From d310e4685142b40167693757807c960be94c2f6a Mon Sep 17 00:00:00 2001
From: alexpeshkoff
Date: Tue, 2 Dec 2014 10:18:26 +0000
Subject: [PATCH] Fixed CORE-4630: Segfault in server caused by bad packet

---
 src/remote/protocol.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/remote/protocol.cpp b/src/remote/protocol.cpp
index 30df6bfe6b..e39b902a76 100644
--- a/src/remote/protocol.cpp
+++ b/src/remote/protocol.cpp
@@ -398,6 +398,8 @@ bool_t xdr_protocol(XDR* xdrs, PACKET* p)
 MAP(xdr_short, reinterpret_cast(response->p_resp_object));
 MAP(xdr_quad, response->p_resp_blob_id);
 MAP(xdr_cstring, response->p_resp_data);
+ if (!response->p_resp_status_vector) // incorrectly called - packet not prepared
+ return P_FALSE(xdrs, p);
 return xdr_status_vector(xdrs, response->p_resp_status_vector) ?
 P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
@@ -1652,9 +1654,12 @@ static bool_t xdr_status_vector(XDR* xdrs, ISC_STATUS* vector)
 SLONG vec;
 SCHAR* sp = NULL;
+ ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];
 while (true)
 {
+ if (vector >= end)
+ return FALSE;
 if (xdrs->x_op == XDR_ENCODE)
 vec = (SLONG) * vector++;
 if (!xdr_long(xdrs, &vec))
@@ -1670,6 +1675,8 @@ static bool_t xdr_status_vector(XDR* xdrs, ISC_STATUS* vector)
 case isc_arg_interpreted:
 case isc_arg_string:
 case isc_arg_sql_state:
+ if (vector >= end)
+ return FALSE;
 if (xdrs->x_op == XDR_ENCODE)
 {
 if (!xdr_wrapstring(xdrs, reinterpret_cast(vector++)))
@@ -1700,6 +1707,8 @@ static bool_t xdr_status_vector(XDR* xdrs, ISC_STATUS* vector)
 case isc_arg_number:
 default:
+ if (vector >= end)
+ return FALSE;
 if (xdrs->x_op == XDR_ENCODE)
 vec = (SLONG) * vector++;
 if (!xdr_long(xdrs, &vec))
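Review bot: The new bound in xdr_status_vector, `ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];`, hard-codes the caller's buffer size rather than taking it from the caller, so the overrun protection holds only while every decode-side caller passes a buffer of at least ISC_STATUS_LENGTH entries, and that contract is stated nowhere in the hunk. I would record it at the definition, e.g. `// vector must point at a buffer of at least ISC_STATUS_LENGTH entries; decoding returns FALSE once the packet would overrun it`, or better give the function a length parameter and derive end from it so the limit cannot drift from the allocation. The same early return is repeated in the two later hunks for the string and number cases, which is needed because vector advances inside the loop body, but on the decode path a FALSE return leaves the partially filled vector without an isc_arg_end terminator, so any caller that inspects the vector after a failed decode (not visible here) should be checked. xdr_status_vector begins before and continues after each of these hunks, and xdr_protocol likewise extends outside the first one.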