Message328312
Christian and I created a bug report at the same time :-) My message:
I found two interesting warnings on socketmodule.c in the Coverity report:
Error: BUFFER_SIZE_WARNING (CWE-120): [#def12]
Python-3.6.5/Modules/socketmodule.c:2069: buffer_size_warning: Calling strncpy with a maximum size argument of 14 bytes on destination array "sa->salg_type" of size 14 bytes might leave the destination string unterminated.
# 2067| return 0;
# 2068| }
# 2069|-> strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
# 2070| if (strlen(name) > sizeof(sa->salg_name)) {
# 2071| PyErr_SetString(PyExc_ValueError, "AF_ALG name too long.");
Error: BUFFER_SIZE_WARNING (CWE-120): [#def13]
Python-3.6.5/Modules/socketmodule.c:2074: buffer_size_warning: Calling strncpy with a maximum size argument of 64 bytes on destination array "sa->salg_name" of size 64 bytes might leave the destination string unterminated.
# 2072| return 0;
# 2073| }
# 2074|-> strncpy((char *)sa->salg_name, name, sizeof(sa->salg_name));
# 2075|
# 2076| *len_ret = sizeof(*sa);
It seems like the Linux kernel always writes a terminating NUL byte for AF_ALG:
https://elixir.bootlin.com/linux/latest/source/crypto/af_alg.c#L171
The Python code does not create a buffer overflow, it's just that the Linux kernel will always reject names which are too long. Python should reject them as well.
Date | User | Action | Args
2018-10-23 13:02:39 | vstinner | set | recipients: + vstinner, christian.heimes
2018-10-23 13:02:39 | vstinner | set | messageid: <1540299759.96.0.788709270274.issue35050@psf.upfronthosting.co.za>
2018-10-23 13:02:39 | vstinner | link | issue35050 messages
2018-10-23 13:02:39 | vstinner | create |
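Added example, not part of the original message or of CPython's source: the length check and strncpy call quoted at lines 2070-2074, next to a stricter variant, run on constructed names of 63, 64 and 65 bytes. The struct alg_addr type and the helpers fill_quoted, fill_strict and try_name are hypothetical names; only the field sizes 14 and 64 come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct sockaddr_alg; only the two field sizes
   (14 and 64) are taken from the Coverity messages. */
struct alg_addr {
    unsigned char salg_type[14];
    unsigned char salg_name[64];
};

/* Check and copy as in the quoted lines 2070-2074: '>' admits strlen == 64. */
static int fill_quoted(struct alg_addr *sa, const char *name)
{
    if (strlen(name) > sizeof(sa->salg_name))
        return 0;
    strncpy((char *)sa->salg_name, name, sizeof(sa->salg_name));
    return 1;
}

/* Hypothetical stricter variant: reject names that leave no room for NUL. */
static int fill_strict(struct alg_addr *sa, const char *name)
{
    size_t n = strlen(name);
    if (n >= sizeof(sa->salg_name))
        return 0;
    memcpy(sa->salg_name, name, n + 1);   /* n + 1 copies the terminator */
    return 1;
}

/* Returns -1 if the name is rejected, 1 if it is stored NUL-terminated,
   0 if it is stored without a terminator. Names are constructed 'a' runs. */
static int try_name(int strict, size_t len)
{
    char name[128];
    struct alg_addr sa;
    if (len >= sizeof(name)) return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    memset(&sa, 0xff, sizeof(sa));        /* poison so a missing NUL shows */
    if (!(strict ? fill_strict(&sa, name) : fill_quoted(&sa, name)))
        return -1;
    return memchr(sa.salg_name, '\0', sizeof(sa.salg_name)) != NULL;
}

int main(void)
{
    printf("quoted 64 -> %d, strict 64 -> %d\n", try_name(0, 64), try_name(1, 64));
    return 0;
}
```

The same boundary applies to the 14-byte salg_type field flagged at line 2069.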