[Bug 10376] New: recent winsock SO_REUSEADDR patch reveals parameter handling problem in WS_setsockopt
wine-bugs at winehq.org
Fri Nov 9 10:54:10 CST 2007
http://bugs.winehq.org/show_bug.cgi?id=10376
Summary: recent winsock SO_REUSEADDR patch reveals parameter handling problem in WS_setsockopt
Product: Wine
Version: CVS/GIT
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: wine-net
AssignedTo: wine-bugs at winehq.org
ReportedBy: focht at gmx.net
Hello,
it seems the recent winsock SO_REUSEADDR patch
--- snip ---
URL:
http://source.winehq.org/git/wine.git/?a=commit;h=58b030c270e68c4e130a7decb646ca1aa3d3ea2f
Author: Kai Blin <kai.blin <at> gmail.com>
Date: Sat Nov 3 08:45:12 2007 +0100
ws2_32: Map SO_REUSEADDR.
BSD socket SO_REUSEADDR is not a complete match, but features like
"allow binding to a port immediately after closing it" seem to be
compatible.
--- snip ---
triggers a code path in WS_setsockopt() which leads to a crash.
The cause is an application bug.
The EvenBalance PunkBuster "PnkBstrA" service, which creates local communication
sockets, accidentally passes the value instead of the value's address to
WS_setsockopt().
The services can be installed and tested with their "pbsvc.exe" tool from
http://www.evenbalance.com/downloads/pbsvc/pbsvc.exe
--- snip ---
..
0015:trace:winsock:WS_setsockopt socket: 005c, level 0xffff, name 0x4, ptr 0x1, len 1
0015:trace:seh:raise_exception code=c0000005 flags=0 addr=0x76587df5
0015:trace:seh:raise_exception info[0]=00000000
0015:trace:seh:raise_exception info[1]=00000001
0015:trace:seh:raise_exception eax=00000001 ebx=7658e11c ecx=00000002 edx=00000004 esi=0000ffff edi=00000001
0015:trace:seh:raise_exception ebp=617c57a4 esp=617c574c cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00210293
0015:trace:seh:call_stack_handlers calling handler at 0x7bc38810 code=c0000005 flags=0
--- snip ---
Their source code snippet probably looks like this:
--- snip ---
if (setsockopt( sock, .., ..., (char*)value, value_len) != SOCKET_ERROR)
--- snip ---
Instead of this:
--- snip ---
if (setsockopt( sock, .., ..., (char*)&value, value_len) != SOCKET_ERROR)
--- snip ---
Micro$oft "fixes" such crappy^H^H^H^H^H^Hbuggy applications by using SEH to
catch invalid pointer dereferencing.
If you execute a hand-crafted WS_setsockopt() test case with an invalid pointer
value in Windows you will see something like this:
--- snip ---
First-chance exception at 0x719b5280 (mswsock.dll) in test.exe: 0xC0000005: Access violation reading location 0x00000001.
--- snip ---
The returned last error is WSAEFAULT (bad pointer value/address supplied).
Solution: either wrap the whole function within a structured exception handler
(SEH) or use IsBadReadPtr() on the passed pointer and return WSAEFAULT if fishy.
Regards
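
The "validate the pointer and return WSAEFAULT" fix proposed in the report, as an added example (not code from the report or from Wine): a POSIX analogue that copies the option value in through the kernel, so a bad pointer becomes an error return and nothing is dereferenced between check and use. The names ex_setsockopt, ex_copy_in, ex_fail and ex_last_error are hypothetical; the 512-byte cap and the rule that optlen must be 1 to sizeof(int) are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define EX_SOCKET_ERROR (-1)
#define EX_WSAEFAULT    10014   /* numeric value of WSAEFAULT */
static int ex_last_error;       /* stand-in for the winsock last-error value */
static int ex_fail(int err) { ex_last_error = err; return EX_SOCKET_ERROR; }

/* Copy len bytes from an untrusted pointer by routing them through a pipe:
 * the kernel validates src, so write() fails with EFAULT instead of this
 * process faulting, and the caller only ever touches its private copy. */
static int ex_copy_in(void *dst, const void *src, size_t len)
{
    int fds[2], ok;
    if (len == 0 || len > 512 || pipe(fds) != 0)
        return -1;
    ok = write(fds[1], src, len) == (ssize_t)len &&
         read(fds[0], dst, len) == (ssize_t)len;
    close(fds[0]); close(fds[1]);
    return ok ? 0 : -1;
}

/* Hypothetical mapping wrapper (not Wine's code). 0xffff / 0x4 are the
 * level / name values from the trace; only that pair is mapped here. */
int ex_setsockopt(int s, int level, int name, const char *optval, int optlen)
{
    int value = 0, on;
    if (optlen < 1 || optlen > (int)sizeof(value) ||
        ex_copy_in(&value, optval, (size_t)optlen) != 0)
        return ex_fail(EX_WSAEFAULT);   /* bad pointer: fail, do not crash */
    if (level != 0xffff || name != 0x4)
        return ex_fail(EINVAL);
    on = (value != 0);
    if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) != 0)
        return ex_fail(errno);
    ex_last_error = 0;
    return 0;
}

int main(void)
{
    int s = socket(AF_INET, SOCK_STREAM, 0), on = 1;
    /* Constructed calls: the trace's (ptr 0x1, len 1), then a correct one. */
    printf("bad:  %d\n", ex_setsockopt(s, 0xffff, 0x4, (const char *)(uintptr_t)1, 1));
    printf("good: %d\n", ex_setsockopt(s, 0xffff, 0x4, (const char *)&on, sizeof(on)));
    close(s);
    return 0;
}
```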