COMMAND

    mSQL

SYSTEMS AFFECTED

    Systems running mSQL

PROBLEM

    Stacey Son found the following quick and dirty DoS attack:

	(1) telnet <your_favorite_msql_server> 1114
	(2) type ^C (control C)

    This causes the server to dump core and exit.  The server receives
    the out-of-band message inline, tries to translate it into a 4-byte
    integer (ending up with a very large negative number), and then
    uses that value as the offset at which to set the "end" of the
    string to 0, causing a SIGSEGV.
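
    The failure mode described above next to a bounded read, as an added
    example (not mSQL's code). The header bytes are constructed, and the
    little-endian byte order, PKT_MAX and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_MAX 1024  /* hypothetical buffer size, not mSQL's real value */

/* Decode a 4-byte length header; little-endian order is an assumption. */
static uint32_t hdr_u32(const unsigned char h[4])
{
    return (uint32_t)h[0] | (uint32_t)h[1] << 8 |
           (uint32_t)h[2] << 16 | (uint32_t)h[3] << 24;
}

/* The value a signed 32-bit length variable holds for the same bytes. */
static int32_t hdr_signed(const unsigned char h[4])
{
    uint32_t u = hdr_u32(h);
    return u <= INT32_MAX ? (int32_t)u
                          : (int32_t)(-(int32_t)(UINT32_MAX - u) - 1);
}

/* Hardened form: the decoded length is checked against the buffer before
 * it is used as an index. Returns the payload length, or -1 if rejected. */
static int store_packet(const unsigned char h[4], const unsigned char *body,
                        size_t avail, char pkt[PKT_MAX])
{
    uint32_t len = hdr_u32(h);

    if (len >= PKT_MAX)      /* keep one byte for the terminating NUL */
        return -1;
    if (avail < len)         /* fewer payload bytes than the header claims */
        return -1;
    memcpy(pkt, body, len);
    pkt[len] = '\0';         /* index is now known to be inside pkt */
    return (int)len;
}

int main(void)
{
    /* Constructed headers: non-protocol bytes with the top bit set, and 5. */
    const unsigned char bad[4] = {0xff, 0xf4, 0xff, 0xfd};
    const unsigned char ok[4] = {5, 0, 0, 0};
    char pkt[PKT_MAX];

    printf("signed view of bad header: %ld\n", (long)hdr_signed(bad));
    printf("bad -> %d\n", store_packet(bad, (const unsigned char *)"", 0, pkt));
    printf("ok  -> %d\n", store_packet(ok, (const unsigned char *)"hello", 5, pkt));
    return 0;
}
```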

SOLUTION

    The patch (for version 2.0.1):

    *** net.c.orig  Mon Jul 28 14:19:30 1997
    --- net.c       Mon Jul 28 14:20:50 1997
    ***************
    *** 120,127 ****
	    int     fd;
      {
	    u_char   buf[4];
    !       int     len,
    !               remain,
		    offset,
		    numBytes;

    --- 120,127 ----
	    int     fd;
      {
	    u_char   buf[4];
    !       u_int   len;
    !       int     remain,
		    offset,
		    numBytes;
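
    Review bot: declaring `len` as `u_int` turns a negative header value
    into a very large positive one rather than rejecting it, so this only
    helps if `len` is compared against the buffer size before it is used
    as an index; no such check is visible in this hunk and it should be
    confirmed or added. `remain` stays `int`, so a later assignment from
    `len` converts any value above INT_MAX back to a negative number;
    bound `len` first or make `remain` unsigned as well.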

    The following patch adds code which checks for a negative offset
    and, if found, returns an error:

    *** net.c       1997/08/13 14:25:44     1.1
    --- net.c       1997/08/13 14:36:39
    ***************
    *** 158,163 ****
    --- 158,169 ----
		    alarm(0);
		    return(-1);
	    }
    +       if (len < 0)
    +       {
    +               fprintf(stderr,"Packet too small (%d)\n", len);
    +               alarm(0);
    +               return(-1);
    +       }
	    remain = len;
	    offset = 0;
	    while(remain > 0)
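
    Review bot: the added `if (len < 0)` test can never be true if the
    earlier change declaring `len` as `u_int` is also applied, so the two
    patches should be treated as alternatives, or this check rewritten as
    an upper bound on `len`. The `%d` format likewise assumes a signed
    `len`, and "Packet too small" is a misleading message for a malformed
    length header; something like "Bad packet length" would be clearer.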