Segfault when receiving malformed packet from network [CORE6367] #6607
Labels
affect-version: 2.5.9
affect-version: 3.0.0
affect-version: 3.0.1
affect-version: 3.0.2
affect-version: 3.0.3
affect-version: 3.0.4
affect-version: 3.0.5
affect-version: 3.0.6
affect-version: 4.0 Alpha 1
affect-version: 4.0 Beta 1
affect-version: 4.0 Beta 2
affect-version: 4.0 Initial
component: api / client library
component: security
fix-version: 3.0.7
fix-version: 4.0 RC 1
priority: major
type: bug
Submitted by: @AlexPeshkoff
In some *_getbytes() functions (serving the XDR data stream) the parameter count (number of bytes to transfer) is an unsigned 32-bit integer, but inside the function it is cast to a signed 32-bit integer. At the same time, the value of this parameter is taken from the network (something like a string length) and passed to that routine as is. Therefore, sending a very big integer can make the internal byte counter negative, causing the buffer to be overwritten and damaging the stack.
Such an effect may be used to execute arbitrary code before authentication on the server.
Commits: 6367d2b 5a7c0c7
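The signed/unsigned mismatch described in the report, shown as an added example that is not Firebird's code: `vuln_getbytes_len` models the flawed bounds check (a wire-supplied `uint32_t` narrowed to `int`), `safe_getbytes` and `read_string` are a hardened length-prefixed read, and `GOOD_PKT`/`BAD_PKT` are constructed packets, the second carrying a length field of 0xFFFFFFF0. The `xdr_stream` type and every function name here are assumptions for illustration only; the vulnerable version only computes the length it would pass to `memcpy` and never performs the copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for an XDR input stream: the bytes received from the peer and how
 * many remain unread. Constructed for this example, not Firebird's own type. */
struct xdr_stream {
    const unsigned char *data;
    size_t avail;
};

/* Vulnerable pattern from the report: the count arrives as an unsigned 32-bit
 * value but is narrowed to a signed int before the bounds check. For
 * count >= 0x80000000 the int is negative (wraparound on all mainstream
 * compilers), so the "too big" test does not fire, and converting it back to
 * size_t for the copy yields a huge length. Returns the copy length the check
 * would hand to memcpy, or 0 if the request is rejected. */
size_t vuln_getbytes_len(uint32_t count, size_t dst_size, const struct xdr_stream *xdrs)
{
    int bytecount = (int)count;                     /* BUG: unsigned -> signed */
    if (bytecount > (int)dst_size || bytecount > (int)xdrs->avail)
        return 0;                                   /* catches only positive overruns */
    return (size_t)bytecount;                       /* negative -> close to SIZE_MAX */
}

/* Hardened form: keep the count unsigned end to end and check it against both
 * the destination size and the bytes actually available in the stream.
 * Returns 1 on success, 0 if the request is rejected. */
int safe_getbytes(char *dst, size_t dst_size, struct xdr_stream *xdrs, uint32_t count)
{
    if (count > dst_size || count > xdrs->avail)
        return 0;
    memcpy(dst, xdrs->data, count);
    xdrs->data += count;
    xdrs->avail -= count;
    return 1;
}

/* Reads a length-prefixed string: 4-byte big-endian length, then that many
 * bytes, NUL-terminated into dst. Returns the length, or -1 if the packet is
 * truncated or the length does not fit the destination. */
long read_string(char *dst, size_t dst_size, struct xdr_stream *xdrs)
{
    if (xdrs->avail < 4)
        return -1;
    uint32_t len = ((uint32_t)xdrs->data[0] << 24) | ((uint32_t)xdrs->data[1] << 16)
                 | ((uint32_t)xdrs->data[2] << 8)  |  (uint32_t)xdrs->data[3];
    xdrs->data += 4;
    xdrs->avail -= 4;
    if (len >= dst_size)                            /* leave room for the NUL */
        return -1;
    if (!safe_getbytes(dst, dst_size, xdrs, len))
        return -1;
    dst[len] = '\0';
    return (long)len;
}

/* Constructed packets: a well-formed 5-byte string, and a malformed one whose
 * length field 0xFFFFFFF0 reads as -16 once narrowed to a signed int. */
static const unsigned char GOOD_PKT[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char BAD_PKT[]  = { 0xff, 0xff, 0xff, 0xf0 };

/* Parses one packet through the hardened path. */
long parse_packet(const unsigned char *pkt, size_t pkt_len, char *dst, size_t dst_size)
{
    struct xdr_stream s = { pkt, pkt_len };
    return read_string(dst, dst_size, &s);
}

/* 1 if the vulnerable check lets the malformed count through with a copy
 * length larger than the 32-byte destination, 0 otherwise. */
int vuln_check_admits_bad_count(void)
{
    struct xdr_stream s = { BAD_PKT, sizeof BAD_PKT };
    return vuln_getbytes_len(0xFFFFFFF0u, 32, &s) > 32;
}

int main(void)
{
    char buf[32];
    long n = parse_packet(GOOD_PKT, sizeof GOOD_PKT, buf, sizeof buf);
    printf("good packet, safe path: %ld bytes \"%s\"\n", n, n >= 0 ? buf : "");
    printf("bad packet, safe path: %ld (rejected)\n",
           parse_packet(BAD_PKT, sizeof BAD_PKT, buf, sizeof buf));
    printf("bad count admitted by vulnerable check: %d\n", vuln_check_admits_bad_count());
    return 0;
}
```

The check in `vuln_getbytes_len` does reject a plainly oversized positive count (say 1000 into a 32-byte buffer), which is why the bug survives casual testing; only counts at or above 0x80000000 slip past it, and those are exactly the ones an unauthenticated peer can put in a length field.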