From b578d9a606f9668f674f855e32f53530a472c213 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 20 Apr 2026 15:32:11 -0500 Subject: [PATCH 1/4] gh-148808: Add boundary check to asyncio.AbstractEventLoop.sock_recvfrom_into() Co-authored-by: null <32899400+GGAutomaton@users.noreply.github.com> Co-authored-by: Victor Stinner <194129+vstinner@users.noreply.github.com> --- Lib/test/test_asyncio/test_sock_lowlevel.py | 21 +++++++++++++++++++ ...-04-20-15-31-37.gh-issue-148808._Z8JL0.rst | 2 ++ Modules/overlapped.c | 5 +++++ 3 files changed, 28 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst diff --git a/Lib/test/test_asyncio/test_sock_lowlevel.py b/Lib/test/test_asyncio/test_sock_lowlevel.py index df4ec7948975f6..f32dcd589e2de2 100644 --- a/Lib/test/test_asyncio/test_sock_lowlevel.py +++ b/Lib/test/test_asyncio/test_sock_lowlevel.py @@ -427,6 +427,27 @@ def test_recvfrom_into(self): self.loop.run_until_complete( self._basetest_datagram_recvfrom_into(server_address)) + async def _basetest_datagram_recvfrom_into_wrong_size(self, server_address): + # Call sock_sendto() with a size larger than the buffer + with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock: + sock.setblocking(False) + + buf = bytearray(5000) + data = b'\x01' * 4096 + wrong_size = len(buf) + 1 + await self.loop.sock_sendto(sock, data, server_address) + with self.assertRaises(ValueError): + await self.loop.sock_recvfrom_into( + sock, buf, wrong_size) + + size, addr = await self.loop.sock_recvfrom_into(sock, buf) + self.assertEqual(buf[:size], data) + + def test_recvfrom_into_wrong_size(self): + with test_utils.run_udp_echo_server() as server_address: + self.loop.run_until_complete( + self._basetest_datagram_recvfrom_into_wrong_size(server_address)) + async def _basetest_datagram_sendto_blocking(self, server_address): # Sad path, sock.sendto() raises BlockingIOError # This involves patching sock.sendto() to raise BlockingIOError but diff --git a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst new file mode 100644 index 00000000000000..2dde26c9060a91 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst @@ -0,0 +1,2 @@ +Added buffer boundary check comparing ``nbytes`` parameter to +:meth:`asyncio.AbstractEventLoop.sock_recvfrom_into`. diff --git a/Modules/overlapped.c b/Modules/overlapped.c index 822e1ce4bdc28d..51aee5afd35b6d 100644 --- a/Modules/overlapped.c +++ b/Modules/overlapped.c @@ -1910,6 +1910,11 @@ _overlapped_Overlapped_WSARecvFromInto_impl(OverlappedObject *self, } #endif + if (bufobj->len < (Py_ssize_t)size) { + PyErr_SetString(PyExc_ValueError, "nbytes is greater than the length of the buffer"); + return NULL; + } + wsabuf.buf = bufobj->buf; wsabuf.len = size; From 1abcb16a7a5d0b14d5f31e1f273d56ee1a6eb6e4 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 20 Apr 2026 16:09:12 -0500 Subject: [PATCH 2/4] Add clarification that this change affects Windows/ProactorEventLoop --- .../Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst index 2dde26c9060a91..7a06a787c49354 100644 --- a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst +++ b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst @@ -1,2 +1,3 @@ -Added buffer boundary check comparing ``nbytes`` parameter to -:meth:`asyncio.AbstractEventLoop.sock_recvfrom_into`. +Added buffer boundary check when using ``nbytes`` parameter with +:meth:`asyncio.AbstractEventLoop.sock_recvfrom_into`. Only +relevant for Windows and the :class:`asyncio.ProactorEventLoop`. From b0286a85c9499b02e347ba9c548881914dd2ff3f Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 20 Apr 2026 16:14:38 -0500 Subject: [PATCH 3/4] Fix ref issue for newsfragment --- .../Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst index 7a06a787c49354..afa39d3f8c1962 100644 --- a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst +++ b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst @@ -1,3 +1,3 @@ Added buffer boundary check when using ``nbytes`` parameter with -:meth:`asyncio.AbstractEventLoop.sock_recvfrom_into`. Only +:meth:`~asyncio.AbstractEventLoop.sock_recvfrom_into`. Only relevant for Windows and the :class:`asyncio.ProactorEventLoop`. From dacb3da4c2250b82a8f7c9df96553a38eddaf813 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 20 Apr 2026 16:31:29 -0500 Subject: [PATCH 4/4] Use '!' to break references, not '~' --- .../Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst index afa39d3f8c1962..0b5cf85fedfba1 100644 --- a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst +++ b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst @@ -1,3 +1,3 @@ Added buffer boundary check when using ``nbytes`` parameter with -:meth:`~asyncio.AbstractEventLoop.sock_recvfrom_into`. Only +:meth:`!asyncio.AbstractEventLoop.sock_recvfrom_into`. Only relevant for Windows and the :class:`asyncio.ProactorEventLoop`.