Actually, the server receives an out-of-band message inline, tries to translate
it into a 4-byte integer (ending up with a very large negative number) and
then uses that offset to set the "end" of the string to 0, causing a SIGSEGV.
The following patch adds code which checks for a negative offset and, if
found, returns an error.
*** net.c 1997/08/13 14:25:44 1.1
--- net.c 1997/08/13 14:36:39
***************
*** 158,163 ****
--- 158,169 ----
alarm(0);
return(-1);
}
+ if (len < 0)
+ {
+ fprintf(stderr,"Packet too small (%d)\n", len);
+ alarm(0);
+ return(-1);
+ }
remain = len;
offset = 0;
while(remain > 0)
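Review bot: the new check only bounds `len` from below, while the same untrusted field drives `remain = len;` and the read loop that follows; a large positive `len` from a hostile peer will still be consumed unless it is bounded against the receive buffer elsewhere, so an upper-bound test (`len` versus the buffer size, leaving room for the terminating 0) belongs in the same block. Two smaller points: the message `"Packet too small (%d)\n"` misdescribes the condition being caught (a negative length is malformed, not small), and the check is only meaningful if `len` is declared as a signed type; the hunk does not show its declaration, so confirm it is not `unsigned`, in which case `len < 0` is dead code and `%d` is the wrong format.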
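The fault described in the message, modelled as an added example that is not code from the original post or from the patched server's net.c: a 4-byte length field read off the wire is used as the offset at which the terminating 0 is written, so a field that decodes to a negative value sends the write far outside the buffer. The `validate_len` check mirrors the patch's `if (len < 0)` and adds the upper bound against the buffer size that the patch does not have. The big-endian decoding, the buffer size and the packet samples are assumptions made here for illustration.

```c
/* Added example: a constructed model of reading a 4-byte length field and
 * terminating the received string at that offset. Not the server's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECV_BUF_SIZE 1024   /* assumed receive buffer size; not from the post */

/* Decode a network-order 4-byte length field into a signed 32-bit value, as a
 * server that does ntohl() into an int would. A field with the high bit set
 * (e.g. an OOB byte landing in the header) comes out negative. The uint32 to
 * int32 conversion is implementation-defined but wraps on mainstream ABIs. */
int32_t decode_len(const unsigned char hdr[4])
{
    uint32_t u = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    return (int32_t)u;
}

/* The check the patch adds (len < 0), extended with the upper bound a
 * reviewer would also want. Returns 0 if buf[len] is a safe write. */
int validate_len(int32_t len, size_t bufsize)
{
    if (len < 0)
        return -1;                      /* the patch's case: negative offset */
    if ((size_t)len >= bufsize)
        return -1;                      /* no room for the terminating 0 */
    return 0;
}

/* Hardened receive: copy len payload bytes after the 4-byte header into buf
 * and write the terminating 0 at buf[len]. Returns the stored length, or -1
 * if the header is rejected or the packet is shorter than it claims. */
int receive_record(const unsigned char *pkt, size_t pktlen,
                   char *buf, size_t bufsize)
{
    if (pktlen < 4)
        return -1;
    int32_t len = decode_len(pkt);
    if (validate_len(len, bufsize) != 0)
        return -1;
    if ((size_t)len > pktlen - 4)
        return -1;                      /* truncated payload */
    memcpy(buf, pkt + 4, (size_t)len);
    buf[len] = '\0';                    /* safe: 0 <= len < bufsize */
    return len;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char PKT_VALID[]    = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char PKT_NEGATIVE[] = { 0xff, 0xff, 0xff, 0xf0, 'x' };  /* len = -16 */
static const unsigned char PKT_TOO_LONG[] = { 0x00, 0x00, 0x04, 0x00 };       /* len = 1024 */

int demo_valid(void)
{
    char buf[RECV_BUF_SIZE];
    int n = receive_record(PKT_VALID, sizeof PKT_VALID, buf, sizeof buf);
    return (n == 5 && strcmp(buf, "hello") == 0) ? n : -2;
}

int demo_negative(void)
{
    char buf[RECV_BUF_SIZE];
    return receive_record(PKT_NEGATIVE, sizeof PKT_NEGATIVE, buf, sizeof buf);
}

int demo_too_long(void)
{
    char buf[RECV_BUF_SIZE];
    return receive_record(PKT_TOO_LONG, sizeof PKT_TOO_LONG, buf, sizeof buf);
}

int main(void)
{
    printf("negative header decodes to %d\n", decode_len(PKT_NEGATIVE));
    printf("valid: %d, negative: %d, too long: %d\n",
           demo_valid(), demo_negative(), demo_too_long());
    return 0;
}
```

Without `validate_len`, the `buf[len] = '\0'` line is the crash in the message: with `len` of -16 the write lands before the buffer, and with a hostile large value it lands beyond it, which is why both bounds are checked before the offset is used.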