Author rmsr
Recipients rmsr
Date 2014-01-14.00:43:59
Message-id <1389660239.25.0.341393063834.issue20246@psf.upfronthosting.co.za>
Content
recvfrom_into fails to check that the supplied buffer object is big enough for the requested read and so will happily write off the end.

I will attach patches for 3.4 and 2.7. I'm not familiar with the backporting procedure to go further, but all versions since 2.5 have this bug, and while very highly unlikely, it's technically remotely exploitable.

Quickie trigger script, crash on interpreter exit:

--------- BEGIN SEGFAULT ---------

import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
r.recvfrom_into(bytearray(), 1024)
History
Date                 User  Action  Args
2014-01-14 00:43:59  rmsr  set     recipients: + rmsr
2014-01-14 00:43:59  rmsr  set     messageid: <1389660239.25.0.341393063834.issue20246@psf.upfronthosting.co.za>
2014-01-14 00:43:59  rmsr  link    issue20246 messages
2014-01-14 00:43:59  rmsr  create
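
Added example (not part of the original message and not the attached patch): a caller-side guard that applies, in Python, the bounds check the report says recvfrom_into is missing, so an oversized nbytes is rejected before the socket call is made. The helper name checked_recvfrom_into, the demo function and the sample data are assumptions made for illustration.

```python
import socket


def checked_recvfrom_into(sock, buf, nbytes=0, flags=0):
    """recvfrom_into() that refuses any read larger than the buffer.

    Hypothetical helper: the size check happens here, in Python, so the
    outcome does not depend on what the interpreter itself verifies.
    """
    view = memoryview(buf)
    if view.readonly:
        raise TypeError("buffer must be writable")
    capacity = view.nbytes  # size in bytes, also right for array('I') etc.
    if capacity == 0:
        raise ValueError("empty buffer")
    if nbytes < 0:
        raise ValueError("negative nbytes")
    if nbytes > capacity:
        raise ValueError(
            "nbytes (%d) exceeds buffer capacity (%d)" % (nbytes, capacity))
    # nbytes == 0 means "fill the buffer"; pass the capacity explicitly.
    return sock.recvfrom_into(view.cast("B"), nbytes or capacity, flags)


def demo():
    """Send 1024 bytes, then read through the guard into a 16-byte buffer."""
    r, w = socket.socketpair()
    try:
        w.send(b"X" * 1024)  # constructed sample data
        buf = bytearray(16)
        try:
            checked_recvfrom_into(r, buf, 1024)  # request larger than buffer
            rejected = False
        except ValueError:
            rejected = True
        n, _addr = checked_recvfrom_into(r, buf)  # bounded read
        return rejected, n, bytes(buf)
    finally:
        r.close()
        w.close()


if __name__ == "__main__":
    print(demo())
```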