https://bugs.winehq.org/show_bug.cgi?id=49371
Bug ID: 49371
Summary: Incorrect output buffer length check in WSAIoctl with SIO_GET_INTERFACE_LIST
Product: Wine
Version: unspecified
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: winsock
Assignee: wine-bugs@winehq.org
Reporter: j.g.rennison@gmail.com
Distribution: ---
The output buffer length check in the implementation of the SIO_GET_INTERFACE_LIST ioctl in WSAIoctl is not correct. In the event that there are more interfaces than the supplied buffer is sized for, this can result in output data being written beyond the end of the supplied buffer and no error returned. This can cause undefined behaviour such as crashes, etc.
With reference to line 4796 in dlls/ws2_32/socket.c https://github.com/wine-mirror/wine/blob/343043153b44fa46a2081fa8a2c171eac7c...
if ((numInt + 1)*sizeof(INTERFACE_INFO)/sizeof(IP_ADAPTER_INFO) > out_size)
should instead be
if ((numInt + 1)*sizeof(INTERFACE_INFO) > out_size)
This is because the output buffer write pointer intArray is of type INTERFACE_INFO*, and numInt is the index relative to the start of the output buffer, not the size returned from GetAdaptersInfo.
The bug appears to have been introduced in commit a239e8ed. https://github.com/wine-mirror/wine/commit/a239e8ed27b1c3cde6bc568c3d7b9996a...
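As an added illustration of the reporter's analysis (this is not code from the bug report or from Wine), the following C program replays the fill loop of the SIO_GET_INTERFACE_LIST handler against a buffer followed by a guard region, once with the original check and once with the corrected one. The types interface_info_t and ip_adapter_info_t are constructed stand-ins whose sizes only approximate INTERFACE_INFO and IP_ADAPTER_INFO; fill_with_guard and fill_bytes are hypothetical helper names. Because the original check divides the byte count by sizeof(IP_ADAPTER_INFO), the comparison against out_size never trips for any realistic interface count, and the loop keeps writing entries past the end of the caller's buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the Win32 types used by the handler. The sizes
 * are only approximations of INTERFACE_INFO (76 bytes on 32-bit Windows) and
 * IP_ADAPTER_INFO (640 bytes); what matters is that the second is far larger
 * than the first, so dividing by it shrinks the value compared to out_size. */
typedef struct { unsigned char raw[76]; }  interface_info_t;   /* ~INTERFACE_INFO */
typedef struct { unsigned char raw[640]; } ip_adapter_info_t;  /* ~IP_ADAPTER_INFO */

#define BACKING_SIZE 1024   /* caller's buffer plus a guard region, one local array */

/* Replay the SIO_GET_INTERFACE_LIST fill loop against a buffer of out_size
 * bytes that is followed by guard bytes (0xAA) inside one local array, so an
 * overrun stays inside our own storage and can be detected.
 *   n_adapters       number of adapters GetAdaptersInfo would report
 *   out_size         size of the caller's output buffer, in bytes
 *   use_fixed_check  0 = original check (divides by sizeof IP_ADAPTER_INFO),
 *                    1 = corrected check from the fix
 *   written          receives the number of bytes the loop wrote (may be NULL)
 * Returns 1 if the guard region is untouched, 0 if the loop wrote past the end
 * of the caller's buffer (an out-of-bounds write in the real handler). */
static int fill_with_guard(unsigned n_adapters, size_t out_size,
                           int use_fixed_check, size_t *written)
{
    unsigned char backing[BACKING_SIZE];
    unsigned numInt = 0;          /* index of the next INTERFACE_INFO entry */
    unsigned i;
    size_t k;

    if (out_size > BACKING_SIZE) out_size = BACKING_SIZE;
    memset(backing, 0xAA, sizeof backing);

    for (i = 0; i < n_adapters; i++) {
        size_t needed  = (numInt + 1) * sizeof(interface_info_t);
        size_t checked = use_fixed_check ? needed
                                         : needed / sizeof(ip_adapter_info_t);
        if (checked > out_size)          /* real code: status = WSAEFAULT; break; */
            break;
        if (needed > BACKING_SIZE)       /* keep the demo inside its own storage */
            break;
        /* intArray[numInt] = ... in the handler; here a marker pattern */
        memset(backing + numInt * sizeof(interface_info_t), 0x11,
               sizeof(interface_info_t));
        numInt++;
    }
    if (written) *written = numInt * sizeof(interface_info_t);

    for (k = out_size; k < BACKING_SIZE; k++)
        if (backing[k] != 0xAA) return 0;   /* guard clobbered: overflow */
    return 1;
}

/* Convenience wrapper: how many bytes the loop writes for these parameters. */
static size_t fill_bytes(unsigned n_adapters, size_t out_size, int use_fixed_check)
{
    size_t w = 0;
    fill_with_guard(n_adapters, out_size, use_fixed_check, &w);
    return w;
}

int main(void)
{
    size_t out_size = 2 * sizeof(interface_info_t);   /* room for two entries */
    size_t w;
    int ok;

    ok = fill_with_guard(5, out_size, 0, &w);
    printf("original check: wrote %zu bytes into %zu, guard intact: %d\n", w, out_size, ok);
    ok = fill_with_guard(5, out_size, 1, &w);
    printf("fixed check:    wrote %zu bytes into %zu, guard intact: %d\n", w, out_size, ok);
    return 0;
}
```

With five adapters and a buffer sized for two entries, the original check lets all five entries be written (380 bytes into a 152-byte buffer, guard clobbered), while the corrected check stops after the second entry and leaves the guard intact. The original check only appears to work when the interface list happens to fit, which is why the bug shows up as crashes on machines with more interfaces than the caller anticipated.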
--- Comment #1 from Gijs Vermeulen gijsvrm@gmail.com --- Was this bug changed by https://source.winehq.org/git/wine.git/commit/03fcb54c0e852b93b94bd11225237af84cdc3697? If you can, please retest with wine-6.1.
Damjan Jovanovic damjan.jov@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Fixed by SHA1| |f17404f8ed2883e28ef33887c7e0a9c2fc2e4874
Status|UNCONFIRMED |RESOLVED
CC| |damjan.jov@gmail.com
--- Comment #2 from Damjan Jovanovic damjan.jov@gmail.com --- It was fixed even earlier, by this commit:
---snip---
commit f17404f8ed2883e28ef33887c7e0a9c2fc2e4874
Author: Paul Gofman pgofman@codeweavers.com
Date: Wed Dec 16 11:58:27 2020 +0300
ws2_32: Fix buffer size check in WSAIoctl() for SIO_GET_INTERFACE_LIST.
Fixes out of bound memory access in Anno 1404 Addon.
Signed-off-by: Paul Gofman pgofman@codeweavers.com
Signed-off-by: Alexandre Julliard julliard@winehq.org
diff --git a/dlls/ws2_32/socket.c b/dlls/ws2_32/socket.c index 6cb35bcd135..05097ce53b8 100644 --- a/dlls/ws2_32/socket.c +++ b/dlls/ws2_32/socket.c @@ -4618,10 +4618,11 @@ INT WINAPI WSAIoctl(SOCKET s, DWORD code, LPVOID in_buff, DWORD in_size, LPVOID if (ptr->IpAddressList.IpAddress.String[0] == '\0') continue;
- if ((numInt + 1)*sizeof(INTERFACE_INFO)/sizeof(IP_ADAPTER_INFO) > out_size) + if ((numInt + 1) * sizeof(INTERFACE_INFO) > out_size) { WARN("Buffer too small = %u, out_size = %u\n", numInt + 1, out_size); status = WSAEFAULT; + if (ret_size) *ret_size = 0; break; } ---snip---
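Review bot: The WARN in this hunk still logs unlike quantities: `numInt + 1` is an entry count while `out_size` is in bytes, so "Buffer too small = %u, out_size = %u" does not tell the reader how far short the buffer is. Since the corrected condition already computes the required byte count `(numInt + 1) * sizeof(INTERFACE_INFO)`, log that value (cast to match the format specifier) next to out_size. The two functional changes look right: dropping `/sizeof(IP_ADAPTER_INFO)` matches the reporter's point that numInt indexes INTERFACE_INFO entries in the output buffer rather than bytes returned by GetAdaptersInfo, and setting `*ret_size = 0` on the WSAEFAULT path means a caller that ignores the return status is not handed a stale or partial byte count.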
Resolving FIXED. Thank you for your bug report!
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 8.13.