Issue Details (XML | Word | Printable)

Key: CORE-2437
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: Alexander Peshkov
Reporter: Alexander Peshkov
Votes: 0
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
Firebird Core

Buffer overflow on client when delivering events.

Created: 17/Apr/09 05:36 AM   Updated: 08/Nov/09 10:43 PM
Component/s: API / Client Library, Engine
Affects Version/s: 2.0.0, 1.5.4, 2.0.1, 2.0.2, 2.0.3, 1.5.5, 2.1.0, 2.0.4, 2.5 Alpha 1, 2.1.1, 2.0.5, 2.1.2, 2.5 Beta 1
Fix Version/s: 2.5 Beta 2, 2.1.3, 2.0.6

Time Tracking:
Not Specified

Issue Links:
Relate
 

Planning Status: Unspecified


 Description  « Hide
If for any reason badly formed list of events is used in isc_events_que(), it's sent to server and processed without any sanity checks (for server reads data after the end of passed buffer). As a result event with name, longer than expected, can be returned to client, passed to callback routine and cause BOF on client.

 All   Comments   Work Log   Change History   Version Control   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
Alexander Peshkov added a comment - 17/Apr/09 05:39 AM
Bug was found when trying to reproduce CORE-2272

Alexander Peshkov added a comment - 17/Apr/09 05:48 AM
Added minimum sanity check for malformed EPB on server and check for size of received event notification on client.

Alexander Peshkov added a comment - 08/May/09 03:54 PM
Reopened to add backporting info