FIX: Possible Denial of Service Attack with Appropriate NULL Bytes in TDS Header (248749)



The information in this article applies to:

  • Microsoft SQL Server 7.0

This article was previously published under Q248749
BUG #: 53910 (SQLBUG_70)

SYMPTOMS

Network packets filled with appropriately placed NULL bytes may cause an access violation (AV) within SQL Server, causing the process to terminate. Prior to terminating, SQL Server will print a stack dump to the error log with text similar to the text shown below. Note that the Exception Address is in IGetFullEvent.
1999-12-17 09:22:13.20 server Using 'sqlimage.dll' version '4.0.5
Stack Dump being sent to d:\MSSQL7\log\SQL00009.dmp
1999-12-17 09:22:23.78 server process_commands: Process 496 generated fatal exception c0000005 EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process.
**********************************************************************
*
*
* BEGIN STACK DUMP:
* 12/17/99 09:22:23 spid 0
*
* Exception Address = 41061E40 (IGetFullEvent + 103)
* Exception Code = c0000005 E
* Access Violation occurred reading address 120B0000

CAUSE

The length of each Tabular Data Stream (TDS) packet is encoded in the packet header. SQL Server fails to handle the case where the packet length encoded in the TDS header is smaller than the number of bytes already read from the network. When it then tries to determine which events the packet contains, the remaining length is computed with signed arithmetic, so the undersized header length yields a negative remainder that is treated as a large count, and the server reads past the end of the network buffer allocated for that client, causing the exception.
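The following is an added illustration of the length check described above; it is not code from SQL Server or from this article. It models the 8-byte TDS packet header as documented in the public MS-TDS specification (type, status, big-endian total length, SPID, packet id, window), shows the signed-arithmetic remainder going negative when the header length is smaller than the bytes already consumed, and places the hardened validation beside it. The packet bytes, the buffer size and the helper names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TDS_HEADER_LEN   8
#define NET_PACKET_SIZE  4096   /* assumed size of the per-client network buffer */

/* 8-byte TDS packet header (layout per the public MS-TDS specification). */
struct tds_header {
    uint8_t  type;
    uint8_t  status;
    uint16_t length;    /* total packet length including this header, big-endian */
    uint16_t spid;
    uint8_t  packet_id;
    uint8_t  window;
};

/* Decode the header. Returns 0 on success, -1 if fewer than 8 bytes are available. */
int tds_parse_header(const uint8_t *buf, size_t n, struct tds_header *h)
{
    if (n < TDS_HEADER_LEN)
        return -1;
    h->type      = buf[0];
    h->status    = buf[1];
    h->length    = (uint16_t)((buf[2] << 8) | buf[3]);
    h->spid      = (uint16_t)((buf[4] << 8) | buf[5]);
    h->packet_id = buf[6];
    h->window    = buf[7];
    return 0;
}

/* Vulnerable computation, modelled on the CAUSE section: the bytes still to be
 * scanned for events are derived with signed arithmetic from the header length
 * and the bytes already consumed (here: the header itself). When length < 8 the
 * result is negative, and a loop bound of unsigned type sees a huge count. */
size_t vulnerable_remaining(const uint8_t *buf, size_t n)
{
    struct tds_header h;
    if (tds_parse_header(buf, n, &h) != 0)
        return 0;
    int remaining = (int)h.length - (int)TDS_HEADER_LEN;   /* may go negative */
    return (size_t)remaining;                               /* wraps to ~SIZE_MAX */
}

/* Hardened check: the header length must cover the header itself, must not be
 * smaller than what has already been read, and must fit the receive buffer. */
int tds_check_length(const struct tds_header *h, size_t bytes_read, size_t bufsize)
{
    if (h->length < TDS_HEADER_LEN) return -1;
    if (h->length < bytes_read)     return -1;
    if (h->length > bufsize)        return -1;
    return 0;
}

/* Safe payload length: validate before doing any arithmetic on the length.
 * Assumes the whole packet has been received into buf (n bytes). Returns the
 * payload length, or -1 if the packet must be rejected. */
long tds_payload_len(const uint8_t *buf, size_t n)
{
    struct tds_header h;
    if (tds_parse_header(buf, n, &h) != 0)                  return -1;
    if (n > NET_PACKET_SIZE)                                return -1;
    if (tds_check_length(&h, TDS_HEADER_LEN, n) != 0)       return -1;
    return (long)h.length - TDS_HEADER_LEN;
}

/* Constructed sample packets (not captures from the original report). */
const uint8_t sample_good[16] = {
    0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00,   /* length = 16 */
    'S', 'E', 'L', 'E', 'C', 'T', ' ', '1' };
const uint8_t sample_bad[16] = {
    0x01, 0x01, 0x00, 0x03, 0x00, 0x00, 0x01, 0x00,   /* length = 3 < 8 bytes already read */
    'S', 'E', 'L', 'E', 'C', 'T', ' ', '1' };
const uint8_t sample_null[16] = {
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,   /* NULL bytes over the length field */
    'S', 'E', 'L', 'E', 'C', 'T', ' ', '1' };

int main(void)
{
    printf("vulnerable remaining for bad packet: %zu bytes (buffer is %d)\n",
           vulnerable_remaining(sample_bad, sizeof sample_bad), NET_PACKET_SIZE);
    printf("hardened: good=%ld bad=%ld null=%ld (payload length, -1 = rejected)\n",
           tds_payload_len(sample_good, sizeof sample_good),
           tds_payload_len(sample_bad, sizeof sample_bad),
           tds_payload_len(sample_null, sizeof sample_null));
    return 0;
}
```

The vulnerable path never writes anything; it only produces an over-large read bound, which is consistent with the article's statement that the defect is a read past the buffer and not a buffer overflow. The hardened path rejects the packet before the length is used in any arithmetic.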

This defect does not allow any data to be overwritten within the SQL Server address space; it is an out-of-bounds read, not a write. SQL Server correctly limits the number of bytes read from the network to the network packet size, so the problem cannot be turned into a buffer overflow.

WORKAROUND

To work around this problem, prevent access to the server from untrusted client computers. For example, if the server is used as part of an Internet Web site, place the SQL Server behind a firewall and filter any traffic to that host from untrusted computers. By default, SQL Server listens on TCP port 1433.

STATUS

Microsoft has confirmed this to be a problem in SQL Server 7.0. This problem has been corrected in U.S. Service Pack 2 for Microsoft SQL Server 7.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

254561 INF: How to Obtain Service Pack 2 for Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0

For more information, contact your primary support provider.

MORE INFORMATION

Tabular Data Stream (TDS) is the proprietary format used to describe the data in all transmissions between a SQL Server client and the server. (Microsoft has since published the protocol as the MS-TDS specification.)

The original report of this problem indicated that SQL Server would crash any time three or more contiguous NULL bytes appeared in a TDS packet. This is not the case; many legitimate packets contain far more NULL bytes than this. The problem is specific to overwriting the portion of the TDS header that contains the packet length, so that the encoded length is smaller than the number of bytes the server has already read.

Dependencies

  • You must be running SQL Server 7.0 Service Pack 1 before applying this fix. The fix will be included in Service Pack 2 and later releases, so no action will be required when the system is upgraded to one of those releases.
  • Due to a prior change in Opends60.dll that the multiprotocol network library is dependent on, if you use this network library to make a trusted connection to SQL Server, you must also update the Ssmsrp70.dll file with the one included. If the two DLLs are not updated at the same time, all clients attempting a trusted multiprotocol connection to SQL Server will fail.

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

247641 FIX: Trusted TCP/IP Socket Connection May Fail with Error Message 18452


Modification Type: Major
Last Reviewed: 3/14/2006
Keywords:kbBug kbfix KB248749