Message-ID: <42F638FF29F12F46930CFF347AE69680016A9AD6@DF-SEADOG-MSG.exchange.corp.microsoft.com>
Date: Fri, 28 Jan 2005 13:00:12 -0800
From: "David LeBlanc" <dleblanc@...hange.microsoft.com>
To: "3APA3A" <3APA3A@...urity.nnov.ru>, <bugtraq@...urityfocus.com>
Subject: RE: SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow
-----Original Message-----
3APA3A [mailto:3APA3A@...urity.nnov.ru] wrote:
> For Windows fd_set is a sockets array, not a bitmask, and FD_SETSIZE
> defines the maximum number of sockets in this array. So, a Windows
> application may be vulnerable only if it places a large number of
> sockets into the same fd_set structure (finite state machine architecture).
[snip]
> For Windows the default FD_SETSIZE is 64 and select() is the only
> POSIX-compatible function to wait on socket input (there is no poll(),
> but there are Windows specific functions).
[snip]
If you look at Winsock[2].h, you find this:
#ifndef FD_SETSIZE
#define FD_SETSIZE 64
#endif /* FD_SETSIZE */

typedef struct fd_set {
    u_int fd_count;                 /* how many are SET? */
    SOCKET fd_array[FD_SETSIZE];    /* an array of SOCKETs */
} fd_set;

#define FD_SET(fd, set) do { \
    u_int __i; \
    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
        if (((fd_set FAR *)(set))->fd_array[__i] == (fd)) { \
            break; \
        } \
    } \
    if (__i == ((fd_set FAR *)(set))->fd_count) { \
        if (((fd_set FAR *)(set))->fd_count < FD_SETSIZE) { \
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            ((fd_set FAR *)(set))->fd_array[__i] = (fd); \
            ((fd_set FAR *)(set))->fd_count++; \
        } \
    } \
} while(0)
So if you attempted to put FD_SETSIZE + 1 sockets into an fd_set, it
would just fail.
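As an added illustration (not from this message or from the Winsock headers): a stand-alone C model of the array-style fd_set quoted above, with a wrapper that applies the same FD_SET logic but reports the one thing the macro does not, namely that the 65th socket is silently dropped. The struct, type and function names are assumptions for the example; the socket handle values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the Winsock layout shown above (not the real header):
 * a count plus a fixed array of sockets, not a POSIX-style bitmask. */
#define WIN_FD_SETSIZE 64
typedef unsigned int win_socket;

typedef struct {
    unsigned int fd_count;               /* how many are SET? */
    win_socket fd_array[WIN_FD_SETSIZE]; /* an array of SOCKETs */
} win_fd_set;

/* Same steps as the Winsock FD_SET macro: linear search for a duplicate,
 * then append only if there is room. Returns true if fd is in the set
 * afterwards, false if the set was full and fd was dropped, which is
 * exactly the case the macro itself never reports to the caller. */
static bool win_fd_set_checked(win_socket fd, win_fd_set *set)
{
    unsigned int i;
    for (i = 0; i < set->fd_count; i++)
        if (set->fd_array[i] == fd)
            return true;                 /* already present: no change */
    if (set->fd_count >= WIN_FD_SETSIZE)
        return false;                    /* full: the macro would do nothing */
    set->fd_array[set->fd_count++] = fd;
    return true;
}

/* Resets the set, adds n distinct constructed handles (100, 101, ...)
 * and returns how many were actually stored. */
static unsigned int fill_set(win_fd_set *set, unsigned int n)
{
    unsigned int added = 0;
    set->fd_count = 0;
    for (unsigned int s = 100; s < 100 + n; s++)
        if (win_fd_set_checked(s, set))
            added++;
    return added;
}

int main(void)
{
    win_fd_set set;
    unsigned int stored = fill_set(&set, WIN_FD_SETSIZE + 1);
    printf("tried %u sockets, set holds %u (fd_count=%u)\n",
           WIN_FD_SETSIZE + 1, stored, set.fd_count);
    return 0;
}
```

A caller that only checks the return value of select() would never learn that the last socket was not waited on; checking fd_count (or a wrapper like the one above) before adding is the practical way to catch it.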
Additionally, if you want to write a high-performance asynchronous
sockets application on Windows, I highly recommend either using
WSAEventSelect or I/O completion ports. If you are dealing with a
cross-platform application, I would abstract out the platform-specific
code - the perf gains are worth it. I've done this, and the improvements
were significant.
Hope this helps -