[Python-checkins] bpo-35050: AF_ALG length check off-by-one error (GH-10058) (GH-11070)
Victor Stinner
webhook-mailer at python.org
Mon Dec 10 06:12:56 EST 2018
https://github.com/python/cpython/commit/bad41cefef6625807198a813d9dec2c08d59dc60
commit: bad41cefef6625807198a813d9dec2c08d59dc60
branch: 3.6
author: Victor Stinner <vstinner at redhat.com>
committer: GitHub <noreply at github.com>
date: 2018-12-10T12:12:47+01:00
summary:
bpo-35050: AF_ALG length check off-by-one error (GH-10058) (GH-11070)
The length check for AF_ALG salg_name and salg_type had an off-by-one
error. The code assumed that both values are not necessarily NULL
terminated. However, the kernel code for alg_bind() ensures that the last
byte of both strings is NULL terminated.
Signed-off-by: Christian Heimes <christian at python.org>
(cherry picked from commit 2eb6ad8578fa9d764c21a92acd8e054e3202ad19)
files:
A Misc/NEWS.d/next/Core and Builtins/2018-10-23-15-03-53.bpo-35050.49wraS.rst
M Lib/test/test_socket.py
M Modules/socketmodule.c
diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
index 6b7afba49d9e..56adec18c636 100644
--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
@@ -5591,6 +5591,24 @@ def test_sendmsg_afalg_args(self):
with self.assertRaises(TypeError):
sock.sendmsg_afalg(op=socket.ALG_OP_ENCRYPT, assoclen=-1)
+ def test_length_restriction(self):
+ # bpo-35050, off-by-one error in length check
+ sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
+ self.addCleanup(sock.close)
+
+ # salg_type[14]
+ with self.assertRaises(FileNotFoundError):
+ sock.bind(("t" * 13, "name"))
+ with self.assertRaisesRegex(ValueError, "type too long"):
+ sock.bind(("t" * 14, "name"))
+
+ # salg_name[64]
+ with self.assertRaises(FileNotFoundError):
+ sock.bind(("type", "n" * 63))
+ with self.assertRaisesRegex(ValueError, "name too long"):
+ sock.bind(("type", "n" * 64))
+
+
@unittest.skipUnless(sys.platform.startswith("win"), "requires Windows")
class TestMSWindowsTCPFlags(unittest.TestCase):
knownTCPFlags = {
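Review bot: The boundary comments `# salg_type[14]` and `# salg_name[64]` in test_length_restriction give the array sizes but not why the accepted maximum is one less. A reader has to infer from 13/14 and 63/64 that one byte is reserved for the terminator. I would spell it out, e.g. `# salg_type is char[14]: 13 characters plus the terminating NUL is the longest value that fits` and the same for salg_name with 63. The FileNotFoundError assertions also presumably rely on the running kernel having no algorithm type named "type" or "t" * 13; a short comment saying that this error means "passed the length check, rejected by the kernel" would make the intent clear.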
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-10-23-15-03-53.bpo-35050.49wraS.rst b/Misc/NEWS.d/next/Core and Builtins/2018-10-23-15-03-53.bpo-35050.49wraS.rst
new file mode 100644
index 000000000000..9a33416089a2
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-10-23-15-03-53.bpo-35050.49wraS.rst
@@ -0,0 +1 @@
+:mod:`socket`: Fix off-by-one bug in length check for ``AF_ALG`` name and type.
diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
index c940f1b81693..0daf98b6d238 100644
--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -356,7 +356,7 @@ remove_unusable_flags(PyObject *m)
for (int i=0; i<sizeof(win_runtime_flags)/sizeof(FlagRuntimeInfo); i++) {
info.dwBuildNumber = win_runtime_flags[i].build_number;
- /* greater than or equal to the specified version?
+ /* greater than or equal to the specified version?
Compatibility Mode will not cheat VerifyVersionInfo(...) */
if (VerifyVersionInfo(
&info,
@@ -2058,14 +2058,18 @@ getsockaddrarg(PySocketSockObject *s, PyObject *args,
if (!PyArg_ParseTuple(args, "ss|HH:getsockaddrarg",
&type, &name, &sa->salg_feat, &sa->salg_mask))
+ {
return 0;
- /* sockaddr_alg has fixed-sized char arrays for type and name */
- if (strlen(type) > sizeof(sa->salg_type)) {
+ }
+ /* sockaddr_alg has fixed-sized char arrays for type, and name
+ * both must be NULL terminated.
+ */
+ if (strlen(type) >= sizeof(sa->salg_type)) {
PyErr_SetString(PyExc_ValueError, "AF_ALG type too long.");
return 0;
}
strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
- if (strlen(name) > sizeof(sa->salg_name)) {
+ if (strlen(name) >= sizeof(sa->salg_name)) {
PyErr_SetString(PyExc_ValueError, "AF_ALG name too long.");
return 0;
}
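Review bot: The rewritten comment above the `strlen(type) >= sizeof(sa->salg_type)` check is hard to parse ("for type, and name both must be NULL terminated") and does not say why the comparison is `>=`. The `strncpy()` into `salg_type` yields a terminated field only because this check guarantees `strlen(type) < sizeof(sa->salg_type)`, so a later relaxation of the check would bring back an unterminated or silently truncated algorithm name. I would word it as `/* sockaddr_alg has fixed-size char arrays for type and name; both must be NUL-terminated, so the longest accepted string is sizeof(field) - 1 and strncpy() below zero-pads the rest. */`. getsockaddrarg starts and ends outside this hunk, and the copy into `salg_name` is not visible here, so the same reasoning should be confirmed for that field.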