Message128938
asynchat.py: class async_chat: handle_read():
-----------------------
elif isinstance(terminator, int) or isinstance(terminator, long):
# numeric terminator
n = terminator
if lb < n:
self.collect_incoming_data (self.ac_in_buffer)
self.ac_in_buffer = ''
self.terminator = self.terminator - lb
else:
self.collect_incoming_data (self.ac_in_buffer[:n])
self.ac_in_buffer = self.ac_in_buffer[n:]
self.terminator = 0
self.found_terminator()
------------------------------
suppose, terminator is -10. "if lb < n" never match. So, "else" branch executed.
next, it will call "self.collect_incoming_data (self.ac_in_buffer[:n])", to push data to user. It should push some data from beginning of the buffer, intead of this, total buffer except last 10 characters pushed.
Moreover, "self.ac_in_buffer = self.ac_in_buffer[n:]" shoudl give tail of the buffer, ut instead of this, "self.ac_in_buffer" will contain part of the tail.
Such behaviour may break protocol parsing. In my case, malicious user pass 'Content-Length: -100' and totally break protocol parsing. Crafted values may gain memory leak.
In any way, author of this code does not thought about negative n in constructions [:n] or [n:]. |
|
Date |
User |
Action |
Args |
2011-02-21 04:56:59 | socketpair | set | recipients:
+ socketpair, giampaolo.rodola, Arfrever |
2011-02-21 04:56:59 | socketpair | set | messageid: <1298264219.69.0.732931273804.issue11259@psf.upfronthosting.co.za> |
2011-02-21 04:56:59 | socketpair | link | issue11259 messages |
2011-02-21 04:56:58 | socketpair | create | |
|