gh-143637: Fix re-entrant mutation of ancillary data in socket.sendmsg() #143892
Conversation
|
Hi, this PR fixes an internal correctness issue in socket.sendmsg(). |
|
No. It remains uaerfacing. In general, every bug fix should be announced if it can be seen only with pure python code and the public API |
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
Thanks for guiding, I have added the news entry. |
|
I have made the requested changes; please review again. |
|
Thanks for making the requested changes! @picnixz: please review the changes made to this pull request. |
…nshu2282-cyber/cpython into fix-sendmsg-reentrant-cmsg
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <vstinner@python.org>
Lib/test/test_socket.py
Outdated
| class GeneralModuleTests(unittest.TestCase): | ||
|
|
||
| @unittest.skipUnless(hasattr(socket.socket, "sendmsg"),"sendmsg not supported") | ||
| def test_sendmsg_reentrant_ancillary_mutation(self): |
There was a problem hiding this comment.
New tests are added at the end of the class (GeneralModuleTests).
There was a problem hiding this comment.
done, I have put the test at the end.
vstinner
left a comment
vstinner
left a comment
There was a problem hiding this comment.
I ran the test on unmodified Python, it does crash as expected:
test_sendmsg_reentrant_ancillary_mutation (test.test_socket.GeneralModuleTests.test_sendmsg_reentrant_ancillary_mutation) ...
Fatal Python error: Segmentation fault
Co-authored-by: Victor Stinner <vstinner@python.org>
vstinner
dismissed
picnixz’s stale review
picnixz's review has been addressed.
|
"All required checks pass" failed with:
I'm not sure what's going on. Let me try to update this branch, maybe it will magically fix thei ssue? |
| controllen = controllen_last = 0; | ||
| while (ncmsgbufs < ncmsgs) { | ||
| size_t bufsize, space; | ||
| PyObject *item = PyTuple_GET_ITEM(cmsg_fast, ncmsgbufs); |
There was a problem hiding this comment.
Why did we need a temporary variable here?
There was a problem hiding this comment.
IMO it makes the code more readable and so the change is worth it.
There was a problem hiding this comment.
If we storeit in a temporary variable that makes the call clearer and avoids repeating a long expression, happy to keep it in a single line without temporary variable if needed.
There was a problem hiding this comment.
I would prefer reducing the diff but ok for the temporary variable.
There was a problem hiding this comment.
I would prefer reducing the diff but ok for the temporary variable.
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
3 participants
Fix a crash in socket.sendmsg() caused by re-entrant mutation of ancillary data during argument parsing.
Hold a strong reference to each ancillary item while parsing to avoid use-after-free, and added a regression test.
socket.sendmsgancillary parser after re-entrant__index__clears the control list #143637