Paul Gofman : ws2_32: Fix buffer size check in WSAIoctl() for SIO_GET_INTERFACE_LIST.
Alexandre Julliard
julliard at winehq.org
Wed Dec 16 15:53:58 CST 2020
Module: wine
Branch: master
Commit: f17404f8ed2883e28ef33887c7e0a9c2fc2e4874
URL: https://source.winehq.org/git/wine.git/?a=commit;h=f17404f8ed2883e28ef33887c7e0a9c2fc2e4874
Author: Paul Gofman <pgofman at codeweavers.com>
Date: Wed Dec 16 11:58:27 2020 +0300
ws2_32: Fix buffer size check in WSAIoctl() for SIO_GET_INTERFACE_LIST.
Fixes out of bound memory access in Anno 1404 Addon.
Signed-off-by: Paul Gofman <pgofman at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
dlls/ws2_32/socket.c | 3 ++-
dlls/ws2_32/tests/sock.c | 25 +++++++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/dlls/ws2_32/socket.c b/dlls/ws2_32/socket.c
index 6cb35bcd135..05097ce53b8 100644
--- a/dlls/ws2_32/socket.c
+++ b/dlls/ws2_32/socket.c
@@ -4618,10 +4618,11 @@ INT WINAPI WSAIoctl(SOCKET s, DWORD code, LPVOID in_buff, DWORD in_size, LPVOID
if (ptr->IpAddressList.IpAddress.String[0] == '\0')
continue;
- if ((numInt + 1)*sizeof(INTERFACE_INFO)/sizeof(IP_ADAPTER_INFO) > out_size)
+ if ((numInt + 1) * sizeof(INTERFACE_INFO) > out_size)
{
WARN("Buffer too small = %u, out_size = %u\n", numInt + 1, out_size);
status = WSAEFAULT;
+ if (ret_size) *ret_size = 0;
break;
}
diff --git a/dlls/ws2_32/tests/sock.c b/dlls/ws2_32/tests/sock.c
index 8711b65fcea..98cc3881853 100644
--- a/dlls/ws2_32/tests/sock.c
+++ b/dlls/ws2_32/tests/sock.c
@@ -10514,6 +10514,30 @@ static void test_WSCGetProviderPath(void)
ok(len == 256, "Got unexpected len %d.\n", len);
}
+static void test_wsaioctl(void)
+{
+ char buffer[4096];
+ DWORD size;
+ SOCKET s;
+ int ret;
+
+ s = WSASocketW(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, WSA_FLAG_OVERLAPPED);
+ ok(s != INVALID_SOCKET, "failed to create socket, error %u\n", WSAGetLastError());
+
+ size = 0xdeadbeef;
+ ret = WSAIoctl(s, SIO_GET_INTERFACE_LIST, NULL, 0, buffer, sizeof(buffer), &size, NULL, NULL);
+ ok(!ret, "Got unexpected ret %d.\n", ret);
+ ok(size && size != 0xdeadbeef && !(size % sizeof(INTERFACE_INFO)), "Got unexpected size %u.\n", size);
+
+ size = 0xdeadbeef;
+ ret = WSAIoctl(s, SIO_GET_INTERFACE_LIST, NULL, 0, buffer, sizeof(INTERFACE_INFO), &size, NULL, NULL);
+ ok(ret == -1, "Got unexpected ret %d.\n", ret);
+ ok(WSAGetLastError() == WSAEFAULT, "Got unexpected error %d.\n", WSAGetLastError());
+ ok(!size, "Got unexpected size %u.\n", size);
+
+ closesocket(s);
+}
+
START_TEST( sock )
{
int i;
@@ -10595,6 +10619,7 @@ START_TEST( sock )
/* this is an io heavy test, do it at the end so the kernel doesn't start dropping packets */
test_send();
test_synchronous_WSAIoctl();
+ test_wsaioctl();
Exit();
}
More information about the wine-cvs
mailing list