complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
index 4ecab95..290c4dd 100644
--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
@@ -1968,6 +1968,14 @@
_testRecvFromIntoMemoryview = _testRecvFromIntoArray
+ def testRecvFromIntoSmallBuffer(self):
+ # See issue #20246.
+ buf = bytearray(8)
+ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+ def _testRecvFromIntoSmallBuffer(self):
+ self.serv_conn.send(MSG*2048)
+
TIPC_STYPE = 2000
TIPC_LOWER = 200
diff --git a/Misc/ACKS b/Misc/ACKS
index 6ea3f78..5236e10 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1020,6 +1020,7 @@
Christopher Smith
Gregory P. Smith
Roy Smith
+Ryan Smith-Roberts
Rafal Smotrzyk
Dirk Soede
Paul Sokolovsky
diff --git a/Misc/NEWS b/Misc/NEWS
index 430bec2..693a0c8 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@
Library
-------
+- Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
- Issue #12226: HTTPS is now used by default when connecting to PyPI.
- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
index e027625..903e10c 100644
--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -2598,6 +2598,11 @@
if (recvlen == 0) {
/* If nbytes was not specified, use the buffer's length */
recvlen = buflen;
+ } else if (recvlen > buflen) {
+ PyBuffer_Release(&pbuf);
+ PyErr_SetString(PyExc_ValueError,
+ "nbytes is greater than the length of the buffer");
+ return NULL;
}
readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);