
RabbitMQ integer overflow that leads to heap memory corruption - DyslexicAtheist
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18609
======
tonyg
Note this is for one of the client libraries - the C library, to be specific -
not the server (written predominantly in Erlang, a memory-safe language).

~~~
tonyg
(Furthermore, checking the git blame, it turns out this bug is my fault,
nearly a decade ago. Decoding a size_t out of the packet and then adding a
small constant (7) to it turns out to be able to overflow size_t ... sigh.
Programming in C should be against some kind of Geneva Convention.)
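The pattern tonyg describes (decode a length from the wire, add a small constant, use the sum as an allocation size) is easy to reproduce and easy to guard against. The following C program is an added illustration, not code from rabbitmq-c or from this thread: the 64-bit big-endian length field, the 7-byte pad (`HEADER_PAD`) and the negotiated frame limit are all assumptions chosen to show the wrap and the two checks that stop it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Small constant added to the decoded length, as in the thread. Treating it
 * as a 7-byte header pad is an assumption for this example only. */
#define HEADER_PAD ((size_t)7)

/* Constructed packets: an 8-byte big-endian length field and nothing else. */
static const uint8_t pkt_small[8]      = {0, 0, 0, 0, 0, 0, 0, 100};        /* len = 100 */
static const uint8_t pkt_over_limit[8] = {0, 0, 0, 0, 0x10, 0, 0, 0};       /* len = 2^28 */
static const uint8_t pkt_huge[8]       = {0xff, 0xff, 0xff, 0xff,
                                          0xff, 0xff, 0xff, 0xff};          /* len = 2^64-1 */

/* Decode a big-endian 64-bit length field (constructed wire format). */
static uint64_t read_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* The bug pattern: attacker-controlled length + constant, no check.
 * For pkt_huge this wraps to 6 on both 32- and 64-bit size_t, so a
 * subsequent allocation is tiny while the caller still believes the
 * payload is enormous: the heap corruption described on the CVE page. */
static size_t unchecked_frame_buffer_size(const uint8_t *pkt)
{
    return (size_t)read_be64(pkt) + HEADER_PAD;
}

/* Hardened version. Returns the buffer size, or 0 if the frame is rejected
 * (0 can never be a valid result because HEADER_PAD is non-zero). Two checks:
 *   1. the length must not exceed the negotiated maximum frame size, and
 *   2. the addition must not wrap, tested before it happens. */
static size_t safe_frame_buffer_size(const uint8_t *pkt, size_t pkt_len,
                                     size_t max_frame)
{
    if (pkt_len < 8)
        return 0;                              /* truncated header */
    uint64_t len = read_be64(pkt);
    if (len > max_frame)
        return 0;                              /* beyond negotiated limit */
    if (len > SIZE_MAX - HEADER_PAD)
        return 0;                              /* would wrap size_t */
    return (size_t)len + HEADER_PAD;
}

int main(void)
{
    const size_t max_frame = 131072;           /* assumed negotiated limit */
    printf("unchecked, huge length : %zu (wrapped)\n",
           unchecked_frame_buffer_size(pkt_huge));
    printf("checked, small length  : %zu\n",
           safe_frame_buffer_size(pkt_small, 8, max_frame));
    printf("checked, over limit    : %zu (rejected)\n",
           safe_frame_buffer_size(pkt_over_limit, 8, max_frame));
    printf("checked, huge length   : %zu (rejected)\n",
           safe_frame_buffer_size(pkt_huge, 8, max_frame));
    return 0;
}
```

The second check is the one that addresses the overflow directly; the first is the cheaper and more general defence, since a length bound negotiated with the peer rejects absurd sizes long before the arithmetic is reached.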

~~~
stinos
So it's a typical 'oh a size_t is big enough, I'm never going to have numbers
that big' bug? Not that I blame you, I've written enough of those.

~~~
tonyg
More of a "oh yeah, that's right, C doesn't have integers, just machine words,
and it doesn't help you avoid errors when you use machine words to simulate
integers" bug. Overflow? You get to keep both pieces.

------
hinkley
I figured this was some counter wrapping around but this is a size field, for
what looks like data?

Who is transporting 2GB files over RabbitMQ? I did not think that was a thing
reasonable people would do.

