Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VPN-6268 - Fix ping Event Ready #9312

Merged
merged 5 commits into from
Apr 15, 2024
Merged

VPN-6268 - Fix ping Event Ready #9312

merged 5 commits into from
Apr 15, 2024

Conversation

strseb
Copy link
Collaborator

@strseb strseb commented Apr 2, 2024

Ugh this is an ugly one?

So the crash is happening in

memcpy(&sequence, replies[i].Data, sizeof(quint16)); 

With a EXE_BAD_ACCESS , so replies[i].Data is pointing to something wierd. Given that i cannot reproduce this, i'm trying to fix things that could theoretically have this point to a bad thing.

  1. We're not cleaning up the buffer before we re-pass it to windows, mabye there is corrupt data? I'm now cleaning this up before.
  2. We're casting the buffer to be an arraylike of ICMP_ECHO_REPLY, however that is not really the shape of the thing in memory.I was wondering where replies[0 ... replyCount].Data points and who owns the memory. We'll it is in our buffer! That's why the docs specifically asks us to allocate at least sizeof(ICMP_ECHO_REPLY) +WindowsPingPayloadSize + ICMP_ERR_SIZE + sizeof(IO_STATUS_BLOCK); bytes.
  • This means we can represent that memory with a packed struct.
  • Now given we also know how much memory we allocated for ICMP_ECHO_REPLY we can remove the for loop, given we can have only 0 or 1 Ping packages.
    -> With only 1 Possible Ping in the Struct, we know the position of the sequence in the buffer, so we can clearly just assert that the icmp ping points to that and use the data, no memcpy needed. Worst case here, it's 0 given we cleared it before causing a ping timeout but not a crash :)

@@ -493,7 +493,7 @@ QString WindowsSplitTunnel::convertPath(const QString& path) {
// device should contain : for e.g C:
return "";
}
QByteArray buffer(2048, 0xFF);
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given we now compile with warnings as errors, my MSVC compiler complained about the static type casting.

@strseb strseb requested a review from brizental April 2, 2024 17:54
src/platforms/windows/windowspingsender.cpp Show resolved Hide resolved
emit recvPing(sequence);
// We only allocated for one reply, so more should be impossible.
if (replyCount != 1){
logger.error() << "Invalid amount of responses recieved";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logger.error() << "Invalid amount of responses recieved";
logger.error() << "Invalid amount of responses received";

oskirby
oskirby previously requested changes Apr 5, 2024

#pragma pack(push, 1)
struct ICMP_ECHO_REPLY_BUFFER {
ICMP_ECHO_REPLY reply;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I filed a comment about it in the JIRA issue, but I think we should also switch out the ICMP_ECHO_REPLY struct with an ICMP_ECHO_REPLY32 as per the IcmpParseReplies documentation. It seems there is some 32/64-bit backwards compatibility issue around the Data pointer.

My guess as to the cause of the crash is that for whatever reason the Windows kernel is writing a 32-bit pointer into memory, but because we interpret the struct as a ICMP_ECHO_REPLY the client interprets the pointer as being 64-bits, and it just so happens to work fine when the top bits are zero, but crashes otherwise.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or better yet, check if the compiler macros are targeting a 64-bit system and make this an ICMP_ECHO_REPLY or ICMP_ECHO_REPLY32 as appropriate.

@strseb strseb requested a review from oskirby April 9, 2024 12:27
@strseb strseb force-pushed the basti/windows_ping_crash_fix branch from 00755d8 to f2e3dd3 Compare April 11, 2024 15:20
@strseb strseb enabled auto-merge (squash) April 11, 2024 15:20
@github-actions github-actions bot added the 🛬 Landing This PR is marked as "auto-merge" label Apr 11, 2024
@strseb strseb dismissed oskirby’s stale review April 15, 2024 14:53

Changes Requested were addressed :)

@strseb strseb merged commit 16269ff into main Apr 15, 2024
131 of 133 checks passed
@strseb strseb deleted the basti/windows_ping_crash_fix branch April 15, 2024 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🛬 Landing This PR is marked as "auto-merge"
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants