Re: [twsocket] Serious bug in TWSocket (AV or buffer overflow) Please help !
I have found some similar code in function TCustomLineWSocket.DoRecv() from ICS-V5: === --- D:/DelphiComponents/Ics/Delphi/Vc32/WSocket.pas (revision 279) +++ D:/DelphiComponents/Ics/Delphi/Vc32/WSocket.pas (working copy) @@ -7874,13 +7874,13 @@ { We are in line mode an a line is received } if FLineLength = BufferSize then begin { User buffer is greater than received data, copy all and clear } -Move(FRcvdPtr^, Buffer, FLineLength); +Move(FRcvdPtr^, Buffer^, FLineLength); Result := FLineLength; FLineLength := 0; Exit; end; { User buffer is smaller, copy as much as possible } -Move(FRcvdPtr^, Buffer, BufferSize); +Move(FRcvdPtr^, Buffer^, BufferSize); Result := BufferSize; { Move the end of line to beginning of buffer to be read the next time } Move(FRcvdPtr[BufferSize], FRcvdPtr^, FLineLength - BufferSize); @@ -7897,13 +7897,13 @@ { We already have received data into our internal buffer } if FRcvdCnt = BufferSize then begin { User buffer is greater than received data, copy all and clear } -Move(FRcvdPtr^, Buffer, FRcvdCnt); +Move(FRcvdPtr^, Buffer^, FRcvdCnt); Result := FRcvdCnt; FRcvdCnt := 0; Exit; end; { User buffer is smaller, copy as much as possible } -Move(FRcvdPtr^, Buffer, BufferSize); +Move(FRcvdPtr^, Buffer^, BufferSize); Result := BufferSize; { Then move remaining data to front og buffer 16/10/99 } Move(FRcvdPtr[BufferSize], FRcvdPtr^, FRcvdCnt - BufferSize + 1); Regards, Tobias Max Terentiev wrote: Hi Arno, I think all Move() calls in ICS code should be checked... Bugs maybe not only in this place --- With best regards, Max Terentiev. Business Software Products. AMS Development Team. supp...@bspdev.com -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
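Review bot: In the first hunk (@@ -7874), whether `Buffer^` is right in the two Move() calls depends on how DoRecv declares Buffer, and the hunk does not show that declaration. Move() takes its destination as an untyped var parameter, so with an untyped `var Buffer` the original `Buffer` already names the caller's memory, and the dereference is only needed where Buffer is a pointer type. Please quote the DoRecv signature for this revision alongside the change. Separately, the guard as quoted reads `if FLineLength = BufferSize` while its comment covers the case where the user buffer is greater; with `=`, a line shorter than BufferSize would fall through to the BufferSize-byte copy, so confirm the operator against the source.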
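Review bot: In the second hunk (@@ -7897), the trailing context line `Move(FRcvdPtr[BufferSize], FRcvdPtr^, FRcvdCnt - BufferSize + 1);` moves one byte more than the `FRcvdCnt - BufferSize` bytes that remain after BufferSize bytes were handed out, whereas the matching line in the first hunk uses `FLineLength - BufferSize` with no `+ 1`. If the extra byte is intentional, a comment should say what it is for; otherwise it reads one byte past the received data and is worth correcting in the same pass as the Move() destination arguments.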
Re: [twsocket] Serious bug in TWSocket (AV or buffer overflow) Please help !
Tobias Rapp wrote:
I have found some similar code in function TCustomLineWSocket.DoRecv() from ICS-V5:

I don't think it is a bug in ICS-V5, since Buffer mostly was of no type (if memory serves well). This changed in ICS V6 where Buffer is of type TWSocketData which maps to Pointer in Win32.

--
Arno Garrels
Re: [twsocket] Serious bug in TWSocket (AV or buffer overflow) Please help !
Arno Garrels wrote:
I don't think it is a bug in ICS-V5, since Buffer mostly was of no type (if memory serves well). This changed in ICS V6 where Buffer is of type TWSocketData which maps to Pointer in Win32.

That's true. As a programmer coming from C language the typeless var Buffer thing often baffles me :-)

Tobias
Re: [twsocket] Serious bug in TWSocket (AV or buffer overflow) Please help !
Fastream Technologies wrote:
I think a C compiler would complain if you pass a char instead of char* at compile time. That's what I meant.

Look at the declaration of Move() that makes it clear.

--
Arno Garrels

On Sun, Nov 1, 2009 at 8:07 PM, Arno Garrels arno.garr...@gmx.de wrote:

Fastream Technologies wrote:
It is rather strange Delphi compiler does not give error on this! C compiler would I think.

It affects SOCKS connections only. It isn't a compiler specific bug but timing related. The buggy code wasn't called at all until I set a break point in TCustomSocksWSocket.TriggerDataAvailable, tested with TSmtpCli. That's probably why nobody hit it before.

I applied the posted fix to the source base of both V6 and V7. It will be available with the next nightly built snapshot downloadable at: http://wiki.overbyte.be/wiki/index.php/FAQ#How_to_get_ICS

--
Arno Garrels

On Sun, Nov 1, 2009 at 12:29 PM, Max Terentiev maxterent...@mail.ru wrote:

Hi Arno,

Yes, it helps ! But I will perform some heavy tests for sure... Thanx for the fix !!!

---
With best regards, Max Terentiev.
Business Software Products.
AMS Development Team.
supp...@bspdev.com

- Original Message -
From: Arno Garrels arno.garr...@gmx.de
To: ICS support mailing twsocket@elists.org
Sent: Sunday, November 01, 2009 12:01 PM
Subject: Re: [twsocket] Serious bug in TWSocket (AV or buffer overflow) Please help !

Hello Max,

I was able to reproduce the AV! Please try this change:

function TCustomSocksWSocket.DoRecv()
[..]
{$IFDEF WIN32}
        //Move(FRcvBuf[FSocksRcvdPtr], Buffer, FSocksRcvdCnt); // ==
        Move(FRcvBuf[FSocksRcvdPtr], Buffer^, FSocksRcvdCnt); // ==
{$ENDIF}
        Result:= FSocksRcvdCnt;
        FSocksRcvdCnt := 0;
        Exit;
    end;
    { User buffer is smaller, copy as much as possible }
{$IFDEF CLR}
    for I := 0 to BufferSize - 1 do
        Buffer[I] := FRcvBuf[FSocksRcvdPtr + I];
{$ENDIF}
{$IFDEF WIN32}
    //Move(FRcvBuf[FSocksRcvdPtr], Buffer, BufferSize); // ==
    Move(FRcvBuf[FSocksRcvdPtr], Buffer^, BufferSize); // ==
{$ENDIF}

Does that help?

--
Arno Garrels
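Added example (not part of the thread and not ICS code): Delphi's Move() declares its source and destination as untyped `const`/`var` parameters, so passing a Pointer variable hands Move the variable's own storage rather than the memory it points to, and the compiler accepts both forms. The program below runs the call before and after the fix discussed above; TSlot, Src, Dest and N are names made up for the illustration, and the Guard array keeps the stray write inside one record.

```pascal
program MoveUntypedDemo;
{$APPTYPE CONSOLE}
{ Added illustration, not ICS code: TSlot, Src, Dest and N are made-up names. }
const
  N = 12;  { bytes to copy; more than SizeOf(Pointer), less than SizeOf(TSlot) }
type
  TSlot = record
    Buf   : Pointer;               { plays the role of the Buffer parameter }
    Guard : array[0..15] of Byte;  { stands in for whatever follows the variable }
  end;
var
  Src, Dest : array[0..N - 1] of Byte;
  Slot      : TSlot;
  I         : Integer;

function NonZero(const A: array of Byte): Integer;
var
  K: Integer;
begin
  Result := 0;
  for K := Low(A) to High(A) do
    if A[K] <> 0 then
      Inc(Result);
end;

procedure ResetState;
begin
  FillChar(Dest, SizeOf(Dest), 0);
  FillChar(Slot, SizeOf(Slot), 0);
  Slot.Buf := @Dest;
end;

procedure Report(const Title: string);
begin
  WriteLn(Title);
  WriteLn('  Buf still points at Dest: ', Slot.Buf = @Dest);
  WriteLn('  non-zero bytes in Dest:   ', NonZero(Dest));
  WriteLn('  non-zero bytes in Guard:  ', NonZero(Slot.Guard));
end;

begin
  for I := 0 to N - 1 do
    Src[I] := $41 + I;           { constructed sample data, all non-zero }
  ResetState;
  Move(Src, Slot.Buf, N);        { before the fix: writes over the pointer variable itself }
  Report('Move(Src, Buf, N)');
  ResetState;
  Move(Src, Slot.Buf^, N);       { after the fix: writes to the memory Buf points to }
  Report('Move(Src, Buf^, N)');
end.
```

In the first report Dest stays empty while the pointer and part of Guard are overwritten, which is the access violation or silent corruption the thread describes once the damaged pointer or its neighbours are used.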
Re: [twsocket] Serious bug in TWSocket (AV or buffer overflow) Please help !
Hi Arno,

I think all Move() calls in ICS code should be checked... Bugs may be not only in this place

---
With best regards, Max Terentiev.
Business Software Products.
AMS Development Team.
supp...@bspdev.com

- Original Message -
From: Arno Garrels arno.garr...@gmx.de
To: ICS support mailing twsocket@elists.org
Sent: Sunday, November 01, 2009 9:35 PM
Subject: Re: [twsocket] Serious bug in TWSocket (AV or buffer overflow) Please help !

Fastream Technologies wrote:
I think a C compiler would complain if you pass a char instead of char* at compile time. That's what I meant.

Look at the declaration of Move() that makes it clear.

--
Arno Garrels

On Sun, Nov 1, 2009 at 8:07 PM, Arno Garrels arno.garr...@gmx.de wrote:

Fastream Technologies wrote:
It is rather strange Delphi compiler does not give error on this! C compiler would I think.

It affects SOCKS connections only. It isn't a compiler specific bug but timing related. The buggy code wasn't called at all until I set a break point in TCustomSocksWSocket.TriggerDataAvailable, tested with TSmtpCli. That's probably why nobody hit it before.

I applied the posted fix to the source base of both V6 and V7. It will be available with the next nightly built snapshot downloadable at: http://wiki.overbyte.be/wiki/index.php/FAQ#How_to_get_ICS

--
Arno Garrels

On Sun, Nov 1, 2009 at 12:29 PM, Max Terentiev maxterent...@mail.ru wrote:

Hi Arno,

Yes, it helps ! But I will perform some heavy tests for sure... Thanx for the fix !!!

---
With best regards, Max Terentiev.
Business Software Products.
AMS Development Team.
supp...@bspdev.com

- Original Message -
From: Arno Garrels arno.garr...@gmx.de
To: ICS support mailing twsocket@elists.org
Sent: Sunday, November 01, 2009 12:01 PM
Subject: Re: [twsocket] Serious bug in TWSocket (AV or buffer overflow) Please help !

Hello Max,

I was able to reproduce the AV! Please try this change:

function TCustomSocksWSocket.DoRecv()
[..]
{$IFDEF WIN32}
        //Move(FRcvBuf[FSocksRcvdPtr], Buffer, FSocksRcvdCnt); // ==
        Move(FRcvBuf[FSocksRcvdPtr], Buffer^, FSocksRcvdCnt); // ==
{$ENDIF}
        Result:= FSocksRcvdCnt;
        FSocksRcvdCnt := 0;
        Exit;
    end;
    { User buffer is smaller, copy as much as possible }
{$IFDEF CLR}
    for I := 0 to BufferSize - 1 do
        Buffer[I] := FRcvBuf[FSocksRcvdPtr + I];
{$ENDIF}
{$IFDEF WIN32}
    //Move(FRcvBuf[FSocksRcvdPtr], Buffer, BufferSize); // ==
    Move(FRcvBuf[FSocksRcvdPtr], Buffer^, BufferSize); // ==
{$ENDIF}

Does that help?

--
Arno Garrels