https://bugs.winehq.org/show_bug.cgi?id=49371
Bug ID: 49371
Summary: Incorrect output buffer length check in WSAIoctl with SIO_GET_INTERFACE_LIST
Product: Wine
Version: unspecified
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: winsock
Assignee: wine-bugs@winehq.org
Reporter: j.g.rennison@gmail.com
Distribution: ---
The output buffer length check in the implementation of the SIO_GET_INTERFACE_LIST ioctl in WSAIoctl is not correct. In the event that there are more interfaces than the supplied buffer is sized for, this can result in output data being written beyond the end of the supplied buffer and no error returned. This can cause undefined behaviour such as crashes, etc.
With reference to line 4796 in dlls/ws2_32/socket.c https://github.com/wine-mirror/wine/blob/343043153b44fa46a2081fa8a2c171eac7c...
if ((numInt + 1)*sizeof(INTERFACE_INFO)/sizeof(IP_ADAPTER_INFO) > out_size)
should instead be
if ((numInt + 1)*sizeof(INTERFACE_INFO) > out_size)
This is because the output buffer write pointer intArray is of type INTERFACE_INFO*, and numInt is the index relative to the start of the output buffer, not the size returned from GetAdaptersInfo.
The bug appears to have been introduced in commit a239e8ed. https://github.com/wine-mirror/wine/commit/a239e8ed27b1c3cde6bc568c3d7b9996a...
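The following is an added illustration, not code from the bug report or from Wine: it models the fill loop with both forms of the check and counts how far past the caller's buffer the writes would reach. The struct sizes and the five-adapter scenario are assumed values chosen for the demonstration, not the real header sizes.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for sizeof(INTERFACE_INFO) and sizeof(IP_ADAPTER_INFO). The real
 * values depend on the Windows headers and ABI; these are assumed sizes. */
#define SIZEOF_INTERFACE_INFO   76u
#define SIZEOF_IP_ADAPTER_INFO 640u

typedef int (*fits_fn)(size_t numInt, size_t out_size);

/* The check as reported: the division by sizeof(IP_ADAPTER_INFO) shrinks the
 * byte count, so it passes even when entry numInt lands past the buffer end. */
static int fits_buggy(size_t numInt, size_t out_size) {
    return !((numInt + 1) * SIZEOF_INTERFACE_INFO / SIZEOF_IP_ADAPTER_INFO > out_size);
}

/* The corrected check: bytes needed for INTERFACE_INFO entries 0..numInt. */
static int fits_fixed(size_t numInt, size_t out_size) {
    return !((numInt + 1) * SIZEOF_INTERFACE_INFO > out_size);
}

/* Simulate the fill loop over n_adapters adapters, applying the check before
 * each write of intArray[numInt]. Nothing is written; the function returns how
 * many entries the loop would have stored before the check stopped it. */
size_t entries_written(fits_fn fits, size_t n_adapters, size_t out_size) {
    size_t numInt = 0;
    for (size_t i = 0; i < n_adapters; i++) {
        if (!fits(numInt, out_size))
            break;                 /* the real code returns an error here */
        numInt++;
    }
    return numInt;
}

/* Bytes those writes would extend past the end of the buffer (0 = safe). */
size_t overrun_bytes(fits_fn fits, size_t n_adapters, size_t out_size) {
    size_t end = entries_written(fits, n_adapters, out_size) * SIZEOF_INTERFACE_INFO;
    return end > out_size ? end - out_size : 0;
}

int main(void) {
    /* Constructed scenario: the caller sized the buffer for 2 entries, 5 exist. */
    size_t out_size = 2 * SIZEOF_INTERFACE_INFO;
    printf("buggy check: %zu bytes past end\n", overrun_bytes(fits_buggy, 5, out_size));
    printf("fixed check: %zu bytes past end\n", overrun_bytes(fits_fixed, 5, out_size));
    return 0;
}
```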