Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(3)

Side by Side Diff: Modules/_ssl.c

Issue 18135: _ssl module: possible integer overflow for very long strings (+2^31 bytes)
Patch Set: Created 6 years, 7 months ago
Left:
Right:
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* SSL socket module 1 /* SSL socket module
2 2
3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs. 3 SSL support based on patches by Brian E Gallew and Laszlo Kovacs.
4 Re-worked a bit by Bill Janssen to add server-side support and 4 Re-worked a bit by Bill Janssen to add server-side support and
5 certificate decoding. Chris Stawarz contributed some non-blocking 5 certificate decoding. Chris Stawarz contributed some non-blocking
6 patches. 6 patches.
7 7
8 This module is imported by ssl.py. It should *not* be used 8 This module is imported by ssl.py. It should *not* be used
9 directly. 9 directly.
10 10
(...skipping 1244 matching lines...) Expand 10 before | Expand all | Expand 10 after
1255 if (((PyObject*)sock) == Py_None) { 1255 if (((PyObject*)sock) == Py_None) {
1256 _setSSLError("Underlying socket connection gone", 1256 _setSSLError("Underlying socket connection gone",
1257 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__); 1257 PY_SSL_ERROR_NO_SOCKET, __FILE__, __LINE__);
1258 return NULL; 1258 return NULL;
1259 } 1259 }
1260 Py_INCREF(sock); 1260 Py_INCREF(sock);
1261 1261
1262 if (!PyArg_ParseTuple(args, "y*:write", &buf)) { 1262 if (!PyArg_ParseTuple(args, "y*:write", &buf)) {
1263 Py_DECREF(sock); 1263 Py_DECREF(sock);
1264 return NULL; 1264 return NULL;
1265 }
1266
1267 if (buf.len > INT_MAX) {
1268 PyErr_Format(PyExc_OverflowError,
1269 "string longer than %d bytes", INT_MAX);
1270 goto error;
1265 } 1271 }
1266 1272
1267 /* just in case the blocking state of the socket has been changed */ 1273 /* just in case the blocking state of the socket has been changed */
1268 nonblocking = (sock->sock_timeout >= 0.0); 1274 nonblocking = (sock->sock_timeout >= 0.0);
1269 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking); 1275 BIO_set_nbio(SSL_get_rbio(self->ssl), nonblocking);
1270 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking); 1276 BIO_set_nbio(SSL_get_wbio(self->ssl), nonblocking);
1271 1277
1272 sockstate = check_socket_and_wait_for_timeout(sock, 1); 1278 sockstate = check_socket_and_wait_for_timeout(sock, 1);
1273 if (sockstate == SOCKET_HAS_TIMED_OUT) { 1279 if (sockstate == SOCKET_HAS_TIMED_OUT) {
1274 PyErr_SetString(PySocketModule.timeout_error, 1280 PyErr_SetString(PySocketModule.timeout_error,
1275 "The write operation timed out"); 1281 "The write operation timed out");
1276 goto error; 1282 goto error;
1277 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) { 1283 } else if (sockstate == SOCKET_HAS_BEEN_CLOSED) {
1278 PyErr_SetString(PySSLErrorObject, 1284 PyErr_SetString(PySSLErrorObject,
1279 "Underlying socket has been closed."); 1285 "Underlying socket has been closed.");
1280 goto error; 1286 goto error;
1281 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) { 1287 } else if (sockstate == SOCKET_TOO_LARGE_FOR_SELECT) {
1282 PyErr_SetString(PySSLErrorObject, 1288 PyErr_SetString(PySSLErrorObject,
1283 "Underlying socket too large for select()."); 1289 "Underlying socket too large for select().");
1284 goto error; 1290 goto error;
1285 } 1291 }
1286 do { 1292 do {
1287 len = (int)Py_MIN(buf.len, INT_MAX);
1288 PySSL_BEGIN_ALLOW_THREADS 1293 PySSL_BEGIN_ALLOW_THREADS
1289 len = SSL_write(self->ssl, buf.buf, len); 1294 len = SSL_write(self->ssl, buf.buf, len);
AntoinePitrou 2013/06/23 20:49:31 len is never initialized?
1290 err = SSL_get_error(self->ssl, len); 1295 err = SSL_get_error(self->ssl, len);
1291 PySSL_END_ALLOW_THREADS 1296 PySSL_END_ALLOW_THREADS
1292 if (PyErr_CheckSignals()) { 1297 if (PyErr_CheckSignals()) {
1293 goto error; 1298 goto error;
1294 } 1299 }
1295 if (err == SSL_ERROR_WANT_READ) { 1300 if (err == SSL_ERROR_WANT_READ) {
1296 sockstate = check_socket_and_wait_for_timeout(sock, 0); 1301 sockstate = check_socket_and_wait_for_timeout(sock, 0);
1297 } else if (err == SSL_ERROR_WANT_WRITE) { 1302 } else if (err == SSL_ERROR_WANT_WRITE) {
1298 sockstate = check_socket_and_wait_for_timeout(sock, 1); 1303 sockstate = check_socket_and_wait_for_timeout(sock, 1);
1299 } else { 1304 } else {
(...skipping 1574 matching lines...) Expand 10 before | Expand all | Expand 10 after
2874 return NULL; 2879 return NULL;
2875 2880
2876 libver = OPENSSL_VERSION_NUMBER; 2881 libver = OPENSSL_VERSION_NUMBER;
2877 parse_openssl_version(libver, &major, &minor, &fix, &patch, &status); 2882 parse_openssl_version(libver, &major, &minor, &fix, &patch, &status);
2878 r = Py_BuildValue("IIIII", major, minor, fix, patch, status); 2883 r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
2879 if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r)) 2884 if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
2880 return NULL; 2885 return NULL;
2881 2886
2882 return m; 2887 return m;
2883 } 2888 }
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

RSS Feeds Recent Issues | This issue
This is Rietveld 894c83f36cb7+