Skip to content

gh-144206: Improve error messages for buffer overflow in fcntl.fcntl() and fcntl.ioctl() #144273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
serhiy-storchaka merged 2 commits into from
Jan 29, 2026
+28 −5
Merged

gh-144206: Improve error messages for buffer overflow in fcntl.fcntl() and fcntl.ioctl() #144273

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1d7b0f8
gh-144206: Improve error messages for buffer overflow in fcntl.fcntl(…
serhiy-storchaka Jan 27, 2026
f3c0474
Apply suggestion from @vstinner
serhiy-storchaka Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Library/2026-01-27-14-23-10.gh-issue-144206.l0un4U.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Improve error messages for buffer overflow in :func:`fcntl.fcntl` and
:func:`fcntl.ioctl`.
31 changes: 26 additions & 5 deletions Modules/fcntlmodule.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,11 @@ fcntl_fcntl_impl(PyObject *module, int fd, int code, PyObject *arg)
return !async_err ? PyErr_SetFromErrno(PyExc_OSError) : NULL;
}
if (memcmp(buf + len, guard, GUARDSZ) != 0) {
PyErr_SetString(PyExc_SystemError, "buffer overflow");
PyErr_SetString(PyExc_SystemError,
"Possible stack corruption in fcntl() due to "
"buffer overflow. "
Copy link
Member

@vstinner vstinner Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you use a different message for the memcmp() case? It's not a "Memory corruption" here as well?

Copy link
Member Author

@serhiy-storchaka serhiy-storchaka Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It depends whether the buffer was on the stack or in the heap memory (preallocated bytes object).

Copy link
Member Author

@serhiy-storchaka serhiy-storchaka Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It depends whether the buffer was on the stack or in the heap memory (preallocated bytes object).

Copy link
Member

@vstinner vstinner Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh ok, it makes sense. I didn't notice that one code path allocated memory on the stack.

"Provide an argument of sufficient size as "
"determined by the operation.");
return NULL;
}
return PyBytes_FromStringAndSize(buf, len);
Expand Down Expand Up @@ -139,7 +143,11 @@ fcntl_fcntl_impl(PyObject *module, int fd, int code, PyObject *arg)
return NULL;
}
if (ptr[len] != '\0') {
PyErr_SetString(PyExc_SystemError, "buffer overflow");
PyErr_SetString(PyExc_SystemError,
"Memory corruption in fcntl() due to "
"buffer overflow. "
"Provide an argument of sufficient size as "
"determined by the operation.");
PyBytesWriter_Discard(writer);
return NULL;
}
Expand Down Expand Up @@ -264,7 +272,12 @@ fcntl_ioctl_impl(PyObject *module, int fd, unsigned long code, PyObject *arg,
}
PyBuffer_Release(&view);
if (ptr == buf && memcmp(buf + len, guard, GUARDSZ) != 0) {
PyErr_SetString(PyExc_SystemError, "buffer overflow");
PyErr_SetString(PyExc_SystemError,
"Possible stack corruption in ioctl() due to "
"buffer overflow. "
"Provide a writable buffer argument of "
"sufficient size as determined by "
"the operation.");
return NULL;
}
return PyLong_FromLong(ret);
Expand Down Expand Up @@ -293,7 +306,11 @@ fcntl_ioctl_impl(PyObject *module, int fd, unsigned long code, PyObject *arg,
return !async_err ? PyErr_SetFromErrno(PyExc_OSError) : NULL;
}
if (memcmp(buf + len, guard, GUARDSZ) != 0) {
PyErr_SetString(PyExc_SystemError, "buffer overflow");
PyErr_SetString(PyExc_SystemError,
"Possible stack corruption in ioctl() due to "
"buffer overflow. "
"Provide an argument of sufficient size as "
"determined by the operation.");
return NULL;
}
return PyBytes_FromStringAndSize(buf, len);
Expand Down Expand Up @@ -321,7 +338,11 @@ fcntl_ioctl_impl(PyObject *module, int fd, unsigned long code, PyObject *arg,
return NULL;
}
if (ptr[len] != '\0') {
PyErr_SetString(PyExc_SystemError, "buffer overflow");
PyErr_SetString(PyExc_SystemError,
"Memory corruption in ioctl() due to "
"buffer overflow. "
"Provide an argument of sufficient size as "
"determined by the operation.");
PyBytesWriter_Discard(writer);
return NULL;
}
Expand Down
Loading