@@ -2,6 +2,7 @@
 
 VERSION =              2.7
 PATCHLEVEL =           .6
+REVISION =             0
 SHARED_LIBS =          python2.7 0.0
 VERSION_SPEC =         >=2.7,<2.8
 
Index: patches/patch-Lib_test_test_socket_py
===================================================================
RCS file: patches/patch-Lib_test_test_socket_py
diff -N patches/patch-Lib_test_test_socket_py
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-Lib_test_test_socket_py       8 Feb 2014 14:57:03 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+--- Lib/test/test_socket.py.orig
++++ Lib/test/test_socket.py
+@@ -1620,6 +1620,16 @@ class BufferIOTest(SocketConnectedTest):
+ 
+     _testRecvFromIntoMemoryview = _testRecvFromIntoArray
+ 
++    def testRecvFromIntoSmallBuffer(self):
++        # See issue #20246.
++        buf = bytearray(8)
++        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
++
++    def _testRecvFromIntoSmallBuffer(self):
++        with test_support.check_py3k_warnings():
++            buf = buffer(MSG)
++        self.serv_conn.send(buf)
++
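Review bot: The embedded hunk header `@@ -1620,6 +1620,16 @@` promises six old lines, but only three context lines precede the additions and none follow the final `+` line, so this patch file looks truncated and may not apply cleanly. The outer `@@ -0,0 +1,17 @@` count matches the 17 lines shown, which suggests the file itself is short rather than the mail having clipped it. The 3.3 copy has the same shape (`-4538,6 +4538,14` with only 11 body lines), and its `---` line also lacks the `.orig` suffix the other patches carry. Regenerating both with `make update-patches` after a clean `make patch` would settle it.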
Index: patches/patch-Modules_socketmodule_c
===================================================================
RCS file: patches/patch-Modules_socketmodule_c
diff -N patches/patch-Modules_socketmodule_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-Modules_socketmodule_c        8 Feb 2014 14:57:03 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+--- Modules/socketmodule.c.orig
++++ Modules/socketmodule.c
+@@ -2742,6 +2742,10 @@ sock_recvfrom_into(PySocketSockObject *s
+     if (recvlen == 0) {
+         /* If nbytes was not specified, use the buffer's length */
+         recvlen = buflen;
++    } else if (recvlen > buflen) {
++        PyErr_SetString(PyExc_ValueError,
++                        "nbytes is greater than the length of the buffer");
++        goto error;
+     }
+ 
+     readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
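Review bot: The new `else if (recvlen > buflen)` branch has no comment saying why the bound matters, although it is the whole fix: without it `sock_recvfrom_guts` is handed a length larger than the caller's buffer. I would add `/* issue #20246: nbytes must not exceed the buffer, or the receive writes past its end */` above the `PyErr_SetString` call; the same applies to the 3.3 patch. The comparison is only sound if `recvlen` and `buflen` have the same signed type and a negative `recvlen` is rejected earlier, so both are worth confirming against the declarations, which are outside this hunk. The `error` label that `goto error` targets is also outside the hunk.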
Index: Makefile
===================================================================
RCS file: /cvs/ports/lang/python/3.3/Makefile,v
retrieving revision 1.6
diff -u -p -r1.6 Makefile
--- Makefile    27 Oct 2013 18:32:55 -0000      1.6
+++ Makefile    8 Feb 2014 14:54:08 -0000
@@ -2,7 +2,7 @@
 
 VERSION =              3.3
 PATCHLEVEL =           .2
-REVISION =             0
+REVISION =             1
 SHARED_LIBS =          python3.3m 0.0
 VERSION_SPEC =         >=3.3,<3.4
 
Index: patches/patch-Lib_test_test_socket_py
===================================================================
RCS file: patches/patch-Lib_test_test_socket_py
diff -N patches/patch-Lib_test_test_socket_py
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-Lib_test_test_socket_py       8 Feb 2014 14:54:08 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+--- Lib/test/test_socket.py
++++ Lib/test/test_socket.py
+@@ -4538,6 +4538,14 @@ class BufferIOTest(SocketConnectedTest):
+ 
+     _testRecvFromIntoMemoryview = _testRecvFromIntoArray
+ 
++    def testRecvFromIntoSmallBuffer(self):
++        # See issue #20246.
++        buf = bytearray(8)
++        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
++
++    def _testRecvFromIntoSmallBuffer(self):
++        self.serv_conn.send(MSG)
++
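Review bot: `testRecvFromIntoSmallBuffer` only checks `nbytes=1024` against an 8-byte buffer, so the boundary itself is not pinned and a comparison that is off by one in the C code would still pass. Adding `self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, len(buf) + 1)` covers the first value that must be rejected; the 2.7 copy of the test has the same gap. Whether the accepted case `nbytes == len(buf)` is already exercised by the neighbouring `testRecvFromInto*` tests cannot be seen from this hunk.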
Index: patches/patch-Modules_socketmodule_c
===================================================================
RCS file: patches/patch-Modules_socketmodule_c
diff -N patches/patch-Modules_socketmodule_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-Modules_socketmodule_c        8 Feb 2014 14:54:08 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+--- Modules/socketmodule.c.orig
++++ Modules/socketmodule.c
+@@ -2935,6 +2935,11 @@ sock_recvfrom_into(PySocketSockObject *s
+     if (recvlen == 0) {
+         /* If nbytes was not specified, use the buffer's length */
+         recvlen = buflen;
++    } else if (recvlen > buflen) {
++        PyBuffer_Release(&pbuf);
++        PyErr_SetString(PyExc_ValueError,
++                        "nbytes is greater than the length of the buffer");
++        return NULL;
+     }
+ 
+     readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
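Review bot: The cleanup on this error path is written inline (`PyBuffer_Release(&pbuf);` then `return NULL;`), whereas the 2.7 patch reaches its exit through `goto error`. That is fine if it mirrors the other early returns in `sock_recvfrom_into`, but those lie outside the hunk and cannot be confirmed from here. Every exit taken after the buffer is acquired has to release it, so it is worth checking that the earlier validation paths in this function do the same as this one.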
