Spot the Bug! : Spot the Bug - November 28, 2005

Monday, November 28, 2005 6:34 PM rsamona

Spot the Bug - November 28, 2005

Some people commented that the last bug was too easy, and it was, but buffer overruns are still common enough that I wanted to send the point home. This one is a bit more challenging.
Courtesy of Neelay Shah, Consultant, Foundstone

void Socket_Setup(void)
{
   WORD wVersionRequested;
   WSADATA wsaData;
   wVersionRequested = MAKEWORD( 2, 2 );
   ::WSAStartup(wVersionRequested, &wsaData);

   SOCKET sTCPServer = ::socket(AF_INET, SOCK_STREAM, 0);
   struct sockaddr_in saTCPServAddr;
   saTCPServAddr.sin_family = AF_INET;
   saTCPServAddr.sin_addr.S_un.S_addr = ::htonl(INADDR_ANY);
   saTCPServAddr.sin_port = ::htons(5678);
   int len = sizeof(saTCPServAddr);

   int iFail =::bind(sTCPServer, (struct sockaddr*)&saTCPServAddr, len);
   DWORD dwErr;
   if(0 != iFail)
   {
      dwErr = ::WSAGetLastError();
      printf("\n\t Error occured.\n");
      return;
     }

iFail = ::listen(sTCPServer, 2);

   struct sockaddr_in saClient;
   int iClsize = sizeof(saClient);
   SOCKET sClient = ::accept(sTCPServer, (struct sockaddr*)&saClient ,&iClsize);

char strData[1024];
::recv(sClient, strData, 1024, 0);

   printf("\n\nRealServer--Data from client --- %s ---", strData);

   ::shutdown(sTCPServer, SD_BOTH);

   ::WSACleanup();

return;
}

Solution

Wow, we had a lot of great posts to this one!

Assuming nothing was missed, here is the solution:

void Socket_Setup(void)
{
WORD wVersionRequested;
WSADATA wsaData;
wVersionRequested = MAKEWORD( 2, 2 );
::WSAStartup(wVersionRequested, &wsaData);

SOCKET sTCPServer = ::socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in saTCPServAddr;
saTCPServAddr.sin_family = AF_INET;
saTCPServAddr.sin_addr.S_un.S_addr = ::htonl(INADDR_ANY);
saTCPServAddr.sin_port = ::htons(5678);
int len = sizeof(saTCPServAddr);

//Approach 1
//Enable exclusive use so that another process cannot bind to the same socket
//BOOL bExclusiveUse = TRUE;
//int iValLen = sizeof(BOOL);
//::setsockopt(sTCPServer, SOL_SOCKET, SO_EXCLUSIVEADDRUSE,
//(char*)&bExclusiveUse, iValLen);

int iFail =::bind(sTCPServer, (struct sockaddr*)&saTCPServAddr, len);
DWORD dwErr;
if(0 != iFail)
{
    dwErr = ::WSAGetLastError();
    printf("\n\t Error occured.\n");
    return;
}

//Approach 2:
//Strong ACL the socket only local admin’s and local service can bind
//Starting Win 2003 Server SP1
PSECURITY_DESCRIPTOR psD = NULL;
if(!ConvertStringSecurityDescriptorToSecurityDescriptor(
    "D:(A;;GA;;;LS)(A;;GA;;;BA)",
    SECURITY_DESCRIPTOR_REVISION,
    &psD, NULL))
{
    printf("Convert Failed \n");
}

if(!SetKernelObjectSecurity(
    (HANDLE)sTCPServer,
    DACL_SECURITY_INFORMATION, psD))
{
    printf ("SetKernelObjectSecurity failed %d",GetLastError());
}

iFail = ::listen(sTCPServer, 2);

struct sockaddr_in saClient;
int iClsize = sizeof(saClient);
SOCKET sClient = ::accept(sTCPServer, (struct sockaddr*)&saClient ,&iClsize);

char strData[1024];
::recv(sClient, strData, 1024, 0);

printf("\n\nRealServer--Data from client --- %s ---", strData);

