Close #13022: _multiprocessing.recvfd() doesn't check that file descriptor was actually received

author: Jesus Cea <jcea@jcea.es> 2011-09-21 01:53:25 (GMT)
committer: Jesus Cea <jcea@jcea.es> 2011-09-21 01:53:25 (GMT)
commit: 4507e6456e6170f92e14d7ecb68f2617a3b48412 (patch)
tree: 1bcd9a9cc702bf911d39fd3df5168b2837eb534b /Modules/_multiprocessing
parent: d0b10a64351069aa9246d40cb8bd207cc9209cee (diff)
download: cpython-4507e6456e6170f92e14d7ecb68f2617a3b48412.zip
cpython-4507e6456e6170f92e14d7ecb68f2617a3b48412.tar.gz
cpython-4507e6456e6170f92e14d7ecb68f2617a3b48412.tar.bz2
1 files changed, 11 insertions, 0 deletions
diff --git a/Modules/_multiprocessing/multiprocessing.c b/Modules/_multiprocessing/multiprocessing.c
index bc635da..83df1eb 100644
--- a/Modules/_multiprocessing/multiprocessing.c
+++ b/Modules/_multiprocessing/multiprocessing.c
@@ -177,6 +177,17 @@ multiprocessing_recvfd(PyObject *self, PyObject *args)
     if (res < 0)
         return PyErr_SetFromErrno(PyExc_OSError);
 
+    if (msg.msg_controllen < CMSG_LEN(sizeof(int)) ||
+        (cmsg = CMSG_FIRSTHDR(&msg)) == NULL ||
+        cmsg->cmsg_level != SOL_SOCKET ||
+        cmsg->cmsg_type != SCM_RIGHTS ||
+        cmsg->cmsg_len < CMSG_LEN(sizeof(int))) {
+        /* If at least one control message is present, there should be
+           no room for any further data in the buffer. */
+        PyErr_SetString(PyExc_RuntimeError, "No file descriptor received");
+        return NULL;
+    }
+
     fd = * (int *) CMSG_DATA(cmsg);
     return Py_BuildValue("i", fd);
 }
author	Jesus Cea <jcea@jcea.es>	2011-09-21 01:53:25 (GMT)
committer	Jesus Cea <jcea@jcea.es>	2011-09-21 01:53:25 (GMT)
commit	4507e6456e6170f92e14d7ecb68f2617a3b48412 (patch)
tree	1bcd9a9cc702bf911d39fd3df5168b2837eb534b /Modules/_multiprocessing
parent	d0b10a64351069aa9246d40cb8bd207cc9209cee (diff)
download	cpython-4507e6456e6170f92e14d7ecb68f2617a3b48412.zip cpython-4507e6456e6170f92e14d7ecb68f2617a3b48412.tar.gz cpython-4507e6456e6170f92e14d7ecb68f2617a3b48412.tar.bz2