New submission from Ryan Smith-Roberts:

recvfrom_into fails to check that the supplied buffer object is big enough for 
the requested read and so will happily write off the end.

I will attach patches for 3.4 and 2.7. I'm not familiar with the backporting 
procedure to go further, but all versions since 2.5 have this bug, and while 
very highly unlikely, it's technically remotely exploitable.

Quickie trigger script, crash on interpreter exit:

--------- BEGIN SEGFAULT ---------

import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
r.recvfrom_into(bytearray(), 1024)

----------
components: Extension Modules
messages: 208062
nosy: rmsr
priority: normal
severity: normal
status: open
title: buffer overflow in socket.recvfrom_into
type: crash
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue20246>
_______________________________________
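
An added example, not part of the original report and not CPython's own patch: a Python-level wrapper that performs the bounds check the report says recvfrom_into lacks, rejecting any nbytes larger than the supplied buffer before the call reaches the C code. The names checked_recvfrom_into and demo, and the sample data, are constructed for illustration.

```python
import socket


def checked_recvfrom_into(sock, buf, nbytes=0, flags=0):
    """Call sock.recvfrom_into only after confirming nbytes fits in buf.

    Hypothetical helper: it mirrors, at the Python level, the length check
    that the report describes as missing from recvfrom_into.
    """
    # memoryview raises TypeError for objects without the buffer protocol.
    with memoryview(buf) as view:
        if view.readonly:
            raise TypeError("buffer must be writable")
        capacity = view.nbytes  # size in bytes, whatever the item format
    if nbytes < 0:
        raise ValueError("negative nbytes")
    if nbytes == 0:
        nbytes = capacity  # same default as the socket method: fill the buffer
    if nbytes > capacity:
        raise ValueError(
            "nbytes (%d) exceeds buffer length (%d)" % (nbytes, capacity)
        )
    return sock.recvfrom_into(buf, nbytes, flags)


def demo():
    """Replay the report's call shape through the wrapper (constructed data)."""
    r, w = socket.socketpair()
    try:
        w.send(b"X" * 1024)
        try:
            # Same arguments as the trigger script: empty buffer, 1024 bytes.
            checked_recvfrom_into(r, bytearray(), 1024)
            rejected = False
        except ValueError:
            rejected = True
        # A buffer that really is 1024 bytes long is accepted.
        buf = bytearray(1024)
        n, _addr = checked_recvfrom_into(r, buf, 1024)
        return rejected, n, bytes(buf[:n])
    finally:
        r.close()
        w.close()


if __name__ == "__main__":
    print(demo()[:2])
```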