https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4d
commit: 1274766d3c29007ab77245a72abbf8dce2a9db4d
branch: main
author: Seth Larson <[email protected]>
committer: gvanrossum <[email protected]>
date: 2026-04-21T07:29:07-07:00
summary:
gh-148808: Add boundary check to asyncio.AbstractEventLoop.sock_recvf… (#148809)
files:
A Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst
M Lib/test/test_asyncio/test_sock_lowlevel.py
M Modules/overlapped.c
diff --git a/Lib/test/test_asyncio/test_sock_lowlevel.py
b/Lib/test/test_asyncio/test_sock_lowlevel.py
index df4ec7948975f6..f32dcd589e2de2 100644
--- a/Lib/test/test_asyncio/test_sock_lowlevel.py
+++ b/Lib/test/test_asyncio/test_sock_lowlevel.py
@@ -427,6 +427,27 @@ def test_recvfrom_into(self):
self.loop.run_until_complete(
self._basetest_datagram_recvfrom_into(server_address))
+ async def _basetest_datagram_recvfrom_into_wrong_size(self,
server_address):
+ # Call sock_sendto() with a size larger than the buffer
+ with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
+ sock.setblocking(False)
+
+ buf = bytearray(5000)
+ data = b'\x01' * 4096
+ wrong_size = len(buf) + 1
+ await self.loop.sock_sendto(sock, data, server_address)
+ with self.assertRaises(ValueError):
+ await self.loop.sock_recvfrom_into(
+ sock, buf, wrong_size)
+
+ size, addr = await self.loop.sock_recvfrom_into(sock, buf)
+ self.assertEqual(buf[:size], data)
+
+ def test_recvfrom_into_wrong_size(self):
+ with test_utils.run_udp_echo_server() as server_address:
+ self.loop.run_until_complete(
+
self._basetest_datagram_recvfrom_into_wrong_size(server_address))
+
async def _basetest_datagram_sendto_blocking(self, server_address):
# Sad path, sock.sendto() raises BlockingIOError
# This involves patching sock.sendto() to raise BlockingIOError but
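Review bot: The comment opening `_basetest_datagram_recvfrom_into_wrong_size` names the wrong call: the oversized value is passed as `nbytes` to `sock_recvfrom_into()`, while `sock_sendto()` only sends an ordinary 4096-byte datagram. I would reword it to `# Call sock_recvfrom_into() with nbytes larger than the buffer`. The follow-up receive usefully shows that the rejected call did not consume the datagram. Adding `self.assertEqual(size, len(data))` before the slice comparison would make a short read fail with a clearer message.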
diff --git
a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst
b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst
new file mode 100644
index 00000000000000..0b5cf85fedfba1
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst
@@ -0,0 +1,3 @@
+Added buffer boundary check when using ``nbytes`` parameter with
+:meth:`!asyncio.AbstractEventLoop.sock_recvfrom_into`. Only
+relevant for Windows and the :class:`asyncio.ProactorEventLoop`.
diff --git a/Modules/overlapped.c b/Modules/overlapped.c
index 822e1ce4bdc28d..51aee5afd35b6d 100644
--- a/Modules/overlapped.c
+++ b/Modules/overlapped.c
@@ -1910,6 +1910,11 @@
_overlapped_Overlapped_WSARecvFromInto_impl(OverlappedObject *self,
}
#endif
+ if (bufobj->len < (Py_ssize_t)size) {
+ PyErr_SetString(PyExc_ValueError, "nbytes is greater than the length
of the buffer");
+ return NULL;
+ }
+
wsabuf.buf = bufobj->buf;
wsabuf.len = size;
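Review bot: The new guard compares `bufobj->len < (Py_ssize_t)size`, and the cast is the weak spot if `size` is an unsigned 32-bit `DWORD`, as its assignment to `wsabuf.len` suggests (the declaration is outside this hunk). On a build where `Py_ssize_t` is 32 bits, a `size` above `PY_SSIZE_T_MAX` would convert to a negative value, the comparison would be false, and the oversized length would still reach `wsabuf.len`. Since a `Py_buffer` length is never negative, comparing in the unsigned domain avoids this: `if ((size_t)bufobj->len < (size_t)size) {`. A short comment above the check, such as `/* nbytes comes from the caller; never let WSARecvFrom write past the buffer */`, would also record why it is there. The function body starts and ends outside the hunk.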