::shutdown(sTCPServer, SD_BOTH);

::WSACleanup();

return;
}

Description:
Creating sockets and binding them to any interface can be tricky. This can enable a malicious attacker to write a malicious server program which binds to same port but to a specific port which results in the malicious server getting the client connections along with their data. This is referred as “socket hijacking”. One approach is to strong ACL the socket (starting Win 2003 server and above). The above example shows the socket to be strong ACLed to allow only the local administrators and the Local Service account. Another approach is to set the “SO_EXCLUSIVEADDRUSE” socket option which disallows another process to bind to the same port on all available interfaces.

Filed under: Bug Squashed

Comments

# re: Spot the Bug - November 28, 2005

Monday, November 28, 2005 10:07 PM by Stuart Ballard

I don't know the APIs in question, but my guess would be that you have an off-by-one error in the size of strData. Either that ::recv reads a full 1024 bytes plus a null terminator that goes outside the buffer, or ::recv receives 1024 bytes without a null terminator causing the printf to print garbage memory.

If ::recv retrieves one *less* than the specified buffer size and then a null-terminator char, then the bug must be somewhere else...

# re: Spot the Bug - November 28, 2005

Tuesday, November 29, 2005 9:25 AM by Gonzalo Garcia

I agree, IMHO there's an of by one error on strData.

# re: Spot the Bug - November 28, 2005

Tuesday, November 29, 2005 2:39 PM by Mike Warriner

I'd consider this to be not just a "off by one" error, but also forgetting to null terminate the string properly. ::recv will return the number of bytes read, so the user should use this to null terminate the string, with the appropriate length checking. For example:

int bytecount = ::recv(sClient, strData, 1023, 0);
if (bytecount==SOCKET_ERROR)
{
// handle the error
}
else
{
// Technically this validation isn't really needed since the spec says any other failure will return zero and the max is the length specified. But just in case the API changes or there is a bug in the API.

if (bytecount>=0 && bytecount<=1023)
strData[bytecount] = '\0';
else
strData[0] = '\0'; // just in case.
}
recv reads up to the number of bytes you specify, with no null termination (it's designed to read binary data, not strings). An error is returned by returning SOCKET_ERROR, whose value is -1.

Mike

# re: Spot the Bug - November 28, 2005

Tuesday, December 06, 2005 4:35 PM by Blaine Brysh

I agree with the previous posts, but I'll add a new problem as well, the htonl call uses INADDR_ANY. This essentially tells the socket to listen on ALL the network interfaces on that machine. The catch here is that there can be more than one server listening on the same port. So if another server requests a more specific binding (an actual IP address instead of INADDR_ANY), that server wins in getting the packet. In essence, another program could hijack your port. A possible solution is to set a socket option called SO_EXCLUSIVEADDRUSE (at least in NT service pack 4 and up).

# re: Spot the Bug - November 28, 2005

Thursday, December 08, 2005 5:10 PM by D Byrne

The printf %s may not show all the data because the recv can read in binary data.

# re: Spot the Bug - November 28, 2005

Friday, December 09, 2005 7:59 PM by d brown

So, there are multiple problems:
1) The code assumes that the other side is sending ASCII text.
2) The code assumes the other side is including in its send the terminating NULL. If it doesn't, then the printf() can overrun the end of the buffer. This can be solved by either initializing the entire buffer to zero before the recv(), or null terminating the buffer after the recv() as in a previous post.
3) Since this code is only set up to allow one connection, the listen()ing socket should be closed after the call to accept().
4) The data socket should be closed (via closesocket()) at some point.
5) The return value of accept() is never checked. Since accept() can fail, there should be code that looks like":
if(INVALID_SOCKET == sClient )
{
dwErr = ::WSAGetLastError();
printf("\n\t Error occured.\n");
return;
}
6) The return value of recv() should be checked (again, as in Mike W.'s post)

