Author vstinner
Recipients christian.heimes, vstinner
Date 2018-10-23.13:02:39
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1540299759.96.0.788709270274.issue35050@psf.upfronthosting.co.za>
In-reply-to
Content
Christian and me created a bug report at the same time :-) My message:

I found two interesting warnings on socketmodule.c in the Coverity report:

Error: BUFFER_SIZE_WARNING (CWE-120): [#def12]
Python-3.6.5/Modules/socketmodule.c:2069: buffer_size_warning: Calling strncpy with a maximum size argument of 14 bytes on destination array "sa->salg_type" of size 14 bytes might leave the destination string unterminated.
# 2067|               return 0;
# 2068|           }
# 2069|->         strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
# 2070|           if (strlen(name) > sizeof(sa->salg_name)) {
# 2071|               PyErr_SetString(PyExc_ValueError, "AF_ALG name too long.");

Error: BUFFER_SIZE_WARNING (CWE-120): [#def13]
Python-3.6.5/Modules/socketmodule.c:2074: buffer_size_warning: Calling strncpy with a maximum size argument of 64 bytes on destination array "sa->salg_name" of size 64 bytes might leave the destination string unterminated.
# 2072|               return 0;
# 2073|           }
# 2074|->         strncpy((char *)sa->salg_name, name, sizeof(sa->salg_name));
# 2075|   
# 2076|           *len_ret = sizeof(*sa);


It seems like the Linux kernel always write a terminating NUL byte for AF_ALG:
https://elixir.bootlin.com/linux/latest/source/crypto/af_alg.c#L171

The Python code does not create buffer overflow, it's just that the Linux kernel will always reject names which are too long. Python should reject them as well.
History
Date User Action Args
2018-10-23 13:02:39vstinnersetrecipients: + vstinner, christian.heimes
2018-10-23 13:02:39vstinnersetmessageid: <1540299759.96.0.788709270274.issue35050@psf.upfronthosting.co.za>
2018-10-23 13:02:39vstinnerlinkissue35050 messages
2018-10-23 13:02:39vstinnercreate