[3.13] gh-148808: Add boundary check to asyncio.AbstractEventLoop.sock_recvf… (GH...

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Tue, 21 Apr 2026 16:26:37 +0000 (18:26 +0200)

committer GitHub <noreply@github.com>

Tue, 21 Apr 2026 16:26:37 +0000 (21:56 +0530)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Tue, 21 Apr 2026 16:26:37 +0000 (18:26 +0200)
committer GitHub <noreply@github.com>
Tue, 21 Apr 2026 16:26:37 +0000 (21:56 +0530)
diff --git a/Lib/test/test_asyncio/test_sock_lowlevel.py b/Lib/test/test_asyncio/test_sock_lowlevel.py

index acef24a703ba38b1a5ae0ce0d6110e39a771156e..112ba572f8b4c37891bd4e5a4865ded2f2e1f562 100644 (file)
--- a/Lib/test/test_asyncio/test_sock_lowlevel.py
+++ b/Lib/test/test_asyncio/test_sock_lowlevel.py
@@ -427,6 +427,27 @@ class BaseSockTestsMixin:
              self.loop.run_until_complete(
                  self._basetest_datagram_recvfrom_into(server_address))
  
+    async def _basetest_datagram_recvfrom_into_wrong_size(self, server_address):
+        # Call sock_sendto() with a size larger than the buffer
+        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
+            sock.setblocking(False)
+
+            buf = bytearray(5000)
+            data = b'\x01' * 4096
+            wrong_size = len(buf) + 1
+            await self.loop.sock_sendto(sock, data, server_address)
+            with self.assertRaises(ValueError):
+                await self.loop.sock_recvfrom_into(
+                    sock, buf, wrong_size)
+
+            size, addr = await self.loop.sock_recvfrom_into(sock, buf)
+            self.assertEqual(buf[:size], data)
+
+    def test_recvfrom_into_wrong_size(self):
+        with test_utils.run_udp_echo_server() as server_address:
+            self.loop.run_until_complete(
+                self._basetest_datagram_recvfrom_into_wrong_size(server_address))
+
      async def _basetest_datagram_sendto_blocking(self, server_address):
          # Sad path, sock.sendto() raises BlockingIOError
          # This involves patching sock.sendto() to raise BlockingIOError but
diff --git a/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst

new file mode 100644 (file)

index 0000000..0b5cf85
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst
@@ -0,0 +1,3 @@
+Added buffer boundary check when using ``nbytes`` parameter with
+:meth:`!asyncio.AbstractEventLoop.sock_recvfrom_into`. Only
+relevant for Windows and the :class:`asyncio.ProactorEventLoop`.
diff --git a/Modules/overlapped.c b/Modules/overlapped.c

index 567593e05c4c11147c036879901724535880a106..6d774c5347a33779bfe5379575da3956e16a0679 100644 (file)
--- a/Modules/overlapped.c
+++ b/Modules/overlapped.c
@@ -1909,6 +1909,11 @@ _overlapped_Overlapped_WSARecvFromInto_impl(OverlappedObject *self,
      }
  #endif
  
+    if (bufobj->len < (Py_ssize_t)size) {
+        PyErr_SetString(PyExc_ValueError, "nbytes is greater than the length of the buffer");
+        return NULL;
+    }
+
      wsabuf.buf = bufobj->buf;
      wsabuf.len = size;
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Tue, 21 Apr 2026 16:26:37 +0000 (18:26 +0200)
committer	GitHub <noreply@github.com>
	Tue, 21 Apr 2026 16:26:37 +0000 (21:56 +0530)
Lib/test/test_asyncio/test_sock_lowlevel.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-04-20-15-31-37.gh-issue-148808._Z8JL0.rst	[new file with mode: 0644]	patch \| blob
Modules/overlapped.c		patch \| blob \| blame \| history