Saturday, June 08, 2002

I received a question from Justin Rudd about my response to Simon Fell's commentary on the ASP.NET unchecked buffer security bulletin.

Here's the question:

Hey Drew,

You mention in your post about the ASP.NET buffer overrun that it is in the ISAPI DLL. I didn't see anything mentioned in the technical details about the ISAPI DLL. It seems that the problem only occurs if you use the out-of-process state server.

And my response:

The problem is actually not in the managed components but in the implementation of the ASP.NET worker process, which is unmanaged. Notice the title of the bulletin: Unchecked Buffer in ASP.NET Worker Process. (ed. note: now that I'm looking at this last sentence here, it sounds a bit smart-assy! Sorry Justin, I hope it didn't come across that way.)

Now, Microsoft doesn't go into too much detail about exactly what the problem is (for good reasons), but System.Web, like a lot of framework libraries, has an internal class called UnsafeNativeMethods which contains P/Invoke mappings for various external helper methods. There are four methods related to session here that map to aspnet_isapi.dll:

SessionNDCloseConnection
SessionNDConnectToService
SessionNDGetBody
SessionNDMakeRequest

The unchecked buffer likely lives in one of these external methods.

Also, if you look in your <windows>\Microsoft.NET\Framework\v1.0.3705 folder for aspnet_perf.ini, aspnet_wp.exe, aspnet_regiis.dll, aspnet_isapi.dll, and System.Web.dll you'll see that they are all updated with a minor version of 272 instead of 0 like the other framework components.
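As an added check (not part of the original post), the following PowerShell script walks the five files named above and reports which ones carry the post-fix file version. It assumes the "272" the post refers to is the fourth (revision) field of the Windows file version, and that the framework lives under the default <windows>\Microsoft.NET\Framework\v1.0.3705 path.

```powershell
# Added example: verify the ASP.NET 1.0 files listed in the post carry the
# post-fix file version. Assumption: "minor version of 272" means the fourth
# (revision) field of the file version resource, e.g. 1.0.3705.272.
$frameworkDir     = Join-Path $env:windir 'Microsoft.NET\Framework\v1.0.3705'
$expectedRevision = 272
$files = 'aspnet_perf.ini', 'aspnet_wp.exe', 'aspnet_regiis.dll',
         'aspnet_isapi.dll', 'System.Web.dll'

$report = foreach ($name in $files) {
    $path = Join-Path $frameworkDir $name
    if (-not (Test-Path $path)) {
        [PSCustomObject]@{ File = $name; FileVersion = $null; Status = 'missing' }
        continue
    }

    $vi = (Get-Item $path).VersionInfo

    # A plain .ini file has no version resource, so FileVersion is empty;
    # flag it for manual inspection instead of reporting a false "unpatched".
    if (-not $vi.FileVersion) {
        [PSCustomObject]@{ File = $name; FileVersion = $null
                           Status = 'no version resource, inspect manually' }
        continue
    }

    # The pre-fix files end in .0; the fix bumps the revision field.
    $status = if ($vi.FilePrivatePart -ge $expectedRevision) { 'patched' }
              else { 'unpatched (revision {0})' -f $vi.FilePrivatePart }

    [PSCustomObject]@{ File = $name; FileVersion = $vi.FileVersion; Status = $status }
}

$report | Format-Table -AutoSize

# Non-zero exit if anything is still at the pre-fix revision, for use in a
# scheduled compliance check.
if ($report | Where-Object { $_.Status -like 'unpatched*' }) { exit 1 }
```

The script only inspects the files the post names; other framework components keep a revision of 0 and are not expected to change.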

3:55:19 PM