PublicArchive/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2026-05-06 04:37:33 -04:00
Code Issues Packages Projects Releases Wiki Activity

gh-148808: Add boundary check to asyncio.AbstractEventLoop.sock_recvf… (#148809)

Browse Source
This commit is contained in:
Seth Larson
2026-04-21 09:29:07 -05:00
committed by GitHub
parent d206d42834
commit 1274766d3c
3 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Lib/test/test_asyncio/test_sock_lowlevel.py
+21
View File
@@ -427,6 +427,27 @@ class BaseSockTestsMixin:
self.loop.run_until_complete(
self._basetest_datagram_recvfrom_into(server_address))
async def _basetest_datagram_recvfrom_into_wrong_size(self, server_address):
# Call sock_sendto() with a size larger than the buffer
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
sock.setblocking(False)
buf = bytearray(5000)
data = b'\x01' * 4096
wrong_size = len(buf) + 1
await self.loop.sock_sendto(sock, data, server_address)
with self.assertRaises(ValueError):
await self.loop.sock_recvfrom_into(
sock, buf, wrong_size)
size, addr = await self.loop.sock_recvfrom_into(sock, buf)
self.assertEqual(buf[:size], data)
def test_recvfrom_into_wrong_size(self):
with test_utils.run_udp_echo_server() as server_address:
self.loop.run_until_complete(
self._basetest_datagram_recvfrom_into_wrong_size(server_address))
async def _basetest_datagram_sendto_blocking(self, server_address):
# Sad path, sock.sendto() raises BlockingIOError
# This involves patching sock.sendto() to raise BlockingIOError but
Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst
+3
View File
@@ -0,0 +1,3 @@
Added buffer boundary check when using ``nbytes`` parameter with
:meth:`!asyncio.AbstractEventLoop.sock_recvfrom_into`. Only
relevant for Windows and the :class:`asyncio.ProactorEventLoop`.
Modules/overlapped.c
+5
View File
@@ -1910,6 +1910,11 @@ _overlapped_Overlapped_WSARecvFromInto_impl(OverlappedObject *self,
}
#endif
if (bufobj->len < (Py_ssize_t)size) {
PyErr_SetString(PyExc_ValueError, "nbytes is greater than the length of the buffer");
return NULL;
}
wsabuf.buf = bufobj->buf;
wsabuf.len = size;