mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-11-03 19:34:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

(Merge 3.3) Issue #18135: Fix a possible integer overflow in

Browse source 
ssl.SSLSocket.write() and in ssl.SSLContext.load_cert_chain() for strings and
passwords longer than 2 gigabytes.
This commit is contained in:
Victor Stinner 2013-06-23 15:09:26 +02:00
commit 8cfd67cfe7
2 changed files with 20 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Misc/NEWS
View file

@ -126,6 +126,10 @@ Core and Builtins
Library Library
------- -------
- Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write()
and in ssl.SSLContext.load_cert_chain() for strings and passwords longer than
2 gigabytes.
- Issue #11016: Add C implementation of the stat module as _stat. - Issue #11016: Add C implementation of the stat module as _stat.
- Issue #18248: Fix libffi build on AIX. - Issue #18248: Fix libffi build on AIX.

16
Modules/_ssl.c
View file

@ -1358,8 +1358,9 @@ static PyObject *PySSL_SSLwrite(PySSLSocket *self, PyObject *args)
goto error; goto error;
} }
do { do {
len = (int)Py_MIN(buf.len, INT_MAX);
PySSL_BEGIN_ALLOW_THREADS PySSL_BEGIN_ALLOW_THREADS
len = SSL_write(self->ssl, buf.buf, buf.len); len = SSL_write(self->ssl, buf.buf, len);
err = SSL_get_error(self->ssl, len); err = SSL_get_error(self->ssl, len);
PySSL_END_ALLOW_THREADS PySSL_END_ALLOW_THREADS
if (PyErr_CheckSignals()) { if (PyErr_CheckSignals()) {
@ -1650,7 +1651,7 @@ PySSL_tls_unique_cb(PySSLSocket *self)
{ {
PyObject *retval = NULL; PyObject *retval = NULL;
char buf[PySSL_CB_MAXLEN]; char buf[PySSL_CB_MAXLEN];
int len; size_t len;
if (SSL_session_reused(self->ssl) ^ !self->socket_type) { if (SSL_session_reused(self->ssl) ^ !self->socket_type) {
/* if session is resumed XOR we are the client */ /* if session is resumed XOR we are the client */
@ -1662,7 +1663,6 @@ PySSL_tls_unique_cb(PySSLSocket *self)
} }
/* It cannot be negative in current OpenSSL version as of July 2011 */ /* It cannot be negative in current OpenSSL version as of July 2011 */
assert(len >= 0);
if (len == 0) if (len == 0)
Py_RETURN_NONE; Py_RETURN_NONE;
@ -2025,7 +2025,7 @@ typedef struct {
PyThreadState *thread_state; PyThreadState *thread_state;
PyObject *callable; PyObject *callable;
char *password; char *password;
Py_ssize_t size; int size;
int error; int error;
} _PySSLPasswordInfo; } _PySSLPasswordInfo;
@ -2059,6 +2059,12 @@ _pwinfo_set(_PySSLPasswordInfo *pw_info, PyObject* password,
goto error; goto error;
} }
if (size > (Py_ssize_t)INT_MAX) {
PyErr_Format(PyExc_ValueError,
"password cannot be longer than %d bytes", INT_MAX);
goto error;
}
free(pw_info->password); free(pw_info->password);
pw_info->password = malloc(size); pw_info->password = malloc(size);
if (!pw_info->password) { if (!pw_info->password) {
@ -2067,7 +2073,7 @@ _pwinfo_set(_PySSLPasswordInfo *pw_info, PyObject* password,
goto error; goto error;
} }
memcpy(pw_info->password, data, size); memcpy(pw_info->password, data, size);
pw_info->size = size; pw_info->size = (int)size;
Py_XDECREF(password_bytes); Py_XDECREF(password_bytes);
return 1; return 1;