From 4507e6456e6170f92e14d7ecb68f2617a3b48412 Mon Sep 17 00:00:00 2001
From: Jesus Cea <jcea@jcea.es>
Date: Wed, 21 Sep 2011 03:53:25 +0200
Subject: Close #13022: _multiprocessing.recvfd() doesn't check that file
 descriptor was actually received

---
 Lib/test/test_multiprocessing.py           | 17 +++++++++++++++++
 Misc/NEWS                                  |  3 +++
 Modules/_multiprocessing/multiprocessing.c | 11 +++++++++++
 3 files changed, 31 insertions(+)

diff --git a/Lib/test/test_multiprocessing.py b/Lib/test/test_multiprocessing.py
index 5d734ed..1d84ca8 100644
--- a/Lib/test/test_multiprocessing.py
+++ b/Lib/test/test_multiprocessing.py
@@ -1632,6 +1632,23 @@ class _TestConnection(BaseTestCase):
         with open(test.support.TESTFN, "rb") as f:
             self.assertEqual(f.read(), b"bar")
 
+    @classmethod
+    def _send_data_without_fd(self, conn):
+        os.write(conn.fileno(), b"\0")
+
+    @unittest.skipIf(sys.platform == "win32", "doesn't make sense on Windows")
+    def test_missing_fd_transfer(self):
+        # Check that exception is raised when received data is not
+        # accompanied by a file descriptor in ancillary data.
+        if self.TYPE != 'processes':
+            self.skipTest("only makes sense with processes")
+        conn, child_conn = self.Pipe(duplex=True)
+
+        p = self.Process(target=self._send_data_without_fd, args=(child_conn,))
+        p.daemon = True
+        p.start()
+        self.assertRaises(RuntimeError, reduction.recv_handle, conn)
+        p.join()
 
 class _TestListenerClient(BaseTestCase):
 
diff --git a/Misc/NEWS b/Misc/NEWS
index 1d03385..6f4cb0a 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -78,6 +78,9 @@ Tests
 Extension Modules
 -----------------
  
+- Issue #13022: Fix: _multiprocessing.recvfd() doesn't check that
+  file descriptor was actually received.
+
 - Issue #12483: ctypes: Fix a crash when the destruction of a callback
   object triggers the garbage collector.
 
diff --git a/Modules/_multiprocessing/multiprocessing.c b/Modules/_multiprocessing/multiprocessing.c
index bc635da..83df1eb 100644
--- a/Modules/_multiprocessing/multiprocessing.c
+++ b/Modules/_multiprocessing/multiprocessing.c
@@ -177,6 +177,17 @@ multiprocessing_recvfd(PyObject *self, PyObject *args)
     if (res < 0)
         return PyErr_SetFromErrno(PyExc_OSError);
 
+    if (msg.msg_controllen < CMSG_LEN(sizeof(int)) ||
+        (cmsg = CMSG_FIRSTHDR(&msg)) == NULL ||
+        cmsg->cmsg_level != SOL_SOCKET ||
+        cmsg->cmsg_type != SCM_RIGHTS ||
+        cmsg->cmsg_len < CMSG_LEN(sizeof(int))) {
+        /* If at least one control message is present, there should be
+           no room for any further data in the buffer. */
+        PyErr_SetString(PyExc_RuntimeError, "No file descriptor received");
+        return NULL;
+    }
+
     fd = * (int *) CMSG_DATA(cmsg);
     return Py_BuildValue("i", fd);
 }
-- 
cgit v0.12