Close #13022: _multiprocessing.recvfd() doesn't check that file descriptor was actually received

author: Jesus Cea <jcea@jcea.es> 2011-09-21 03:56:05 +0200
committer: Jesus Cea <jcea@jcea.es> 2011-09-21 03:56:05 +0200
commit: 41c98a3207db26bd28c92e0c5df0a4849b3b7d83 (patch)
tree: bfa859562727a8a5e94fb40cb50ed8363ae0eb9d /Modules/_multiprocessing
parent: c78fb33f81819cd8c7c1faac352b0b669703425e (diff)
parent: 4507e6456e6170f92e14d7ecb68f2617a3b48412 (diff)
download: cpython-git-41c98a3207db26bd28c92e0c5df0a4849b3b7d83.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/Modules/_multiprocessing/multiprocessing.c b/Modules/_multiprocessing/multiprocessing.c
index f6c2259815..a1e6ed5986 100644
--- a/Modules/_multiprocessing/multiprocessing.c
+++ b/Modules/_multiprocessing/multiprocessing.c
@@ -166,6 +166,17 @@ multiprocessing_recvfd(PyObject *self, PyObject *args)
     if (res < 0)
         return PyErr_SetFromErrno(PyExc_OSError);
 
+    if (msg.msg_controllen < CMSG_LEN(sizeof(int)) ||
+        (cmsg = CMSG_FIRSTHDR(&msg)) == NULL ||
+        cmsg->cmsg_level != SOL_SOCKET ||
+        cmsg->cmsg_type != SCM_RIGHTS ||
+        cmsg->cmsg_len < CMSG_LEN(sizeof(int))) {
+        /* If at least one control message is present, there should be
+           no room for any further data in the buffer. */
+        PyErr_SetString(PyExc_RuntimeError, "No file descriptor received");
+        return NULL;
+    }
+
     fd = * (int *) CMSG_DATA(cmsg);
     return Py_BuildValue("i", fd);
 }
author	Jesus Cea <jcea@jcea.es>	2011-09-21 03:56:05 +0200
committer	Jesus Cea <jcea@jcea.es>	2011-09-21 03:56:05 +0200
commit	41c98a3207db26bd28c92e0c5df0a4849b3b7d83 (patch)
tree	bfa859562727a8a5e94fb40cb50ed8363ae0eb9d /Modules/_multiprocessing
parent	c78fb33f81819cd8c7c1faac352b0b669703425e (diff)
parent	4507e6456e6170f92e14d7ecb68f2617a3b48412 (diff)
download	cpython-git-41c98a3207db26bd28c92e0c5df0a4849b3b7d83.tar.gz