commit 1a7b62d5571b3742e706d247dfe6509f68f1409d
author Victor Stinner <vstinner@redhat.com> Mon Dec 10 12:13:01 2018 +0100
committer GitHub <noreply@github.com> Mon Dec 10 12:13:01 2018 +0100
tree dccc6927ab20b00f789c07eba42185c74535e227
parent c3cc75134d41c6d436c21d3d315dc069b4826432

bpo-35050: AF_ALG length check off-by-one error (GH-10058) (GH-11069)

The length check for AF_ALG salg_name and salg_type had a off-by-one
error. The code assumed that both values are not necessarily NULL
terminated. However the Kernel code for alg_bind() ensures that the last
byte of both strings are NULL terminated.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 2eb6ad8578fa9d764c21a92acd8e054e3202ad19)

Modules/socketmodule.c

diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
index ddb1c43..53bf996 100644
--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -2157,14 +2157,18 @@
 
         if (!PyArg_ParseTuple(args, "ss|HH:getsockaddrarg",
                                 &type, &name, &sa->salg_feat, &sa->salg_mask))
+        {
             return 0;
-        /* sockaddr_alg has fixed-sized char arrays for type and name */
-        if (strlen(type) > sizeof(sa->salg_type)) {
+        }
+        /* sockaddr_alg has fixed-sized char arrays for type, and name
+         * both must be NULL terminated.
+         */
+        if (strlen(type) >= sizeof(sa->salg_type)) {
             PyErr_SetString(PyExc_ValueError, "AF_ALG type too long.");
             return 0;
         }
         strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
-        if (strlen(name) > sizeof(sa->salg_name)) {
+        if (strlen(name) >= sizeof(sa->salg_name)) {
             PyErr_SetString(PyExc_ValueError, "AF_ALG name too long.");
             return 0;
         }