[Bug 10376] New: recent winsock SO_REUSEADDR patch reveals parameter handling problem in WS_setsockopt

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Nov 9 10:54:10 CST 2007


http://bugs.winehq.org/show_bug.cgi?id=10376

           Summary: recent winsock SO_REUSEADDR patch reveals parameter
                    handling problem in WS_setsockopt
           Product: Wine
           Version: CVS/GIT
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: P2
         Component: wine-net
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net


Hello,

It seems the recent winsock SO_REUSEADDR patch

--- snip ---
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=58b030c270e68c4e130a7decb646ca1aa3d3ea2f
Author: Kai Blin <kai.blin <at> gmail.com>
Date:   Sat Nov 3 08:45:12 2007 +0100

    ws2_32: Map SO_REUSEADDR.

    BSD socket SO_REUSEADDR is not a complete match, but features like
    "allow binding to a port immediately after closing it" seem to be
    compatible.
--- snip ---

triggers a code path in WS_setsockopt() which leads to a crash.

The cause is an application bug.
The EvenBalance PunkBuster "PnkBstrA" service, which creates local communication
sockets, accidentally passes the value instead of the value's address to
WS_setsockopt().

The services can be installed and tested with their "pbsvc.exe" tool from
http://www.evenbalance.com/downloads/pbsvc/pbsvc.exe

--- snip ---
..
0015:trace:winsock:WS_setsockopt socket: 005c, level 0xffff, name 0x4, ptr 0x1, len 1
0015:trace:seh:raise_exception code=c0000005 flags=0 addr=0x76587df5
0015:trace:seh:raise_exception  info[0]=00000000
0015:trace:seh:raise_exception  info[1]=00000001
0015:trace:seh:raise_exception  eax=00000001 ebx=7658e11c ecx=00000002 edx=00000004 esi=0000ffff edi=00000001
0015:trace:seh:raise_exception  ebp=617c57a4 esp=617c574c cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00210293
0015:trace:seh:call_stack_handlers calling handler at 0x7bc38810 code=c0000005 flags=0
--- snip ---

Their source code snippet probably looks like this:

--- snip ---
if (setsockopt( sock, .., ..., (char*)value, value_len) != SOCKET_ERROR)
--- snip ---

Instead of this:

--- snip ---
if (setsockopt( sock, .., ..., (char*)&value, value_len) != SOCKET_ERROR)
--- snip ---

Micro$oft "fixes" such crappy^H^H^H^H^H^Hbuggy applications by using SEH to
catch invalid pointer dereferences.
If you execute a hand-crafted WS_setsockopt() test case with an invalid pointer
value on Windows you will see something like this:

--- snip ---
First-chance exception at 0x719b5280 (mswsock.dll) in test.exe: 0xC0000005:
Access violation reading location 0x00000001.
--- snip ---

The returned last error is WSAEFAULT (bad pointer value/address supplied).

Solution: either wrap the whole function within a structured exception handler
(SEH) or use IsBadReadPtr() on the passed pointer and return WSAEFAULT if fishy.

Regards
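An added example (not Wine's or PunkBuster's code) of the defensive check the report proposes: a hardened setsockopt wrapper that validates optval before touching it and fails with WSAEFAULT, exercised with the buggy and the intended call from the report. The pipe-write probe is a POSIX stand-in for IsBadReadPtr(), and is_readable, ws_setsockopt_checked and ws_last_error are assumed names.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>

#define WSAEFAULT 10014      /* Winsock "bad address" error code */
static int ws_last_error;    /* stand-in for WSAGetLastError() (assumed name) */

/* Probe whether [ptr, ptr+len) is readable without dereferencing it in user
 * space: writing it into a pipe makes the kernel report EFAULT for an unmapped
 * range instead of the process faulting. POSIX stand-in for IsBadReadPtr(). */
static int is_readable(const void *ptr, size_t len)
{
    int fds[2];
    ssize_t n;
    if (len == 0 || len > 4096 || pipe(fds) != 0) return 0;
    n = write(fds[1], ptr, len);
    close(fds[0]); close(fds[1]);
    return n == (ssize_t)len;
}

/* Hardened wrapper (assumed name): reject a bad optval with WSAEFAULT, matching
 * the Windows behaviour quoted in the report, instead of faulting (0xc0000005). */
static int ws_setsockopt_checked(int s, int level, int name,
                                 const char *optval, int optlen)
{
    if (optlen <= 0 || !is_readable(optval, (size_t)optlen)) {
        ws_last_error = WSAEFAULT;
        return -1;
    }
    return setsockopt(s, level, name, optval, (socklen_t)optlen);
}

int main(void)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    int value = 1;
    /* The application bug from the trace ("ptr 0x1, len 1"): the value
     * itself is passed where its address belongs. */
    if (ws_setsockopt_checked(s, SOL_SOCKET, SO_REUSEADDR,
                              (const char *)(uintptr_t)value, 1) == -1)
        printf("buggy call rejected, last error %d\n", ws_last_error);
    /* The intended call passes the address of value. */
    if (ws_setsockopt_checked(s, SOL_SOCKET, SO_REUSEADDR,
                              (const char *)&value, sizeof value) == 0)
        printf("correct call succeeded\n");
    if (s != -1) close(s);
    return 0;
}
```

On Linux the kernel's own setsockopt would already return EFAULT for the bad pointer; the wrapper matters where, as in WS_setsockopt(), user-space code reads optval before passing it on.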

