gh-148808: Add boundary check to asyncio.AbstractEventLoop.sock_recvf… (#148809)
authorSeth Larson <seth@python.org>
Tue, 21 Apr 2026 14:29:07 +0000 (09:29 -0500)
committerGitHub <noreply@github.com>
Tue, 21 Apr 2026 14:29:07 +0000 (07:29 -0700)
Lib/test/test_asyncio/test_sock_lowlevel.py
Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst [new file with mode: 0644]
Modules/overlapped.c

index df4ec7948975f60127e9c2de98e9e526fb91a503..f32dcd589e2de22b261a29e3e77c5cf5b63ce816 100644 (file)
@@ -427,6 +427,27 @@ class BaseSockTestsMixin:
             self.loop.run_until_complete(
                 self._basetest_datagram_recvfrom_into(server_address))
 
+    async def _basetest_datagram_recvfrom_into_wrong_size(self, server_address):
+        # Call sock_sendto() with a size larger than the buffer
+        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
+            sock.setblocking(False)
+
+            buf = bytearray(5000)
+            data = b'\x01' * 4096
+            wrong_size = len(buf) + 1
+            await self.loop.sock_sendto(sock, data, server_address)
+            with self.assertRaises(ValueError):
+                await self.loop.sock_recvfrom_into(
+                    sock, buf, wrong_size)
+
+            size, addr = await self.loop.sock_recvfrom_into(sock, buf)
+            self.assertEqual(buf[:size], data)
+
+    def test_recvfrom_into_wrong_size(self):
+        with test_utils.run_udp_echo_server() as server_address:
+            self.loop.run_until_complete(
+                self._basetest_datagram_recvfrom_into_wrong_size(server_address))
+
     async def _basetest_datagram_sendto_blocking(self, server_address):
         # Sad path, sock.sendto() raises BlockingIOError
         # This involves patching sock.sendto() to raise BlockingIOError but
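Review bot: The comment opening `_basetest_datagram_recvfrom_into_wrong_size` names `sock_sendto()`, but the oversized `wrong_size` is passed to `sock_recvfrom_into()`. It should read `# Call sock_recvfrom_into() with nbytes larger than the buffer`. The test also only checks that `ValueError` is raised; since the NEWS entry describes this as a buffer boundary check, it would pin the fix more tightly to assert that the rejected call left the buffer unmodified, for example `self.assertEqual(buf, bytearray(5000))` right after the `assertRaises` block. The follow-up receive without `nbytes` is a good touch, as it shows the datagram was not consumed by the failed call.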
diff --git a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst
new file mode 100644 (file)
index 0000000..0b5cf85
--- /dev/null
@@ -0,0 +1,3 @@
+Added buffer boundary check when using ``nbytes`` parameter with
+:meth:`!asyncio.AbstractEventLoop.sock_recvfrom_into`. Only
+relevant for Windows and the :class:`asyncio.ProactorEventLoop`.
index 822e1ce4bdc28d749800da3dd703bd466570ef99..51aee5afd35b6da8aa676ecca920ce9cbe2d1cfe 100644 (file)
@@ -1910,6 +1910,11 @@ _overlapped_Overlapped_WSARecvFromInto_impl(OverlappedObject *self,
     }
 #endif
 
+    if (bufobj->len < (Py_ssize_t)size) {
+        PyErr_SetString(PyExc_ValueError, "nbytes is greater than the length of the buffer");
+        return NULL;
+    }
+
     wsabuf.buf = bufobj->buf;
     wsabuf.len = size;