STINNER Victor <[email protected]> added the comment:
Christian and I created a bug report at the same time :-) My message:
I found two interesting warnings on socketmodule.c in the Coverity report:
Error: BUFFER_SIZE_WARNING (CWE-120): [#def12]
Python-3.6.5/Modules/socketmodule.c:2069: buffer_size_warning: Calling strncpy
with a maximum size argument of 14 bytes on destination array "sa->salg_type"
of size 14 bytes might leave the destination string unterminated.
# 2067| return 0;
# 2068| }
# 2069|-> strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
# 2070| if (strlen(name) > sizeof(sa->salg_name)) {
# 2071| PyErr_SetString(PyExc_ValueError, "AF_ALG name too long.");
Error: BUFFER_SIZE_WARNING (CWE-120): [#def13]
Python-3.6.5/Modules/socketmodule.c:2074: buffer_size_warning: Calling strncpy
with a maximum size argument of 64 bytes on destination array "sa->salg_name"
of size 64 bytes might leave the destination string unterminated.
# 2072| return 0;
# 2073| }
# 2074|-> strncpy((char *)sa->salg_name, name, sizeof(sa->salg_name));
# 2075|
# 2076| *len_ret = sizeof(*sa);
It seems like the Linux kernel always writes a terminating NUL byte for AF_ALG:
https://elixir.bootlin.com/linux/latest/source/crypto/af_alg.c#L171
The Python code does not create a buffer overflow, it's just that the Linux
kernel will always reject names which are too long. Python should reject them
as well.
----------
nosy: +vstinner
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue35050>
_______________________________________
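
The boundary case behind the two warnings above, as an added example that is not part of the original message and not CPython's own code. `struct alg_addr`, `is_terminated`, `fill_unchecked` and `fill_checked` are hypothetical names; the struct only mirrors the 14- and 64-byte fields quoted in the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the two string fields of struct sockaddr_alg;
 * the sizes 14 and 64 are the ones quoted in the Coverity report. */
struct alg_addr {
    unsigned char salg_type[14];
    unsigned char salg_name[64];
};

/* Returns 1 if buf[0..size) holds a NUL terminator, else 0. */
static int is_terminated(const unsigned char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Flagged pattern: "> sizeof" lets a 64-byte name through, and strncpy()
 * then fills the whole field without writing a terminator. */
static int fill_unchecked(struct alg_addr *sa, const char *type, const char *name)
{
    strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
    if (strlen(name) > sizeof(sa->salg_name))
        return 0;
    strncpy((char *)sa->salg_name, name, sizeof(sa->salg_name));
    return 1;
}

/* Hardened form: reject anything that does not fit together with its NUL
 * (strlen >= sizeof), then copy length + 1 bytes so both fields terminate. */
static int fill_checked(struct alg_addr *sa, const char *type, const char *name)
{
    size_t tlen = strlen(type), nlen = strlen(name);
    if (tlen >= sizeof(sa->salg_type) || nlen >= sizeof(sa->salg_name))
        return 0;
    memset(sa, 0, sizeof(*sa));
    memcpy(sa->salg_type, type, tlen + 1);
    memcpy(sa->salg_name, name, nlen + 1);
    return 1;
}

int main(void)
{
    struct alg_addr sa;
    char name64[65];                 /* constructed sample: 64 'a' bytes */
    memset(name64, 'a', 64);
    name64[64] = '\0';
    int ok = fill_unchecked(&sa, "hash", name64);
    printf("unchecked: accepted=%d terminated=%d\n", ok,
           is_terminated(sa.salg_name, sizeof(sa.salg_name)));
    printf("checked:   accepted=%d\n", fill_checked(&sa, "hash", name64));
    return 0;
}
```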