http://bugs.winehq.org/show_bug.cgi?id=10376
Summary: recent winsock SO_REUSEADDR patch reveals parameter handling problem in WS_setsockopt
Product: Wine
Version: CVS/GIT
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: wine-net
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Hello,
seems recent winsock SO_REUSEADDR patch
--- snip ---
URL: http://source.winehq.org/git/wine.git/?a=commit;h=58b030c270e68c4e130a7decb6...
Author: Kai Blin <kai.blin <at> gmail.com>
Date: Sat Nov 3 08:45:12 2007 +0100

ws2_32: Map SO_REUSEADDR.

BSD socket SO_REUSEADDR is not a complete match, but features like "allow binding to a port immediately after closing it" seem to be compatible.
--- snip ---
triggers a code path in WS_setsockopt() which leads to a crash.
The cause is an application bug. The EvenBalance PunkBuster "PnkBstrA" service, which creates local communication sockets, accidentally passes the value instead of the value's address to WS_setsockopt().
The services can be installed and tested with their "pbsvc.exe" tool from http://www.evenbalance.com/downloads/pbsvc/pbsvc.exe
--- snip ---
..
0015:trace:winsock:WS_setsockopt socket: 005c, level 0xffff, name 0x4, ptr 0x1, len 1
0015:trace:seh:raise_exception code=c0000005 flags=0 addr=0x76587df5
0015:trace:seh:raise_exception info[0]=00000000
0015:trace:seh:raise_exception info[1]=00000001
0015:trace:seh:raise_exception eax=00000001 ebx=7658e11c ecx=00000002 edx=00000004 esi=0000ffff edi=00000001
0015:trace:seh:raise_exception ebp=617c57a4 esp=617c574c cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00210293
0015:trace:seh:call_stack_handlers calling handler at 0x7bc38810 code=c0000005 flags=0
--- snip ---
Their source code snippet probably looks like this:
--- snip ---
if (setsockopt( sock, .., ..., (char*)value, value_len) != SOCKET_ERROR)
--- snip ---
Instead of this:
--- snip ---
if (setsockopt( sock, .., ..., (char*)&value, value_len) != SOCKET_ERROR)
--- snip ---
Micro$oft "fixes" such crappy^H^H^H^H^H^Hbuggy applications by using SEH to catch invalid pointer dereferencing. If you execute a hand-crafted WS_setsockopt() test case with an invalid pointer value on Windows you will see something like this:
--- snip ---
First-chance exception at 0x719b5280 (mswsock.dll) in test.exe: 0xC0000005: Access violation reading location 0x00000001.
--- snip ---
Returned last error is WSAEFAULT (bad pointer value/address supplied).
Solution: either wrap the whole function within a structured exception handler (SEH) or use IsBadReadPtr() on the passed pointer and return WSAEFAULT if fishy.
Regards
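The "check the pointer, return WSAEFAULT" idea from the report, sketched for a POSIX host as an added example (not Wine's code and not the patch referenced in this bug). The names compat_setsockopt_bool, safe_copy_in and compat_last_error are hypothetical; instead of a check-then-dereference, the bytes are copied through a pipe so the kernel reports EFAULT for a bogus pointer such as the 0x1 in the trace, and the layer only ever uses its own copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define COMPAT_WSAEFAULT 10014   /* numeric value of WSAEFAULT in winsock */
static int compat_last_error;    /* hypothetical stand-in for WSASetLastError() */

/* Copy len bytes from an untrusted pointer by routing them through a pipe:
 * the kernel performs the read and fails with EFAULT instead of the
 * process taking an access violation. Returns 0 on success, -1 otherwise. */
static int safe_copy_in(void *dst, const void *src, size_t len)
{
    int p[2], ok = -1;
    if (len == 0 || len > 512 || pipe(p) != 0)  /* 512 = POSIX minimum PIPE_BUF */
        return -1;
    if (write(p[1], src, len) == (ssize_t)len &&
        read(p[0], dst, len) == (ssize_t)len)
        ok = 0;
    close(p[0]);
    close(p[1]);
    return ok;
}

/* setsockopt for boolean options: a translation layer has to read *optval
 * itself, which is exactly where a value passed as a pointer would crash. */
int compat_setsockopt_bool(int fd, int level, int name,
                           const void *optval, int optlen)
{
    unsigned char raw[sizeof(int)] = {0};
    size_t n = optlen < 1 ? 0 : (optlen > (int)sizeof raw ? sizeof raw : (size_t)optlen);
    int on = 0;
    if (safe_copy_in(raw, optval, n) != 0) {
        compat_last_error = COMPAT_WSAEFAULT;
        return -1;                              /* SOCKET_ERROR */
    }
    for (size_t i = 0; i < n; i++)
        on |= raw[i];
    on = !!on;
    return setsockopt(fd, level, name, &on, sizeof on);
}

int main(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0), one = 1;
    printf("address: %d\n", compat_setsockopt_bool(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one));
    printf("value:   %d\n", compat_setsockopt_bool(fd, SOL_SOCKET, SO_REUSEADDR, (void *)(uintptr_t)one, 1));
    close(fd);
    return 0;
}
```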
--- Comment #1 from Anastasius Focht focht@gmx.net 2007-11-09 11:05:17 ---
Created an attachment (id=9046)
 --> (http://bugs.winehq.org/attachment.cgi?id=9046)
pbsvc.exe test tool trace made with WINEDEBUG=+tid,+seh,+winsock
Hello,
attached is a trace made with: WINEDEBUG=+tid,+seh,+winsock showing the crash location (dereferencing invalid optval parameter).
Regards
Kai Blin blin@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
     Ever Confirmed|0                           |1

--- Comment #2 from Kai Blin blin@gmx.net 2007-11-11 12:51:13 ---
I remember I had another app with a similar bug. I'll look into this.
Kai Blin blin@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |timonator@gmail.com

--- Comment #3 from Kai Blin blin@gmx.net 2007-11-12 03:06:07 ---
*** Bug 6321 has been marked as a duplicate of this bug. ***
--- Comment #4 from Kai Blin blin@gmx.net 2007-11-12 03:08:50 ---
Patch sent.
Kai Blin blin@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Kai Blin blin@gmx.net 2007-11-12 09:10:44 ---
Patch is in git (d35c13c621a157fcbb60ba4f44a5eab29cfb49be).
Please reopen the bug if this still is an issue for you.
Dan Kegel dank@kegel.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Dan Kegel dank@kegel.com 2008-01-28 05:40:46 ---
Closing all RESOLVED FIXED bugs older than four weeks.
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|CVS/GIT                     |unspecified
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
      Fixed by SHA1|                            |d35c13c621a157fcbb60ba4f44a
                   |                            |5eab29cfb49be
                URL|                            |http://www.evenbalance.com/
                   |                            |downloads/pbsvc/pbsvc.exe
            Version|unspecified                 |0.9.49.
            Summary|recent winsock SO_REUSEADDR |recent winsock SO_REUSEADDR
                   |patch reveals parameter     |patch reveals parameter
                   |handling problem in         |handling problem in
                   |WS_setsockopt               |WS_setsockopt (EvenBalance
                   |                            |PnkBstrA service)
    Regression SHA1|                            |58b030c270e68c4e130a7decb64
                   |                            |6ca1aa3d3ea2f

--- Comment #7 from Anastasius Focht focht@gmx.net 2011-10-12 04:16:50 CDT ---
Hello,
filling/correcting fields ...
Regards
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://www.evenbalance.com/ |https://web.archive.org/web
                   |downloads/pbsvc/pbsvc.exe   |/20130505162834/http://www.
                   |                            |evenbalance.com/downloads/p
                   |                            |bsvc/pbsvc.exe