RE: SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow

From: David LeBlanc (dleblanc_at_exchange.microsoft.com)
Date: 01/28/05

    Date: Fri, 28 Jan 2005 13:00:12 -0800
    To: "3APA3A" <3APA3A@security.nnov.ru>, <bugtraq@securityfocus.com>

    -----Original Message-----
    3APA3A [mailto:3APA3A@security.nnov.ru] wrote:

    > For Windows fd_set is a sockets array, not a bitmask, and FD_SETSIZE
    > defines the maximum number of sockets in this array. So, a Windows
    > application may be vulnerable only if it places a large number of
    > sockets into the same fd_set structure (finite state machine architecture).

    [snip]
    > For Windows the default FD_SETSIZE is 64 and select() is the only
    > POSIX-compatible function to wait on socket input (there is no poll(),
    > but there are Windows specific functions).
    [snip]

    If you look at Winsock[2].h, you find this:

    #ifndef FD_SETSIZE
    #define FD_SETSIZE 64
    #endif /* FD_SETSIZE */

    typedef struct fd_set {
            u_int fd_count; /* how many are SET? */
            SOCKET fd_array[FD_SETSIZE]; /* an array of SOCKETs */
    } fd_set;

    #define FD_SET(fd, set) do { \
        u_int __i; \
        for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
            if (((fd_set FAR *)(set))->fd_array[__i] == (fd)) { \
                break; \
            } \
        } \
        if (__i == ((fd_set FAR *)(set))->fd_count) { \
            if (((fd_set FAR *)(set))->fd_count < FD_SETSIZE) { \
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                ((fd_set FAR *)(set))->fd_array[__i] = (fd); \
                ((fd_set FAR *)(set))->fd_count++; \
            } \
        } \
    } while(0)

    So if you attempted to put FD_SETSIZE + 1 sockets into an fd_set, it
    would just fail.

    Additionally, if you want to write a high-performance asynchronous
    sockets application on Windows, I highly recommend either using
    WSAEventSelect or I/O completion ports. If you are dealing with a
    cross-platform application, I would abstract out the platform-specific
    code - the perf gains are worth it. I've done this, and the improvements
    were significant.

    Hope this helps -

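The point of the exchange above is that the two fd_set designs fail differently: the Winsock one (a counted array) silently refuses to add a socket once FD_SETSIZE entries are in use, while the POSIX one (a bitmap) has no check at all in FD_SET, so a descriptor at or above FD_SETSIZE indexes past the bitmap. The following is an added example, not code from the original post, Winsock or any of the products discussed; it re-creates the quoted Windows layout portably (win_fd_set, win_fd_add, fill_win_set and win_socket_t are this example's own names, with win_socket_t standing in for Winsock's SOCKET) so the cap can be observed on any platform, and puts a range-checked wrapper (posix_fd_set_checked, also this example's own) around the real POSIX FD_SET.

```c
/*
 * Added example, not from the original post or from Winsock: a portable
 * re-creation of the Windows fd_set layout quoted above (a counted array of
 * socket handles) next to a guarded wrapper around the POSIX bitmap FD_SET.
 * win_fd_set, win_fd_add, fill_win_set, posix_fd_set_checked and
 * win_socket_t are this example's own names (assumptions, not Winsock API).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>   /* POSIX fd_set, FD_SET, FD_SETSIZE (1024 on glibc) */

#define WIN_FD_SETSIZE 64           /* Winsock default, per the quoted header */
typedef uintptr_t win_socket_t;     /* assumption: SOCKET is an opaque handle */

struct win_fd_set {
    unsigned int fd_count;                   /* how many slots are in use */
    win_socket_t fd_array[WIN_FD_SETSIZE];   /* the handles themselves     */
};

/* Same logic as the Winsock FD_SET macro, but it reports the outcome:
 * 1 = added, 0 = already present, -1 = set full and the handle was dropped.
 * The macro itself takes the -1 path silently, which is the behaviour the
 * post describes ("it would just fail"). */
static int win_fd_add(struct win_fd_set *set, win_socket_t s)
{
    unsigned int i;
    for (i = 0; i < set->fd_count; i++)
        if (set->fd_array[i] == s)
            return 0;                        /* duplicate: nothing to do */
    if (set->fd_count >= WIN_FD_SETSIZE)
        return -1;                           /* macro would fail silently here */
    set->fd_array[set->fd_count++] = s;      /* in bounds by the check above */
    return 1;
}

/* Register n distinct constructed pseudo-handles (100, 101, ...) and return
 * how many the set ended up holding: the count caps at WIN_FD_SETSIZE and
 * no write ever lands outside fd_array. */
static unsigned int fill_win_set(unsigned int n)
{
    struct win_fd_set set;
    unsigned int i, dropped = 0;
    memset(&set, 0, sizeof set);
    for (i = 0; i < n; i++)
        if (win_fd_add(&set, (win_socket_t)(100 + i)) < 0)
            dropped++;
    if (dropped)
        fprintf(stderr, "dropped %u of %u handles (set full)\n", dropped, n);
    return set.fd_count;
}

/* POSIX side: fd_set is a bitmap and FD_SET performs no range check, so an
 * fd at or above FD_SETSIZE would index past the bitmap. Gate every FD_SET
 * on the range and return -1 instead of touching memory outside the set;
 * the caller then has to close the descriptor or switch to poll(). */
static int posix_fd_set_checked(fd_set *set, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

int main(void)
{
    fd_set rfds;
    FD_ZERO(&rfds);
    printf("win set after 70 adds: %u\n", fill_win_set(70));
    printf("posix fd %d rejected: %d\n", FD_SETSIZE,
           posix_fd_set_checked(&rfds, FD_SETSIZE));
    printf("posix fd 5 accepted: %d, isset=%d\n",
           posix_fd_set_checked(&rfds, 5), FD_ISSET(5, &rfds) ? 1 : 0);
    return 0;
}
```

The design choice worth noting is that the wrapper returns a result instead of mirroring the silent-drop behaviour: a select() loop that loses track of a socket, on either platform, stops servicing that connection without any error, so the registration step is where the failure has to surface. On Windows the fix is raising FD_SETSIZE before including the header or moving to WSAEventSelect or I/O completion ports, as the post recommends; on POSIX it is poll() or an equivalent, since FD_SETSIZE there is a compile-time property of the bitmap.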
