http://bugs.winehq.org/show_bug.cgi?id=10376
Summary: recent winsock SO_REUSEADDR patch reveals parameter handling problem in WS_setsockopt
Product: Wine
Version: CVS/GIT
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: wine-net
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Hello,
It seems the recent winsock SO_REUSEADDR patch
--- snip ---
URL: http://source.winehq.org/git/wine.git/?a=commit;h=58b030c270e68c4e130a7decb6...
Author: Kai Blin <kai.blin <at> gmail.com>
Date: Sat Nov 3 08:45:12 2007 +0100

ws2_32: Map SO_REUSEADDR.

BSD socket SO_REUSEADDR is not a complete match, but features like "allow binding to a port immediately after closing it" seem to be compatible.
--- snip ---
triggers a code path in WS_setsockopt() which leads to a crash.
The cause is an application bug. The EvenBalance PunkBuster "PnkBstrA" service, which creates local communication sockets, accidentally passes the value instead of the value's address to WS_setsockopt().
The services can be installed and tested with their "pbsvc.exe" tool from http://www.evenbalance.com/downloads/pbsvc/pbsvc.exe
--- snip ---
..
0015:trace:winsock:WS_setsockopt socket: 005c, level 0xffff, name 0x4, ptr 0x1, len 1
0015:trace:seh:raise_exception code=c0000005 flags=0 addr=0x76587df5
0015:trace:seh:raise_exception info[0]=00000000
0015:trace:seh:raise_exception info[1]=00000001
0015:trace:seh:raise_exception eax=00000001 ebx=7658e11c ecx=00000002 edx=00000004 esi=0000ffff edi=00000001
0015:trace:seh:raise_exception ebp=617c57a4 esp=617c574c cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00210293
0015:trace:seh:call_stack_handlers calling handler at 0x7bc38810 code=c0000005 flags=0
--- snip ---
Their source code snippet probably looks like this:
--- snip ---
if (setsockopt( sock, .., ..., (char*)value, value_len) != SOCKET_ERROR)
--- snip ---
Instead of this:
--- snip ---
if (setsockopt( sock, .., ..., (char*)&value, value_len) != SOCKET_ERROR)
--- snip ---
Micro$oft "fixes" such crappy^H^H^H^H^H^Hbuggy applications by using SEH to catch invalid pointer dereferencing. If you execute a hand-crafted WS_setsockopt() test case with an invalid pointer value on Windows you will see something like this:
--- snip ---
First-chance exception at 0x719b5280 (mswsock.dll) in test.exe: 0xC0000005: Access violation reading location 0x00000001.
--- snip ---
Returned last error is WSAEFAULT (bad pointer value/address supplied).
Solution: either wrap the whole function within a structured exception handler (SEH) or use IsBadReadPtr() on the passed pointer and return WSAEFAULT if fishy.
Regards