Message 128938 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	socketpair
Recipients	Arfrever, giampaolo.rodola, socketpair
Date	2011-02-21.04:56:58
SpamBayes Score	2.189648e-06
Marked as misclassified	No
Message-id	<1298264219.69.0.732931273804.issue11259@psf.upfronthosting.co.za>
In-reply-to

Content
asynchat.py: class async_chat: handle_read(): ----------------------- elif isinstance(terminator, int) or isinstance(terminator, long): # numeric terminator n = terminator if lb < n: self.collect_incoming_data (self.ac_in_buffer) self.ac_in_buffer = '' self.terminator = self.terminator - lb else: self.collect_incoming_data (self.ac_in_buffer[:n]) self.ac_in_buffer = self.ac_in_buffer[n:] self.terminator = 0 self.found_terminator() ------------------------------ suppose, terminator is -10. "if lb < n" never match. So, "else" branch executed. next, it will call "self.collect_incoming_data (self.ac_in_buffer[:n])", to push data to user. It should push some data from beginning of the buffer, intead of this, total buffer except last 10 characters pushed. Moreover, "self.ac_in_buffer = self.ac_in_buffer[n:]" shoudl give tail of the buffer, ut instead of this, "self.ac_in_buffer" will contain part of the tail. Such behaviour may break protocol parsing. In my case, malicious user pass 'Content-Length: -100' and totally break protocol parsing. Crafted values may gain memory leak. In any way, author of this code does not thought about negative n in constructions [:n] or [n:].

asynchat.py: class async_chat: handle_read():
-----------------------
            elif isinstance(terminator, int) or isinstance(terminator, long):
                # numeric terminator
                n = terminator
                if lb < n:
                    self.collect_incoming_data (self.ac_in_buffer)
                    self.ac_in_buffer = ''
                    self.terminator = self.terminator - lb
                else:
                    self.collect_incoming_data (self.ac_in_buffer[:n])
                    self.ac_in_buffer = self.ac_in_buffer[n:]
                    self.terminator = 0
                    self.found_terminator()
------------------------------
suppose, terminator is -10. "if lb < n" never match. So, "else" branch executed.
next, it will call "self.collect_incoming_data (self.ac_in_buffer[:n])", to push data to user. It should push some data from beginning of the buffer, intead of this, total buffer except last 10  characters pushed.

Moreover, "self.ac_in_buffer = self.ac_in_buffer[n:]" shoudl give tail of the buffer, ut instead of this, "self.ac_in_buffer" will contain part of the tail.

Such behaviour may break protocol parsing. In my case, malicious user pass 'Content-Length: -100' and totally break protocol parsing. Crafted values may gain memory leak.

In any way, author of this code does not thought about negative n in constructions [:n] or [n:].

History
Date	User	Action	Args
2011-02-21 04:56:59	socketpair	set	recipients: + socketpair, giampaolo.rodola, Arfrever
2011-02-21 04:56:59	socketpair	set	messageid: <1298264219.69.0.732931273804.issue11259@psf.upfronthosting.co.za>
2011-02-21 04:56:59	socketpair	link	issue11259 messages
2011-02-21 04:56:58	socketpair	create