Bugs item #1468727, was opened at 2006-04-11 18:00
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1468727&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.5
Status: Open
Resolution: None
Priority: 5
Submitted By: ekellinis (ekellinis)
Assigned to: Nobody/Anonymous (nobody)
Summary: Possible Integer overflow

Initial Comment:
There is a possible integer overflow in fcntlmodule.c


=================================
fcntl_fcntl(PyObject *self, PyObject *args)
{
        int fd;
        int code;
        int arg;
        int ret;
        char *str;
        Py_ssize_t len;
        char buf[1024];

        if (PyArg_ParseTuple(args, "O&is#:fcntl",
                             conv_descriptor, &fd,
                             &code, &str, &len)) {
                if (len > sizeof buf) {
                        PyErr_SetString(PyExc_ValueError,
                                        "fcntl string arg too long");
                        return NULL;
                }
                memcpy(buf, str, len);
=================================
Explanation:
if "len" receives a very large value (>integer) there is
a possibility that it will become negative and the value
will bypass the if statement and go directly to
memcpy(buf, str, len);

The latest revision of the module (42787) has int
replaced with Py_ssize_t which, as it mentions at
http://www.python.org/dev/peps/pep-0353/
"...Py_ssize_t is introduced, which has the same size
as the compiler's size_t type, but is signed..", so the
problem seems to still be there.

-The int type is used from revision 42093 and back

Someone needs to be able to execute arbitrary Python to
exploit it; possible effect: break from the Python
sandbox



----------------------------------------------------------------------
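
The check quoted in the report compares a signed length with `sizeof buf`, which has type `size_t`. As an added example (not part of the report and not CPython code; `ssize_t` stands in for `Py_ssize_t` and the function names are hypothetical), this shows how C's usual arithmetic conversions evaluate that check for a negative length, next to a variant with a signed bound and an explicit check that does not depend on conversion rules:

```c
/* Added example, not CPython code; ssize_t stands in for Py_ssize_t. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#pragma GCC diagnostic ignored "-Wsign-compare" /* the implicit conversion is the point */
#define BUF_SIZE 1024

/* Check as quoted in the report. sizeof yields size_t, so len is converted
   to size_t before the comparison; -1 becomes SIZE_MAX and is rejected. */
int accepts_as_written(ssize_t len)
{
    char buf[BUF_SIZE];
    return !(len > sizeof buf);
}

/* Same check with an int length: len is still converted to size_t. */
int accepts_int_len(int len)
{
    char buf[BUF_SIZE];
    return !(len > sizeof buf);
}

/* Variant with the bound cast to a signed type: the comparison is now
   signed, a negative len passes, and memcpy would take it as a huge size_t. */
int accepts_signed_bound(ssize_t len)
{
    char buf[BUF_SIZE];
    return !(len > (ssize_t)sizeof buf);
}

/* Explicit form that does not rely on conversion rules. Returns 0 on
   success, -1 if len is negative or larger than the destination. */
int copy_checked(char *dst, size_t dst_size, const char *src, ssize_t len)
{
    if (len < 0 || (size_t)len > dst_size)
        return -1;
    memcpy(dst, src, (size_t)len);
    return 0;
}

int main(void)
{
    printf("as written: %d, int len: %d, signed bound: %d\n",
           accepts_as_written(-1), accepts_int_len(-1), accepts_signed_bound(-1));
    return 0;
}
```

Compiling without the pragma and with `-Wsign-compare` makes the compiler point at the mixed-sign comparisons in the first two functions.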
