Message 340421 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	Arfrever, cheryl.sabella, maker, neologix, pitrou, vstinner
Date	2019-04-17.17:00:09
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1555520409.92.0.230450355101.issue18564@roundup.psfhosted.org>
In-reply-to

Content
> In Modules/socketmodule.c , the bluetooth address supplied is vulnerable to integer overflow. Attached PR 12864 modifies the following code: unsigned int b0, b1, b2, b3, b4, b5; char ch; int n; n = sscanf(name, "%X:%X:%X:%X:%X:%X%c", &b5, &b4, &b3, &b2, &b1, &b0, &ch); Can someone please elaborate how this code can trigger an integer overflow? What is the consequence of an integer overflow? Does Python crash?

> In Modules/socketmodule.c , the bluetooth address supplied is vulnerable to integer overflow.

Attached PR 12864 modifies the following code:


  unsigned int b0, b1, b2, b3, b4, b5;
  char ch;
  int n;
  n = sscanf(name, "%X:%X:%X:%X:%X:%X%c", &b5, &b4, &b3, &b2, &b1, &b0, &ch);

Can someone please elaborate how this code can trigger an integer overflow? What is the consequence of an integer overflow? Does Python crash?

History
Date	User	Action	Args
2019-04-17 17:00:09	vstinner	set	recipients: + vstinner, pitrou, Arfrever, neologix, maker, cheryl.sabella
2019-04-17 17:00:09	vstinner	set	messageid: <1555520409.92.0.230450355101.issue18564@roundup.psfhosted.org>
2019-04-17 17:00:09	vstinner	link	issue18564 messages
2019-04-17 17:00:09	vstinner	create