[Python-checkins] cpython (merge 3.3 -> default): (Merge 3.3) Issue #18135: Fix a possible integer overflow in

Sun Jun 23 15:18:50 CEST 2013

http://hg.python.org/cpython/rev/f90d82a75a43
changeset: 84271:f90d82a75a43
parent: 84267:81fef2666ebb
parent: 84270:f0d934732ab1
user: Victor Stinner <victor.stinner at gmail.com>
date: Sun Jun 23 15:09:26 2013 +0200
summary:
 (Merge 3.3) Issue #18135: Fix a possible integer overflow in
ssl.SSLSocket.write() and in ssl.SSLContext.load_cert_chain() for strings and
passwords longer than 2 gigabytes.
files:
 Misc/NEWS | 4 ++++
 Modules/_ssl.c | 26 ++++++++++++++++----------
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -126,6 +126,10 @@
 Library
 -------
 
+- Issue #18135: Fix a possible integer overflow in ssl.SSLSocket.write()
+ and in ssl.SSLContext.load_cert_chain() for strings and passwords longer than
+ 2 gigabytes.
+
 - Issue #11016: Add C implementation of the stat module as _stat.
 
 - Issue #18248: Fix libffi build on AIX.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1172,7 +1172,7 @@
 const unsigned char *out;
 unsigned int outlen;
 
- SSL_get0_next_proto_negotiated(self->ssl, 
+ SSL_get0_next_proto_negotiated(self->ssl,
 &out, &outlen);
 
 if (out == NULL)
@@ -1358,8 +1358,9 @@
 goto error;
 }
 do {
+ len = (int)Py_MIN(buf.len, INT_MAX);
 PySSL_BEGIN_ALLOW_THREADS
- len = SSL_write(self->ssl, buf.buf, buf.len);
+ len = SSL_write(self->ssl, buf.buf, len);
 err = SSL_get_error(self->ssl, len);
 PySSL_END_ALLOW_THREADS
 if (PyErr_CheckSignals()) {
@@ -1650,7 +1651,7 @@
 {
 PyObject *retval = NULL;
 char buf[PySSL_CB_MAXLEN];
- int len;
+ size_t len;
 
 if (SSL_session_reused(self->ssl) ^ !self->socket_type) {
 /* if session is resumed XOR we are the client */
@@ -1662,7 +1663,6 @@
 }
 
 /* It cannot be negative in current OpenSSL version as of July 2011 */
- assert(len >= 0);
 if (len == 0)
 Py_RETURN_NONE;
 
@@ -1873,8 +1873,8 @@
 #ifdef OPENSSL_NPN_NEGOTIATED
 /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
 static int
-_advertiseNPN_cb(SSL *s, 
- const unsigned char **data, unsigned int *len, 
+_advertiseNPN_cb(SSL *s,
+ const unsigned char **data, unsigned int *len,
 void *args)
 {
 PySSLContext *ssl_ctx = (PySSLContext *) args;
@@ -1891,7 +1891,7 @@
 }
 /* this callback gets passed to SSL_CTX_set_next_proto_select_cb */
 static int
-_selectNPN_cb(SSL *s, 
+_selectNPN_cb(SSL *s,
 unsigned char **out, unsigned char *outlen,
 const unsigned char *server, unsigned int server_len,
 void *args)
@@ -2025,7 +2025,7 @@
 PyThreadState *thread_state;
 PyObject *callable;
 char *password;
- Py_ssize_t size;
+ int size;
 int error;
 } _PySSLPasswordInfo;
 
@@ -2059,6 +2059,12 @@
 goto error;
 }
 
+ if (size > (Py_ssize_t)INT_MAX) {
+ PyErr_Format(PyExc_ValueError,
+ "password cannot be longer than %d bytes", INT_MAX);
+ goto error;
+ }
+
 free(pw_info->password);
 pw_info->password = malloc(size);
 if (!pw_info->password) {
@@ -2067,7 +2073,7 @@
 goto error;
 }
 memcpy(pw_info->password, data, size);
- pw_info->size = size;
+ pw_info->size = (int)size;
 
 Py_XDECREF(password_bytes);
 return 1;
@@ -3441,7 +3447,7 @@
 }
 if (PyModule_AddObject(m, "lib_codes_to_names", lib_codes_to_names))
 return NULL;
- 
+
 /* OpenSSL version */
 /* SSLeay() gives us the version of the library linked against,
 which could be different from the headers version.
-- 
Repository URL: http://hg.python.org/cpython
