gh-98793: Fix typecheck in overlapped.c

[CharlieZhao95]

Fixes typecheck in _overlapped.WSAConnect and _overlapped.Overlapped.WSASendTo.

• Issue: asyncio: Possible missing typecheck in overlapped.c #98793

[kumaraditya303]

This can potentially crash the interpreter so can be considered a security issue. The RMs should decide cc @pablogsal@ambv.

[gvanrossum]

Usually a crash is only a vulnerability if it can be exploited by sending an app that is using the API untrusted data.

[ambv]

Since it's complex to decide which crash can be triggered by user action, we usually treat crashers as potential vulnerabilities and patch them in security-only releases. We'd spend more time thinking about whether it's right to backport if the patch was overly complex or backwards incompatible. This isn't the case here so I'd backport to security-only releases, too.

Such crashers rarely get CVE numbers and we don't automatically trigger a security release for them. We just bundle the fix with the next release that is triggered by a CVE.

[ambv]

The backports might be a bit involved due to Argument Clinic. I'll take care of those.

[miss-islington]

Thanks @CharlieZhao95 for the PR, and @gvanrossum for merging it 🌮🎉.. I'm working now to backport this PR to: 3.7, 3.8, 3.9, 3.10, 3.11.
🐍🍒⛏🤖

[miss-islington]

Sorry @CharlieZhao95 and @gvanrossum, I had trouble checking out the 3.10 backport branch.
Please retry by removing and re-adding the "needs backport to 3.10" label.
Alternatively, you can backport using cherry_picker on the command line.
cherry_picker 3ac8c0ab6ee819a14b1c8e0992acbaf376a46058 3.10

[miss-islington]

Sorry, @CharlieZhao95 and @gvanrossum, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 3ac8c0ab6ee819a14b1c8e0992acbaf376a46058 3.9

[miss-islington]

Sorry @CharlieZhao95 and @gvanrossum, I had trouble checking out the 3.8 backport branch.
Please retry by removing and re-adding the "needs backport to 3.8" label.
Alternatively, you can backport using cherry_picker on the command line.
cherry_picker 3ac8c0ab6ee819a14b1c8e0992acbaf376a46058 3.8

[miss-islington]

Sorry, @CharlieZhao95 and @gvanrossum, I could not cleanly backport this to 3.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 3ac8c0ab6ee819a14b1c8e0992acbaf376a46058 3.7

[gvanrossum]

Okay @ambv go ahead with the backport!

[CharlieZhao95]

It seems that for recent releases(3.11/3.10), backporting is not that complicated, and I will help with those backports as well :)

[bedevere-bot]

GH-98889 is a backport of this pull request to the 3.11 branch.

[bedevere-bot]

GH-98890 is a backport of this pull request to the 3.10 branch.

[bedevere-bot]

GH-98890 is a backport of this pull request to the 3.10 branch.

[hugovk]

Since it's complex to decide which crash can be triggered by user action, we usually treat crashers as potential vulnerabilities and patch them in security-only releases. We'd spend more time thinking about whether it's right to backport if the patch was overly complex or backwards incompatible. This isn't the case here so I'd backport to security-only releases, too.

Does this still need backporting to 3.9? If not, let's remove the backport label.

[serhiy-storchaka]

Reminder about backporting. @CharlieZhao95@gvanrossum

[StanFromIreland]

Little ping @ambv since the final release is nearing.

[ambv]

Thanks, @StanFromIreland. I'll do the backport.

[serhiy-storchaka]

Was it backported to 3.9?

[serhiy-storchaka]

Hmm, for some reasons this was in the result of search for is:pr label:"needs backport to 3.9" is:merged. But the repeated search does not show it.

[StanFromIreland]

Hmm, for some reasons this was in the result of search for is:pr label:"needs backport to 3.9" is:merged. But the repeated search does not show it.

It may have been cached, the label has since been removed.