Skip to content
Permalink
Browse files

bpo-35050: AF_ALG length check off-by-one error (GH-10058) (GH-11069)

The length check for AF_ALG salg_name and salg_type had a off-by-one
error. The code assumed that both values are not necessarily NULL
terminated. However the Kernel code for alg_bind() ensures that the last
byte of both strings are NULL terminated.

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 2eb6ad8)
  • Loading branch information
vstinner committed Dec 10, 2018
1 parent c3cc751 commit 1a7b62d5571b3742e706d247dfe6509f68f1409d
@@ -5944,6 +5944,24 @@ def test_sendmsg_afalg_args(self):
with self.assertRaises(TypeError):
sock.sendmsg_afalg(op=socket.ALG_OP_ENCRYPT, assoclen=-1)

def test_length_restriction(self):
# bpo-35050, off-by-one error in length check
sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
self.addCleanup(sock.close)

# salg_type[14]
with self.assertRaises(FileNotFoundError):
sock.bind(("t" * 13, "name"))
with self.assertRaisesRegex(ValueError, "type too long"):
sock.bind(("t" * 14, "name"))

# salg_name[64]
with self.assertRaises(FileNotFoundError):
sock.bind(("type", "n" * 63))
with self.assertRaisesRegex(ValueError, "name too long"):
sock.bind(("type", "n" * 64))


@unittest.skipUnless(sys.platform.startswith("win"), "requires Windows")
class TestMSWindowsTCPFlags(unittest.TestCase):
knownTCPFlags = {
@@ -0,0 +1 @@
:mod:`socket`: Fix off-by-one bug in length check for ``AF_ALG`` name and type.
@@ -2157,14 +2157,18 @@ getsockaddrarg(PySocketSockObject *s, PyObject *args,

if (!PyArg_ParseTuple(args, "ss|HH:getsockaddrarg",
&type, &name, &sa->salg_feat, &sa->salg_mask))
{
return 0;
/* sockaddr_alg has fixed-sized char arrays for type and name */
if (strlen(type) > sizeof(sa->salg_type)) {
}
/* sockaddr_alg has fixed-sized char arrays for type, and name
* both must be NULL terminated.
*/
if (strlen(type) >= sizeof(sa->salg_type)) {
PyErr_SetString(PyExc_ValueError, "AF_ALG type too long.");
return 0;
}
strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
if (strlen(name) > sizeof(sa->salg_name)) {
if (strlen(name) >= sizeof(sa->salg_name)) {
PyErr_SetString(PyExc_ValueError, "AF_ALG name too long.");
return 0;
}

0 comments on commit 1a7b62d

Please sign in to comment.
You can’t perform that action at this time.