From aef1ad311a9d08c6113a2f17776f0f27320fbdc6 Mon Sep 17 00:00:00 2001
From: Zackery Spytz
Date: Thu, 27 Sep 2018 11:10:32 -0600
Subject: [PATCH 1/4] bpo-34824: Fix a possible NULL pointer dereference in _ssl.c

On failure, _PyBytes_Resize() will deallocate the bytes object and set "result" to NULL.
---
 .../Core and Builtins/2018-09-27-11-10-02.bpo-34824.VLlCaU.rst | 2 ++
 Modules/_ssl.c | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Core and Builtins/2018-09-27-11-10-02.bpo-34824.VLlCaU.rst

diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-09-27-11-10-02.bpo-34824.VLlCaU.rst b/Misc/NEWS.d/next/Core and Builtins/2018-09-27-11-10-02.bpo-34824.VLlCaU.rst
new file mode 100644
index 00000000000000..fe95b8973c09a4
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-09-27-11-10-02.bpo-34824.VLlCaU.rst
@@ -0,0 +1,2 @@
+Fix a possible null pointer dereference in Modules/_ssl.c. Patch by Zackery
+Spytz.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 99d4ecceaf011e..82c19b4587faaa 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4712,7 +4712,6 @@ _ssl_MemoryBIO_read_impl(PySSLMemoryBIO *self, int len)
 nbytes = BIO_read(self->bio, PyBytes_AS_STRING(result), len);
 /* There should never be any short reads but check anyway. */
 if ((nbytes < len) && (_PyBytes_Resize(&result, len) < 0)) {
- Py_DECREF(result);
 return NULL;
 }
 

From 4031bc13f7a46106b84b95d3ce77375d8bbf6424 Mon Sep 17 00:00:00 2001
From: Zackery Spytz
Date: Fri, 28 Sep 2018 09:11:08 -0600
Subject: [PATCH 2/4] Address the review comment.

---
 Modules/_ssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 82c19b4587faaa..463384100c4f80 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4711,8 +4711,8 @@ _ssl_MemoryBIO_read_impl(PySSLMemoryBIO *self, int len)
 
 nbytes = BIO_read(self->bio, PyBytes_AS_STRING(result), len);
 /* There should never be any short reads but check anyway. */
- if ((nbytes < len) && (_PyBytes_Resize(&result, len) < 0)) {
- return NULL;
+ if (nbytes < len) {
+ _PyBytes_Resize(&result, len);
 }
 
 return result;

From 583c46583976f50412f9a75684f77086fd78843d Mon Sep 17 00:00:00 2001
From: Zackery Spytz
Date: Mon, 1 Oct 2018 15:39:40 -0600
Subject: [PATCH 3/4] Check if BIO_read() returned < 0 and pass nbytes to _PyBytes_Resize()

---
 Modules/_ssl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 463384100c4f80..3619a6b8ca9390 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4710,9 +4710,14 @@ _ssl_MemoryBIO_read_impl(PySSLMemoryBIO *self, int len)
 return result;
 
 nbytes = BIO_read(self->bio, PyBytes_AS_STRING(result), len);
+ if (nbytes < 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return NULL;
+ }
+
 /* There should never be any short reads but check anyway. */
 if (nbytes < len) {
- _PyBytes_Resize(&result, len);
+ _PyBytes_Resize(&result, nbytes);
 }
 
 return result;

From 604f3237f5135ebc006cc30b357b0f86bf73f264 Mon Sep 17 00:00:00 2001
From: Zackery Spytz
Date: Mon, 1 Oct 2018 16:21:47 -0600
Subject: [PATCH 4/4] Don't leak result

---
 Modules/_ssl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 3619a6b8ca9390..cd0864009ff3c7 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4711,6 +4711,7 @@ _ssl_MemoryBIO_read_impl(PySSLMemoryBIO *self, int len)
 
 nbytes = BIO_read(self->bio, PyBytes_AS_STRING(result), len);
 if (nbytes < 0) {
+ Py_DECREF(result);
 _setSSLError(NULL, 0, __FILE__, __LINE__);
 return NULL;
 }
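Review bot: In the [PATCH 2/4] hunk, `_PyBytes_Resize(&result, len);` now discards its return value with no comment saying why that is safe. Going by the description of patch 1, a failed resize frees the object and sets `result` to NULL, so the `return result;` that follows is what reports the failure. I would add `/* On failure _PyBytes_Resize() frees result and sets it to NULL; the return below propagates that. */` above the call so that nobody re-adds a `Py_DECREF(result)` on this path. The same call survives in the [PATCH 3/4] hunk with `nbytes` as the size, and the comment applies there too. The function begins and ends outside the hunk.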
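Review bot: In the [PATCH 3/4] hunk, the new `if (nbytes < 0)` branch always raises through `_setSSLError(NULL, 0, __FILE__, __LINE__)`, which presumably takes its message from the OpenSSL error queue, but a negative BIO_read() on a memory BIO can also mean "no data yet, retry" with nothing queued. Whether that case can reach this line depends on how `len` is bounded before the hunk, which is not visible here. If it cannot, say so in a comment above the branch, e.g. `/* len is limited to the pending byte count above, so a negative result is a real error. */`; if it can, test `BIO_should_retry(self->bio)` before raising.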