From 4569cd5eab5092c4508e6d0471eb9f535e71193a Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Sun, 23 Jun 2013 14:58:43 +0200 Subject: _ssl.c: strip trailing spaces --- Modules/_ssl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Modules/_ssl.c b/Modules/_ssl.c index abb48b9..79d2f71 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1136,7 +1136,7 @@ static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) { const unsigned char *out; unsigned int outlen; - SSL_get0_next_proto_negotiated(self->ssl, + SSL_get0_next_proto_negotiated(self->ssl, &out, &outlen); if (out == NULL) @@ -1763,8 +1763,8 @@ set_ciphers(PySSLContext *self, PyObject *args) #ifdef OPENSSL_NPN_NEGOTIATED /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */ static int -_advertiseNPN_cb(SSL *s, - const unsigned char **data, unsigned int *len, +_advertiseNPN_cb(SSL *s, + const unsigned char **data, unsigned int *len, void *args) { PySSLContext *ssl_ctx = (PySSLContext *) args; @@ -1781,7 +1781,7 @@ _advertiseNPN_cb(SSL *s, } /* this callback gets passed to SSL_CTX_set_next_proto_select_cb */ static int -_selectNPN_cb(SSL *s, +_selectNPN_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, void *args) @@ -2848,7 +2848,7 @@ PyInit__ssl(void) } if (PyModule_AddObject(m, "lib_codes_to_names", lib_codes_to_names)) return NULL; - + /* OpenSSL version */ /* SSLeay() gives us the version of the library linked against, which could be different from the headers version. -- cgit v0.12 From 9ee0203057e7a566e562233e2c48e0c752ecc989 Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Sun, 23 Jun 2013 15:08:23 +0200 Subject: Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write() and in ssl.SSLContext.load_cert_chain() for strings and passwords longer than 2 gigabytes. --- Misc/NEWS | 4 ++++ Modules/_ssl.c | 16 +++++++++++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index 04b5e41..95b1716 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -35,6 +35,10 @@ Core and Builtins Library ------- +- Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write() + and in ssl.SSLContext.load_cert_chain() for strings and passwords longer than + 2 gigabytes. + - Issue #18248: Fix libffi build on AIX. - Issue #18259: Declare sethostname in socketmodule.c for AIX diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 79d2f71..ebd84d5 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1284,8 +1284,9 @@ static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args) goto error; } do { + len = (int)Py_MIN(buf.len, INT_MAX); PySSL_BEGIN_ALLOW_THREADS - len = SSL_write(self->ssl, buf.buf, buf.len); + len = SSL_write(self->ssl, buf.buf, len); err = SSL_get_error(self->ssl, len); PySSL_END_ALLOW_THREADS if (PyErr_CheckSignals()) { @@ -1576,7 +1577,7 @@ PySSL_tls_unique_cb(PySSLSocket *self) { PyObject *retval = NULL; char buf[PySSL_CB_MAXLEN]; - int len; + size_t len; if (SSL_session_reused(self->ssl) ^ !self->socket_type) { /* if session is resumed XOR we are the client */ @@ -1588,7 +1589,6 @@ PySSL_tls_unique_cb(PySSLSocket *self) } /* It cannot be negative in current OpenSSL version as of July 2011 */ - assert(len >= 0); if (len == 0) Py_RETURN_NONE; @@ -1915,7 +1915,7 @@ typedef struct { PyThreadState *thread_state; PyObject *callable; char *password; - Py_ssize_t size; + int size; int error; } _PySSLPasswordInfo; @@ -1949,6 +1949,12 @@ _pwinfo_set(_PySSLPasswordInfo *pw_info, PyObject* password, goto error; } + if (size > (Py_ssize_t)INT_MAX) { + PyErr_Format(PyExc_ValueError, + "password cannot be longer than %d bytes", INT_MAX); + goto error; + } + free(pw_info->password); pw_info->password = malloc(size); if (!pw_info->password) { @@ -1957,7 +1963,7 @@ _pwinfo_set(_PySSLPasswordInfo *pw_info, PyObject* password, goto error; } memcpy(pw_info->password, data, size); - pw_info->size = size; + pw_info->size = (int)size; Py_XDECREF(password_bytes); return 1; -- cgit v0.12