Key: CORE-2437
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Alexander Peshkov
Reporter: Alexander Peshkov
Votes: 0
Watchers: 0

Firebird Core

Buffer overflow on client when delivering events.

Created: 17/Apr/09 05:36 AM   Updated: 08/Nov/09 10:43 PM
Component/s: API / Client Library, Engine
Affects Version/s: 2.0.0, 1.5.4, 2.0.1, 2.0.2, 2.0.3, 1.5.5, 2.1.0, 2.0.4, 2.5 Alpha 1, 2.1.1, 2.0.5, 2.1.2, 2.5 Beta 1
Fix Version/s: 2.5 Beta 2, 2.1.3, 2.0.6

Description
If for any reason a badly formed list of events is used in isc_events_que(), it is sent to the server and processed without any sanity checks (for the server reads data after the end of the passed buffer). As a result, an event with a name longer than expected can be returned to the client, passed to the callback routine and cause a BOF on the client.

Alexander Peshkov added a comment - 17/Apr/09 05:39 AM
Bug was found when trying to reproduce CORE-2272

Alexander Peshkov added a comment - 17/Apr/09 05:48 AM
Added a minimum sanity check for malformed EPB on the server and a check for the size of the received event notification on the client.

Alexander Peshkov added a comment - 08/May/09 03:54 PM
Reopened to add backporting info
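
The two checks named in the comments above, sketched as an added example; this is not the Firebird patch or code from the project. It assumes the EPB layout is a version byte followed, per event, by a one-byte name length, the name and a four-byte count; `EPB_VERSION1`, `epb_validate`, `epb_copy_checked` and the sample buffers are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EPB_VERSION1 1  /* assumed value of the EPB version tag */

/* Constructed samples: one event "ab" with count 0, and the same
 * block whose length byte claims 200 name bytes. */
static const uint8_t epb_good[] = {1, 2, 'a', 'b', 0, 0, 0, 0};
static const uint8_t epb_bad[]  = {1, 200, 'a', 'b', 0, 0, 0, 0};

/* Server-side style check: walk the block and make sure every length
 * field stays inside the buffer that was actually passed.
 * Returns the number of events, or -1 if the block is malformed. */
int epb_validate(const uint8_t *epb, size_t len)
{
    if (epb == NULL || len < 1 || epb[0] != EPB_VERSION1)
        return -1;

    size_t pos = 1;
    int events = 0;
    while (pos < len) {
        size_t name_len = epb[pos++];
        /* The name bytes plus the 4-byte count must still fit. */
        if (name_len + 4 > len - pos)
            return -1;
        pos += name_len + 4;
        events++;
    }
    return events;
}

/* Client-side style check: accept a received notification only if it
 * is well formed and no larger than the buffer registered for it. */
int epb_copy_checked(uint8_t *dst, size_t dst_cap,
                     const uint8_t *src, size_t src_len)
{
    if (dst == NULL || src_len > dst_cap || epb_validate(src, src_len) < 0)
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}
```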