# re: Spot the Bug - November 28, 2005

Monday, December 12, 2005 9:45 AM by P Hines

It's been a while since I did packet coding, but I'd actually take this a step further. The code assumes the size of the message will be within the range of 1024 characters. A better way to do this - especially since this is a single receive situation - is to use MSG_PEEK to get the size of the data that needs to be read, create your buffer based on that size, and then do the real read, adding the null termination character at the end. This approach still has the limitation of assuming the other end is sending data printable (and reasonably understandable) via the %s conversion type, but has the benefit of not being subject to the recv call failing with the WSAEMSGSIZE reason.

# re: Spot the Bug - November 28, 2005

Wednesday, December 14, 2005 2:10 AM by Suganth

i think there should be a validation for the socket returned by the accept api

SOCKET sClient = ::accept(sTCPServer, (struct sockaddr*)&saClient ,&iClsize);
if( INVALID_SOCKET != sClient )
{
//proceed with read operation
}

# re: Spot the Bug - November 28, 2005

Monday, December 19, 2005 2:23 PM by Alun Jones

You're still missing some bugs. Here's my assessment:
1. Return values are unchecked for WSAStartup, socket, listen, accept, recv - other functions I haven't listed here either have no failure modes, or the action on failure is the same as the action on success.
2. struct and char assignments aren't zeroed on creation - not very important, but see item 4 later.
3. The return value for recv() is the size of the data in bytes, and is unchecked and unused. Any code that throws away the length of data received should not hang on to the data received.
4. The data received by the recv() call is assumed to be null-terminated ASCII, suitable for printf. An attacker could overflow this by sending a single non-null byte, causing the program to access the uninitialised contents of strData. Or sending more than 1024 non-null bytes, causing printf() to read beyond the end of strData into other space.
5. closesocket is never called. While WSACleanup will free the resources used by the two sockets, it's polite to explicitly free it - and, as pointed out, closing the listening socket after the reset would be good, as it would disconnect any extra connections. A classic attack is to guess what port will be assigned to the next connection, and try to steal the connection before the true client. If you close the listener after the first accept, you will at least signal to the true client that there is a potential problem. [Better still, if a client opens a new connection with you, authenticate that connection!]
6. Even if the client sends null-terminated ASCII, that might not all come in the first call to recv(). TCP is known for its fondness for fragmenting and reassembling its data, so that the number of calls to recv() almost never matches the number of calls to send(). There should be a check to ensure that the whole data has been received.
As for the suggestion to use MSG_PEEK, that trick never works. There are numerous behaviours and bugs in MSG_PEEK (and ioctlsocket(...FIONREAD...)) that make peeking into socket streams unreliable and dangerous. recv() won't fail with WSAEMSGSIZE on a stream socket - until the stream has been closed, there's always the possibility of more data.

# re: Spot the Bug - November 28, 2005

Tuesday, December 20, 2005 4:02 AM by Klaus König

If bind fails WSACleanup needs to be called.

# re: Spot the Bug - November 28, 2005

Tuesday, December 20, 2005 7:43 PM by Shreyas

char strData[1024];
Array should be initialized with zero values.
We should use either memset() or char strData[1024] = {0};
After receive strData is not null terminated string, so print() will lead to buffer overflow.

# re: Spot the Bug - November 28, 2005

Wednesday, December 21, 2005 5:15 PM by Jonathan Mackenzie

I think the bug here is that as written recv will return with as much data as is available at the time it is called.
The buffer strData is filled with random crap partially overwritten with whatever came back from the socket. There's no null terminator anywhere, so likely the printf will produce strange results, but it's more dangerous in real life when you pass the buffer to another routine that expects it to be null termainated.
I always 'memset, 0' on socket buffers before use.

