Buffer overflow in win32_select() (PATCH included) #9057
Comments
From risto.kankkunen@f-secure.com

This is a bug report for perl from risto.kankkunen@f-secure.com. I've found a nasty buffer overflow problem in the win32_select() function. The problem happens when some of the select() sets are not specified. win32/win32sck.c:282:
win32/win32sck.c:304:
Perl_fd_set is defined in win32/include/sys/socket.h:26 as:
If a socket number exceeds 63, this code writes over the end of dummy, win32/win32sck.c:334:
You can easily repro the problem with the attached socketcrash.pl script. I have attached a patch that fixes the buffer overflow by eliminating

Regards,

```perl
use strict;
use warnings;
use IO::Socket;

# Build a select() bit vector with one bit per file descriptor in the list.
sub fhbits {
    my @fhlist = @_;
    my($bits)="";
    vec($bits,fileno($_),1) = 1 for (@fhlist);
    return $bits;
}

# Open enough UDP sockets that descriptor numbers go well past 63.
my @handles = ();
for (1..2000) {
    my $handle = new IO::Socket(
        Domain=>AF_INET,
        Proto=>"udp",
        PeerAddr=>"127.0.0.2:8888"
    ) or die;
    push(@handles, $handle);
}
printf "handles=%d-%d\n", fileno($handles[0]), fileno($handles[-1]);

# Only the read set is given; the write and exception sets are undef.
my $rin = fhbits(@handles);
my ($rout, $wout, $eout);
my ($count, $timeleft) = select($rout=$rin, $wout=undef, $eout=undef, 1);
print "count=$count\n";
print "timeleft=$timeleft\n";
printf "rin =%*v08b\n", " " , $rin;
printf "rout=%*v08b\n", " " , $rout || 0;
printf "wout=%*v08b\n", " " , $wout || 0;
printf "eout=%*v08b\n", " " , $eout || 0;
```
~~~ win32\_select\.patch ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Index​: perl/src/win32/win32sck\.c
===================================================================
\-\-\- perl/src/win32/win32sck\.c \(revision 3794\)
\+\+\+ perl/src/win32/win32sck\.c \(working copy\)
@​@​ \-287\,9 \+287\,8 @​@​
\{
int r;
\#ifdef USE\_SOCKETS\_AS\_HANDLES
\- Perl\_fd\_set dummy;
int i\, fd\, save\_errno = errno;
\- FD\_SET nrd\, nwr\, nex\, \*prd\, \*pwr\, \*pex;
\+ FD\_SET nrd\, nwr\, nex;
/\* winsock seems incapable of dealing with all three null fd\_sets\,
\* so do the \(millisecond\) sleep as a special case
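Review bot: removing `Perl_fd_set dummy` together with `prd`, `pwr` and `pex` is the whole fix (the undersized stack set that a NULL caller set was aliased to no longer exists), but nothing in the hunk says so; the comment block that starts with `/* winsock seems incapable of dealing with all three null fd_sets` is the natural place to add one sentence stating that a NULL Perl-side set is now skipped in the translation loops and that winsock always receives three non-NULL, possibly empty, FD_SETs. Please also confirm that winsock's select() treats an empty non-NULL set like the NULL it used to receive, since the all-three-NULL sleep special case above is the only remaining path that avoids calling it.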
@​@​ \-303\,44 \+302\,31 @​@​
return 0;
\}
StartSockets\(\);
\- PERL\_FD\_ZERO\(&dummy\);
\- if \(\!rd\)
\- rd = &dummy\, prd = NULL;
\- else
\- prd = &nrd;
\- if \(\!wr\)
\- wr = &dummy\, pwr = NULL;
\- else
\- pwr = &nwr;
\- if \(\!ex\)
\- ex = &dummy\, pex = NULL;
\- else
\- pex = &nex;
FD\_ZERO\(&nrd\);
FD\_ZERO\(&nwr\);
FD\_ZERO\(&nex\);
for \(i = 0; i \< nfds; i\+\+\) \{
fd = TO\_SOCKET\(i\);
\- if \(PERL\_FD\_ISSET\(i\,rd\)\)
\+ if \(rd && PERL\_FD\_ISSET\(i\,rd\)\)
FD\_SET\(\(unsigned\)fd\, &nrd\);
\- if \(PERL\_FD\_ISSET\(i\,wr\)\)
\+ if \(wr && PERL\_FD\_ISSET\(i\,wr\)\)
FD\_SET\(\(unsigned\)fd\, &nwr\);
\- if \(PERL\_FD\_ISSET\(i\,ex\)\)
\+ if \(ex && PERL\_FD\_ISSET\(i\,ex\)\)
FD\_SET\(\(unsigned\)fd\, &nex\);
\}
errno = save\_errno;
\- SOCKET\_TEST\_ERROR\(r = select\(nfds\, prd\, pwr\, pex\, timeout\)\);
\+ SOCKET\_TEST\_ERROR\(r = select\(nfds\, &nrd\, &nwr\, &nex\, timeout\)\);
save\_errno = errno;
for \(i = 0; i \< nfds; i\+\+\) \{
fd = TO\_SOCKET\(i\);
\- if \(PERL\_FD\_ISSET\(i\,rd\) && \!FD\_ISSET\(fd\, &nrd\)\)
\+ if \(rd && PERL\_FD\_ISSET\(i\,rd\) && \!FD\_ISSET\(fd\, &nrd\)\)
PERL\_FD\_CLR\(i\,rd\);
\- if \(PERL\_FD\_ISSET\(i\,wr\) && \!FD\_ISSET\(fd\, &nwr\)\)
\+ if \(wr && PERL\_FD\_ISSET\(i\,wr\) && \!FD\_ISSET\(fd\, &nwr\)\)
PERL\_FD\_CLR\(i\,wr\);
\- if \(PERL\_FD\_ISSET\(i\,ex\) && \!FD\_ISSET\(fd\, &nex\)\)
\+ if \(ex && PERL\_FD\_ISSET\(i\,ex\) && \!FD\_ISSET\(fd\, &nex\)\)
PERL\_FD\_CLR\(i\,ex\);
\}
errno = save\_errno;

Flags:
Site configuration information for perl v5.8.7:
Configured by kankri at Mon Oct 30 15:14:16 2006.
Summary of my perl5 (revision 5 version 8 subversion 7) configuration:
Locally applied patches:
@INC for perl v5.8.7:
Environment for perl v5.8.7:
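Review bot: the six `rd &&` / `wr &&` / `ex &&` guards in the two loops are now the only thing standing between a NULL caller set and a NULL dereference, and they are easy to lose in a later edit; consider computing the three flags once before the loops, or splitting the translation into one loop per set, so the NULL handling is stated in one place. The hunk also carries no regression test: a test in the spirit of the attached socketcrash.pl (more than 64 sockets, `undef` write and exception sets) would catch both the original overflow and a future reintroduction of a fixed-size stand-in set. The replacement of `prd, pwr, pex` by `&nrd, &nwr, &nex` in the select() call matches the declarations dropped in the first hunk.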
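The report above, as an added example that is not Perl's code and not part of the original bug report: a self-contained C model of the two translation loops in win32_select() as the patch leaves them, where a NULL Perl-side set is skipped instead of being aliased to a stack `dummy`. `model_perl_fd_set` is a constructed 64-bit stand-in for Perl_fd_set (the report says socket numbers above 63 ran off the end of `dummy`), `model_ws_set` and `fake_ws_select` are constructed stand-ins for winsock's FD_SET and select(), `to_socket` stands in for TO_SOCKET as the identity, and `scenario` builds the situation from socketcrash.pl; none of these names exist in Perl. Because every set in the model has the fixed size `dummy` had, `model_win32_select` also rejects an nfds larger than the set can address, which is the invariant `dummy` violated; in Perl the caller-supplied sets are sized by the caller, so that check belongs to the model, not to the patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for Perl_fd_set: 64 bits, like the dummy in the report. */
#define MODEL_FD_SETSIZE 64
typedef struct { uint64_t bits; } model_perl_fd_set;

static int  pfd_isset(const model_perl_fd_set *s, int n) { return (int)((s->bits >> n) & 1u); }
static void pfd_set(model_perl_fd_set *s, int n)         { s->bits |= (uint64_t)1 << n; }
static void pfd_clr(model_perl_fd_set *s, int n)         { s->bits &= ~((uint64_t)1 << n); }

/* Constructed stand-in for winsock's FD_SET: an explicit list of socket numbers. */
#define MODEL_WS_MAX 1024
typedef struct { unsigned count; unsigned fds[MODEL_WS_MAX]; } model_ws_set;

static void ws_zero(model_ws_set *s) { s->count = 0; }
static int ws_isset(const model_ws_set *s, unsigned fd) {
    for (unsigned k = 0; k < s->count; k++) if (s->fds[k] == fd) return 1;
    return 0;
}
static void ws_add(model_ws_set *s, unsigned fd) {
    if (!ws_isset(s, fd) && s->count < MODEL_WS_MAX) s->fds[s->count++] = fd;
}

/* Stand-in for TO_SOCKET(): the identity mapping in this model. */
static unsigned to_socket(int i) { return (unsigned)i; }

/* Stand-in for winsock select(): keeps in each set only the sockets listed in
 * `ready` (a constructed list) and returns how many remain in total. */
static int fake_ws_select(model_ws_set *nrd, model_ws_set *nwr, model_ws_set *nex,
                          const model_ws_set *ready)
{
    model_ws_set *sets[3] = { nrd, nwr, nex };
    int total = 0;
    for (int s = 0; s < 3; s++) {
        unsigned kept = 0;
        for (unsigned k = 0; k < sets[s]->count; k++)
            if (ws_isset(ready, sets[s]->fds[k]))
                sets[s]->fds[kept++] = sets[s]->fds[k];
        sets[s]->count = kept;
        total += (int)kept;
    }
    return total;
}

/* Model of the patched win32_select(): NULL Perl-side sets are skipped, never
 * replaced by a fixed-size dummy. Returns the ready count, or -1 with EINVAL
 * when nfds exceeds what a model_perl_fd_set can address. */
int model_win32_select(int nfds, model_perl_fd_set *rd, model_perl_fd_set *wr,
                       model_perl_fd_set *ex, const model_ws_set *ready)
{
    model_ws_set nrd, nwr, nex;
    if (nfds < 0 || nfds > MODEL_FD_SETSIZE) { errno = EINVAL; return -1; }
    if (!rd && !wr && !ex) return 0;   /* the real code sleeps here instead of calling select() */
    ws_zero(&nrd); ws_zero(&nwr); ws_zero(&nex);
    for (int i = 0; i < nfds; i++) {   /* Perl bit index -> winsock socket number */
        unsigned fd = to_socket(i);
        if (rd && pfd_isset(rd, i)) ws_add(&nrd, fd);
        if (wr && pfd_isset(wr, i)) ws_add(&nwr, fd);
        if (ex && pfd_isset(ex, i)) ws_add(&nex, fd);
    }
    int r = fake_ws_select(&nrd, &nwr, &nex, ready);
    for (int i = 0; i < nfds; i++) {   /* clear the bits winsock did not report */
        unsigned fd = to_socket(i);
        if (rd && pfd_isset(rd, i) && !ws_isset(&nrd, fd)) pfd_clr(rd, i);
        if (wr && pfd_isset(wr, i) && !ws_isset(&nwr, fd)) pfd_clr(wr, i);
        if (ex && pfd_isset(ex, i) && !ws_isset(&nex, fd)) pfd_clr(ex, i);
    }
    return r;
}

/* Constructed scenario from socketcrash.pl: many descriptors in the read set,
 * write and exception sets passed as NULL, sockets 5 and 40 reported ready. */
int scenario(int nfds, uint64_t *rd_after)
{
    model_perl_fd_set rd = { 0 };
    model_ws_set ready = { 0 };
    for (int i = 3; i < nfds && i < MODEL_FD_SETSIZE; i++) pfd_set(&rd, i);
    ws_add(&ready, 5);
    ws_add(&ready, 40);
    int r = model_win32_select(nfds, &rd, NULL, NULL, &ready);
    if (rd_after) *rd_after = rd.bits;
    return r;
}
```

With nfds within range, `scenario` returns the number of ready descriptors and leaves only bits 5 and 40 set in the read set; with nfds = 2000, the value the script reaches, it fails with EINVAL instead of writing past a 64-bit buffer, which is the behaviour a fixed-size set must have if one is kept at all.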
From @rgs

On 10/10/2007, via RT Risto Kankkunen <perlbug-followup@perl.org> wrote:

No feedback on this from our Win32 experts?
The RT System itself - Status changed from 'new' to 'open'
From @steve-m-hay

Rafael Garcia-Suarez wrote:

I can confirm that the bug still exists in bleadperl (@32245) and that

The patch *looks* OK to me, but I don't really know. Anyone else care to
From @rgs

2007/11/8 Steve Hay <SteveHay@planit.com>:

I finally applied it as #34067 to blead.
@rgs - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#46309 (status was 'resolved')
Searchable as RT46309$