[5155] in bugtraq


Re: MSQL 2.0.1 Bug

daemon@ATHENA.MIT.EDU (Dave Glowacki)
Thu Aug 14 07:12:53 1997

Date: 	Wed, 13 Aug 1997 10:12:06 -0500
Reply-To: Dave Glowacki <dglo@SSEC.WISC.EDU>
From: Dave Glowacki <dglo@SSEC.WISC.EDU>
X-To:         vempire <vempire@usa.net>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Tue, 12 Aug 1997 10:20:19 +1000." 
              <33EFAC43.2EC6C22@usa.net>

> Msql v2.0.1 can be killed off by telnetting into the port running msql on
> a remote system and pressing Ctrl-C.
>
> May require pressing Ctrl-C a few times...
>
> The msql server receives a kill sig and dies off.

Actually, the server receives an out-of-band msg inline, tries to translate
it into a 4-byte integer (ending up with a very large negative number) and
then uses that offset to set the "end" of the string to 0, causing a SIGSEGV.

The following patch adds code which checks for a negative offset and, if
found, returns an error.

*** net.c       1997/08/13 14:25:44     1.1
--- net.c       1997/08/13 14:36:39
***************
*** 158,163 ****
--- 158,169 ----
                alarm(0);
                return(-1);
        }
+       if (len < 0)
+       {
+               fprintf(stderr,"Packet too small (%d)\n", len);
+               alarm(0);
+               return(-1);
+       }
        remain = len;
        offset = 0;
        while(remain > 0)
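Review bot: the new `if (len < 0)` test rejects the negative length that the in-band OOB byte produces, but nothing in the hunk bounds `len` from above; if the `while(remain > 0)` loop that follows reads `len` bytes into a fixed-size buffer, a corrupted but positive length would still get past this check, so consider `if (len < 0 || len > MAX_PACKET_LEN)` with the buffer's real limit in place of the assumed name. The message `"Packet too small (%d)\n"` also misdescribes a negative length; `"Invalid packet length (%d)\n"` states what was actually detected.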

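The failure Dave describes above, written out as an added example that is not msql's code: the 4-byte length is decoded as a big-endian int32 (an assumption; the page does not show msql's encoding), a telnet interrupt read in-band decodes to a negative value, and the length is bounds-checked both below and above (the upper bound and the name `check_packet_len` are additions) before it is used as the offset of the string terminator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode the 4-byte length as big-endian (assumed). Bytes with the top bit
 * set, e.g. telnet's interrupt sequence IAC IP, IAC DM (0xFF 0xF4 0xFF 0xF2)
 * arriving in-band, reinterpret as a large negative number. */
int decode_len(const unsigned char hdr[4])
{
    uint32_t u = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    return (int)(int32_t)u;   /* two's-complement reinterpretation */
}

/* 0 if len is a usable offset into a bufsize-byte buffer (with room for the
 * terminating 0), else -1. The posted patch adds only the negative test;
 * the upper bound here is an extra check. */
int check_packet_len(int len, size_t bufsize)
{
    if (len < 0 || (size_t)len >= bufsize)
        return -1;
    return 0;
}

/* Copy len payload bytes and write the terminator at buf[len] only after
 * the offset is known to lie inside buf. Returns len, or -1 on rejection. */
int read_packet(const unsigned char hdr[4], const unsigned char *payload,
                char *buf, size_t bufsize)
{
    int len = decode_len(hdr);
    if (check_packet_len(len, bufsize) != 0) {
        fprintf(stderr, "Invalid packet length (%d)\n", len);
        return -1;
    }
    memcpy(buf, payload, (size_t)len);
    buf[len] = '\0';
    return len;
}

int main(void)
{
    /* constructed headers: a telnet interrupt seen as a length, and a real 5 */
    const unsigned char oob[4] = {0xFF, 0xF4, 0xFF, 0xF2}, five[4] = {0, 0, 0, 5};
    char buf[16];
    printf("oob decodes to %d, read_packet -> %d\n", decode_len(oob),
           read_packet(oob, (const unsigned char *)"", buf, sizeof buf));
    printf("five -> %d bytes: %s\n",
           read_packet(five, (const unsigned char *)"hello", buf, sizeof buf), buf);
    return 0;
}
```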