Message277429
Ah, I misunderstood MSG_TRUNC. It's not a buffer overflow. MSG_TRUNC does not write beyond the end of the buffer. In this example the libc function recv() writes two bytes into the buffer but returns a larger value than 2.
---
import socket
a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
a.send(b'abcdefgh')
result = b.recv(2, socket.MSG_TRUNC)
print(len(result), result)
---
stdout: 2 b'ab'
To fix the wrong result of recv() with MSG_TRUNC, only resize when outlen < recvlen (line 3089).
To get the size of the message, you have to use recv_into() with a buffer.
---
import socket
a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
a.send(b'abcdefgh')
# 2-byte buffer for an 8-byte datagram
msg = bytearray(2)
result = b.recv_into(msg, flags=socket.MSG_TRUNC)
print(result, msg)
---
stdout: 8 bytearray(b'ab')

Date | User | Action | Args
2016-09-26 15:31:46 | christian.heimes | set | recipients: + christian.heimes, benjamin.peterson, berker.peksag, martin.panter, Andrey Wagin
2016-09-26 15:31:46 | christian.heimes | set | messageid: <1474903906.23.0.497592075418.issue24933@psf.upfronthosting.co.za>
2016-09-26 15:31:46 | christian.heimes | link | issue24933 messages
2016-09-26 15:31:46 | christian.heimes | create |
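Added example, not part of the original message or of CPython: one way a receiver can use the length reported by recv_into() with MSG_TRUNC to detect truncated datagrams and to size a buffer before reading. The function names and the max_size limit are hypothetical, and the code assumes Linux, where MSG_TRUNC makes the call return the real datagram length as in the message above.

```python
import socket


def recv_checked(sock, bufsize):
    """Receive one datagram into a fixed buffer (hypothetical helper).

    Returns (payload, real_len, truncated). The kernel stores at most
    bufsize bytes, so the payload is sliced by min(real_len, bufsize),
    never by the reported length alone.
    """
    buf = bytearray(bufsize)
    real_len = sock.recv_into(buf, bufsize, socket.MSG_TRUNC)
    stored = min(real_len, bufsize)
    return bytes(buf[:stored]), real_len, real_len > bufsize


def recv_whole(sock, max_size=65536):
    """Peek at the datagram length, then read it completely.

    max_size is an assumed policy limit; an oversized datagram is
    consumed and dropped so it cannot block the queue.
    """
    probe = bytearray(1)  # a zero-length buffer would skip the syscall
    real_len = sock.recv_into(probe, 1, socket.MSG_PEEK | socket.MSG_TRUNC)
    if real_len > max_size:
        sock.recv(1)  # reading any part of a datagram discards the rest
        raise ValueError("datagram of %d bytes exceeds limit" % real_len)
    buf = bytearray(max(real_len, 1))
    n = sock.recv_into(buf, len(buf), socket.MSG_TRUNC)
    return bytes(buf[:min(n, len(buf))])


def demo():
    # Constructed sample input: the 8-byte datagram used in the message.
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        a.send(b'abcdefgh')
        short = recv_checked(b, 2)
        a.send(b'abcdefgh')
        whole = recv_whole(b)
        return short, whole
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print(demo())
```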