Date: Fri, 28 Jan 2005 13:00:12 -0800
From: "David LeBlanc" <dleblanc@...hange.microsoft.com>
To: "3APA3A" <3APA3A@...urity.nnov.ru>, <bugtraq@...urityfocus.com>
Subject: RE: SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow
-----Original Message-----
3APA3A [mailto:3APA3A@...urity.nnov.ru] wrote:

> For Windows, fd_set is a socket array, not a bitmask, and FD_SETSIZE
> defines the maximum number of sockets in this array. So, a Windows
> application may be vulnerable only if it places a large number of
> sockets into the same fd_set structure (finite state machine architecture).

[snip]
> For Windows the default FD_SETSIZE is 64 and select() is the only
> POSIX-compatible function to wait on socket input (there is no poll(),
> but there are Windows specific functions).
[snip]

If you look at Winsock[2].h, you find this:

#ifndef FD_SETSIZE
#define FD_SETSIZE      64
#endif /* FD_SETSIZE */

typedef struct fd_set {
        u_int fd_count;               /* how many are SET? */
        SOCKET  fd_array[FD_SETSIZE];   /* an array of SOCKETs */
} fd_set;

#define FD_SET(fd, set) do { \
    u_int __i; \
    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
        if (((fd_set FAR *)(set))->fd_array[__i] == (fd)) { \
            break; \
        } \
    } \
    if (__i == ((fd_set FAR *)(set))->fd_count) { \
        if (((fd_set FAR *)(set))->fd_count < FD_SETSIZE) { \
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            ((fd_set FAR *)(set))->fd_array[__i] = (fd); \
            ((fd_set FAR *)(set))->fd_count++; \
        } \
    } \
} while(0) 

So if you attempted to put FD_SETSIZE + 1 sockets into an fd_set, it
would just fail.

Additionally, if you want to write a high-performance asynchronous
sockets application on Windows, I highly recommend either using
WSAEventSelect or I/O completion ports. If you are dealing with a
cross-platform application, I would abstract out the platform-specific
code - the perf gains are worth it. I've done this, and the improvements
were significant.

Hope this helps - 
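The silent-failure behaviour David describes, shown as an added example that is not part of the original post or of Winsock: part 1 reproduces the layout and control flow of the quoted Winsock fd_set and FD_SET() under the example's own ws_ names so it can be run on any host (the 64-entry default and the de-duplicating loop follow the quoted header; the handle values 1000 and up are constructed for the demo), and part 2 shows the caller-side bound check that the POSIX bitmask fd_set needs, since there FD_SET() itself has no range check and the subject line's index overflow is exactly what an unchecked caller gets.

```c
/*
 * Added example (not from the original post nor from Winsock itself).
 * Part 1 models the Winsock fd_set layout and the quoted FD_SET() logic so
 * the "silent drop" can be observed on any host; the ws_ names are this
 * example's own, the layout and the 64-entry default follow Winsock2.h as
 * quoted above. Part 2 shows the caller-side bound check the POSIX bitmask
 * fd_set needs, where FD_SET() itself does no range check.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

#define WS_FD_SETSIZE 64               /* Winsock default, per the header */

typedef uintptr_t ws_socket_t;         /* stands in for Winsock's SOCKET */

typedef struct ws_fd_set {
    unsigned int fd_count;                 /* how many are SET? */
    ws_socket_t  fd_array[WS_FD_SETSIZE];  /* an array of SOCKETs */
} ws_fd_set;

/* Same control flow as the quoted FD_SET macro: skip duplicates, append
 * only while fd_count < WS_FD_SETSIZE, and say nothing when full. */
static void ws_fd_set_add(ws_socket_t fd, ws_fd_set *set)
{
    unsigned int i;
    for (i = 0; i < set->fd_count; i++)
        if (set->fd_array[i] == fd)
            return;                        /* already in the set */
    if (set->fd_count < WS_FD_SETSIZE) {   /* the check David highlights */
        set->fd_array[set->fd_count] = fd;
        set->fd_count++;
    }
    /* else: silently dropped; select() will never report this socket */
}

/* Checked wrapper: 1 if fd is in the set after the call (added or already
 * present), 0 if the set was full and fd was NOT added. */
static int ws_fd_set_add_checked(ws_socket_t fd, ws_fd_set *set)
{
    ws_fd_set_add(fd, set);
    for (unsigned int i = 0; i < set->fd_count; i++)
        if (set->fd_array[i] == fd)
            return 1;
    return 0;
}

/* Zero the set (FD_ZERO equivalent), add n distinct constructed handles
 * 1000..1000+n-1, and return how many were dropped. */
static unsigned int ws_fill(ws_fd_set *set, unsigned int n)
{
    unsigned int dropped = 0;
    memset(set, 0, sizeof *set);
    for (unsigned int i = 0; i < n; i++)
        if (!ws_fd_set_add_checked((ws_socket_t)(1000 + i), set))
            dropped++;
    return dropped;
}

/* POSIX side: fd_set is a bitmask and FD_SET(fd) with fd >= FD_SETSIZE
 * writes outside the array, so the caller must range-check first.
 * Returns 1 if fd was set, 0 if rejected. */
static int posix_fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    FD_SET(fd, set);
    return 1;
}

int main(void)
{
    ws_fd_set ws;
    fd_set px;
    unsigned int dropped;

    dropped = ws_fill(&ws, 64);
    printf("Winsock-style: %u of 64 dropped, fd_count=%u\n", dropped, ws.fd_count);
    dropped = ws_fill(&ws, 65);
    printf("Winsock-style: %u of 65 dropped, fd_count=%u\n", dropped, ws.fd_count);

    FD_ZERO(&px);
    printf("POSIX: fd 3 -> %d, fd FD_SETSIZE -> %d (FD_SETSIZE=%d)\n",
           posix_fd_set_checked(3, &px),
           posix_fd_set_checked(FD_SETSIZE, &px), (int)FD_SETSIZE);
    return 0;
}
```

The practical difference is where the check lives: on Winsock the macro bounds the array itself and the only symptom of a full set is a socket that select() never reports, so a server that may hold more than FD_SETSIZE connections should use the checked wrapper (or raise FD_SETSIZE before including the header, or move to WSAEventSelect / completion ports as David suggests); on POSIX the caller has to refuse descriptors at or above FD_SETSIZE before FD_SET(), because the macro will not.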
