VYPR
Unrated severity · NVD Advisory · Published Dec 1, 2019 · Updated Aug 5, 2024

CVE-2019-18609

Description

An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. There is an integer overflow that leads to heap memory corruption in the handling of CONNECTION_STATE_HEADER. A rogue server could return a malicious frame header that leads to a smaller target_size value than needed. This condition is then carried on to a memcpy function that copies too much data into a heap buffer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in rabbitmq-c 0.9.0 allows heap memory corruption via a crafted AMQP frame header.

Vulnerability

An integer overflow in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0 allows heap memory corruption. In the CONNECTION_STATE_HEADER state the client reads the 32-bit frame size out of the frame header it has just received and computes target_size as that value plus the fixed header and footer sizes. The addition is performed in 32-bit unsigned arithmetic before the result is widened to size_t, so a size field close to UINT32_MAX wraps to a value smaller than the header that has already been consumed. That wrapped target_size passes the subsequent frame_max bound check and is then carried into the memcpy that assembles the frame, so more data is copied into the heap buffer than it was sized for. [2]

Exploitation

The attacker must control the server side of the AMQP connection: either a rogue broker, or a man-in-the-middle on a connection that is not protected by TLS with server certificate verification. From that position the attacker sends a frame whose 7-byte header carries a size field large enough to wrap the target_size sum. No authentication and no user interaction beyond the client connecting are required. CONNECTION_STATE_HEADER is the state in which the client parses the header of every incoming frame, so the path is reached as soon as the server sends any frame, including during connection setup.

Impact

A successful attack corrupts heap memory inside the client process. The immediate effect is a crash (denial of service); with control over what is copied and a suitable heap layout it can lead to remote code execution. The compromise occurs at the privilege level of the application that embeds rabbitmq-c, which on the consumer side is often a service running with access to credentials and downstream systems.

Mitigation

The issue was fixed in commit fc85be7123050b91b054e45b91c78d3241a5047a, which reads the size field into a uint32_t and returns AMQP_STATUS_BAD_AMQP_DATA when it is greater than or equal to INT32_MAX before the addition takes place, so target_size can no longer wrap [2]. The fix shipped in v0.10.0 (released 2019-12-01, per the ChangeLog entry in commit ffe918a5fcef); users still on 0.9.0 should upgrade. There is no configuration workaround. Until the upgrade is in place, the only reduction in exposure is to connect solely to trusted brokers over TLS with server certificate verification enabled, which removes the man-in-the-middle route but offers no protection against a malicious broker.
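The arithmetic described under Vulnerability, Exploitation and Mitigation, as an added example that is not rabbitmq-c's own code: a self-contained model of the CONNECTION_STATE_HEADER step before and after the fix, fed a constructed 7-byte frame header. It assumes HEADER_SIZE is 7 and FOOTER_SIZE is 1 (the AMQP 0-9-1 frame header and frame-end octet; the page does not show these constants) and uses stand-in status values in place of the library's AMQP_STATUS_* enum.

```c
/* Added example (not rabbitmq-c source): models the CONNECTION_STATE_HEADER
 * arithmetic of amqp_handle_input before and after the CVE-2019-18609 fix.
 * Assumptions not shown on the page: HEADER_SIZE is 7 (1-byte type,
 * 2-byte channel, 4-byte size), FOOTER_SIZE is 1 (frame-end octet), and
 * the status constants below are stand-ins for the library's own values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_SIZE 7
#define FOOTER_SIZE 1
#define STATUS_OK 0
#define STATUS_BAD_AMQP_DATA (-2) /* stand-in for AMQP_STATUS_BAD_AMQP_DATA */

/* Big-endian 32-bit read, like amqp_d32(amqp_offset(raw_frame, 3)). */
static uint32_t d32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed input: a 7-byte frame header carrying the given size field. */
static void make_header(uint8_t out[HEADER_SIZE], uint32_t wire_size) {
  out[0] = 1;             /* frame type (method) */
  out[1] = 0; out[2] = 0; /* channel 0 */
  out[3] = (uint8_t)(wire_size >> 24);
  out[4] = (uint8_t)(wire_size >> 16);
  out[5] = (uint8_t)(wire_size >> 8);
  out[6] = (uint8_t)wire_size;
}

/* 0.9.0 logic: uint32_t + int is evaluated in 32 bits and wraps before the
 * result is widened to size_t, so a size near UINT32_MAX yields a tiny
 * target_size that passes the frame_max check. */
int header_before_fix(const uint8_t *raw_frame, int frame_max, size_t *target_size) {
  *target_size = d32(raw_frame + 3) + HEADER_SIZE + FOOTER_SIZE;
  if ((size_t)frame_max < *target_size) return STATUS_BAD_AMQP_DATA;
  return STATUS_OK;
}

/* Logic after fc85be7: sizes >= INT32_MAX are rejected before the addition,
 * so the sum stays far below 2^32 and cannot wrap. */
int header_after_fix(const uint8_t *raw_frame, int frame_max, size_t *target_size) {
  uint32_t frame_size = d32(raw_frame + 3);
  if (frame_size >= INT32_MAX) return STATUS_BAD_AMQP_DATA;
  *target_size = frame_size + HEADER_SIZE + FOOTER_SIZE;
  if ((size_t)frame_max < *target_size) return STATUS_BAD_AMQP_DATA;
  return STATUS_OK;
}

/* Wrappers that build the header from a size field, for main() and tests. */
int status_before_fix(uint32_t wire_size, int frame_max) {
  uint8_t h[HEADER_SIZE]; size_t t;
  make_header(h, wire_size);
  return header_before_fix(h, frame_max, &t);
}
int status_after_fix(uint32_t wire_size, int frame_max) {
  uint8_t h[HEADER_SIZE]; size_t t;
  make_header(h, wire_size);
  return header_after_fix(h, frame_max, &t);
}
size_t target_size_before_fix(uint32_t wire_size) {
  uint8_t h[HEADER_SIZE]; size_t t;
  make_header(h, wire_size);
  (void)header_before_fix(h, INT32_MAX, &t); /* large frame_max: never rejects on size */
  return t;
}

/* Only the top HEADER_SIZE + FOOTER_SIZE values of uint32_t make the sum wrap,
 * and each wraps to a target_size in 0..7, smaller than the 7 header bytes
 * already consumed. Returns how many of those sizes the handler accepts. */
int wrapping_sizes_accepted(int (*handler)(const uint8_t *, int, size_t *), int frame_max) {
  int accepted = 0;
  for (uint32_t s = UINT32_MAX - (HEADER_SIZE + FOOTER_SIZE) + 1; ; s++) {
    uint8_t h[HEADER_SIZE]; size_t t;
    make_header(h, s);
    if (handler(h, frame_max, &t) == STATUS_OK) accepted++;
    if (s == UINT32_MAX) break;
  }
  return accepted;
}

int main(void) {
  const int frame_max = 131072;             /* a typical negotiated frame_max */
  uint32_t evil = UINT32_MAX - HEADER_SIZE; /* 0xFFFFFFF8: wraps to 0 */
  printf("size 0x%08x: before fix status %d target_size %zu; after fix status %d\n",
         evil, status_before_fix(evil, frame_max), target_size_before_fix(evil),
         status_after_fix(evil, frame_max));
  printf("wrapping sizes accepted: before %d, after %d\n",
         wrapping_sizes_accepted(header_before_fix, frame_max),
         wrapping_sizes_accepted(header_after_fix, frame_max));
  return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall`). The before-fix handler accepts all eight wrapping sizes with a target_size of 0 to 7, which is less than the header already consumed; that is the too-small value the description says is carried into the memcpy. The after-fix handler rejects every one of them before the addition, while sizes below INT32_MAX are still bounded by the unchanged frame_max comparison.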

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 2
ffe918a5fcef

Preparation for v0.10.0 release

https://github.com/alanxz/rabbitmq-c · Alan Antonuk · Dec 2, 2019 · via osv
3 files changed · +19 −4
  • ChangeLog.md · +15 −0 · modified
    @@ -1,4 +1,19 @@
     # Change Log
    +## v0.10.0 - 2019-12-01
    +## Added:
    +- amqp_ssl_socket_get_context can be used to get the current OpenSSL CTX*
    +    associated with a connection.
    +
    +## Changed:
    +- openssl: missing OpenSSL config is ignored as an OpenSSL init error (#523)
    +- AMQP_DEFAULT_MAX_CHANNELS is now set to 2047 to follow current default channel
    +    limit in the RabbitMQ broker. (#513)
    +
    +## Fixed:
    +- add additional input validation to prevent integer overflow when parsing a
    +    frame header. This addresses CVE-2019-18609.
    +
    +
     ## v0.9.0 - 2018-05-08
     ### Added:
     - amqp-publish: added support for specifying headers via the -H flag
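Review bot: the new v0.10.0 block uses `## Added:`, `## Changed:` and `## Fixed:` at the same heading level as the version line, while the v0.9.0 entry directly below uses `### Added:` for its subsections; demote the three new subsection headings to `###` so the changelog renders consistently. The "Fixed" bullet would also be easier to audit if it named the fixing commit next to the CVE id, since "additional input validation" does not tell a reader which check to look for.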
    
  • CMakeLists.txt · +3 −3 · modified
    @@ -16,9 +16,9 @@ set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${CMAKE_CURRENT_SOURCE_DIR}/cmake)
     # 3. If any interfaces have been added since the last public release, then increment age.
     # 4. If any interfaces have been removed since the last public release, then set age to 0.
     
    -set(RMQ_SOVERSION_CURRENT   7)
    -set(RMQ_SOVERSION_REVISION  1)
    -set(RMQ_SOVERSION_AGE       3)
    +set(RMQ_SOVERSION_CURRENT   8)
    +set(RMQ_SOVERSION_REVISION  0)
    +set(RMQ_SOVERSION_AGE       4)
     
     math(EXPR RMQ_SOVERSION_MAJOR "${RMQ_SOVERSION_CURRENT} - ${RMQ_SOVERSION_AGE}")
     math(EXPR RMQ_SOVERSION_MINOR "${RMQ_SOVERSION_AGE}")
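Review bot: the bump to current 8, revision 0, age 4 follows rule 3 quoted above (an interface was added, none removed), and RMQ_SOVERSION_MAJOR stays at 8 − 4 = 4, so the soname does not change and distributions can ship the security fix as a drop-in replacement; please confirm in the commit message that no public interface was removed, since rule 4 would then require age to be reset to 0 rather than incremented.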
    
  • librabbitmq/amqp.h · +1 −1 · modified
    @@ -221,7 +221,7 @@ AMQP_BEGIN_DECLS
     #define AMQP_VERSION_MAJOR 0
     #define AMQP_VERSION_MINOR 10
     #define AMQP_VERSION_PATCH 0
    -#define AMQP_VERSION_IS_RELEASE 0
    +#define AMQP_VERSION_IS_RELEASE 1
     
     /**
      * \def AMQP_VERSION_CODE
    
fc85be712305

lib: check frame_size is >= INT32_MAX

https://github.com/alanxz/rabbitmq-c · Alan Antonuk · Nov 4, 2019 · via osv
1 file changed · +12 −3
  • librabbitmq/amqp_connection.c · +12 −3 · modified
    @@ -287,12 +287,21 @@ int amqp_handle_input(amqp_connection_state_t state, amqp_bytes_t received_data,
         case CONNECTION_STATE_HEADER: {
           amqp_channel_t channel;
           amqp_pool_t *channel_pool;
    -      /* frame length is 3 bytes in */
    +      uint32_t frame_size;
    +
           channel = amqp_d16(amqp_offset(raw_frame, 1));
     
    -      state->target_size =
    -          amqp_d32(amqp_offset(raw_frame, 3)) + HEADER_SIZE + FOOTER_SIZE;
    +      /* frame length is 3 bytes in */
    +      frame_size = amqp_d32(amqp_offset(raw_frame, 3));
    +      /* To prevent the target_size calculation below from overflowing, check
    +       * that the stated frame_size is smaller than a signed 32-bit. Given
    +       * the library only allows configuring frame_max as an int32_t, and
    +       * frame_size is uint32_t, the math below is safe from overflow. */
    +      if (frame_size >= INT32_MAX) {
    +        return AMQP_STATUS_BAD_AMQP_DATA;
    +      }
     
    +      state->target_size = frame_size + HEADER_SIZE + FOOTER_SIZE;
           if ((size_t)state->frame_max < state->target_size) {
             return AMQP_STATUS_BAD_AMQP_DATA;
           }
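Review bot: the guard `if (frame_size >= INT32_MAX)` bounds the size with a type-width constant even though the comparison that follows, `(size_t)state->frame_max < state->target_size`, is the check that is meant to bound frames; rejecting `frame_size > (uint32_t)state->frame_max` at this point would prevent the wrap just as well (the comment states frame_max is configured as an int32_t, so the sum cannot reach 2^32) and keep a single source of truth for the limit. If the INT32_MAX form is kept for clarity, add a regression test that feeds a header whose size field is near UINT32_MAX and asserts AMQP_STATUS_BAD_AMQP_DATA, since the removed code accepted exactly those sizes after target_size wrapped below frame_max.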
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0 (no linked articles in the index yet)