Bugtraq mailing list archives
RE: SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow
From: "David LeBlanc" <dleblanc () exchange microsoft com>
Date: Fri, 28 Jan 2005 13:00:12 -0800
-----Original Message-----
3APA3A [mailto:3APA3A () security nnov ru] wrote:

For Windows fd_set is a sockets array, not bitmask and FD_SETSIZE defines maximum number of sockets in this array. So, Windows application may be vulnerable only if it places a large number of sockets into same fd_set structure (finite state machine architecture).

[snip]

For Windows default FD_SETSIZE is 64 and select() is only POSIX-compatible function to wait on socket input (there is no poll(), but there are Windows specific functions).

[snip]

If you look at Winsock[2].h, you find this:

#ifndef FD_SETSIZE
#define FD_SETSIZE      64
#endif /* FD_SETSIZE */

typedef struct fd_set {
        u_int fd_count;               /* how many are SET? */
        SOCKET  fd_array[FD_SETSIZE];   /* an array of SOCKETs */
} fd_set;

#define FD_SET(fd, set) do { \
    u_int __i; \
    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
        if (((fd_set FAR *)(set))->fd_array[__i] == (fd)) { \
            break; \
        } \
    } \
    if (__i == ((fd_set FAR *)(set))->fd_count) { \
        if (((fd_set FAR *)(set))->fd_count < FD_SETSIZE) { \
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            ((fd_set FAR *)(set))->fd_array[__i] = (fd); \
            ((fd_set FAR *)(set))->fd_count++; \
        } \
    } \
} while(0)

So if you attempted to put FD_SETSIZE + 1 sockets into an fd_set, it would just fail.

Additionally, if you want to write a high-performance asynchronous sockets application on Windows, I highly recommend either using WSAEventSelect or I/O completion ports. If you are dealing with a cross-platform application, I would abstract out the platform-specific code - the perf gains are worth it. I've done this, and the improvements were significant.

Hope this helps -
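Added example (not part of the original message, and not Winsock code): a portable C model of the two fd_set layouts discussed in this thread, written so that it builds on a POSIX system. The names ws_fd_set, ws_fd_add, ws_fill, posix_fd_add and the ws_socket stand-in for SOCKET are hypothetical; ws_fd_add follows the quoted FD_SET logic but returns a status, because the macro itself gives the caller no indication that a socket past the limit was left out of the set.

```c
#include <stdio.h>
#include <sys/select.h>            /* POSIX bitmap fd_set, for contrast */
#define WS_SETSIZE 64              /* Winsock default FD_SETSIZE quoted above */
typedef unsigned long long ws_socket;   /* stand-in for SOCKET (assumption) */

/* Model of the Winsock layout: a counted array of handles, not a bitmap. */
typedef struct {
    unsigned int fd_count;
    ws_socket    fd_array[WS_SETSIZE];
} ws_fd_set;

/* Same logic as the quoted FD_SET macro, but reports the outcome:
 * 1 = stored, 0 = already present, -1 = set full (the macro just skips it). */
int ws_fd_add(ws_fd_set *set, ws_socket s)
{
    for (unsigned int i = 0; i < set->fd_count; i++)
        if (set->fd_array[i] == s)
            return 0;
    if (set->fd_count >= WS_SETSIZE)
        return -1;
    set->fd_array[set->fd_count++] = s;
    return 1;
}

/* POSIX side: fd is a bit index, so range-check it before FD_SET runs. */
int posix_fd_add(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Add n distinct constructed handles; return how many did not fit. */
unsigned int ws_fill(ws_fd_set *set, unsigned int n)
{
    unsigned int dropped = 0;
    set->fd_count = 0;
    for (unsigned int i = 0; i < n; i++)
        if (ws_fd_add(set, 1000 + 4 * (ws_socket)i) < 0)
            dropped++;
    return dropped;
}

int main(void)
{
    ws_fd_set s;
    printf("dropped: %u\n", ws_fill(&s, WS_SETSIZE + 1));
    return 0;
}
```

A socket that does not fit is never passed to select(), so code that keeps more than FD_SETSIZE sockets in one set should check the result (or test with FD_ISSET after adding) instead of assuming every socket is being waited on.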