
Commit 597c672

socket: fix re-entrant mutation in sendmsg ancillary data
1 parent 888d101 commit 597c672

1 file changed

Lines changed: 14 additions & 2 deletions


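--- a/Modules/socketmodule.c
+++ b/Modules/socketmodule.c
@@ -5001,15 +5001,27 @@ _socket_socket_sendmsg_impl(PySocketSockObject *s, PyObject *data_arg,
 controllen = controllen_last = 0;
 while (ncmsgbufs < ncmsgs) {
 size_t bufsize, space;
+PyObject *item;
 
-if (!PyArg_Parse(PySequence_Fast_GET_ITEM(cmsg_fast, ncmsgbufs),
+item = PySequence_Fast_GET_ITEM(cmsg_fast, ncmsgbufs);
+Py_INCREF(item);
+
+if (!PyArg_Parse(item,
 "(iiy*):[sendmsg() ancillary data items]",
 &cmsgs[ncmsgbufs].level,
 &cmsgs[ncmsgbufs].type,
 &cmsgs[ncmsgbufs].data))
+Py_DECREF(item);
 goto finally;
+Py_DECREF(item);
 bufsize = cmsgs[ncmsgbufs++].data.len;
-
+space=CMSG_SPACE(bufsize);
+if(space>maxcmsgslen){
+PyErr_SetString(PyExc_OSError, "ancillary data item too large");
+goto finally;
+}
+maxcmsgslen+=space;
+}
 #ifdef CMSG_SPACE
 if (!get_CMSG_SPACE(bufsize, &space)) {
 #else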
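Review bot: The added `Py_DECREF(item);` directly under the unbraced `if (!PyArg_Parse(item, ...))` becomes that `if`'s only body, so the `goto finally;` after it now runs unconditionally. The loop therefore exits after the first ancillary item even when parsing succeeds, and the second `Py_DECREF(item);` is never reached, which leaks the reference taken by `Py_INCREF(item)`. Brace the failure path so only a failed parse exits: `if (!PyArg_Parse(item, ...)) { Py_DECREF(item); goto finally; }`. Separately, the new `space=CMSG_SPACE(bufsize);` block uses the macro outside the `#ifdef CMSG_SPACE` guard and bypasses the existing `get_CMSG_SPACE(bufsize, &space)` call below it, which can report failure (presumably for an oversized, caller-supplied length), and its extra closing `}` appears to end the `while` loop before that checked code; I would drop these lines and keep the existing helper. The loop body continues outside the hunk, so confirm the brace balance against the full function.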
