diff options
| author | Victor Stinner <victor.stinner@gmail.com> | 2013-06-23 13:08:23 (GMT) |
|---|---|---|
| committer | Victor Stinner <victor.stinner@gmail.com> | 2013-06-23 13:08:23 (GMT) |
| commit | 9ee0203057e7a566e562233e2c48e0c752ecc989 (patch) | |
| tree | ca755c229f4cd9f231ef0d6d10b3130a4b89ca14 | |
| parent | 4569cd5eab5092c4508e6d0471eb9f535e71193a (diff) | |
| download | cpython-9ee0203057e7a566e562233e2c48e0c752ecc989.zip cpython-9ee0203057e7a566e562233e2c48e0c752ecc989.tar.gz cpython-9ee0203057e7a566e562233e2c48e0c752ecc989.tar.bz2 | |
Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write()
and in ssl.SSLContext.load_cert_chain() for strings and passwords longer
than 2 gigabytes.
| -rw-r--r-- | Misc/NEWS | 4 | ||||
| -rw-r--r-- | Modules/_ssl.c | 16 |
2 files changed, 15 insertions, 5 deletions
@@ -35,6 +35,10 @@ Core and Builtins Library ------- +- Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write() + and in ssl.SSLContext.load_cert_chain() for strings and passwords longer than + 2 gigabytes. + - Issue #18248: Fix libffi build on AIX. - Issue #18259: Declare sethostname in socketmodule.c for AIX diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 79d2f71..ebd84d5 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1284,8 +1284,9 @@ static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args) goto error; } do { + len = (int)Py_MIN(buf.len, INT_MAX); PySSL_BEGIN_ALLOW_THREADS - len = SSL_write(self->ssl, buf.buf, buf.len); + len = SSL_write(self->ssl, buf.buf, len); err = SSL_get_error(self->ssl, len); PySSL_END_ALLOW_THREADS if (PyErr_CheckSignals()) { @@ -1576,7 +1577,7 @@ PySSL_tls_unique_cb(PySSLSocket *self) { PyObject *retval = NULL; char buf[PySSL_CB_MAXLEN]; - int len; + size_t len; if (SSL_session_reused(self->ssl) ^ !self->socket_type) { /* if session is resumed XOR we are the client */ @@ -1588,7 +1589,6 @@ PySSL_tls_unique_cb(PySSLSocket *self) } /* It cannot be negative in current OpenSSL version as of July 2011 */ - assert(len >= 0); if (len == 0) Py_RETURN_NONE; @@ -1915,7 +1915,7 @@ typedef struct { PyThreadState *thread_state; PyObject *callable; char *password; - Py_ssize_t size; + int size; int error; } _PySSLPasswordInfo; @@ -1949,6 +1949,12 @@ _pwinfo_set(_PySSLPasswordInfo *pw_info, PyObject* password, goto error; } + if (size > (Py_ssize_t)INT_MAX) { + PyErr_Format(PyExc_ValueError, + "password cannot be longer than %d bytes", INT_MAX); + goto error; + } + free(pw_info->password); pw_info->password = malloc(size); if (!pw_info->password) { @@ -1957,7 +1963,7 @@ _pwinfo_set(_PySSLPasswordInfo *pw_info, PyObject* password, goto error; } memcpy(pw_info->password, data, size); - pw_info->size = size; + pw_info->size = (int)size; Py_XDECREF(password_bytes); return 1; |