Skip to content

gh-143637: Fix re-entrant mutation of ancillary data in socket.sendmsg() #143892

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vstinner merged 21 commits into from
Feb 13, 2026
Merged

gh-143637: Fix re-entrant mutation of ancillary data in socket.sendmsg() #143892

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
597c672
socket: fix re-entrant mutation in sendmsg ancillary data
priyanshu2282-cyber Jan 15, 2026
7e57097
test_socket: add regression test for sendmsg re-entrancy
priyanshu2282-cyber Jan 15, 2026
a6fbd4b
gh-143637: Fix reentrant mutation crash in socket.sendmsg
priyanshu2282-cyber Jan 15, 2026
be7371d
chore: rerun CI
priyanshu2282-cyber Jan 16, 2026
4703c2b
restore spacing style for controllen calculation
priyanshu2282-cyber Jan 17, 2026
2bd7e14
📜🤖 Added by blurb_it.
blurb-it[bot] Jan 17, 2026
710daaa
add public wrapper for sendmsg re-entrant ancillary mutation test
priyanshu2282-cyber Jan 17, 2026
a2992a8
Merge branch 'fix-sendmsg-reentrant-cmsg' of https://github.com/priya…
priyanshu2282-cyber Jan 17, 2026
75d8ae9
fixed trailing whitespace
priyanshu2282-cyber Jan 17, 2026
6f0ddf4
PySequence_Tuple instead of PySequence_Fast and removed INCREF, DECREF
priyanshu2282-cyber Jan 17, 2026
ff8af98
Fix trailing whitespace
priyanshu2282-cyber Jan 17, 2026
5f0a05a
Fix sendmsg re-entrant ancillary mutation crash
priyanshu2282-cyber Jan 19, 2026
082e6b7
Corrected Indentation and moved test to seperate class
priyanshu2282-cyber Jan 19, 2026
fb99129
Update Modules/socketmodule.c
priyanshu2282-cyber Jan 19, 2026
7ec2dd6
Update Modules/socketmodule.c
priyanshu2282-cyber Jan 20, 2026
57b33f1
Move test to GeneralModuleTests
priyanshu2282-cyber Jan 20, 2026
3587510
Test added at last
priyanshu2282-cyber Jan 21, 2026
ef61722
Fixed trailing whitespace
priyanshu2282-cyber Jan 21, 2026
b299085
Update Lib/test/test_socket.py
priyanshu2282-cyber Jan 21, 2026
138a5df
Merge branch 'main' into fix-sendmsg-reentrant-cmsg
vstinner Jan 21, 2026
da0f263
Update Lib/test/test_socket.py
priyanshu2282-cyber Jan 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions Lib/test/test_socket.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3572,6 +3572,33 @@ def _testSendmsgAfterClose(self):
class SendmsgStreamTests(SendmsgTests):
# Tests for sendmsg() which require a stream socket and do not
# involve recvmsg() or recvmsg_into().
@unittest.skipUnless(hasattr(socket.socket, "sendmsg"),
"sendmsg not supported")
def _test_sendmsg_reentrant_ancillary_mutation(self):
Comment thread
vstinner marked this conversation as resolved.
Outdated
import socket
Comment thread
vstinner marked this conversation as resolved.
Outdated

seq = []
Comment thread
vstinner marked this conversation as resolved.
Outdated

class Mut:
def __init__(self):
self.tripped = False
Comment thread
vstinner marked this conversation as resolved.
Outdated
def __index__(self):
if not self.tripped:
self.tripped = True
seq.clear()
return 0

seq[:] = [
(socket.SOL_SOCKET, Mut(), b'x'),
(socket.SOL_SOCKET, 0, b'x'),
]

left, right = socket.socketpair()
self.addCleanup(left.close)
self.addCleanup(right.close)

with self.assertRaises(Exception):
left.sendmsg([b'x'], seq)

def testSendmsgExplicitNoneAddr(self):
# Check that peer address can be specified as None.
Expand Down
26 changes: 15 additions & 11 deletions Modules/socketmodule.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5001,24 +5001,28 @@ _socket_socket_sendmsg_impl(PySocketSockObject *s, PyObject *data_arg,
controllen = controllen_last = 0;
while (ncmsgbufs < ncmsgs) {
size_t bufsize, space;
PyObject *item;

if (!PyArg_Parse(PySequence_Fast_GET_ITEM(cmsg_fast, ncmsgbufs),
"(iiy*):[sendmsg() ancillary data items]",
&cmsgs[ncmsgbufs].level,
&cmsgs[ncmsgbufs].type,
&cmsgs[ncmsgbufs].data))
item = PySequence_Fast_GET_ITEM(cmsg_fast, ncmsgbufs);
Py_INCREF(item);

if (!PyArg_Parse(item,
"(iiy*):[sendmsg() ancillary data items]",
&cmsgs[ncmsgbufs].level,
&cmsgs[ncmsgbufs].type,
&cmsgs[ncmsgbufs].data)){
Comment thread
priyanshu2282-cyber marked this conversation as resolved.
Outdated
Py_DECREF(item);
goto finally;
}
Py_DECREF(item);

bufsize = cmsgs[ncmsgbufs++].data.len;

#ifdef CMSG_SPACE
if (!get_CMSG_SPACE(bufsize, &space)) {
#else
if (!get_CMSG_LEN(bufsize, &space)) {
#endif
if(!get_CMSG_SPACE(bufsize, &space)){
Comment thread
vstinner marked this conversation as resolved.
Outdated
PyErr_SetString(PyExc_OSError, "ancillary data item too large");
goto finally;
}
controllen += space;
controllen+=space;
Comment thread
vstinner marked this conversation as resolved.
Outdated
if (controllen > SOCKLEN_T_LIMIT || controllen < controllen_last) {
PyErr_SetString(PyExc_OSError, "too much ancillary data");
goto finally;
Expand Down
Loading