{"id":41523,"date":"2003-12-12T10:00:00","date_gmt":"2003-12-12T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2003\/12\/12\/why-are-structure-sizes-checked-strictly\/"},"modified":"2003-12-12T10:00:00","modified_gmt":"2003-12-12T10:00:00","slug":"why-are-structure-sizes-checked-strictly","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20031212-00\/?p=41523","title":{"rendered":"Why are structure sizes checked strictly?"},"content":{"rendered":"

\nYou may have noticed that Windows as a general rule\nchecks structure sizes strictly.\nFor example, consider the MENUITEMINFO structure:\n<\/p>\n

\ntypedef struct tagMENUITEMINFO {\n  UINT    cbSize;\n  UINT    fMask;\n  UINT    fType;\n  UINT    fState;\n  UINT    wID;\n  HMENU   hSubMenu;\n  HBITMAP hbmpChecked;\n  HBITMAP hbmpUnchecked;\n  ULONG_PTR dwItemData;\n  LPTSTR  dwTypeData;\n  UINT    cch;\n#if(WINVER >= 0x0500)\n  HBITMAP hbmpItem; \/\/ available only on Windows 2000 and higher\n#endif\n} MENUITEMINFO, *LPMENUITEMINFO;\n<\/pre>\n
\nNotice that the size of this structure changes\ndepending on whether WINVER >= 0x0500\n(i.e.<\/i>, whether you are targetting Windows 2000 or higher).\nIf you take the Windows 2000 version of this structure\nand pass it to Windows NT 4,\nthe call will fail since the sizes don’t match.\n<\/p>\n
\n“But the old version of the operating system\nshould accept any size that is greater than or equal to\nthe size it expects.\nA larger value means that the structure\ncame from a newer version of the program,\nand it should just ignore the parts it doesn’t understand.”\n<\/p>\n
\nWe tried that. It didn’t work.\n<\/p>\n
\nConsider the following imaginary sized structure\nand a function that consumes it.\nThis will be used as the guinea pig for the discussion to follow:\n<\/p>\n
\ntypedef struct tagIMAGINARY {\n  UINT cbSize;\n  BOOL fDance;\n  BOOL fSing;\n#if IMAGINARY_VERSION >= 2\n  \/\/ v2 added new features\n  IServiceProvider *psp; \/\/ where to get more info\n#endif\n} IMAGINARY;\n\/\/ perform the actions you specify\nSTDAPI DoImaginaryThing(const IMAGINARY *pimg);\n\/\/ query what things are currently happening\nSTDAPI GetImaginaryThing(IMAGINARY *pimg);\n<\/pre>\n
\nFirst, we found lots of programs which simply\nforgot to initialize the cbSize<\/code> member altogether.<\/p>\n
\nIMAGINARY img;\nimg.fDance = TRUE;\nimg.fSing = FALSE;\nDoImaginaryThing(&img);\n<\/pre>\n
\nSo they got stack garbage as their size.\nThe stack garbage happened to be a large number,\nso it passed the\n“greater than or equal to the expected cbSize<\/code>” test\nand the code worked.\nThen the next version of the header file expanded the structure,\nusing the cbSize<\/code> to detect\nwhether the caller is using the old or new style.\nNow, the stack garbage is still greater than or equal to\nthe new cbSize<\/code>,\nso version 2 of DoImaginaryThing<\/code> says,\n“Oh cool, this is somebody who wants to provide additional information\nvia the IServiceProvider<\/code> field.”\nExcept of course that it’s stack garbage,\nso calling the IServiceProvider::QueryService<\/code> method crashes.\n<\/p>\n
\nNow consider this related scenario:\n<\/p>\n
\nIMAGINARY img;\nGetImaginaryThing(&img);\n<\/pre>\n
\nThe next version of the header file expanded the structure,\nand the stack garbage happened to be a large number,\nso it passed the\n“greater than or equal to the expected cbSize<\/code>” test,\nso it returned not just the fDance<\/code> and\nfSing<\/code> flags, but also returned an\npsp<\/code>.\nOops, but the caller was compiled with v1, so its structure\ndoesn’t have a psp<\/code> member.\nThe psp<\/code> gets written past the end of the structure,\ncorrupting whatever came after it in memory.\nAh, so now we have one of those dreaded buffer overflow<\/b> bugs.\n<\/p>\n
\nEven if you were lucky and the memory that came afterwards was\nsafe to corrupt, you still have a bug:  By the rules of COM\nreference counts, when a function returns an interface pointer,\nit is the caller’s responsibility to release the pointer when\nno longer needed.\nBut the v1 caller doesn’t know about this psp<\/code> member,\nso it certainly doesn’t know that it needs to be\npsp->Release()<\/code>d.  So now, in addition to memory\ncorruption (as if that wasn’t bad enough), you also have a memory\nleak.\n<\/p>\n
\nWait, I’m not done yet.  Now let’s see what happens when a program\nwritten in the future runs on an older system.\n<\/p>\n
\nSuppose somebody is writing their program intending it to be run on v2.\nThey set the cbSize<\/code> to the larger v2 structure size\nand set the psp<\/code> member to a service provider\nthat performs security checks before allowing any\nsinging or dancing to take place.\n(E.g.<\/i>, makes sure everybody paid the entrance fee.)\nNow somebody takes this program and runs it on v1.\nThe new v2 structure size passes the\n“greater than or equal to the v1 structure size” test,\nso v1 will accept the structure and Do the ImaginaryThing.\nExcept that v1 didn’t support the psp<\/code> field,\nso your service provider never gets called\nand your security module is bypassed.\nNow everybody is coming into your club without paying.\n<\/p>\n
Now, you might say, “Well those are just buggy programs.\nThey deserve to lose.”\nIf you stand by that logic, then prepare to take the heat\nwhen you read magazine articles like\n“Microsoft intentionally designed <Product X>\nto be incompatible with <software from a major competitor>.\nWhere is the Justice Department when you need them?”<\/p>\n","protected":false},"excerpt":{"rendered":"
You may have noticed that Windows as a general rule checks structure sizes strictly. For example, consider the MENUITEMINFO structure: typedef struct tagMENUITEMINFO { UINT cbSize; UINT fMask; UINT fType; UINT fState; UINT wID; HMENU hSubMenu; HBITMAP hbmpChecked; HBITMAP hbmpUnchecked; ULONG_PTR dwItemData; LPTSTR dwTypeData; UINT cch; #if(WINVER >= 0x0500) HBITMAP hbmpItem; \/\/ available only on […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[2],"class_list":["post-41523","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-history"],"acf":[],"blog_post_summary":"
You may have noticed that Windows as a general rule checks structure sizes strictly. For example, consider the MENUITEMINFO structure: typedef struct tagMENUITEMINFO { UINT cbSize; UINT fMask; UINT fType; UINT fState; UINT wID; HMENU hSubMenu; HBITMAP hbmpChecked; HBITMAP hbmpUnchecked; ULONG_PTR dwItemData; LPTSTR dwTypeData; UINT cch; #if(WINVER >= 0x0500) HBITMAP hbmpItem; \/\/ available only on […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/41523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=41523"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/41523\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=41523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=41523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=41523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}