Message 328312 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	christian.heimes, vstinner
Date	2018-10-23.13:02:39
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1540299759.96.0.788709270274.issue35050@psf.upfronthosting.co.za>
In-reply-to

Content
Christian and me created a bug report at the same time :-) My message: I found two interesting warnings on socketmodule.c in the Coverity report: Error: BUFFER_SIZE_WARNING (CWE-120): [#def12] Python-3.6.5/Modules/socketmodule.c:2069: buffer_size_warning: Calling strncpy with a maximum size argument of 14 bytes on destination array "sa->salg_type" of size 14 bytes might leave the destination string unterminated. # 2067\| return 0; # 2068\| } # 2069\|-> strncpy((char )sa->salg_type, type, sizeof(sa->salg_type)); # 2070\| if (strlen(name) > sizeof(sa->salg_name)) { # 2071\| PyErr_SetString(PyExc_ValueError, "AF_ALG name too long."); Error: BUFFER_SIZE_WARNING (CWE-120): [#def13] Python-3.6.5/Modules/socketmodule.c:2074: buffer_size_warning: Calling strncpy with a maximum size argument of 64 bytes on destination array "sa->salg_name" of size 64 bytes might leave the destination string unterminated. # 2072\| return 0; # 2073\| } # 2074\|-> strncpy((char )sa->salg_name, name, sizeof(sa->salg_name)); # 2075\| # 2076\| len_ret = sizeof(sa); It seems like the Linux kernel always write a terminating NUL byte for AF_ALG: https://elixir.bootlin.com/linux/latest/source/crypto/af_alg.c#L171 The Python code does not create buffer overflow, it's just that the Linux kernel will always reject names which are too long. Python should reject them as well.

Christian and me created a bug report at the same time :-) My message:

I found two interesting warnings on socketmodule.c in the Coverity report:

Error: BUFFER_SIZE_WARNING (CWE-120): [#def12]
Python-3.6.5/Modules/socketmodule.c:2069: buffer_size_warning: Calling strncpy with a maximum size argument of 14 bytes on destination array "sa->salg_type" of size 14 bytes might leave the destination string unterminated.
# 2067|               return 0;
# 2068|           }
# 2069|->         strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
# 2070|           if (strlen(name) > sizeof(sa->salg_name)) {
# 2071|               PyErr_SetString(PyExc_ValueError, "AF_ALG name too long.");

Error: BUFFER_SIZE_WARNING (CWE-120): [#def13]
Python-3.6.5/Modules/socketmodule.c:2074: buffer_size_warning: Calling strncpy with a maximum size argument of 64 bytes on destination array "sa->salg_name" of size 64 bytes might leave the destination string unterminated.
# 2072|               return 0;
# 2073|           }
# 2074|->         strncpy((char *)sa->salg_name, name, sizeof(sa->salg_name));
# 2075|   
# 2076|           *len_ret = sizeof(*sa);


It seems like the Linux kernel always write a terminating NUL byte for AF_ALG:
https://elixir.bootlin.com/linux/latest/source/crypto/af_alg.c#L171

The Python code does not create buffer overflow, it's just that the Linux kernel will always reject names which are too long. Python should reject them as well.

History
Date	User	Action	Args
2018-10-23 13:02:39	vstinner	set	recipients: + vstinner, christian.heimes
2018-10-23 13:02:39	vstinner	set	messageid: <1540299759.96.0.788709270274.issue35050@psf.upfronthosting.co.za>
2018-10-23 13:02:39	vstinner	link	issue35050 messages
2018-10-23 13:02:39	vstinner	create