[Bug 49371] New: Incorrect output buffer length check in WSAIoctl with SIO_GET_INTERFACE_LIST
WineHQ Bugzilla
wine-bugs at winehq.org
Thu Jun 11 16:08:43 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=49371
Bug ID: 49371
Summary: Incorrect output buffer length check in WSAIoctl with
SIO_GET_INTERFACE_LIST
Product: Wine
Version: unspecified
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: winsock
Assignee: wine-bugs at winehq.org
Reporter: j.g.rennison at gmail.com
Distribution: ---
The output buffer length check in the implementation of the
SIO_GET_INTERFACE_LIST ioctl in WSAIoctl is not correct.
In the event that there are more interfaces than the supplied buffer is sized
for, this can result in output data being written beyond the end of the
supplied buffer and no error returned. This can cause undefined behaviour such
as crashes, etc.
With reference to line 4796 in dlls/ws2_32/socket.c:
https://github.com/wine-mirror/wine/blob/343043153b44fa46a2081fa8a2c171eac7c8dab6/dlls/ws2_32/socket.c#L4796
    if ((numInt + 1)*sizeof(INTERFACE_INFO)/sizeof(IP_ADAPTER_INFO) > out_size)
should instead be
    if ((numInt + 1)*sizeof(INTERFACE_INFO) > out_size)
This is because the output buffer write pointer intArray is of type
INTERFACE_INFO*, and numInt is the index relative to the start of the output
buffer, not the size returned from GetAdaptersInfo.
The bug appears to have been introduced in commit a239e8ed.
https://github.com/wine-mirror/wine/commit/a239e8ed27b1c3cde6bc568c3d7b9996a9e846b5
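Added example, not part of the original report or of Wine's source: a small C model of the two checks quoted above, showing how the extra division lets entries past the end of the caller's buffer go unrejected. The FAKE_* types, their sizes (76 and 640 bytes) and the helper names are assumptions made for illustration; the loop only accounts for bytes and never writes out of bounds.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in types (assumed sizes, not the real Windows layouts). What matters
 * is that the adapter record is much larger than the interface record. */
typedef struct { unsigned char bytes[76]; }  FAKE_INTERFACE_INFO;
typedef struct { unsigned char bytes[640]; } FAKE_IP_ADAPTER_INFO;

/* Shape of the check quoted from socket.c line 4796: the integer division
 * by the larger struct size truncates the left-hand side towards zero. */
static int buggy_check_rejects(size_t numInt, size_t out_size)
{
    return (numInt + 1) * sizeof(FAKE_INTERFACE_INFO)
           / sizeof(FAKE_IP_ADAPTER_INFO) > out_size;
}

/* Shape of the check proposed in the report: bytes needed vs. bytes given. */
static int fixed_check_rejects(size_t numInt, size_t out_size)
{
    return (numInt + 1) * sizeof(FAKE_INTERFACE_INFO) > out_size;
}

/* Model the per-adapter loop that fills intArray[numInt]. Returns how many
 * bytes would land past the end of an out_size-byte buffer; *rejected is set
 * to 1 if the check stopped the loop with an error. */
static size_t bytes_past_end(int (*rejects)(size_t, size_t),
                             size_t n_adapters, size_t out_size, int *rejected)
{
    size_t numInt, end = 0;
    *rejected = 0;
    for (numInt = 0; numInt < n_adapters; numInt++) {
        if (rejects(numInt, out_size)) { *rejected = 1; break; }
        end = (numInt + 1) * sizeof(FAKE_INTERFACE_INFO); /* entry "written" */
    }
    return end > out_size ? end - out_size : 0;
}

int main(void)
{
    int rej;
    size_t out_size = 2 * sizeof(FAKE_INTERFACE_INFO); /* room for 2 entries */
    size_t over = bytes_past_end(buggy_check_rejects, 5, out_size, &rej);
    printf("buggy: rejected=%d overrun=%zu bytes\n", rej, over);
    over = bytes_past_end(fixed_check_rejects, 5, out_size, &rej);
    printf("fixed: rejected=%d overrun=%zu bytes\n", rej, over);
    return 0;
}
```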