Backported fix for CORE-2437: Buffer overflow on client when delivering events

src/jrd/event.cpp

@@ -386,6 +386,12 @@ SLONG EVENT_que(ISC_STATUS* status_vector,
  * Functional description
  *
  **************************************/
+// Sanity check
+
+	if (events[0] != EPB_version1) {
+		ERR_post(isc_random, isc_arg_string, "Invalid EPB form", isc_arg_end);
+	}
+
 // Allocate request block
 
 	acquire();
@@ -423,6 +429,13 @@ SLONG EVENT_que(ISC_STATUS* status_vector,
 
 		const USHORT count = *p++;
 
+		/* Sanity check */
+
+		if (count > end - events) {
+			release();
+			ERR_post(isc_random, isc_arg_string, "Invalid EPB form", isc_arg_end);
+		}
+
 		/* The data in the event block may have trailing blanks.  Strip them off. */
 
         const UCHAR* find_end = p + count;

src/remote/interface.cpp

@@ -5668,11 +5668,19 @@ static void event_handler( rem_port* port)
 			P_EVENT* pevent = &packet.p_event;
 			RVNT event = find_event(port, pevent->p_event_rid);
 			if (event) {
-				/* Call the asynchronous trap function associated with the event. */
-
-				(*event->rvnt_ast) (event->rvnt_arg,
-									pevent->p_event_items.cstr_length,
-									pevent->p_event_items.cstr_address);
+				USHORT length = pevent->p_event_items.cstr_length;
+				if (length <= event->rvnt_length)
+				{
+					/* Call the asynchronous trap function associated with the event. */
+					(*event->rvnt_ast) (event->rvnt_arg,
+										length,
+										pevent->p_event_items.cstr_address);
+				}
+				/*
+				else {....
+				In general this is error condition, but we have absolutely no ways to report it.
+				Therefore simply ignore such bad packet.
+				*/
 
 				event->rvnt_id = 0;
 			}

src/remote/remote.h

@@ -150,7 +150,7 @@ typedef struct rvnt
 	SLONG		rvnt_rid;	/* used by server to store client-side id */
 	rem_port*	rvnt_port;	/* used to id server from whence async came */
 	const UCHAR*		rvnt_items;
-	SSHORT		rvnt_length;
+	USHORT		rvnt_length;
 } *RVNT;
 
 struct rem_vec