Message 208062 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	rmsr
Recipients	rmsr
Date	2014-01-14.00:43:59
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1389660239.25.0.341393063834.issue20246@psf.upfronthosting.co.za>
In-reply-to

Content
recvfrom_into fails to check that the supplied buffer object is big enough for the requested read and so will happily write off the end. I will attach patches for 3.4 and 2.7, I'm not familiar with the backporting procedure to go further but all versions since 2.5 have this bug and while very highly unlikely it's technically remotely exploitable. Quickie trigger script, crash on interpreter exit: --------- BEGIN SEGFAULT --------- import socket r, w = socket.socketpair() w.send(b'X' * 1024) r.recvfrom_into(bytearray(), 1024)

recvfrom_into fails to check that the supplied buffer object is big enough for the requested read and so will happily write off the end.

I will attach patches for 3.4 and 2.7, I'm not familiar with the backporting procedure to go further but all versions since 2.5 have this bug and while very highly unlikely it's technically remotely exploitable.

Quickie trigger script, crash on interpreter exit:

--------- BEGIN SEGFAULT ---------

import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
r.recvfrom_into(bytearray(), 1024)

History
Date	User	Action	Args
2014-01-14 00:43:59	rmsr	set	recipients: + rmsr
2014-01-14 00:43:59	rmsr	set	messageid: <1389660239.25.0.341393063834.issue20246@psf.upfronthosting.co.za>
2014-01-14 00:43:59	rmsr	link	issue20246 messages
2014-01-14 00:43:59	rmsr	create