_ssl.c does not handle errors on module creation #111230

Closed
@sobolevn

Bug report

`sslmodule_init_constants` does not return -1 when any of the `PyModule_Add*` calls fail.

For example, PyModule_AddIntConstant returns -1 on error, but it is never checked:

cpython/Modules/_ssl.c

Lines 5790 to 5831 in 96cbd1e

```c
    PyModule_AddStringConstant(m, "_DEFAULT_CIPHERS",
                               PY_SSL_DEFAULT_CIPHER_STRING);
    PyModule_AddIntConstant(m, "SSL_ERROR_ZERO_RETURN",
                            PY_SSL_ERROR_ZERO_RETURN);
    PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
                            PY_SSL_ERROR_WANT_READ);
    PyModule_AddIntConstant(m, "SSL_ERROR_WANT_WRITE",
                            PY_SSL_ERROR_WANT_WRITE);
    PyModule_AddIntConstant(m, "SSL_ERROR_WANT_X509_LOOKUP",
                            PY_SSL_ERROR_WANT_X509_LOOKUP);
    PyModule_AddIntConstant(m, "SSL_ERROR_SYSCALL",
                            PY_SSL_ERROR_SYSCALL);
    PyModule_AddIntConstant(m, "SSL_ERROR_SSL",
                            PY_SSL_ERROR_SSL);
    PyModule_AddIntConstant(m, "SSL_ERROR_WANT_CONNECT",
                            PY_SSL_ERROR_WANT_CONNECT);
    /* non ssl.h errorcodes */
    PyModule_AddIntConstant(m, "SSL_ERROR_EOF",
                            PY_SSL_ERROR_EOF);
    PyModule_AddIntConstant(m, "SSL_ERROR_INVALID_ERROR_CODE",
                            PY_SSL_ERROR_INVALID_ERROR_CODE);
    /* cert requirements */
    PyModule_AddIntConstant(m, "CERT_NONE",
                            PY_SSL_CERT_NONE);
    PyModule_AddIntConstant(m, "CERT_OPTIONAL",
                            PY_SSL_CERT_OPTIONAL);
    PyModule_AddIntConstant(m, "CERT_REQUIRED",
                            PY_SSL_CERT_REQUIRED);
    /* CRL verification for verification_flags */
    PyModule_AddIntConstant(m, "VERIFY_DEFAULT",
                            0);
    PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_LEAF",
                            X509_V_FLAG_CRL_CHECK);
    PyModule_AddIntConstant(m, "VERIFY_CRL_CHECK_CHAIN",
                            X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
    PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
                            X509_V_FLAG_X509_STRICT);
    PyModule_AddIntConstant(m, "VERIFY_ALLOW_PROXY_CERTS",
                            X509_V_FLAG_ALLOW_PROXY_CERTS);
    PyModule_AddIntConstant(m, "VERIFY_X509_TRUSTED_FIRST",
                            X509_V_FLAG_TRUSTED_FIRST);
```

Other `sslmodule_init_*` functions do check for errors correctly.
I have a PR ready.
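
An added example, not part of the original issue or of CPython: a small heuristic scanner that flags `PyModule_Add*` calls written as bare statements, the pattern reported above. The function name `unchecked_module_adds`, the `SAMPLE` source and its checked `if (...) < 0` form are constructed for illustration.

```python
import re

CALL = re.compile(r'\bPyModule_Add\w+\s*\(')
# C block comments and single-line preprocessor directives carry no calls.
NOISE = re.compile(r'/\*.*?\*/|^[ \t]*#[^\n]*', re.S | re.M)

def unchecked_module_adds(source):
    """Return (line, function, constant name) for every PyModule_Add* call
    used as a bare statement, i.e. whose int result is thrown away.
    Heuristic: a call counts as checked when anything (if, return, an
    assignment, a cast) sits between the previous ';', '{' or '}' and it."""
    # Blank out noise but keep newlines so line numbers stay correct.
    text = NOISE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), source)
    findings = []
    for m in CALL.finditer(text):
        start = max(text.rfind(c, 0, m.start()) for c in ';{}') + 1
        if text[start:m.start()].strip():
            continue  # the result is consumed by surrounding code
        end = text.find(';', m.end())
        args = text[m.end():end if end != -1 else len(text)]
        name = re.search(r'"([^"]*)"', args)
        findings.append((text.count('\n', 0, m.start()) + 1,
                         m.group().rstrip('( \t\n'),
                         name.group(1) if name else None))
    return findings

# Constructed sample: two unchecked calls in the style quoted in the issue,
# plus one call whose result is tested (an assumed shape for a checked call).
SAMPLE = '''\
static int
sslmodule_init_constants(PyObject *m)
{
    PyModule_AddStringConstant(m, "_DEFAULT_CIPHERS",
                               PY_SSL_DEFAULT_CIPHER_STRING);
    /* cert requirements */
    PyModule_AddIntConstant(m, "CERT_NONE",
                            PY_SSL_CERT_NONE);
    if (PyModule_AddIntConstant(m, "CERT_REQUIRED",
                                PY_SSL_CERT_REQUIRED) < 0) {
        return -1;
    }
    return 0;
}
'''

if __name__ == "__main__":
    for line, func, const in unchecked_module_adds(SAMPLE):
        print(f"line {line}: {func} result ignored for {const!r}")
```
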
