This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients Andrey Wagin, benjamin.peterson, berker.peksag, christian.heimes, martin.panter
Date 2016-09-26.15:31:46
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1474903906.23.0.497592075418.issue24933@psf.upfronthosting.co.za>
In-reply-to
Content 
Ah, I misunderstood MSG_TRUNC. It's not a buffer overflow. MSG_TRUNC does not write beyond the end of the buffer. In this example the libc function recv() writes two bytes into the buffer but returns a larger value than 2.

---
import socket
a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
a.send(b'abcdefgh')
result = b.recv(2, socket.MSG_TRUNC)
print(len(result), result)
---
stdout: 2 b'ab'

To fix the wrong result of recv() with MSG_TRUNC, only resize when outlen < recvlen (line 3089).

To get the size of the message, you have to use recv_into() with a buffer.

---
a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
a.send(b'abcdefgh')
msg = bytearray(2)
result = b.recv_into(msg, flags=socket.MSG_TRUNC)
print(result, msg)
---
stdout: 8 bytearray(b'ab')
History
Date User Action Args
2016-09-26 15:31:46christian.heimessetrecipients: + christian.heimes, benjamin.peterson, berker.peksag, martin.panter, Andrey Wagin
2016-09-26 15:31:46christian.heimessetmessageid: <1474903906.23.0.497592075418.issue24933@psf.upfronthosting.co.za>
2016-09-26 15:31:46christian.heimeslinkissue24933 messages
2016-09-26 15:31:46christian.heimescreate