[原文]Integer signedness error in certain older versions of the NeL library, as used in Mtp-Target 1.2.2 and earlier, and possibly other products, allows remote attackers to cause a denial of service (memory consumption or server crash) via a negative value in a STLport call, which is not caught by a signed comparison.
A remote overflow exists in Mtp Target. The NeL library fails to verify if the amount of memory to allocate, a user-supplied integer parameter, is less than 1,000,000 bytes. With a specially crafted request containing a negative value, an attacker can cause the server to allocate a large amount of memory through a call to STLport, resulting in a loss of availability of the server process.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Luigi Auriemma <email@example.com> is credited with the discovery of this issue.
Mtp-Target Mtp-Target 1.2.2
The Mtp-Target server is prone to a memory corruption vulnerability. The issue exists because a comparison fails to ensure that an integer value parameter retrieved from a client is signed. A check is made to ensure that the user-supplied value is less than 1000000 bytes. If the value passed is FFFFFFFFh, it is interpreted as a signed -1 and the check passes. The value is later used as an unsigned integer in a memory allocation operation. An allocation of 4.29 GB of data is attempted and the service crashes.
Immediate consequences of exploitation of this vulnerability are a denial of service.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.