asyncio: Possible missing typecheck in overlapped.c

[JelleZijlstra]

I don't have a Windows machine to check, but I noticed while reading code that the _overlapped.WSAConnect() function calls PyTuple_GET_SIZE on its argument without checking that it is actually a tuple (

cpython/Modules/overlapped.c

Line 1358 in 3e07f82

switch (PyTuple_GET_SIZE(obj)) {

).

The following code should reproduce the problem and access out-of-bounds memory:

import asyncio.windows_events
import socket
ip = asyncio.windows_events.IocpProactor()
sock = socket.socket(type=socket.SOCK_DGRAM)
ip.connect(sock, None)

• PR: [3.11] gh-98793: Fix typecheck in overlapped.c (GH-98835) #98889

• PR: [3.10] gh-98793: Fix typecheck in overlapped.c (GH-98835) #98890

[serhiy-storchaka]

It is checked in _overlapped.Overlapped.ConnectEx, but not in _overlapped.WSAConnect and _overlapped.Overlapped.WSASendTo.

[Fidget-Spinner]

I can confirm on Windows debug build that this gives me:
Assertion failed: PyTuple_Check(op), file D:\Ken\Documents\GitHub\cpython\Include\cpython\tupleobject.h, line 23
So there needs to be a type check somewhere.

[serhiy-storchaka]

I have marked it as "easy" because the fix is trivial -- just use corresponding Argument Clinic declaration in other methods as in _overlapped.Overlapped.ConnectEx. The nontrivial part is writing tests for both of affected functions. It needs an access to Windows and some time, so I left it to other contributors.

[CharlieZhao95]

I'm trying to create a PR for this issue and it won't take long :)

[hauntsaninja]

Thanks, looks like this has been completed!