[Python-checkins] cpython (3.3): Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write()

victor.stinner python-checkins at python.org
Sun Jun 23 15:18:49 CEST 2013


http://hg.python.org/cpython/rev/f0d934732ab1
changeset:   84270:f0d934732ab1
branch:      3.3
user:        Victor Stinner <victor.stinner at gmail.com>
date:        Sun Jun 23 15:08:23 2013 +0200
summary:
  Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write()
and in ssl.SSLContext.load_cert_chain() for strings and passwords longer
than 2 gigabytes.

files:
  Misc/NEWS      |   4 ++++
  Modules/_ssl.c |  16 +++++++++++-----
  2 files changed, 15 insertions(+), 5 deletions(-)


diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -35,6 +35,10 @@
 Library
 -------
 
+- Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write()
+  and in ssl.SSLContext.load_cert_chain() for strings and passwords longer than
+  2 gigabytes.
+
 - Issue #18248: Fix libffi build on AIX.
 
 - Issue #18259: Declare sethostname in socketmodule.c for AIX
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1284,8 +1284,9 @@
         goto error;
     }
     do {
+        len = (int)Py_MIN(buf.len, INT_MAX);
         PySSL_BEGIN_ALLOW_THREADS
-        len = SSL_write(self->ssl, buf.buf, buf.len);
+        len = SSL_write(self->ssl, buf.buf, len);
         err = SSL_get_error(self->ssl, len);
         PySSL_END_ALLOW_THREADS
         if (PyErr_CheckSignals()) {
@@ -1576,7 +1577,7 @@
 {
     PyObject *retval = NULL;
     char buf[PySSL_CB_MAXLEN];
-    int len;
+    size_t len;
 
     if (SSL_session_reused(self->ssl) ^ !self->socket_type) {
         /* if session is resumed XOR we are the client */
@@ -1588,7 +1589,6 @@
     }
 
     /* It cannot be negative in current OpenSSL version as of July 2011 */
-    assert(len >= 0);
     if (len == 0)
         Py_RETURN_NONE;
 
@@ -1915,7 +1915,7 @@
     PyThreadState *thread_state;
     PyObject *callable;
     char *password;
-    Py_ssize_t size;
+    int size;
     int error;
 } _PySSLPasswordInfo;
 
@@ -1949,6 +1949,12 @@
         goto error;
     }
 
+    if (size > (Py_ssize_t)INT_MAX) {
+        PyErr_Format(PyExc_ValueError,
+                     "password cannot be longer than %d bytes", INT_MAX);
+        goto error;
+    }
+
     free(pw_info->password);
     pw_info->password = malloc(size);
     if (!pw_info->password) {
@@ -1957,7 +1963,7 @@
         goto error;
     }
     memcpy(pw_info->password, data, size);
-    pw_info->size = size;
+    pw_info->size = (int)size;
 
     Py_XDECREF(password_bytes);
     return 1;

-- 
Repository URL: http://hg.python.org/cpython


More information about the Python-checkins mailing list