SF bug/patch #1433877: string parameter to ioctl not null terminated
The new char-array used in ioctl calls wasn't explicitly NUL-terminated;
quite probably the cause for the test_pty failures on Solaris that we
circumvented earlier. (I wasn't able to reproduce it with this patch, but it
has been somewhat elusive to start with.)
diff --git a/Modules/fcntlmodule.c b/Modules/fcntlmodule.c
index a368494..477af06 100644
--- a/Modules/fcntlmodule.c
+++ b/Modules/fcntlmodule.c
@@ -95,6 +95,7 @@
static PyObject *
fcntl_ioctl(PyObject *self, PyObject *args)
{
+#define IOCTL_BUFSZ 1024
int fd;
/* In PyArg_ParseTuple below, use the unsigned int 'I' format for
the signed int 'code' variable, because Python turns 0x8000000
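Review bot: `IOCTL_BUFSZ` is introduced as a `#define` inside the body of fcntl_ioctl and cancelled with a matching `#undef` at the end of the function, so its scope is enforced only by convention, it is invisible to a debugger, and the `#undef` is one more thing to keep in sync if the function is ever split. A file-scope `enum { IOCTL_BUFSZ = 1024 };` next to the other file-level declarations would give the same constant with real scoping and no `#undef`, and it also keeps the relationship to the array visible where `sizeof buf` was dropped in favour of the constant. The body of fcntl_ioctl continues past this hunk.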
@@ -106,7 +107,7 @@
char *str;
Py_ssize_t len;
int mutate_arg = 1;
- char buf[1024];
+ char buf[IOCTL_BUFSZ+1]; /* argument plus NUL byte */
if (PyArg_ParseTuple(args, "O&Iw#|i:ioctl",
conv_descriptor, &fd, &code,
@@ -114,8 +115,9 @@
char *arg;
if (mutate_arg) {
- if (len <= sizeof buf) {
+ if (len <= IOCTL_BUFSZ) {
memcpy(buf, str, len);
+ buf[len] = '\0';
arg = buf;
}
else {
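Review bot: The terminator written at `buf[len] = '\0';` only covers mutable arguments that fit in `buf`; the `else` branch opened on the last line of this hunk is outside the hunk, and if it still hands the caller's writable buffer to ioctl unchanged for `len > IOCTL_BUFSZ` (as the pre-patch code presumably did for `len > sizeof buf`), that path continues to pass an unterminated argument, so the commit message's "explicitly NUL-terminated" does not hold for every call. That asymmetry deserves a comment at the `else`, e.g. `/* larger than buf: the caller's buffer is passed as-is and no NUL terminator is appended */`, so the next reader does not assume termination is universal. fcntl_ioctl starts and ends outside this hunk.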
@@ -123,13 +125,14 @@
}
}
else {
- if (len > sizeof buf) {
+ if (len > IOCTL_BUFSZ) {
PyErr_SetString(PyExc_ValueError,
"ioctl string arg too long");
return NULL;
}
else {
memcpy(buf, str, len);
+ buf[len] = '\0';
arg = buf;
}
}
@@ -141,7 +144,7 @@
else {
ret = ioctl(fd, code, arg);
}
- if (mutate_arg && (len < sizeof buf)) {
+ if (mutate_arg && (len < IOCTL_BUFSZ)) {
memcpy(str, buf, len);
}
if (ret < 0) {
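Review bot: The copy-back guard `len < IOCTL_BUFSZ` is off by one against the copy-in guard `len <= IOCTL_BUFSZ` in the earlier hunk: an argument of exactly 1024 bytes is copied into `buf` and the ioctl operates on `buf`, but the kernel's output is never copied back, so a mutable argument of that length silently comes back unmodified. The old code had the same mismatch between `<= sizeof buf` and `< sizeof buf`, so the commit carries the bug forward rather than introducing it, but now that both bounds use the same named constant the discrepancy is easy to fix: `if (mutate_arg && (len <= IOCTL_BUFSZ)) {`. The enclosing function continues outside the hunk.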
@@ -159,12 +162,13 @@
PyErr_Clear();
if (PyArg_ParseTuple(args, "O&Is#:ioctl",
conv_descriptor, &fd, &code, &str, &len)) {
- if (len > sizeof buf) {
+ if (len > IOCTL_BUFSZ) {
PyErr_SetString(PyExc_ValueError,
"ioctl string arg too long");
return NULL;
}
memcpy(buf, str, len);
+ buf[len] = '\0';
Py_BEGIN_ALLOW_THREADS
ret = ioctl(fd, code, buf);
Py_END_ALLOW_THREADS
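Review bot: The immutable-string fallback copies the argument into the local `buf`, appends the terminator and runs the ioctl on `buf`, and nothing in this hunk copies the result back; if that is the intent (the argument came in via `s#` and must not be modified), a one-line comment would save the next reader from hunting for a missing copy-back, e.g. `/* immutable argument: whatever the kernel writes into buf is discarded */`. If a copy-back does exist below the hunk, the comment should say so instead. The enclosing function extends beyond this hunk.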
@@ -195,6 +199,7 @@
return NULL;
}
return PyInt_FromLong((long)ret);
+#undef IOCTL_BUFSZ
}
PyDoc_STRVAR(ioctl_doc,