Author socketpair
Recipients Arfrever, giampaolo.rodola, socketpair
Date 2011-02-21.04:56:58
SpamBayes Score 2.18965e-06
Marked as misclassified No
Message-id <1298264219.69.0.732931273804.issue11259@psf.upfronthosting.co.za>
In-reply-to
Content
asynchat.py: class async_chat: handle_read():
-----------------------
            elif isinstance(terminator, int) or isinstance(terminator, long):
                # numeric terminator
                n = terminator
                if lb < n:
                    self.collect_incoming_data (self.ac_in_buffer)
                    self.ac_in_buffer = ''
                    self.terminator = self.terminator - lb
                else:
                    self.collect_incoming_data (self.ac_in_buffer[:n])
                    self.ac_in_buffer = self.ac_in_buffer[n:]
                    self.terminator = 0
                    self.found_terminator()
------------------------------
suppose, terminator is -10. "if lb < n" never match. So, "else" branch executed.
next, it will call "self.collect_incoming_data (self.ac_in_buffer[:n])", to push data to user. It should push some data from beginning of the buffer, intead of this, total buffer except last 10  characters pushed.

Moreover, "self.ac_in_buffer = self.ac_in_buffer[n:]" shoudl give tail of the buffer, ut instead of this, "self.ac_in_buffer" will contain part of the tail.

Such behaviour may break protocol parsing. In my case, malicious user pass 'Content-Length: -100' and totally break protocol parsing. Crafted values may gain memory leak.

In any way, author of this code does not thought about negative n in constructions [:n] or [n:].
History
Date User Action Args
2011-02-21 04:56:59socketpairsetrecipients: + socketpair, giampaolo.rodola, Arfrever
2011-02-21 04:56:59socketpairsetmessageid: <1298264219.69.0.732931273804.issue11259@psf.upfronthosting.co.za>
2011-02-21 04:56:59socketpairlinkissue11259 messages
2011-02-21 04:56:58socketpaircreate