# re: Spot the Bug - November 28, 2005

Thursday, December 22, 2005 12:38 PM by DarkByte

I dunno how you guys come up with so many "BUGS" but as far as i am concerned, there is technically 1 bug that is obvious (more challenging ?). The rest is simply bad coding practice which assumes things will go right.

So, in the sense of "things will go right", the one bug i can see is the size of strData buffer. But there are 2 ways to "fix" the bug.

1) You can increment the buffer size by one and null terminate after reading
2) You can decrement the read size by one, althought you still need to null terminate.

It's not the right place to argue on coding styles or techniques, only the result is important (Finding the bug).

I can see that Shreyas would introduce a bug himself by keeping strData to a length of 1024 and trying to set strData[1024] to 0.

For those thinking that socket should be closed etc. Read the code carefully. Its a one deal function that initiates a sockets and closes it implicitly.

# re: Spot the Bug - November 28, 2005

Monday, December 26, 2005 1:13 AM by Travis James

The problem would be the printf() statement, since the char strData[1024] buffer is not initialized or terminated after the recv(). Unless null terminated, the printf() statement will overrun the buffer unless there happens to be a null terminator in the transmission.

# Spot the Bug - December, 2005

Tuesday, December 27, 2005 3:21 PM by Sean Batson

There is nothing wrong with:

char strData[1024];
::recv(sClient, strData, 1024, 0);

This only means it will read the first 1024 bytes and discard the remain stream transmission for the remote end-point because parameter 3 of the recv function sets the boundary for the input. To read the beyond the 1024 boundary and drop the input into the strData until the transmitted stream is read in full, then this will have to be the case sine strData represents a packet size:

char strData[1024];

while( int bytesRecv != SOCKET_ERROR ) {
bytesRecv = recv(sClient, strData, 1024, 0);
if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET ) {
printf( "Connection Closed.\n");
break;
}
printf("\n\nRealServer--Data from client --- %s ---", strData);

}

This read in the full stream taking into account the full size of the transmitted stream.

Sean Batson
gimmenow2005-wuk at yahoo dot ca

# Spot the Bug - December(Correction), 2005

Tuesday, December 27, 2005 3:26 PM by Sean Batson

There is nothing wrong with:

char strData[1024];
::recv(sClient, strData, 1024, 0);

This only means it will read the first 1024 bytes and discard the remain stream transmission for the remote end-point because parameter 3 of the recv function sets the boundary for the input. To read the beyond the 1024 boundary and drop the input into the strData until the transmitted stream is read in full, then this will have to be the case sine strData represents a packet size:

/*
Init strData with
Read incoming transmission in
Packet sizes of 1024 bytes
And display recv data.
*/
char strData[1024]=" ";

while( int bytesRecv != SOCKET_ERROR ) {
bytesRecv = recv(sClient, strData, 1024, 0);
if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET ) {
printf( "Connection Closed.\n");
break;
}
printf("\n\nRealServer--Data from client --- %s ---", strData);

}

This read in the full stream taking into account the full size of the transmitted stream.

Sean Batson
gimmenow2005-wuk at yahoo dot ca

# best slots machines online

Wednesday, December 28, 2005 12:15 AM by best slots machines online

It was briling and the slythie <a href="http://www.typo7.com/slot-machines">best">http://www.typo7.com/slot-machines">best slots machines online</a> was crankling on the brawl. Playing the best best slots machines online http://www.typo7.com/slot-machines best slots machines online on the web is fun and exciting.

New Comments to this post are disabled

Spot the Bug!

Search

Tags

News

Archives

Spot the Bug - November 28, 2005

Comments

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# Spot the Bug - December, 2005

# Spot the Bug - December(Correction), 2005

# best slots machines online

Spot the Bug!

Search

Tags

News

Archives

Spot the Bug - November 28, 2005

Comments

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# re: Spot the Bug - November 28, 2005

# Spot the Bug - December, 2005

# Spot the Bug - December(**Correction**), 2005

# best slots machines online

# Spot the Bug - December(Correction), 2005