[ python-Bugs-1468727 ] Possible Integer overflow

SourceForge.net noreply at sourceforge.net
Tue Apr 11 20:00:24 CEST 2006


Bugs item #1468727, was opened at 2006-04-11 18:00
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1468727&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.5
Status: Open
Resolution: None
Priority: 5
Submitted By: ekellinis (ekellinis)
Assigned to: Nobody/Anonymous (nobody)
Summary: Possible Integer overflow

Initial Comment:
There is a possible integer overflow in the fcntlmodule.c


=================================
fcntl_fcntl(PyObject *self, PyObject *args)
{
	int fd;
	int code;
	int arg;
	int ret;
	char *str;
	Py_ssize_t len;
	char buf[1024];

	if (PyArg_ParseTuple(args, "O&is#:fcntl",
	                     conv_descriptor, &fd, &code, &str, &len)) {
		if (len > sizeof buf) {
			PyErr_SetString(PyExc_ValueError,
					"fcntl string arg too long");
			return NULL;
		}
		memcpy(buf, str, len);
=================================
Explanation:
if "len" receives a very large value (>integer) there is
a possibility that it will become negative and the value
will bypass the if statement and go directly to
memcpy(buf, str, len);

The latest revision of the module (42787) has int
replaced with Py_ssize_t which, as it mentions at
http://www.python.org/dev/peps/pep-0353/
"...Py_ssize_t is introduced, which has the same size
as the compiler's size_t type, but is signed..", so the
problem seems to still be there.

-The int type is used from revision 42093 and back

Someone needs to be able to execute arbitrary Python to
exploit it; possible effect: break from the Python
sandbox



----------------------------------------------------------------------
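
The check in the excerpt compares a signed length with the unsigned result of `sizeof`. The following is an added example, not code from the report or from CPython: it shows how that comparison, a hypothetical variant with a signed bound, and an explicit range check each treat a negative length. `ssize_t` stands in for `Py_ssize_t`, and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t, standing in for Py_ssize_t (assumption) */

#define BUF_SIZE 1024

/* Comparison as written in the excerpt: signed len against sizeof (size_t).
 * The usual arithmetic conversions convert len to size_t first, so a
 * negative len becomes a huge unsigned value (-Wsign-compare flags this).
 * Returns 1 when the length is rejected. */
int rejected_by_excerpt_check(ssize_t len)
{
    char buf[BUF_SIZE];
    return len > sizeof buf;
}

/* Hypothetical variant with a signed bound: both operands stay signed,
 * so a negative len compares below the bound and is accepted. */
int rejected_by_signed_bound(ssize_t len)
{
    return len > (ssize_t)BUF_SIZE;
}

/* Explicit form: states both ends of the valid range, no implicit conversion. */
int rejected_by_explicit_check(ssize_t len)
{
    return len < 0 || (size_t)len > BUF_SIZE;
}

/* Bounded copy built on the explicit check. Returns bytes copied, or -1. */
ssize_t copy_arg(char *dst, size_t dst_size, const char *src, ssize_t len)
{
    if (len < 0 || (size_t)len > dst_size)
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

int main(void)
{
    ssize_t samples[] = { -1, 0, 1024, 1025 };   /* constructed test lengths */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("len=%ld excerpt=%d signed_bound=%d explicit=%d\n",
               (long)samples[i],
               rejected_by_excerpt_check(samples[i]),
               rejected_by_signed_bound(samples[i]),
               rejected_by_explicit_check(samples[i]));
    return 0;
}
```
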
