Bugtraq mailing list archives
RE: SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow
From: "David LeBlanc" <dleblanc () exchange microsoft com>
Date: Fri, 28 Jan 2005 13:00:12 -0800
-----Original Message-----
3APA3A [mailto:3APA3A () security nnov ru] wrote:
On Windows, fd_set is an array of sockets, not a bitmask, and FD_SETSIZE
defines the maximum number of sockets in this array. So a Windows application may be vulnerable only if it places a large number of sockets into the same fd_set structure (finite state machine architecture). [snip]
On Windows the default FD_SETSIZE is 64 and select() is the only
POSIX-compatible function to wait on socket input (there is no poll(),
but there are Windows-specific functions).
[snip]
If you look at Winsock[2].h, you find this:

#ifndef FD_SETSIZE
#define FD_SETSIZE 64
#endif /* FD_SETSIZE */

typedef struct fd_set {
    u_int fd_count;               /* how many are SET? */
    SOCKET fd_array[FD_SETSIZE];  /* an array of SOCKETs */
} fd_set;

#define FD_SET(fd, set) do { \
    u_int __i; \
    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
        if (((fd_set FAR *)(set))->fd_array[__i] == (fd)) { \
            break; \
        } \
    } \
    if (__i == ((fd_set FAR *)(set))->fd_count) { \
        if (((fd_set FAR *)(set))->fd_count < FD_SETSIZE) { \
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            ((fd_set FAR *)(set))->fd_array[__i] = (fd); \
            ((fd_set FAR *)(set))->fd_count++; \
        } \
    } \
} while(0)

So if you attempted to put FD_SETSIZE + 1 sockets into an fd_set, it
would just fail.
Additionally, if you want to write a high-performance asynchronous
sockets application on Windows, I highly recommend either using
WSAEventSelect or I/O completion ports. If you are dealing with a
cross-platform application, I would abstract out the platform-specific
code - the perf gains are worth it. I've done this, and the improvements
were significant.
Hope this helps -
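The bounds check LeBlanc points at, shown as an added example that is neither his code nor Microsoft's header: a constructed mirror of the Winsock array layout (names carry a demo_ prefix so it compiles anywhere) whose add routine reports whether a socket was actually stored, next to a guarded wrapper around the POSIX bitmap FD_SET, which performs no such check. The handle values 1000+k, the demo_ names and posix_fd_set_checked are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mirror of the Winsock fd_set layout quoted in the message.
 * The demo_ prefix keeps it from colliding with the real <winsock2.h> or
 * <sys/select.h> definitions on whatever platform this is built on. */
#define DEMO_FD_SETSIZE 64
typedef unsigned int demo_u_int;
typedef unsigned int demo_SOCKET;

typedef struct demo_fd_set {
    demo_u_int  fd_count;                    /* how many are SET? */
    demo_SOCKET fd_array[DEMO_FD_SETSIZE];   /* an array of SOCKETs */
} demo_fd_set;

/* Same logic as the Winsock FD_SET macro, written as a function that reports
 * whether the socket ended up in the set. The real macro gives the caller no
 * such signal: once fd_count reaches FD_SETSIZE it simply does nothing. */
int demo_fd_set_add(demo_fd_set *set, demo_SOCKET fd)
{
    demo_u_int i;
    for (i = 0; i < set->fd_count; i++)
        if (set->fd_array[i] == fd)
            return 1;                        /* already present, nothing to do */
    if (set->fd_count < DEMO_FD_SETSIZE) {   /* the bounds check in the header */
        set->fd_array[set->fd_count++] = fd;
        return 1;
    }
    return 0;                                /* dropped, fd_array untouched */
}

/* Insert n distinct constructed handles (1000, 1001, ...) into a fresh set and
 * return how many were actually stored. */
demo_u_int demo_fill(demo_fd_set *set, unsigned n)
{
    unsigned k;
    memset(set, 0, sizeof *set);
    for (k = 0; k < n; k++)
        demo_fd_set_add(set, (demo_SOCKET)(1000 + k));
    return set->fd_count;
}

/* How many of n handles are silently lost: select() would then never report
 * readiness for them, a liveness bug rather than a memory-safety one. */
unsigned demo_dropped(unsigned n)
{
    demo_fd_set s;
    return n - demo_fill(&s, n);
}

#ifndef _WIN32
#include <sys/select.h>
/* On POSIX, fd_set is a bitmap and FD_SET(fd, set) does no range check: a
 * descriptor >= FD_SETSIZE indexes past the end of the bitmap. This wrapper
 * refuses such descriptors, which is the check a portable caller has to add. */
int posix_fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    FD_SET(fd, set);
    return 1;
}

/* Try fd against a fresh set; 1 if accepted and visible via FD_ISSET, else 0. */
int posix_try_fd(int fd)
{
    fd_set s;
    FD_ZERO(&s);
    return posix_fd_set_checked(fd, &s) && FD_ISSET(fd, &s);
}
#endif

int main(void)
{
    printf("64 handles -> %u dropped\n", demo_dropped(64));   /* 0 */
    printf("65 handles -> %u dropped\n", demo_dropped(65));   /* 1 */
#ifndef _WIN32
    printf("POSIX fd %d accepted: %d\n", FD_SETSIZE, posix_try_fd(FD_SETSIZE)); /* 0 */
#endif
    return 0;
}
```

The two halves fail in different ways: the Windows layout refuses the 65th socket and keeps memory intact, so the bug to watch for is a connection that is never polled, while the POSIX bitmap has no refusal path at all, so the wrapper's range check is the only thing standing between a high descriptor number and a write past fds_bits. A cross-platform select() loop should treat both as errors it can detect, not as conditions the headers handle for it.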