From c6b37e21f513e056b06013a432be715937a27861 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson <benjamin@python.org>
Date: Mon, 13 Jan 2014 23:14:42 -0500
Subject: merge 3.3 (#20246)

---
 Lib/test/test_socket.py | 8 ++++++++
 Misc/ACKS               | 1 +
 Misc/NEWS               | 2 ++
 Modules/socketmodule.c  | 5 +++++
 4 files changed, 16 insertions(+)

diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
index bf42432..cce412a 100644
--- a/Lib/test/test_socket.py
+++ b/Lib/test/test_socket.py
@@ -4683,6 +4683,14 @@ class BufferIOTest(SocketConnectedTest):
 
     _testRecvFromIntoMemoryview = _testRecvFromIntoArray
 
+    def testRecvFromIntoSmallBuffer(self):
+        # See issue #20246.
+        buf = bytearray(8)
+        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
+
+    def _testRecvFromIntoSmallBuffer(self):
+        self.serv_conn.send(MSG*2048)
+
 
 TIPC_STYPE = 2000
 TIPC_LOWER = 200
diff --git a/Misc/ACKS b/Misc/ACKS
index ed5afe7..e2f990e 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1218,6 +1218,7 @@ Eric V. Smith
 Gregory P. Smith
 Mark Smith
 Roy Smith
+Ryan Smith-Roberts
 Rafal Smotrzyk
 Eric Snow
 Dirk Soede
diff --git a/Misc/NEWS b/Misc/NEWS
index a6c5090..6c8cacd 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -28,6 +28,8 @@ Library
 - Issue #20242: Fixed basicConfig() format strings for the alternative
   formatting styles. Thanks to kespindler for the bug report and patch.
 
+- Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
 - Issues #20206 and #5803: Fix edge case in email.quoprimime.encode where it
   truncated lines ending in a character needing encoding but no newline by
   using a more efficient algorithm that doesn't have the bug.
diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
index 6c229bc..9cc317f 100644
--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -2875,6 +2875,11 @@ sock_recvfrom_into(PySocketSockObject *s, PyObject *args, PyObject* kwds)
     if (recvlen == 0) {
         /* If nbytes was not specified, use the buffer's length */
         recvlen = buflen;
+    } else if (recvlen > buflen) {
+        PyBuffer_Release(&pbuf);
+        PyErr_SetString(PyExc_ValueError,
+                        "nbytes is greater than the length of the buffer");
+        return NULL;
     }
 
     readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
-- 
cgit v0.12