This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author rmsr
Recipients rmsr
Date 2014-01-14.00:43:59
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
recvfrom_into fails to check that the supplied buffer object is big enough for the requested read and so will happily write off the end.

I will attach patches for 3.4 and 2.7, I'm not familiar with the backporting procedure to go further but all versions since 2.5 have this bug and while very highly unlikely it's technically remotely exploitable.

Quickie trigger script, crash on interpreter exit:

--------- BEGIN SEGFAULT ---------

import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
r.recvfrom_into(bytearray(), 1024)
Date User Action Args
2014-01-14 00:43:59rmsrsetrecipients: + rmsr
2014-01-14 00:43:59rmsrsetmessageid: <>
2014-01-14 00:43:59rmsrlinkissue20246 messages
2014-01-14 00:43:59rmsrcreate