git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	tonghuaroot (童话) <tonghuaroot@gmail.com>
	Wed, 10 Jun 2026 13:03:49 +0000 (21:03 +0800)
committer	GitHub <noreply@github.com>
	Wed, 10 Jun 2026 13:03:49 +0000 (13:03 +0000)
commit	896f7fdc7d0ba6d4ace06935b9d67c4da0f9ecbe
tree	14535c21848e55f7bd54cdc1742ddce05c4b7be3	tree \| snapshot
parent	a621e8ad811e7d51d69b0969a2bd07888a02db1e	commit \| diff

gh-143988: Fix re-entrant mutation crashes in socket sendmsg/recvmsg_into (#143987)

Fix crashes in socket.sendmsg() and socket.recvmsg_into() that could
occur if buffer sequences are mutated re-entrantly during argument
parsing via __buffer__ protocol callbacks.

The bug occurs because:

1. PySequence_Fast() returns the original list object when the input
is already a list (not a copy).
2. During iteration, PyObject_GetBuffer() triggers __buffer__
callbacks which may clear the list.
3. Subsequent iterations access invalid memory (heap OOB read).

The fix replaces PySequence_Fast() with PySequence_Tuple() which
always creates a new tuple, ensuring the sequence cannot be mutated
during iteration.

Co-authored-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>

Lib/test/test_socket.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2026-01-18-06-42-47.gh-issue-143988.MtLtCP.rst	[new file with mode: 0644]	blob
Modules/socketmodule.c		diff \| blob \| blame \| history