Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segfault when receiving malformed packet from network [CORE6367] #6607

Closed
firebird-automations opened this issue Jul 23, 2020 · 3 comments
Closed

Comments

@firebird-automations
Copy link
Collaborator

Submitted by: @AlexPeshkoff

In some *_getbytes() functions (serving XDRs data stream) parameter count (number of bytes to transfer) is unsigned 32-bit integer, but inside function code is casted to signed 32-bit integer. At the same time the value of this parameter is taken from the network (something like string length) and sent to that routine as is. Therefore sending very big integer can make internal bytes counter become negative causing buffer to be overwritten and damaging the stack.

Such effect may be used to execute arbitrary code before authentication on server.

Commits: 6367d2b 5a7c0c7

@firebird-automations
Copy link
Collaborator Author

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations
Copy link
Collaborator Author

Commented by: @AlexPeshkoff

Cleanup of code (changed related var-s to be unsigned and removed a number of casts) solved an issue.

@firebird-automations
Copy link
Collaborator Author

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 RC 1 [ 10930 ]

Fix Version: 3.0.7 [ 10940 ]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment