Christian Heimes added the comment:

Ah, I misunderstood MSG_TRUNC. It's not a buffer overflow. MSG_TRUNC does not 
write beyond the end of the buffer. In this example the libc function recv() 
writes two bytes into the buffer but returns a larger value than 2.

---
import socket
a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
a.send(b'abcdefgh')
result = b.recv(2, socket.MSG_TRUNC)
print(len(result), result)
---
stdout: 2 b'ab'

To fix the wrong result of recv() with MSG_TRUNC, only resize when outlen < 
recvlen (line 3089).

To get the size of the message, you have to use recv_into() with a buffer.

---
import socket
a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
a.send(b'abcdefgh')
msg = bytearray(2)
# recv_into() returns the length reported by recv(), not the bytes stored in msg
result = b.recv_into(msg, flags=socket.MSG_TRUNC)
print(result, msg)
---
stdout: 8 bytearray(b'ab')

----------
priority: critical -> high
type: security -> behavior
versions:  -Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24933>
_______________________________________
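
The behaviour described in the message above, turned into a receive helper that detects truncation instead of trusting the returned length. This is an added example, not code from the original message or from CPython; the function names `recv_checked` and `recv_whole` are hypothetical, and it assumes Linux semantics for MSG_TRUNC on datagram sockets.

```python
import socket

def recv_checked(sock, bufsize):
    """Read one datagram into a fixed buffer and report truncation.

    Returns (data, real_len, truncated). Assumes Linux, where MSG_TRUNC
    makes the call return the datagram's real length.
    """
    buf = bytearray(bufsize)
    real_len = sock.recv_into(buf, bufsize, socket.MSG_TRUNC)
    # Only min(real_len, bufsize) bytes were written; never slice by real_len.
    stored = min(real_len, bufsize)
    return bytes(buf[:stored]), real_len, real_len > bufsize

def recv_whole(sock, max_size=65536):
    """Peek at the pending datagram's size, then read it whole.

    Datagrams longer than max_size are dropped and ValueError is raised.
    """
    probe = bytearray(1)
    real_len = sock.recv_into(probe, 1, socket.MSG_PEEK | socket.MSG_TRUNC)
    if real_len > max_size:
        sock.recv(1)  # consume and discard the oversized datagram
        raise ValueError(f"datagram of {real_len} bytes exceeds {max_size}")
    # Ask for at least 1 byte so an empty datagram is still consumed.
    return sock.recv(max(real_len, 1))

if __name__ == "__main__":
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    a.send(b"abcdefgh")  # constructed sample message
    print(recv_checked(b, 2))
    a.send(b"abcdefgh")
    print(recv_whole(b))
```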