Article ID: 248749
This article was previously published under Q248749
This article has been archived. It is offered "as is" and will no longer be updated.
BUG #: 53910 (SQLBUG_70)
Network packets filled with appropriately placed NULL bytes may cause an access violation (AV) within SQL Server, causing the process to terminate. Prior to terminating, SQL Server writes a stack dump to the error log with text similar to that shown below. Note that the Exception Address is in IGetFullEvent.
1999-12-17 09:22:13.20 server Using 'sqlimage.dll' version '4.0.5
Stack Dump being sent to d:\MSSQL7\log\SQL00009.dmp
1999-12-17 09:22:23.78 server process_commands: Process 496 generated fatal exception c0000005 EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process.
* BEGIN STACK DUMP:
* 12/17/99 09:22:23 spid 0
* Exception Address = 41061E40 (IGetFullEvent + 103)
* Exception Code = c0000005 E
* Access Violation occurred reading address 120B0000
The length of data in each Tabular Data Stream (TDS) packet is encoded in the packet header. SQL Server fails to handle a situation where the packet length encoded in the TDS header is less than the number of bytes already read from the network. In attempting to determine what events are contained within the packet, a signed arithmetic problem allows the server to read past the bounds of the network buffer size allocated for the client, causing the exception.
This exploit does not allow any data to be overwritten within the SQL Server address space. SQL Server correctly limits the number of bytes read to the network packet size, thus preventing any possible exploits due to a buffer overflow.
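The length validation the article describes is easy to show in code. The following is an added example written for this page in C; it is not Microsoft's code and is not taken from SQL Server. The TDS header layout it assumes (8-byte header, total packet length in big-endian order at bytes 2-3, header included) comes from Microsoft's public MS-TDS specification; the sample packets are constructed, not captured traffic. It contrasts the unchecked signed subtraction that goes negative when the declared length is smaller than the bytes already consumed with a hardened parser that rejects such a length before any count is derived from it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TDS packet header layout (from Microsoft's public MS-TDS specification):
 * byte 0 type, byte 1 status, bytes 2-3 total packet length in big-endian
 * order (header included), bytes 4-5 SPID, byte 6 packet id, byte 7 window. */
#define TDS_HEADER_LEN 8

enum {
    TDS_ERR_SHORT_HEADER          = -1,  /* fewer than 8 bytes received */
    TDS_ERR_LENGTH_BELOW_HEADER   = -2,  /* declared length < bytes already read */
    TDS_ERR_LENGTH_EXCEEDS_BUFFER = -3   /* declared length > bytes actually received */
};

/* The arithmetic the article describes, left unchecked: when the declared
 * length is smaller than the bytes already consumed, the signed subtraction
 * goes negative, and a loop that treats the result as a remaining-byte count
 * walks past the end of the receive buffer. */
int tds_remaining_unchecked(uint16_t declared_len, int bytes_already_read)
{
    return (int)declared_len - bytes_already_read;
}

/* Hardened version: validate the declared length against both bounds before
 * deriving any count from it. Returns the payload length (>= 0) or one of
 * the negative error codes above. */
long tds_payload_len(const uint8_t *buf, size_t buflen)
{
    if (buflen < TDS_HEADER_LEN)
        return TDS_ERR_SHORT_HEADER;
    uint16_t declared = (uint16_t)(((uint16_t)buf[2] << 8) | buf[3]);
    if (declared < TDS_HEADER_LEN)       /* shorter than what was already read */
        return TDS_ERR_LENGTH_BELOW_HEADER;
    if (declared > buflen)               /* beyond what was actually received */
        return TDS_ERR_LENGTH_EXCEEDS_BUFFER;
    return (long)declared - TDS_HEADER_LEN;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t WELL_FORMED[16] = {
    0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00,  /* length field = 16 */
    'p', 'a', 'y', 'l', 'o', 'a', 'd', '!' };
static const uint8_t ZEROED_LENGTH[16] = {
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,  /* length field overwritten with NULL bytes */
    'p', 'a', 'y', 'l', 'o', 'a', 'd', '!' };
static const uint8_t OVERLONG[16] = {
    0x01, 0x01, 0x00, 0x20, 0x00, 0x00, 0x01, 0x00,  /* length field = 32, only 16 bytes present */
    'p', 'a', 'y', 'l', 'o', 'a', 'd', '!' };

long demo_well_formed(void)   { return tds_payload_len(WELL_FORMED, sizeof WELL_FORMED); }
long demo_zeroed_length(void) { return tds_payload_len(ZEROED_LENGTH, sizeof ZEROED_LENGTH); }
long demo_overlong(void)      { return tds_payload_len(OVERLONG, sizeof OVERLONG); }

int main(void)
{
    printf("unchecked remaining count, length 0 after reading 8 bytes: %d\n",
           tds_remaining_unchecked(0, TDS_HEADER_LEN));
    printf("well-formed packet payload length: %ld\n", demo_well_formed());
    printf("zeroed length field: %ld\n", demo_zeroed_length());
    printf("overlong length field: %ld\n", demo_overlong());
    return 0;
}
```

The hardened function checks the length in both directions: a value below the header size is the case this article is about, while a value above the bytes received is the case the article says SQL Server already handled correctly by capping reads at the network packet size.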
To work around this problem, prevent access to the server from untrusted client computers. For example, if the server is used as part of an Internet Web site, place the SQL Server behind a firewall and filter any traffic to that host from untrusted computers. By default, SQL Server listens on TCP port 1433.
Microsoft has confirmed this to be a problem in SQL Server 7.0. This problem has been corrected in U.S. Service Pack 2 for Microsoft SQL Server 7.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
254561 INF: How to Obtain Service Pack 2 for Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 (http://support.microsoft.com/kb/254561/ )
For more information, contact your primary support provider.
TDS (Tabular Data Stream) is the proprietary format used to describe the data contained in all transmissions between a SQL Server client and the server.
The original report of this problem indicated that SQL Server would crash any time that three or more contiguous NULL bytes were in a TDS packet. This is not the case. In fact, many packets contain many more NULL bytes than this. The problem is specific to overwriting the portion of the TDS header that contains the packet length.
REFERENCES
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
247641 FIX: Trusted TCP/IP Socket Connection May Fail with Error Message 18452 (http://support.microsoft.com/kb/247641/EN-US/ )