-
-
Notifications
You must be signed in to change notification settings - Fork 31.6k
Off-by-one bug in AF_ALG #79231
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
The error checking code for salg_name and salg_type have an off-by-one bug. It should check that both strings are NUL terminated strings. It's not a security bug, because the Linux kernel ensures that the last byte is a NULL byte. |
Christian and me created a bug report at the same time :-) My message: I found two interesting warnings on socketmodule.c in the Coverity report: Error: BUFFER_SIZE_WARNING (CWE-120): [#def12] Error: BUFFER_SIZE_WARNING (CWE-120): [#def13] It seems like the Linux kernel always write a terminating NUL byte for AF_ALG: The Python code does not create buffer overflow, it's just that the Linux kernel will always reject names which are too long. Python should reject them as well. |
The Kernel doesn't have a direct length restriction. It just ensures that type and name are NULL terminated. Other code inside the Kernel rejects unknown type and name values. |
The error checking code for salg_name and salg_type have an off-by-one bug. Must check that both strings are NUL terminated strings. |
Thanks for the fix Christian! Note: Python 2 is not affected, it doesn't support AF_ALG. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: