Message128938
| Author | socketpair |
| Recipients | Arfrever, giampaolo.rodola, socketpair |
| Date | 2011-02-21.04:56:58 |
| SpamBayes Score | 2.189648e-06 |
| Marked as misclassified | No |
| Message-id | <1298264219.69.0.732931273804.issue11259@psf.upfronthosting.co.za> |
| In-reply-to | |
| Content |
asynchat.py: class async_chat: handle_read():
-----------------------
elif isinstance(terminator, int) or isinstance(terminator, long):
    # numeric terminator
    n = terminator
    if lb < n:
        self.collect_incoming_data (self.ac_in_buffer)
        self.ac_in_buffer = ''
        self.terminator = self.terminator - lb
    else:
        self.collect_incoming_data (self.ac_in_buffer[:n])
        self.ac_in_buffer = self.ac_in_buffer[n:]
        self.terminator = 0
        self.found_terminator()
------------------------------
Suppose the terminator is -10. "if lb < n" never matches, so the "else" branch is executed.
Next, it will call "self.collect_incoming_data (self.ac_in_buffer[:n])" to push data to the user. It should push some data from the beginning of the buffer; instead of this, the whole buffer except the last 10 characters is pushed.
Moreover, "self.ac_in_buffer = self.ac_in_buffer[n:]" should give the tail of the buffer, but instead of this, "self.ac_in_buffer" will contain part of the tail.
Such behaviour may break protocol parsing. In my case, a malicious user passes 'Content-Length: -100' and totally breaks protocol parsing. Crafted values may cause a memory leak.
In any case, the author of this code did not think about negative n in constructions [:n] or [n:]. |
|
History
| Date | User | Action | Args |
|---|---|---|---|
| 2011-02-21 04:56:59 | socketpair | set | recipients: + socketpair, giampaolo.rodola, Arfrever |
| 2011-02-21 04:56:59 | socketpair | set | messageid: <1298264219.69.0.732931273804.issue11259@psf.upfronthosting.co.za> |
| 2011-02-21 04:56:59 | socketpair | link | issue11259 messages |
| 2011-02-21 04:56:58 | socketpair | create | |
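The slicing behaviour reported in the message, as an added example that is not part of the original report or of asynchat itself. `numeric_branch` is a stand-alone model of the quoted branch; `parse_content_length`, `checked_numeric_branch` and the `max_len` limit are hypothetical names and values chosen here.

```python
# Added example: models the quoted numeric-terminator branch outside asynchat
# and shows a guard for it. All function names here are hypothetical.

def numeric_branch(buf, terminator):
    """Mirror of the quoted branch.

    Returns (delivered, remaining, new_terminator, found_terminator_called).
    """
    lb = len(buf)
    n = terminator
    if lb < n:
        return buf, b"", terminator - lb, False
    # With a negative n both slices count from the END of the buffer.
    return buf[:n], buf[n:], 0, True


def parse_content_length(value, max_len=1 << 20):
    """Accept only a plain ASCII decimal length in [0, max_len] (assumed cap)."""
    text = value.strip()
    if not (text.isascii() and text.isdigit()):  # rejects '-100', '+5', ''
        raise ValueError("invalid Content-Length: %r" % value)
    length = int(text)
    if length > max_len:
        raise ValueError("Content-Length too large: %d" % length)
    return length


def checked_numeric_branch(buf, terminator):
    """The same branch with the missing guard: a negative count is refused."""
    if terminator < 0:
        raise ValueError("numeric terminator must be >= 0")
    return numeric_branch(buf, terminator)


if __name__ == "__main__":
    buf = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # constructed 26-byte input buffer
    print("n=10  ->", numeric_branch(buf, 10))    # first 10 bytes delivered
    print("n=-10 ->", numeric_branch(buf, -10))   # all but the last 10 delivered
    for header_value in ("42", "-100"):           # constructed header values
        try:
            print("accepted:", parse_content_length(header_value))
        except ValueError as exc:
            print("rejected:", exc)
```

Validating the header value before it reaches `set_terminator()` keeps the negative count out of the slicing code entirely; the guard in `checked_numeric_branch` covers callers that skip that validation.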