git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Victor Stinner <vstinner@python.org>
	Wed, 10 Jun 2026 17:04:04 +0000 (19:04 +0200)
committer	GitHub <noreply@github.com>
	Wed, 10 Jun 2026 17:04:04 +0000 (19:04 +0200)
commit	87b9729522abfb69817beb23075b77f5de84bef5
tree	126e4c7c993da3f651936f9985b5b93592e47344	tree \| snapshot
parent	a1f43ef9d92975b56f0926eb3bc903dc360e12c0	commit \| diff

[3.13][3.14] gh-143988: Fix re-entrant mutation crashes in socket sendmsg/recvmsg_into (#143987) (#151251) (#151256)

[3.14] gh-143988: Fix re-entrant mutation crashes in socket sendmsg/recvmsg_into (#143987) (#151251)

gh-143988: Fix re-entrant mutation crashes in socket sendmsg/recvmsg_into (#143987)

Fix crashes in socket.sendmsg() and socket.recvmsg_into() that could
occur if buffer sequences are mutated re-entrantly during argument
parsing via __buffer__ protocol callbacks.

The bug occurs because:

1. PySequence_Fast() returns the original list object when the input
is already a list (not a copy).
2. During iteration, PyObject_GetBuffer() triggers __buffer__
callbacks which may clear the list.
3. Subsequent iterations access invalid memory (heap OOB read).

The fix replaces PySequence_Fast() with PySequence_Tuple() which
always creates a new tuple, ensuring the sequence cannot be mutated
during iteration.

(cherry picked from commit 896f7fdc7d0ba6d4ace06935b9d67c4da0f9ecbe)

(cherry picked from commit 632daaf5e9fb172e3206c4c1f700a4490a2d6df3)

Co-authored-by: tonghuaroot (童话) <tonghuaroot@gmail.com>
Co-authored-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>

Lib/test/test_socket.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2026-01-18-06-42-47.gh-issue-143988.MtLtCP.rst	[new file with mode: 0644]	blob
Modules/socketmodule.c		diff \| blob \| blame \| history