From 974c0c22403f09b0a5fb863e93eb45e843c43730 Mon Sep 17 00:00:00 2001
From: Dana Powers <dana.powers@gmail.com>
Date: Wed, 12 Feb 2025 10:22:22 -0800
Subject: [PATCH] Update socketpair w/ CVE-2024-3219 fix

---
 kafka/vendor/socketpair.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/kafka/vendor/socketpair.py b/kafka/vendor/socketpair.py
index b55e629ee..54d908767 100644
--- a/kafka/vendor/socketpair.py
+++ b/kafka/vendor/socketpair.py
@@ -53,6 +53,23 @@ def socketpair(family=socket.AF_INET, type=socket.SOCK_STREAM, proto=0):
                 raise
         finally:
             lsock.close()
+
+        # Authenticating avoids using a connection from something else
+        # able to connect to {host}:{port} instead of us.
+        # We expect only AF_INET and AF_INET6 families.
+        try:
+            if (
+                ssock.getsockname() != csock.getpeername()
+                or csock.getsockname() != ssock.getpeername()
+            ):
+                raise ConnectionError("Unexpected peer connection")
+        except:
+            # getsockname() and getpeername() can fail
+            # if either socket isn't connected.
+            ssock.close()
+            csock.close()
+            raise
+
         return (ssock, csock)
 
     socket.socketpair = socketpair