complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
index 4a60be3..c7ad121 100644
--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
@@ -1620,6 +1620,16 @@
_testRecvFromIntoMemoryview = _testRecvFromIntoArray
+ def testRecvFromIntoSmallBuffer(self):
+ # See issue #20246.
+ buf = bytearray(8)
+ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+ def _testRecvFromIntoSmallBuffer(self):
+ with test_support.check_py3k_warnings():
+ buf = buffer(MSG*2048)
+ self.serv_conn.send(buf)
+
TIPC_STYPE = 2000
TIPC_LOWER = 200
diff --git a/Misc/ACKS b/Misc/ACKS
index 2ea2322..2d778a4 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -979,6 +979,7 @@
Christopher Smith
Gregory P. Smith
Roy Smith
+Ryan Smith-Roberts
Rafal Smotrzyk
Dirk Soede
Paul Sokolovsky
diff --git a/Misc/NEWS b/Misc/NEWS
index 6eee65c..17e61fd 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -35,6 +35,8 @@
Library
-------
+- Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
- Issue #19082: Working SimpleXMLRPCServer and xmlrpclib examples, both in
modules and documentation.
diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
index 2735ecc..27df333 100644
--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -2742,6 +2742,10 @@
if (recvlen == 0) {
/* If nbytes was not specified, use the buffer's length */
recvlen = buflen;
+ } else if (recvlen > buflen) {
+ PyErr_SetString(PyExc_ValueError,
+ "nbytes is greater than the length of the buffer");
+ goto error;
}
readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);