Andrey Wagin added the comment:

sendto(4, "asdfasdfsadfasdfsdfsadfsdfasdfsd"..., 42, 0, NULL, 0) = 42
recvfrom(3, "a\0n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\2\0\0\0"..., 1, MSG_TRUNC, NULL, NULL) = 42

I think the exit code is interpreted incorrectly. In this case it isn't equal to the number of bytes received. Then Python copies this number of bytes from the buffer with the smaller size, so it may access memory which is not allocated or is allocated by someone else.

Valgrind detects this type of error:
[avagin@localhost ~]$ cat sock.py 
import socket, os, sys

sks = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
pid = os.fork()
if pid == 0:
        sks[1].send("\0" * 4096)
        sys.exit(0)
sk = sks[0]
print sk.recv(1, socket.MSG_TRUNC )

[avagin@localhost ~]$ valgrind python sock.py
==25511== Memcheck, a memory error detector
==25511== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25511== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==25511== Command: python sock.py
==25511== 
==25511== Syscall param write(buf) points to uninitialised byte(s)
==25511==    at 0x320B4F0940: __write_nocancel (in /usr/lib64/libc-2.20.so)
==25511==    by 0x320B478D2C: _IO_file_write@@GLIBC_2.2.5 (in /usr/lib64/libc-2.20.so)
==25511==    by 0x320B4794EE: _IO_file_xsputn@@GLIBC_2.2.5 (in /usr/lib64/libc-2.20.so)
==25511==    by 0x320B46EE68: fwrite (in /usr/lib64/libc-2.20.so)
==25511==    by 0x369CC90210: ??? (in /usr/lib64/libpython2.7.so.1.0)
==25511==    by 0x369CC85EAE: ??? (in /usr/lib64/libpython2.7.so.1.0)
==25511==    by 0x369CC681AB: PyFile_WriteObject (in /usr/lib64/libpython2.7.so.1.0)
==25511==    by 0x369CCE08F9: PyEval_EvalFrameEx (in /usr/lib64/libpython2.7.so.1.0)
==25511==    by 0x369CCE340F: PyEval_EvalCodeEx (in /usr/lib64/libpython2.7.so.1.0)
==25511==    by 0x369CCE3508: PyEval_EvalCode (in /usr/lib64/libpython2.7.so.1.0)
==25511==    by 0x369CCFC91E: ??? (in /usr/lib64/libpython2.7.so.1.0)
==25511==    by 0x369CCFDB41: PyRun_FileExFlags (in /usr/lib64/libpython2.7.so.1.0)

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24933>
_______________________________________
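
An added example, not part of the original message and not CPython's own code: a caller-side way to use MSG_TRUNC on a datagram socket without trusting the returned length as the number of bytes copied. It assumes Linux semantics for MSG_TRUNC on AF_UNIX datagram sockets, as in the strace output above; the function names are hypothetical.

```python
import socket


def recv_datagram(sock, capacity):
    """Receive one datagram into a caller-owned buffer of `capacity` bytes.

    Returns (data, reported_len, truncated). With MSG_TRUNC the kernel
    returns the datagram's real length, which can exceed `capacity`, so the
    value is clamped before it is used to slice the buffer.
    """
    buf = bytearray(capacity)
    # recv_into() lets the kernel write at most `capacity` bytes into buf.
    reported = sock.recv_into(buf, capacity, socket.MSG_TRUNC)
    copied = min(reported, capacity)
    return bytes(buf[:copied]), reported, reported > capacity


def peek_then_recv(sock):
    """Learn the pending datagram's size first, then read all of it."""
    probe = bytearray(1)
    # MSG_PEEK leaves the datagram queued; MSG_TRUNC reports its full length.
    size = sock.recv_into(probe, 1, socket.MSG_PEEK | socket.MSG_TRUNC)
    # No MSG_TRUNC on the real read, so the return value never exceeds the
    # buffer. max(size, 1) makes sure a zero-length datagram is consumed.
    return sock.recv(max(size, 1))


def demo():
    """Constructed sample traffic over a local socketpair (no fork needed)."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    with a, b:
        b.send(b"A" * 42)      # same length as the sendto() in the strace
        first = recv_datagram(a, 1)
        b.send(b"B" * 4096)    # same length as the reproducer's datagram
        second = peek_then_recv(a)
    return first, second


if __name__ == "__main__":
    (data, reported, truncated), full = demo()
    print(data, reported, truncated, len(full))
```
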