[Bug 49371] New: Incorrect output buffer length check in WSAIoctl with SIO_GET_INTERFACE_LIST
https://bugs.winehq.org/show_bug.cgi?id=49371

Bug ID: 49371
Summary: Incorrect output buffer length check in WSAIoctl with SIO_GET_INTERFACE_LIST
Product: Wine
Version: unspecified
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: winsock
Assignee: wine-bugs(a)winehq.org
Reporter: j.g.rennison(a)gmail.com
Distribution: ---

The output buffer length check in the implementation of the SIO_GET_INTERFACE_LIST ioctl in WSAIoctl is not correct. In the event that there are more interfaces than the supplied buffer is sized for, this can result in output data being written beyond the end of the supplied buffer and no error returned. This can cause undefined behaviour such as crashes, etc.

With reference to line 4796 in dlls/ws2_32/socket.c
https://github.com/wine-mirror/wine/blob/343043153b44fa46a2081fa8a2c171eac7c...

    if ((numInt + 1)*sizeof(INTERFACE_INFO)/sizeof(IP_ADAPTER_INFO) > out_size)

should instead be

    if ((numInt + 1)*sizeof(INTERFACE_INFO) > out_size)

This is because the output buffer write pointer intArray is of type INTERFACE_INFO*, and numInt is the index relative to the start of the output buffer, not the size returned from GetAdaptersInfo.

The bug appears to have been introduced in commit a239e8ed.
https://github.com/wine-mirror/wine/commit/a239e8ed27b1c3cde6bc568c3d7b9996a...

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
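The arithmetic in the report, as an added C simulation (not Wine's code): both checks are run over the same constructed scenario using stand-in structures whose sizes are assumptions, to show that dividing by sizeof(IP_ADAPTER_INFO) scales the required byte count down so far that the check never stops the loop, while the proposed check stops it exactly when the buffer is full.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the two Windows structures (constructed for this example).
 * INTERFACE_INFO mirrors the real layout (flags + three 24-byte sockaddr_gen),
 * IP_ADAPTER_INFO is just an opaque blob of roughly the real size: the point
 * is that any divisor larger than 1 weakens the check. */
typedef struct { uint32_t iiFlags; uint8_t addrs[3][24]; } INTERFACE_INFO; /* 76 bytes */
typedef struct { uint8_t opaque[640]; } IP_ADAPTER_INFO;

/* The check before the fix: the byte count needed for numInt + 1 entries is
 * divided by sizeof(IP_ADAPTER_INFO) before being compared with out_size. */
static int buggy_check_fails(size_t numInt, size_t out_size)
{
    return (numInt + 1) * sizeof(INTERFACE_INFO) / sizeof(IP_ADAPTER_INFO) > out_size;
}

/* The check as the report proposes it: bytes needed versus bytes available. */
static int fixed_check_fails(size_t numInt, size_t out_size)
{
    return (numInt + 1) * sizeof(INTERFACE_INFO) > out_size;
}

/* Simulates the WSAIoctl loop: numInt indexes the next INTERFACE_INFO slot in
 * the output buffer and the loop stops at the first adapter the check rejects.
 * Nothing is written; the return value is the number of entries admitted, so
 * admitted * sizeof(INTERFACE_INFO) is what the real loop would have emitted. */
static size_t entries_admitted(size_t n_adapters, size_t out_size,
                               int (*check_fails)(size_t, size_t))
{
    size_t numInt;
    for (numInt = 0; numInt < n_adapters; numInt++)
        if (check_fails(numInt, out_size))
            break;
    return numInt;
}

int main(void)
{
    /* Constructed scenario: the caller sized the buffer for 2 interfaces, the host has 8. */
    size_t out_size = 2 * sizeof(INTERFACE_INFO), n_adapters = 8;
    size_t before = entries_admitted(n_adapters, out_size, buggy_check_fails);
    size_t fixed = entries_admitted(n_adapters, out_size, fixed_check_fails);
    printf("out_size = %zu bytes, adapters = %zu\n", out_size, n_adapters);
    printf("old check: %zu entries = %zu bytes written (overrun)\n", before, before * sizeof(INTERFACE_INFO));
    printf("new check: %zu entries = %zu bytes written, then WSAEFAULT\n", fixed, fixed * sizeof(INTERFACE_INFO));
    return 0;
}
```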
https://bugs.winehq.org/show_bug.cgi?id=49371

--- Comment #1 from Gijs Vermeulen <gijsvrm(a)gmail.com> ---
Was this bug changed by <https://source.winehq.org/git/wine.git/commit/03fcb54c0e852b93b94bd11225237af84cdc3697>?
If you can, please retest with wine-6.1.
https://bugs.winehq.org/show_bug.cgi?id=49371

Damjan Jovanovic <damjan.jov(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
      Fixed by SHA1|                            |f17404f8ed2883e28ef33887c7e0a9c2fc2e4874
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |damjan.jov(a)gmail.com

--- Comment #2 from Damjan Jovanovic <damjan.jov(a)gmail.com> ---
It was fixed even earlier, by this commit:

---snip---
commit f17404f8ed2883e28ef33887c7e0a9c2fc2e4874
Author: Paul Gofman <pgofman(a)codeweavers.com>
Date:   Wed Dec 16 11:58:27 2020 +0300

    ws2_32: Fix buffer size check in WSAIoctl() for SIO_GET_INTERFACE_LIST.

    Fixes out of bound memory access in Anno 1404 Addon.

    Signed-off-by: Paul Gofman <pgofman(a)codeweavers.com>
    Signed-off-by: Alexandre Julliard <julliard(a)winehq.org>

diff --git a/dlls/ws2_32/socket.c b/dlls/ws2_32/socket.c index 6cb35bcd135..05097ce53b8 100644 --- a/dlls/ws2_32/socket.c +++ b/dlls/ws2_32/socket.c @@ -4618,10 +4618,11 @@ INT WINAPI WSAIoctl(SOCKET s, DWORD code, LPVOID in_buff, DWORD in_size, LPVOID if (ptr->IpAddressList.IpAddress.String[0] == '\0') continue; - if ((numInt + 1)*sizeof(INTERFACE_INFO)/sizeof(IP_ADAPTER_INFO) > out_size) + if ((numInt + 1) * sizeof(INTERFACE_INFO) > out_size) { WARN("Buffer too small = %u, out_size = %u\n", numInt + 1, out_size); status = WSAEFAULT; + if (ret_size) *ret_size = 0; break; }
---snip---

Resolving FIXED.

Thank you for your bug report!
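Review bot: the commit message describes only the size check, yet the hunk also adds `if (ret_size) *ret_size = 0;` on the WSAEFAULT path; a sentence in the message saying that a too-small buffer now reports zero bytes returned would document that behaviour change for anyone bisecting it later. The corrected condition `(numInt + 1) * sizeof(INTERFACE_INFO) > out_size` is the right one: the removed line divided the required byte count by sizeof(IP_ADAPTER_INFO) before comparing it with out_size, which is exactly why the loop could keep writing INTERFACE_INFO entries past the end of the caller's buffer, as the report explains. One style point the hunk leaves as is: WARN still prints numInt + 1 as "Buffer too small = %u", which is an entry count rather than a byte size, so logging (numInt + 1) * sizeof(INTERFACE_INFO) next to out_size would make the trace self-explanatory.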
https://bugs.winehq.org/show_bug.cgi?id=49371

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 8.13.