# HG changeset patch # Parent ac51dc99c1bd722e1b24b4bfa14520082e01f1a8 When parsing addresses returned by accept(), etc., do not assume null termination of sun_path in AF_UNIX addresses: rely instead on the returned address length. If this is longer then the original buffer, ignore it and use the original length. diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c --- a/Modules/socketmodule.c +++ b/Modules/socketmodule.c @@ -1129,13 +1129,22 @@ makebdaddr(bdaddr_t *bdaddr) /*ARGSUSED*/ static PyObject * -makesockaddr(SOCKET_T sockfd, struct sockaddr *addr, size_t addrlen, int proto) +makesockaddr(SOCKET_T sockfd, struct sockaddr *addr, socklen_t addrlen, + socklen_t buflen, int proto) { if (addrlen == 0) { /* No address -- may be recvfrom() from known socket */ Py_INCREF(Py_None); return Py_None; } + /* buflen is the length of the buffer containing the address, and + addrlen is either the same, or is the length returned by the OS + after writing an address into the buffer. Some systems return + the length they would have written if there had been space + (e.g. when an oversized AF_UNIX address has its sun_path + truncated). */ + if (addrlen > buflen) + addrlen = buflen; switch (addr->sa_family) { @@ -1155,18 +1164,28 @@ makesockaddr(SOCKET_T sockfd, struct soc #if defined(AF_UNIX) case AF_UNIX: { + Py_ssize_t len, splen; struct sockaddr_un *a = (struct sockaddr_un *) addr; + + if (addrlen < offsetof(struct sockaddr_un, sun_path)) + Py_RETURN_NONE; + else + splen = addrlen - offsetof(struct sockaddr_un, sun_path); #ifdef linux - if (a->sun_path[0] == 0) { /* Linux abstract namespace */ - addrlen -= offsetof(struct sockaddr_un, sun_path); - return PyBytes_FromStringAndSize(a->sun_path, addrlen); + /* Backwards compatibility: return empty addresses as bytes */ + if (splen == 0 || (splen > 0 && a->sun_path[0] == 0)) { + /* Linux abstract namespace */ + return PyBytes_FromStringAndSize(a->sun_path, splen); } else #endif /* linux */ { - /* regular NULL-terminated string */ - return PyUnicode_DecodeFSDefault(a->sun_path); + /* Path text can occupy all of sun_path[], and therefore + lack null termination */ + for (len = 0; len < splen && a->sun_path[len] != 0; len++) + ; } + return PyUnicode_DecodeFSDefaultAndSize(a->sun_path, len); } #endif /* AF_UNIX */ @@ -2212,6 +2231,7 @@ sock_accept(PySocketSockObject *s) sock_addr_t addrbuf; SOCKET_T newfd; socklen_t addrlen; + socklen_t buflen; PyObject *sock = NULL; PyObject *addr = NULL; PyObject *res = NULL; @@ -2219,6 +2239,7 @@ sock_accept(PySocketSockObject *s) if (!getsockaddrlen(s, &addrlen)) return NULL; + buflen = addrlen; memset(&addrbuf, 0, addrlen); if (!IS_SELECTABLE(s)) @@ -2256,7 +2277,7 @@ sock_accept(PySocketSockObject *s) } addr = makesockaddr(s->sock_fd, SAS2SA(&addrbuf), - addrlen, s->sock_proto); + addrlen, buflen, s->sock_proto); if (addr == NULL) goto finally; @@ -2720,16 +2741,18 @@ sock_getsockname(PySocketSockObject *s) sock_addr_t addrbuf; int res; socklen_t addrlen; + socklen_t buflen; if (!getsockaddrlen(s, &addrlen)) return NULL; + buflen = addrlen; memset(&addrbuf, 0, addrlen); Py_BEGIN_ALLOW_THREADS res = getsockname(s->sock_fd, SAS2SA(&addrbuf), &addrlen); Py_END_ALLOW_THREADS if (res < 0) return s->errorhandler(); - return makesockaddr(s->sock_fd, SAS2SA(&addrbuf), addrlen, + return makesockaddr(s->sock_fd, SAS2SA(&addrbuf), addrlen, buflen, s->sock_proto); } @@ -2749,16 +2772,18 @@ sock_getpeername(PySocketSockObject *s) sock_addr_t addrbuf; int res; socklen_t addrlen; + socklen_t buflen; if (!getsockaddrlen(s, &addrlen)) return NULL; + buflen = addrlen; memset(&addrbuf, 0, addrlen); Py_BEGIN_ALLOW_THREADS res = getpeername(s->sock_fd, SAS2SA(&addrbuf), &addrlen); Py_END_ALLOW_THREADS if (res < 0) return s->errorhandler(); - return makesockaddr(s->sock_fd, SAS2SA(&addrbuf), addrlen, + return makesockaddr(s->sock_fd, SAS2SA(&addrbuf), addrlen, buflen, s->sock_proto); } @@ -3017,12 +3042,14 @@ sock_recvfrom_guts(PySocketSockObject *s { sock_addr_t addrbuf; socklen_t addrlen; + socklen_t buflen; struct sock_recvfrom ctx; *addr = NULL; if (!getsockaddrlen(s, &addrlen)) return -1; + buflen = addrlen; if (!IS_SELECTABLE(s)) { select_error(); @@ -3037,7 +3064,7 @@ sock_recvfrom_guts(PySocketSockObject *s if (sock_call(s, 0, sock_recvfrom_impl, &ctx) < 0) return -1; - *addr = makesockaddr(s->sock_fd, SAS2SA(&addrbuf), addrlen, + *addr = makesockaddr(s->sock_fd, SAS2SA(&addrbuf), addrlen, buflen, s->sock_proto); if (*addr == NULL) return -1; @@ -3277,8 +3304,7 @@ sock_recvmsg_guts(PySocketSockObject *s, cmsg_list, (int)msg.msg_flags, makesockaddr(s->sock_fd, SAS2SA(&addrbuf), - ((msg.msg_namelen > addrbuflen) ? - addrbuflen : msg.msg_namelen), + msg.msg_namelen, addrbuflen, s->sock_proto)); if (retval == NULL) goto err_closefds; @@ -5560,7 +5586,8 @@ socket_getaddrinfo(PyObject *self, PyObj for (res = res0; res; res = res->ai_next) { PyObject *single; PyObject *addr = - makesockaddr(-1, res->ai_addr, res->ai_addrlen, protocol); + makesockaddr(-1, res->ai_addr, res->ai_addrlen, res->ai_addrlen, + protocol); if (addr == NULL) goto err; single = Py_BuildValue("iiisO", res->ai_family,