[Bug 49371] New: Incorrect output buffer length check in WSAIoctl with SIO_GET_INTERFACE_LIST

WineHQ Bugzilla wine-bugs at winehq.org
Thu Jun 11 16:08:43 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=49371

            Bug ID: 49371
           Summary: Incorrect output buffer length check in WSAIoctl with
                    SIO_GET_INTERFACE_LIST
           Product: Wine
           Version: unspecified
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: winsock
          Assignee: wine-bugs at winehq.org
          Reporter: j.g.rennison at gmail.com
      Distribution: ---

The output buffer length check in the implementation of the
SIO_GET_INTERFACE_LIST ioctl in WSAIoctl is not correct.
In the event that there are more interfaces than the supplied buffer is sized
for, this can result in output data being written beyond the end of the
supplied buffer and no error returned. This can cause undefined behaviour such
as crashes, etc.

With reference to line 4796 in dlls/ws2_32/socket.c
https://github.com/wine-mirror/wine/blob/343043153b44fa46a2081fa8a2c171eac7c8dab6/dlls/ws2_32/socket.c#L4796

if ((numInt + 1)*sizeof(INTERFACE_INFO)/sizeof(IP_ADAPTER_INFO) > out_size)

should instead be

if ((numInt + 1)*sizeof(INTERFACE_INFO) > out_size)

This is because the output buffer write pointer intArray is of type
INTERFACE_INFO*, and numInt is the index relative to the start of the output
buffer, not the size returned from GetAdaptersInfo.

The bug appears to have been introduced in commit a239e8ed.
https://github.com/wine-mirror/wine/commit/a239e8ed27b1c3cde6bc568c3d7b9996a9e846b5
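The following is an added illustration, not code from the report or from Wine, of why the two length checks behave differently. It uses constructed stand-in structures (the sizes 76 and 640 are assumptions chosen only so that INTERFACE_INFO is much smaller than IP_ADAPTER_INFO, as it is in the real headers) and simulates the fill loop with counters instead of writing to memory: simulate_fill, original_check, proposed_check, overflows and fill_status are hypothetical helper names.

```c
#include <stddef.h>
#include <stdio.h>

#define WSAEFAULT 10014  /* Winsock status returned when the caller's buffer is bad */

/* Constructed stand-ins: only the size relationship matters (assumed sizes). */
typedef struct { unsigned char bytes[76];  } INTERFACE_INFO;
typedef struct { unsigned char bytes[640]; } IP_ADAPTER_INFO;

typedef int (*overflow_check)(size_t numInt, size_t out_size);

/* The check as quoted in the report. Because sizeof(INTERFACE_INFO) is
 * smaller than sizeof(IP_ADAPTER_INFO), the integer division truncates the
 * left-hand side towards zero, so the comparison almost never fires. */
static int original_check(size_t numInt, size_t out_size)
{
    return (numInt + 1) * sizeof(INTERFACE_INFO) / sizeof(IP_ADAPTER_INFO) > out_size;
}

/* The check proposed in the report: bytes needed for entries 0..numInt. */
static int proposed_check(size_t numInt, size_t out_size)
{
    return (numInt + 1) * sizeof(INTERFACE_INFO) > out_size;
}

/* Simulated fill loop: one INTERFACE_INFO entry per adapter, guarded by
 * `check` before each write. Returns the Winsock status and stores in
 * *bytes_written the highest offset the real loop would have written to. */
static int simulate_fill(size_t adapter_count, size_t out_size,
                         overflow_check check, size_t *bytes_written)
{
    size_t numInt;
    *bytes_written = 0;
    for (numInt = 0; numInt < adapter_count; numInt++) {
        if (check(numInt, out_size))
            return WSAEFAULT;                      /* buffer too small: stop */
        *bytes_written = (numInt + 1) * sizeof(INTERFACE_INFO);
    }
    return 0;
}

/* Status only, for callers that do not need the byte count. */
static int fill_status(size_t adapter_count, size_t out_size, overflow_check check)
{
    size_t written;
    return simulate_fill(adapter_count, out_size, check, &written);
}

/* True when the loop reports success yet would have written past out_size,
 * i.e. the silent overrun the report describes. */
static int overflows(size_t adapter_count, size_t out_size, overflow_check check)
{
    size_t written;
    int status = simulate_fill(adapter_count, out_size, check, &written);
    return status == 0 && written > out_size;
}

int main(void)
{
    size_t out_size = 2 * sizeof(INTERFACE_INFO);   /* room for two entries */
    size_t adapters = 3;                            /* but three to report */
    size_t written, numInt;
    int status;

    printf("numInt  original LHS  bytes actually needed\n");
    for (numInt = 0; numInt < 10; numInt++)
        printf("%6zu  %12zu  %21zu\n", numInt,
               (numInt + 1) * sizeof(INTERFACE_INFO) / sizeof(IP_ADAPTER_INFO),
               (numInt + 1) * sizeof(INTERFACE_INFO));

    status = simulate_fill(adapters, out_size, original_check, &written);
    printf("original check: status %d, would write %zu of %zu bytes%s\n",
           status, written, out_size, written > out_size ? " (OVERRUN)" : "");

    status = simulate_fill(adapters, out_size, proposed_check, &written);
    printf("proposed check: status %d, would write %zu of %zu bytes\n",
           status, written, out_size);
    return 0;
}
```

With a buffer sized for two entries and three adapters to report, the original check returns success while the loop would have written three entries, whereas the proposed check stops before the third entry and reports WSAEFAULT, which is the behaviour a caller of WSAIoctl can act on by retrying with a larger buffer.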
