
Key: CORE-4630
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Critical
Assignee: Alexander Peshkov
Reporter: Kovalenko Dmitry
Votes: 0
Watchers: 1

Firebird Core

Segfault in server caused by malformed network packet CVE-2014-9323

Created: 01/Dec/14 04:18 PM   Updated: 25/May/16 06:31 AM
Component/s: Security
Affects Version/s: 2.1.5, 2.5.2, 2.1.5 Update 1, 2.5.2 Update 1, 3.0 Alpha 1, 3.0 Alpha 2, 2.1.6, 2.5.3, 3.0 Beta 1
Fix Version/s: 2.1.7, 2.5.3 Update 1

File Attachments: 1. File crash.cpp (1 kB)

QA Status: Cannot be tested

Description

Sending a malformed packet to the server (op = op_response with any non-empty status vector data) instead of the expected op_connect makes the server try to write data at a NULL address, because a NULL pointer to the status vector is passed to the xdr_status_vector() function. This attack does not require a login to the server.

All Firebird versions except v3.0 are affected.

Comments
Alexander Peshkov added a comment - 01/Dec/14 04:20 PM
Test program causing server to die.

Alexander Peshkov added a comment - 03/Dec/14 04:54 PM
Added checks for both status vector overflow and presence
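The fix comment above names two checks: the status vector must be present (non-NULL) before anything is written through it, and the decoded elements must not overflow its fixed capacity. The following added example is not Firebird's code and does not reproduce its XDR wire format; it is a constructed, simplified status-vector decoder (tag/value word pairs in network byte order, terminated by an end tag) whose function names (decodeStatusVector, decodeWholePacket, encodeWords, packetWithPairs) are hypothetical. It shows what a decoder that survives the packet described in this issue looks like: a NULL destination, a missing terminator, an unknown tag and an oversized vector are each reported as an error instead of dereferenced.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Tags of the simplified status vector used in this example. The numeric values mirror
// Firebird's isc_arg_end / isc_arg_gds / isc_arg_number from ibase.h, but the byte layout
// below is a constructed stand-in for illustration, not Firebird's real XDR encoding.
enum : uint32_t { ARG_END = 0, ARG_GDS = 1, ARG_NUMBER = 4 };

// Firebird sizes its status vectors at ISC_STATUS_LENGTH (20) slots; reused here as the
// fixed capacity that a packet must not be allowed to exceed.
constexpr size_t STATUS_VECTOR_LEN = 20;

enum class DecodeResult { Ok, NullVector, Truncated, Overflow, BadTag };

// Serialise 32-bit words big-endian (network order); used only to build constructed packets.
std::vector<uint8_t> encodeWords(const std::vector<uint32_t>& words) {
    std::vector<uint8_t> out;
    for (uint32_t w : words) {
        out.push_back(static_cast<uint8_t>(w >> 24));
        out.push_back(static_cast<uint8_t>(w >> 16));
        out.push_back(static_cast<uint8_t>(w >> 8));
        out.push_back(static_cast<uint8_t>(w));
    }
    return out;
}

// Constructed packet carrying n (ARG_NUMBER, i) pairs followed by ARG_END.
std::vector<uint8_t> packetWithPairs(size_t n) {
    std::vector<uint32_t> words;
    for (size_t i = 0; i < n; ++i) {
        words.push_back(ARG_NUMBER);
        words.push_back(static_cast<uint32_t>(i));
    }
    words.push_back(ARG_END);
    return encodeWords(words);
}

// Read one big-endian word at pos; false when the packet ends before the word does.
static bool readWord(const std::vector<uint8_t>& pkt, size_t& pos, uint32_t& out) {
    if (pos > pkt.size() || pkt.size() - pos < 4) return false;
    out = (uint32_t(pkt[pos]) << 24) | (uint32_t(pkt[pos + 1]) << 16) |
          (uint32_t(pkt[pos + 2]) << 8) | uint32_t(pkt[pos + 3]);
    pos += 4;
    return true;
}

// Decode tag/value pairs from pkt (starting at pos) into vector[0..cap).
// 'vector' may legitimately be nullptr when the caller expected no status data at all;
// that is the case CORE-4630 describes, so it is rejected before any write happens.
DecodeResult decodeStatusVector(const std::vector<uint8_t>& pkt, size_t& pos,
                                intptr_t* vector, size_t cap) {
    if (vector == nullptr || cap == 0) return DecodeResult::NullVector;  // presence check
    size_t idx = 0;
    for (;;) {
        uint32_t tag;
        if (!readWord(pkt, pos, tag)) return DecodeResult::Truncated;
        if (tag == ARG_END) {
            if (idx >= cap) return DecodeResult::Overflow;
            vector[idx] = ARG_END;
            return DecodeResult::Ok;
        }
        if (tag != ARG_GDS && tag != ARG_NUMBER) return DecodeResult::BadTag;
        uint32_t value;
        if (!readWord(pkt, pos, value)) return DecodeResult::Truncated;
        // Overflow check: the pair needs two slots and the terminator must still fit after it.
        if (idx + 2 >= cap) return DecodeResult::Overflow;
        vector[idx++] = static_cast<intptr_t>(tag);
        vector[idx++] = static_cast<intptr_t>(value);
    }
}

// Convenience wrapper that decodes from the start of a packet body.
DecodeResult decodeWholePacket(const std::vector<uint8_t>& pkt, intptr_t* vector, size_t cap) {
    size_t pos = 0;
    return decodeStatusVector(pkt, pos, vector, cap);
}

int main() {
    intptr_t vec[STATUS_VECTOR_LEN];
    const char* names[] = {"Ok", "NullVector", "Truncated", "Overflow", "BadTag"};
    auto show = [&](const char* what, DecodeResult r) {
        std::printf("%-28s -> %s\n", what, names[static_cast<int>(r)]);
    };
    show("null vector, valid packet", decodeWholePacket(packetWithPairs(1), nullptr, STATUS_VECTOR_LEN));
    show("9 pairs + end (fits)", decodeWholePacket(packetWithPairs(9), vec, STATUS_VECTOR_LEN));
    show("10 pairs + end (overflow)", decodeWholePacket(packetWithPairs(10), vec, STATUS_VECTOR_LEN));
    show("pair without terminator", decodeWholePacket(encodeWords({ARG_GDS, 335544344u}), vec, STATUS_VECTOR_LEN));
    show("unknown tag", decodeWholePacket(encodeWords({99u, 1u, ARG_END}), vec, STATUS_VECTOR_LEN));
    return 0;
}
```

The design point is that every write into the vector is preceded by a bound test, and the pointer is tested once before the loop rather than trusted because the protocol state machine "should" have allocated it; an unauthenticated peer controls the op code, so the decoder cannot rely on the expected op_connect having been received.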