python/CVE-2014-1912-recvfrom_into.patch


# HG changeset patch
# User Benjamin Peterson <benjamin@python.org>
# Date 1389671978 18000
# Node ID 87673659d8f7ba1623cd4914f09ad3d2ade034e9
# Parent  2631d33ee7fbd5f0288931ef37872218d511d2e8
complain when nbytes > buflen to fix possible buffer overflow (closes #20246)

Index: Python-2.7.6/Lib/test/test_socket.py
===================================================================
--- Python-2.7.6.orig/Lib/test/test_socket.py	2013-11-10 08:36:40.000000000 +0100
+++ Python-2.7.6/Lib/test/test_socket.py	2014-02-13 18:04:12.710244327 +0100
@@ -1616,6 +1616,16 @@
 
     _testRecvFromIntoMemoryview = _testRecvFromIntoArray
 
+    def testRecvFromIntoSmallBuffer(self):
+        # See issue #20246.
+        buf = bytearray(8)
+        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+    def _testRecvFromIntoSmallBuffer(self):
+        with test_support.check_py3k_warnings():
+            buf = buffer(MSG)
+        self.serv_conn.send(buf)
+
 
 TIPC_STYPE = 2000
 TIPC_LOWER = 200
Index: Python-2.7.6/Misc/ACKS
===================================================================
--- Python-2.7.6.orig/Misc/ACKS	2013-11-10 08:36:41.000000000 +0100
+++ Python-2.7.6/Misc/ACKS	2014-02-13 18:04:12.710244327 +0100
@@ -973,6 +973,7 @@
 Christopher Smith
 Gregory P. Smith
 Roy Smith
+Ryan Smith-Roberts
 Rafal Smotrzyk
 Dirk Soede
 Paul Sokolovsky
Index: Python-2.7.6/Modules/socketmodule.c
===================================================================
--- Python-2.7.6.orig/Modules/socketmodule.c	2013-11-10 08:36:41.000000000 +0100
+++ Python-2.7.6/Modules/socketmodule.c	2014-02-13 18:04:12.711244332 +0100
@@ -2742,6 +2742,10 @@
     if (recvlen == 0) {
         /* If nbytes was not specified, use the buffer's length */
         recvlen = buflen;
+    } else if (recvlen > buflen) {
+        PyErr_SetString(PyExc_ValueError,
+                        "nbytes is greater than the length of the buffer");
+        goto error;
     }
 
     readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
- CVE-2014-1912-recvfrom_into.patch: fix potential buffer overflow in socket.recvfrom_into (CVE-2014-1912, bnc#863741) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=161 2014-02-13 16:49:05 +00:00
			`# HG changeset patch`
			`# User Benjamin Peterson <benjamin@python.org>`
			`# Date 1389671978 18000`
			`# Node ID 87673659d8f7ba1623cd4914f09ad3d2ade034e9`
			`# Parent 2631d33ee7fbd5f0288931ef37872218d511d2e8`
			`complain when nbytes > buflen to fix possible buffer overflow (closes #20246)`

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=162 2014-02-13 17:06:03 +00:00			`Index: Python-2.7.6/Lib/test/test_socket.py`
			`===================================================================`
			`--- Python-2.7.6.orig/Lib/test/test_socket.py 2013-11-10 08:36:40.000000000 +0100`
			`+++ Python-2.7.6/Lib/test/test_socket.py 2014-02-13 18:04:12.710244327 +0100`
			`@@ -1616,6 +1616,16 @@`
- CVE-2014-1912-recvfrom_into.patch: fix potential buffer overflow in socket.recvfrom_into (CVE-2014-1912, bnc#863741) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=161 2014-02-13 16:49:05 +00:00
			`_testRecvFromIntoMemoryview = _testRecvFromIntoArray`

			`+ def testRecvFromIntoSmallBuffer(self):`
			`+ # See issue #20246.`
			`+ buf = bytearray(8)`
			`+ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)`
			`+`
			`+ def _testRecvFromIntoSmallBuffer(self):`
			`+ with test_support.check_py3k_warnings():`
			`+ buf = buffer(MSG)`
			`+ self.serv_conn.send(buf)`
			`+`

			`TIPC_STYPE = 2000`
			`TIPC_LOWER = 200`
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=162 2014-02-13 17:06:03 +00:00			`Index: Python-2.7.6/Misc/ACKS`
			`===================================================================`
			`--- Python-2.7.6.orig/Misc/ACKS 2013-11-10 08:36:41.000000000 +0100`
			`+++ Python-2.7.6/Misc/ACKS 2014-02-13 18:04:12.710244327 +0100`
			`@@ -973,6 +973,7 @@`
- CVE-2014-1912-recvfrom_into.patch: fix potential buffer overflow in socket.recvfrom_into (CVE-2014-1912, bnc#863741) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=161 2014-02-13 16:49:05 +00:00			`Christopher Smith`
			`Gregory P. Smith`
			`Roy Smith`
			`+Ryan Smith-Roberts`
			`Rafal Smotrzyk`
			`Dirk Soede`
			`Paul Sokolovsky`
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=162 2014-02-13 17:06:03 +00:00			`Index: Python-2.7.6/Modules/socketmodule.c`
			`===================================================================`
			`--- Python-2.7.6.orig/Modules/socketmodule.c 2013-11-10 08:36:41.000000000 +0100`
			`+++ Python-2.7.6/Modules/socketmodule.c 2014-02-13 18:04:12.711244332 +0100`
			`@@ -2742,6 +2742,10 @@`
- CVE-2014-1912-recvfrom_into.patch: fix potential buffer overflow in socket.recvfrom_into (CVE-2014-1912, bnc#863741) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=161 2014-02-13 16:49:05 +00:00			`if (recvlen == 0) {`
			`/* If nbytes was not specified, use the buffer's length */`
			`recvlen = buflen;`
			`+ } else if (recvlen > buflen) {`
			`+ PyErr_SetString(PyExc_ValueError,`
			`+ "nbytes is greater than the length of the buffer");`
			`+ goto error;`
			`}`

			`readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);`