Close #13022: _multiprocessing.recvfd() doesn't check that file descriptor was actually received

commit: c23484b21f8b62ec7c62a6e2253cf5f656e2ef06 [log] [tgz]
author: Jesus Cea <jcea@jcea.es> Wed Sep 21 03:47:39 2011 +0200
committer: Jesus Cea <jcea@jcea.es> Wed Sep 21 03:47:39 2011 +0200
tree: 6ae29d5fec5ac44b18f218c9de2da19ad4b2d24d
parent: 4ac5d2cda495b90c7990f9e231553fa2dca9854f [diff] [blame]
diff --git a/Modules/_multiprocessing/multiprocessing.c b/Modules/_multiprocessing/multiprocessing.c
index 7582664..31a8da8 100644
--- a/Modules/_multiprocessing/multiprocessing.c
+++ b/Modules/_multiprocessing/multiprocessing.c

@@ -177,6 +177,17 @@
     if (res < 0)
         return PyErr_SetFromErrno(PyExc_OSError);
 
+    if (msg.msg_controllen < CMSG_LEN(sizeof(int)) ||
+        (cmsg = CMSG_FIRSTHDR(&msg)) == NULL ||
+        cmsg->cmsg_level != SOL_SOCKET ||
+        cmsg->cmsg_type != SCM_RIGHTS ||
+        cmsg->cmsg_len < CMSG_LEN(sizeof(int))) {
+        /* If at least one control message is present, there should be
+           no room for any further data in the buffer. */
+        PyErr_SetString(PyExc_RuntimeError, "No file descriptor received");
+        return NULL;
+    }
+
     fd = * (int *) CMSG_DATA(cmsg);
     return Py_BuildValue("i", fd);
 }
commit	c23484b21f8b62ec7c62a6e2253cf5f656e2ef06	[log] [tgz]
author	Jesus Cea <jcea@jcea.es>	Wed Sep 21 03:47:39 2011 +0200
committer	Jesus Cea <jcea@jcea.es>	Wed Sep 21 03:47:39 2011 +0200
tree	6ae29d5fec5ac44b18f218c9de2da19ad4b2d24d
parent	4ac5d2cda495b90c7990f9e231553fa2dca9854f [diff] [blame]