https://bugs.winehq.org/show_bug.cgi?id=43252
Mark Mankins Mark.Mankins@ngc.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Mark.Mankins@ngc.com
--- Comment #1 from Mark Mankins Mark.Mankins@ngc.com ---
This bug affects IDA Pro (Floating License) v 7.0.
When IDA Pro is run for the first time, it sends an icmp echo request to the floating license server. The icmp payload is set to a length of 17 bytes.
IcmpSendEcho() incorrectly calculates the expected size of the icmp echo reply.
Here's the pertinent code:
    ip_header=(struct ip *) ((char *) ReplyBuffer+sizeof(ICMP_ECHO_REPLY));
    endbuf=(char *) ReplyBuffer+ReplySize;
    maxlen=ReplySize-sizeof(ICMP_ECHO_REPLY);
[snip]
    res=recvfrom(icp->sid, (char*)ip_header, maxlen, 0, (struct sockaddr*)&addr,&addrlen);
    TRACE("received %d bytes from %s\n",res, inet_ntoa(addr.sin_addr));
ip_header is set to be a pointer ICMP_ECHO_REPLY characters past the start of ReplyBuffer. This appears to be incorrect and a contributor to the issue.
The calculation of endbuf seems to be correct. This is the end of the buffer that receives the echo reply packet.
In my initial example, maxlen will be set to 25 bytes. The actual size of the icmp echo reply packet is 45 bytes. 20 bytes for the ip header, 8 bytes for the icmp header, and 17 bytes for the icmp data. maxlen should be 45 bytes to fully read the entire reply packet.
Since only 25 bytes are read, the entire icmp header will not be read, and wine will incorrectly drop the icmp echo reply packet.
I believe this diff corrects the issue:
diff --git a/dlls/iphlpapi/icmp.c b/dlls/iphlpapi/icmp.c index ebc2f2b..8bfdf25 100644 --- a/dlls/iphlpapi/icmp.c +++ b/dlls/iphlpapi/icmp.c @@ -367,9 +367,9 @@ DWORD WINAPI IcmpSendEcho( fdr.events = POLLIN; addrlen=sizeof(addr); ier=ReplyBuffer; - ip_header=(struct ip *) ((char *) ReplyBuffer+sizeof(ICMP_ECHO_REPLY)); + ip_header=(struct ip *) ((char *) ReplyBuffer); endbuf=(char *) ReplyBuffer+ReplySize; - maxlen=ReplySize-sizeof(ICMP_ECHO_REPLY); + maxlen=ReplySize;
/* Send the packet */ TRACE("Sending %d bytes (RequestSize=%d) to %s\n", reqsize, RequestSize, inet_ntoa(addr.sin_addr));
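Review bot: after this hunk `ier` and `ip_header` point at the same address (`ier=ReplyBuffer;` is unchanged while `ip_header` is now `(struct ip *) ((char *) ReplyBuffer)`), so the ICMP_ECHO_REPLY record the function fills in for the caller and the raw IP packet that recvfrom() writes occupy the same bytes, and whichever is written last overwrites the other; the sizeof(ICMP_ECHO_REPLY) offset being removed appears to exist precisely to keep the two disjoint. If the underlying problem is that the 20-byte IP header the raw socket returns is charged against the caller's buffer, consider instead enlarging the receive length to cover the IP header (a scratch buffer or separate allocation of maxlen plus the header) while keeping `ip_header` past `ier`, and re-check every later comparison against `endbuf`, which the hunk leaves unchanged even though the packet now starts sizeof(ICMP_ECHO_REPLY) bytes earlier.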
ip_header should be set to be the start of the ReplyBuffer. This is the start of the buffer recvfrom should write to. It should be large enough to hold the ip header, the icmp header, and the icmp payload.
With this diff applied, IDA Pro runs as expected.
I will attempt to create a simple console application that replicates this bug.
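The size arithmetic in the comment above (20-byte IP header + 8-byte ICMP header + 17 payload bytes = 45, versus a maxlen of 25) can be checked in isolation. The following is an added example written for this bug and is not Wine's code or the reporter's; it constructs a dummy 45-byte IPv4 echo reply (IHL 5, zeroed addresses and checksums), simulates a recvfrom() truncated to a given maxlen, and reports whether the ICMP header survived the truncation. The helper names (raw_reply_len, parse_truncated_reply, build_sample_reply) are this example's own.

```c
/* Added example (not Wine's code): models the reply-buffer sizing described
 * in this bug report. Constants and the sample packet are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20   /* minimal IPv4 header, no options */
#define ICMP_HDR_LEN 8    /* type, code, checksum, identifier, sequence */

/* Bytes a raw socket hands back for an echo reply carrying payload_len bytes:
 * the kernel includes the IP header, so it must be budgeted for. */
size_t raw_reply_len(size_t payload_len)
{
    return IPV4_HDR_LEN + ICMP_HDR_LEN + payload_len;
}

/* Simulates recvfrom() into a buffer of maxlen bytes, then checks whether the
 * truncated copy still holds a complete IP header and ICMP header.
 * Returns the number of payload bytes recovered, or -1 if a header was cut. */
int parse_truncated_reply(const uint8_t *packet, size_t packet_len, size_t maxlen)
{
    uint8_t buf[128];
    size_t got = packet_len < maxlen ? packet_len : maxlen;
    if (got > sizeof buf) got = sizeof buf;
    memcpy(buf, packet, got);              /* what recvfrom() would have written */

    if (got < IPV4_HDR_LEN) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;   /* IHL field, in 32-bit words */
    if (ihl < IPV4_HDR_LEN || got < ihl + ICMP_HDR_LEN) return -1;
    if (buf[ihl] != 0) return -1;          /* ICMP type 0 = echo reply */
    return (int)(got - ihl - ICMP_HDR_LEN);
}

/* Constructed sample: a 45-byte IPv4 echo reply with 17 payload bytes, the
 * sizes quoted in the report. Addresses and checksums are dummy zeros. */
size_t build_sample_reply(uint8_t *out, size_t out_len)
{
    const size_t payload = 17;
    size_t total = raw_reply_len(payload);
    if (out_len < total) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                         /* version 4, IHL 5 (20 bytes) */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)total;               /* IP total length */
    out[8] = 64;                           /* TTL */
    out[9] = 1;                            /* protocol: ICMP */
    out[IPV4_HDR_LEN] = 0;                 /* ICMP type: echo reply */
    for (size_t i = 0; i < payload; i++)
        out[IPV4_HDR_LEN + ICMP_HDR_LEN + i] = (uint8_t)('a' + i);
    return total;
}

int main(void)
{
    uint8_t pkt[64];
    size_t len = build_sample_reply(pkt, sizeof pkt);
    printf("reply on the wire: %zu bytes\n", len);
    printf("maxlen 25 -> payload bytes recovered: %d\n",
           parse_truncated_reply(pkt, len, 25));
    printf("maxlen 45 -> payload bytes recovered: %d\n",
           parse_truncated_reply(pkt, len, 45));
    return 0;
}
```

With maxlen 25 the copy ends 3 bytes into the 8-byte ICMP header, so the parser rejects it, which is the drop the report describes; with maxlen 45 all 17 payload bytes are recovered. Whatever fix is chosen, the receive length handed to recvfrom() has to cover the IP header as well as the ICMP header and payload.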