[Bug 43252] IcmpSendEcho doesn't work with a ReplySize<56

wine-bugs at winehq.org wine-bugs at winehq.org
Tue Jan 16 13:39:29 CST 2018


https://bugs.winehq.org/show_bug.cgi?id=43252

Mark Mankins <Mark.Mankins at ngc.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Mark.Mankins at ngc.com

--- Comment #1 from Mark Mankins <Mark.Mankins at ngc.com> ---
This bug affects IDA Pro (Floating License) v 7.0.

When IDA Pro is run for the first time, it sends an icmp echo request to the
floating license server.  The icmp payload is set to a length of 17 bytes.

IcmpSendEcho() incorrectly calculates the expected size of the icmp echo reply.

Here's the pertinent code:

    ip_header=(struct ip *) ((char *) ReplyBuffer+sizeof(ICMP_ECHO_REPLY));   
    endbuf=(char *) ReplyBuffer+ReplySize;                                    
    maxlen=ReplySize-sizeof(ICMP_ECHO_REPLY);                                 

[snip]

    res=recvfrom(icp->sid, (char*)ip_header, maxlen, 0, (struct sockaddr*)&addr,&addrlen);
    TRACE("received %d bytes from %s\n",res, inet_ntoa(addr.sin_addr));

ip_header is set to be a pointer ICMP_ECHO_REPLY characters past the start of
ReplyBuffer.  This appears to be incorrect and a contributor to the issue.

The calculation of endbuf seems to be correct.  This is the end of the buffer that
receives the echo reply packet.

In my initial example, maxlen will be set to 25 bytes.  The actual size of the
icmp echo reply packet is 45 bytes.  20 bytes for the ip header, 8 bytes for
the icmp header, and 17 bytes for the icmp data.  maxlen should be 45 bytes to
fully read the entire reply packet.

Since only 25 bytes are read, the entire icmp header will not be read, and wine
will incorrectly drop the icmp echo reply packet.

I believe this diff corrects the issue:

diff --git a/dlls/iphlpapi/icmp.c b/dlls/iphlpapi/icmp.c
index ebc2f2b..8bfdf25 100644
--- a/dlls/iphlpapi/icmp.c
+++ b/dlls/iphlpapi/icmp.c
@@ -367,9 +367,9 @@ DWORD WINAPI IcmpSendEcho(
     fdr.events = POLLIN;
     addrlen=sizeof(addr);
     ier=ReplyBuffer;
-    ip_header=(struct ip *) ((char *) ReplyBuffer+sizeof(ICMP_ECHO_REPLY));
+    ip_header=(struct ip *) ((char *) ReplyBuffer);
     endbuf=(char *) ReplyBuffer+ReplySize;
-    maxlen=ReplySize-sizeof(ICMP_ECHO_REPLY);
+    maxlen=ReplySize;

     /* Send the packet */
     TRACE("Sending %d bytes (RequestSize=%d) to %s\n", reqsize, RequestSize,
inet_ntoa(addr.sin_addr));
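
Review bot: with ip_header now equal to ReplyBuffer, it aliases ier (set by "ier=ReplyBuffer;" in the context line just above), so recvfrom writes the raw IP and ICMP headers into the same bytes that hold the ICMP_ECHO_REPLY structure returned to the caller. Any later code that fills ier fields while still parsing through ip_header would overwrite the packet it is reading, and the echoed data would have to be moved out from behind the headers. Consider receiving into a separate scratch buffer large enough for the IP header, ICMP header and payload, then copying the result into ReplyBuffer with a bounds check against endbuf; a short comment stating how maxlen relates to ReplySize would also help.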



ip_header should be set to be the start of the ReplyBuffer.  This is the start
of the buffer recvfrom should write to.  It should be large enough to hold the
ip header, the icmp header, and the icmp payload.

With this diff applied, IDA Pro runs as expected.

I will attempt to create a simple console application that replicates this bug.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
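
The size arithmetic from the comment above, as an added example that is not part of the original post or of Wine's code: a length-checked parser for a raw IPv4 ICMP echo reply, run over a constructed 45-byte packet (20 + 8 + 17) and over the same packet cut to 25 bytes. All function and constant names are hypothetical, and the sample packet is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MIN_HDR 20            /* IPv4 header without options */
#define ICMP_HDR 8               /* type, code, checksum, id, sequence */
#define ICMP_ECHOREPLY_TYPE 0
enum { ERR_SHORT_IP = -1, ERR_BAD_IHL = -2, ERR_SHORT_ICMP = -3, ERR_NOT_REPLY = -4 };

/* Bytes a raw socket delivers for an echo reply that has no IP options. */
size_t echo_reply_wire_size(size_t payload_len)
{
    return IP_MIN_HDR + ICMP_HDR + payload_len;
}

/* Validate the first `len` bytes of a raw IPv4 datagram as an ICMP echo
 * reply. Returns the number of payload bytes present, or a negative error. */
int parse_echo_reply(const uint8_t *buf, size_t len)
{
    size_t ihl;
    if (len < IP_MIN_HDR) return ERR_SHORT_IP;
    ihl = (size_t)(buf[0] & 0x0f) * 4;               /* header length in bytes */
    if ((buf[0] >> 4) != 4 || ihl < IP_MIN_HDR) return ERR_BAD_IHL;
    if (len < ihl + ICMP_HDR) return ERR_SHORT_ICMP; /* ICMP header cut off */
    if (buf[9] != 1 || buf[ihl] != ICMP_ECHOREPLY_TYPE) return ERR_NOT_REPLY;
    return (int)(len - ihl - ICMP_HDR);
}

/* Constructed sample: 20-byte IP header, 8-byte ICMP header, 17 data bytes. */
size_t build_sample_reply(uint8_t *out, size_t cap)
{
    size_t total = echo_reply_wire_size(17);
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                    /* version 4, IHL 5 (20 bytes) */
    out[2] = (uint8_t)(total >> 8);   /* total length, network byte order */
    out[3] = (uint8_t)total;
    out[9] = 1;                       /* protocol: ICMP */
    out[IP_MIN_HDR] = ICMP_ECHOREPLY_TYPE;
    memset(out + IP_MIN_HDR + ICMP_HDR, 'A', 17);
    return total;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_sample_reply(pkt, sizeof pkt);
    printf("full read: %d\n25-byte read: %d\n", parse_echo_reply(pkt, n), parse_echo_reply(pkt, 25));
    return 0;
}
```

The 25-byte read leaves only 5 of the 8 ICMP header bytes after the IP header, so the parser rejects it before looking at the type field.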


