bpo-35050: AF_ALG length check off-by-one error (GH-10058)

tiran · vstinner · commit 2eb6ad8578fa · 2018-12-10T11:22:37.000+01:00
The length check for AF_ALG salg_name and salg_type had a off-by-one
error. The code assumed that both values are not necessarily NULL
terminated. However the Kernel code for alg_bind() ensures that the last
byte of both strings are NULL terminated.

Signed-off-by: Christian Heimes &lt;christian@python.org&gt;
diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
@@ -5969,6 +5969,24 @@ def test_sendmsg_afalg_args(self):
             with self.assertRaises(TypeError):
                 sock.sendmsg_afalg(op=socket.ALG_OP_ENCRYPT, assoclen=-1)
 
+    def test_length_restriction(self):
+        # bpo-35050, off-by-one error in length check
+        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
+        self.addCleanup(sock.close)
+
+        # salg_type[14]
+        with self.assertRaises(FileNotFoundError):
+            sock.bind(("t" * 13, "name"))
+        with self.assertRaisesRegex(ValueError, "type too long"):
+            sock.bind(("t" * 14, "name"))
+
+        # salg_name[64]
+        with self.assertRaises(FileNotFoundError):
+            sock.bind(("type", "n" * 63))
+        with self.assertRaisesRegex(ValueError, "name too long"):
+            sock.bind(("type", "n" * 64))
+
+
 @unittest.skipUnless(sys.platform.startswith("win"), "requires Windows")
 class TestMSWindowsTCPFlags(unittest.TestCase):
     knownTCPFlags = {
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-10-23-15-03-53.bpo-35050.49wraS.rst b/Misc/NEWS.d/next/Core and Builtins/2018-10-23-15-03-53.bpo-35050.49wraS.rst
@@ -0,0 +1 @@
+:mod:`socket`: Fix off-by-one bug in length check for ``AF_ALG`` name and type.
diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
@@ -2245,13 +2245,15 @@ getsockaddrarg(PySocketSockObject *s, PyObject *args,
         {
             return 0;
         }
-        /* sockaddr_alg has fixed-sized char arrays for type and name */
-        if (strlen(type) > sizeof(sa->salg_type)) {
+        /* sockaddr_alg has fixed-sized char arrays for type, and name
+         * both must be NULL terminated.
+         */
+        if (strlen(type) >= sizeof(sa->salg_type)) {
             PyErr_SetString(PyExc_ValueError, "AF_ALG type too long.");
             return 0;
         }
         strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));
-        if (strlen(name) > sizeof(sa->salg_name)) {
+        if (strlen(name) >= sizeof(sa->salg_name)) {
             PyErr_SetString(PyExc_ValueError, "AF_ALG name too long.");
             return 0;
         }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+:mod:`socket`: Fix off-by-one bug in length check for ``AF_ALG`` name and type.
Original file line number	Diff line number	Diff line change
`@@ -2245,13 +2245,15 @@ getsockaddrarg(PySocketSockObject s, PyObject args,`
`2245`	`2245`	`{`
`2246`	`2246`	`return 0;`
`2247`	`2247`	`}`
`2248`		`- /* sockaddr_alg has fixed-sized char arrays for type and name */`
`2249`		`- if (strlen(type) > sizeof(sa->salg_type)) {`
	`2248`	`+ /* sockaddr_alg has fixed-sized char arrays for type, and name`
	`2249`	`+ * both must be NULL terminated.`
	`2250`	`+ */`
	`2251`	`+ if (strlen(type) >= sizeof(sa->salg_type)) {`
`2250`	`2252`	`PyErr_SetString(PyExc_ValueError, "AF_ALG type too long.");`
`2251`	`2253`	`return 0;`
`2252`	`2254`	`}`
`2253`	`2255`	`strncpy((char *)sa->salg_type, type, sizeof(sa->salg_type));`
`2254`		`- if (strlen(name) > sizeof(sa->salg_name)) {`
	`2256`	`+ if (strlen(name) >= sizeof(sa->salg_name)) {`
`2255`	`2257`	`PyErr_SetString(PyExc_ValueError, "AF_ALG name too long.");`
`2256`	`2258`	`return 0;`
`2257`	`2259`	`}`