fix(nif): low-severity robustness hardening

Guard make_py_error against a NULL message/type when a Python exception's
text isn't UTF-8-encodable (and against a NULL exception type). Reject
embedded NULs in binary_to_string so a module/func/attr/code name can't
be silently truncated at the NUL. Release the leaked split() method in
ReactorBuffer_split. Drop a stray debug fprintf on the normal worker
send path. Document that the worker-pool init/shutdown is gen_server
serialized (no lock needed).

Adds py_SUITE:test_embedded_nul_name_rejected.

Author: benoitc

CHANGELOG.md

@@ -2,6 +2,15 @@
 
 ## Unreleased
 
+### Fixed
+
+- **NIF robustness hardening** - `make_py_error` no longer passes a NULL message/type
+  to `enif_make_string`/`enif_make_atom` when a Python exception's text isn't
+  UTF-8-encodable; `binary_to_string` rejects names/code containing an embedded NUL
+  (which would silently truncate a module/function/attr/code string) rather than
+  truncating; a leaked `split` method object in the reactor buffer is released; and a
+  stray debug `fprintf` on the normal worker send path is removed.
+
 ### Security
 
 - **No shell for venv/installer commands** - `py:ensure_venv` and dependency

c_src/py_convert.c

@@ -825,13 +825,22 @@ static ERL_NIF_TERM make_py_error(ErlNifEnv *env) {
             enif_make_tuple2(env, ATOM_STOP_ITERATION, ATOM_NONE));
     }
 
-    /* Get exception message */
+    /* Get exception message. PyUnicode_AsUTF8 can return NULL (e.g. a str with
+     * lone surrogates); never pass NULL to enif_make_string. */
     PyObject *str = PyObject_Str(value);
-    const char *err_msg = str ? PyUnicode_AsUTF8(str) : "unknown";
+    const char *err_msg = (str != NULL) ? PyUnicode_AsUTF8(str) : NULL;
+    if (err_msg == NULL) {
+        PyErr_Clear();
+        err_msg = "unknown";
+    }
 
-    /* Get exception type name */
-    PyObject *type_name = PyObject_GetAttrString(type, "__name__");
-    const char *type_str = type_name ? PyUnicode_AsUTF8(type_name) : "Exception";
+    /* Get exception type name (type itself may be NULL after PyErr_Fetch). */
+    PyObject *type_name = (type != NULL) ? PyObject_GetAttrString(type, "__name__") : NULL;
+    const char *type_str = (type_name != NULL) ? PyUnicode_AsUTF8(type_name) : NULL;
+    if (type_str == NULL) {
+        PyErr_Clear();
+        type_str = "Exception";
+    }
 
     /* Build error tuple: {error, {TypeAtom, MessageString}} */
     ERL_NIF_TERM error_tuple = enif_make_tuple2(env,

c_src/py_nif.h

@@ -1674,6 +1674,12 @@ static ERL_NIF_TERM make_py_error(ErlNifEnv *env);
  * @warning Caller must call enif_free() on the returned string
  */
 static char *binary_to_string(const ErlNifBinary *bin) {
+    /* Reject embedded NULs: the result is used as a C string, so a NUL would
+     * silently truncate a module/func/attr/code name (a name-smuggling vector).
+     * Callers already treat a NULL return as an error. */
+    if (bin->size > 0 && memchr(bin->data, '\0', bin->size) != NULL) {
+        return NULL;
+    }
     char *str = enif_alloc(bin->size + 1);
     if (str != NULL) {
         memcpy(str, bin->data, bin->size);

c_src/py_reactor_buffer.c

@@ -620,8 +620,13 @@ static PyObject *ReactorBuffer_split(ReactorBufferObject *self, PyObject *args,
         return NULL;
     }
 
-    PyObject *result = PyObject_Call(
-        PyObject_GetAttrString(bytes_obj, "split"), args, kwargs);
+    PyObject *split_meth = PyObject_GetAttrString(bytes_obj, "split");
+    if (split_meth == NULL) {
+        Py_DECREF(bytes_obj);
+        return NULL;
+    }
+    PyObject *result = PyObject_Call(split_meth, args, kwargs);
+    Py_DECREF(split_meth);
     Py_DECREF(bytes_obj);
     return result;
 }

c_src/py_worker_pool.c

@@ -219,9 +219,9 @@ static void py_pool_send_response(py_pool_request_t *req, ERL_NIF_TERM result) {
          * Set to NULL to prevent double-free in py_pool_request_free. */
         req->msg_env = NULL;
     } else {
+        /* enif_send fails normally when the caller has already died; the
+         * g_responses_failed counter records it (no stderr spam). */
         atomic_fetch_add(&g_responses_failed, 1);
-        fprintf(stderr, "[DEBUG] enif_send FAILED for req_id=%llu\n",
-                (unsigned long long)req->request_id);
         /* On failure, msg_env is still valid and will be freed in request_free */
     }
 }
@@ -579,6 +579,9 @@ static void *py_pool_worker_thread(void *arg) {
  * ============================================================================ */
 
 static int py_pool_init(int num_workers) {
+    /* Init/shutdown are serialized by the single Erlang gen_server that owns the
+     * pool, so this check-then-init runs without a concurrent caller and needs no
+     * extra lock. */
     if (g_pool.initialized) {
         return 0;  /* Already initialized */
     }

test/py_SUITE.erl

@@ -22,6 +22,7 @@
     test_type_conversions/1,
     test_nested_types/1,
     test_conversion_depth_guard/1,
+    test_embedded_nul_name_rejected/1,
     test_timeout/1,
     test_special_floats/1,
     test_streaming/1,
@@ -84,6 +85,7 @@ all() ->
         test_type_conversions,
         test_nested_types,
         test_conversion_depth_guard,
+        test_embedded_nul_name_rejected,
         test_timeout,
         test_special_floats,
         test_streaming,
@@ -326,6 +328,16 @@ test_conversion_depth_guard(_Config) ->
     {ok, 4.0} = py:call(math, sqrt, [16]),
     ok.
 
+%% @doc A code string with an embedded NUL must be rejected, not silently
+%% truncated at the NUL (which would run something other than intended). Exercises
+%% the binary_to_string NUL guard shared by all name/code decoding.
+test_embedded_nul_name_rejected(_Config) ->
+    {error, _} = py:eval(<<"1", 0, "+1">>),
+    {error, _} = py:exec(<<"x = 1", 0, "; y = 2">>),
+    %% Node still alive and clean code still works.
+    {ok, 2} = py:eval(<<"1+1">>),
+    ok.
+
 test_timeout(_Config) ->
     %% Test that timeout works - use time.sleep which guarantees delay
     %% time.sleep(1) will definitely exceed 100ms timeout