Signed-off-by: Stefan Dösinger <stefan@codeweavers.com>
---
This fixes random crashes in AllocateAndGetIpNetTableFromStack on macOS Catalina. Netmask sockaddr_ins only have enough bytes to store the bits of the netmask that are non-zero, which are 0 for the default route - this leads to a 4 byte struct in the array.
As a result we read the gateway wrong on 64 bit builds. That was survivable at least as far as memory allocations go, but since Catalina there is one more struct sockaddr in the route info for some routes - RTA_IFA. Thanks to the wrong offset from the netmask we added a byte originating from the gateway's IP address to the RTA_IFA pointer and tried to read the address only to realize later that we don't know what to do anyway. Depending on the IP address and if the route in question is towards the end of the routing table we might read beyond the memory buffer.
A similar problem occurs with AF_LINK sockaddrs which have a size of 20 bytes, which we incorrectly aligned to 24.
See https://opensource.apple.com/source/network_cmds/network_cmds-596/netstat.tp.... --- dlls/iphlpapi/ipstats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/iphlpapi/ipstats.c b/dlls/iphlpapi/ipstats.c index efb4d64c90..94fb4af5fa 100644 --- a/dlls/iphlpapi/ipstats.c +++ b/dlls/iphlpapi/ipstats.c @@ -145,7 +145,7 @@
#ifndef ROUNDUP #define ROUNDUP(a) \ - ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) + ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t)) #endif #ifndef ADVANCE #define ADVANCE(x, n) (x += ROUNDUP(((struct sockaddr *)n)->sa_len))
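Review bot: The switch from sizeof(long) to sizeof(uint32_t) in ROUNDUP is unconditional, while the description only establishes 4-byte sockaddr padding for the macOS routing messages. If this routing-table code is also built for other platforms whose kernels pad sockaddrs to sizeof(long), the same macro would now compute offsets that are too small there, reintroducing the mis-parse in the opposite direction. Consider limiting the new definition to the platform it was verified on, for example with an `#ifdef __APPLE__` branch that keeps the sizeof(long) form otherwise. The hunk also does not show an include that guarantees uint32_t is declared at this point, so it is worth confirming <stdint.h> (or an equivalent) is pulled in before line 145. Finally, a one-line comment above the macro stating that the kernel aligns these sockaddrs to 4 bytes, and that a zero sa_len still occupies 4 bytes, would keep a later cleanup from changing it back, since the reasoning currently lives only below the --- cut and will not reach the commit log.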