Segfault when receiving malformed packet from network [CORE6367] #6607
Submitted by: @AlexPeshkoff
In some *_getbytes() functions (serving the XDRs data stream), the parameter count (number of bytes to transfer) is an unsigned 32-bit integer, but inside the function code it is cast to a signed 32-bit integer. At the same time, the value of this parameter is taken from the network (something like a string length) and sent to that routine as is. Therefore, sending a very big integer can make the internal byte counter become negative, causing the buffer to be overwritten and damaging the stack.
Such an effect may be used to execute arbitrary code before authentication on the server.
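The signedness problem described in the report, shown as an added example that is not Firebird's code: a bounds comparison done on a signed copy of the wire-supplied count, next to a form that keeps the count unsigned and checks it before copying. The names `rx_stream`, `flawed_check_accepts`, `safe_getbytes` and `demo` are hypothetical, the sample bytes are constructed, and the sketch rejects short reads instead of refilling from the network.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical receive stream; names are assumptions, not Firebird's. */
typedef struct {
    const uint8_t *next;  /* next unread byte from the network */
    uint32_t handy;       /* unread bytes currently buffered */
} rx_stream;

/* Flawed pattern: the wire-supplied count becomes a signed counter, so a
   value above INT32_MAX turns negative (on two's-complement targets) and
   the "enough bytes buffered?" comparison succeeds. Returns 1 if accepted.
   No copy is performed here. */
int flawed_check_accepts(int32_t handy, uint32_t count)
{
    int32_t bytecount = (int32_t)count;
    return handy >= bytecount;
}

/* Hardened form: count stays unsigned and is bounded by both the caller's
   buffer capacity and the bytes actually buffered before any copy. */
int safe_getbytes(rx_stream *s, uint8_t *dst, size_t dst_cap, uint32_t count)
{
    if (count > dst_cap || count > s->handy)
        return 0;                 /* reject: would overrun dst or src */
    memcpy(dst, s->next, count);
    s->next += count;
    s->handy -= count;
    return 1;
}

/* Constructed sample: 4 payload bytes sitting in the receive buffer. */
static const uint8_t sample[4] = { 'a', 'b', 'c', 'd' };

/* Runs safe_getbytes on the sample with an 8-byte destination. */
int demo(uint32_t wire_count)
{
    uint8_t out[8];
    rx_stream s = { sample, (uint32_t)sizeof sample };
    return safe_getbytes(&s, out, sizeof out, wire_count);
}

int main(void)
{
    printf("flawed check accepts 0xFFFFFFF0: %d\n", flawed_check_accepts(4, 0xFFFFFFF0u));
    printf("safe_getbytes accepts 0xFFFFFFF0: %d\n", demo(0xFFFFFFF0u));
    printf("safe_getbytes accepts 4: %d\n", demo(4u));
    return 0;
}
```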