Anssi Saari wrote:

> Steven D'Aprano <steve+comp.lang.pyt...@pearwood.info> writes:
>
>> Here's the one-liner:
>>
>> python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
>>
>>
>> I think it is likely that y="0"*50000000 would segfault due to lack of
>> memory on many machines. I wouldn't trust this as a test.
>
> Hmm, how much RAM does that one-liner actually need? My router has 128
> MB total RAM with about 90 MB free. So it can store the string once but
> if it's copied with the gethostbyname call then it'll run out...

In Python 2, "0" is a byte (plus object header), so about 50MB give or take.
In Python 3, "0" is a unicode string, so depending on whether you have a
"narrow" or "wide" build, or version 3.3+, that could take 1, 2 or 4 bytes
per character. So potentially 50, 100 or 200MB (plus a few extra bytes for
the object header).

> Anyways, here's an example calling gethostbyname directly in python:
>
> from ctypes import CDLL
> o = CDLL('libc.so.6')
> for i in range(0, 2500):
>     o.gethostbyname('0'*i)
>
> I don't have a vulnerable system to test on any more though.

I stuck a "print i" just before the call to gethostbyname, and it got to
i = 1004 and then crashed:

*** glibc detected *** python2.7: realloc(): invalid next size: 0x08b9a7c0 ***

with a page or three of diagnostics.

--
Steve

--
https://mail.python.org/mailman/listinfo/python-list