Fixed buffer overflow (upstream patch)

Resolves: rhbz#1062374
2014-02-10 14:42:12 +01:00 · 2014-02-10 14:42:12 +01:00 · c8f16f3941
commit c8f16f3941
parent a39396d0b5
2 changed files with 55 additions and 1 deletions
--- a/00192-buffer-overflow.patch
+++ b/00192-buffer-overflow.patch
@ -0,0 +1,42 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1389672775 18000
+# Node ID 7f176a45211ff3cb85a2fbdc75f7979d642bb563
+# Parent  ed1c27b68068c942c6e845bdf8e987e963d50920# Parent  9c56217e5c793685eeaf0ee224848c402bdf1e4c
+merge 3.2 (#20246)
+
+diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
+--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
+@@ -4538,6 +4538,14 @@ class BufferIOTest(SocketConnectedTest):
+ 
+     _testRecvFromIntoMemoryview = _testRecvFromIntoArray
+ 
+    def testRecvFromIntoSmallBuffer(self):
+        # See issue #20246.
+        buf = bytearray(8)
+        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+    def _testRecvFromIntoSmallBuffer(self):
+        self.serv_conn.send(MSG*2048)
+
+ 
+ TIPC_STYPE = 2000
+ TIPC_LOWER = 200
+diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
+--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
+@@ -2935,6 +2935,11 @@ sock_recvfrom_into(PySocketSockObject *s
+     if (recvlen == 0) {
+         /* If nbytes was not specified, use the buffer's length */
+         recvlen = buflen;
+    } else if (recvlen > buflen) {
+        PyBuffer_Release(&pbuf);
+        PyErr_SetString(PyExc_ValueError,
+                        "nbytes is greater than the length of the buffer");
+        return NULL;
+     }
+ 
+     readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
+