iconv-related crash (AFL) #274

Closed
hillu opened this issue May 10, 2020 · 2 comments
Labels: s2s-bug This bug affects the server-server protocol only

@hillu
Contributor

hillu commented May 10, 2020

I have been fuzzing ngircd using AFL a bit, based on inputs that are used in the testsuite. AFL has found input that can be used to crash a server that has been built with --with-iconv. My current hypothesis is that the crash happens because the iconv_t context that is passed into iconv is invalid (i.e. has not been initialized at all using iconv_open).

Build flags:

./configure --without-syslog --with-iconv CC=afl-clang

Run mode:

ngircd -n -f src/testsuite/ngircd-test1.conf

Input (id:000039,sig:11,src:002604,time:492868267,op:havoc,rep:8-min.txt):

PASS pwd1 0 0
SERVER ngircd.test.server3 0
:ngircd.test.server3 NJOIN 0 ngircd.test.server

Stacktrace:

#0  0x00007ffff7e0fadd in __gconv (cd=0x12591, inbuf=inbuf@entry=0x7fffffffc078, 
    inbufend=0x7fffffffc1bd "", outbuf=outbuf@entry=0x7fffffffc070, 
    outbufend=0x46a060 <Encoding_Buffer+512> "", irreversible=irreversible@entry=0x7fffffffc020)
    at gconv.c:38
#1  0x00007ffff7e0f477 in iconv (cd=<optimized out>, inbuf=0x7fffffffc078, 
    inbytesleft=0x7fffffffc088, outbuf=0x7fffffffc070, outbytesleft=0x7fffffffc080) at iconv.c:52
#2  0x00000000004224a9 in Convert_Message (Handle=0x12591, Message=0x7fffffffc1ae "No such channel")
    at conn-encoding.c:124
#3  Conn_EncodingTo (Conn=<optimized out>, Message=<optimized out>) at conn-encoding.c:186
#4  0x000000000041ecf0 in Conn_WriteStr (Idx=-1, Format=<optimized out>) at conn.c:870
#5  0x00000000004411d0 in IRC_WriteStrClientPrefix (Client=<optimized out>, Prefix=0x499120, 
    Format=<optimized out>) at irc-write.c:150
#6  0x0000000000440fa1 in IRC_WriteErrClient (Client=0x499120, Format=<optimized out>)
    at irc-write.c:73
#7  0x0000000000408a16 in Channel_Join (Client=0x499120, Name=0x47d87b "0") at channel.c:261
#8  0x000000000043ff0c in IRC_NJOIN (Client=0x47d6b0, Req=0x7fffffffd270) at irc-server.c:286
#9  0x0000000000447f17 in Handle_Request (Idx=<optimized out>, Req=0x7fffffffd270) at parse.c:544
#10 Parse_Request (Idx=7, Request=<optimized out>) at parse.c:267
#11 0x000000000041e788 in Handle_Buffer (Idx=7) at conn.c:1817
#12 0x00000000004206f9 in Read_Request (Idx=7) at conn.c:1650
#13 cb_clientserver (sock=7, what=<optimized out>) at conn.c:297
#14 0x0000000000424c30 in io_docallback (fd=7, what=<optimized out>) at io.c:924
#15 io_dispatch_epoll (tv=<optimized out>) at io.c:497
#16 io_dispatch (tv=<optimized out>) at io.c:896
#17 0x000000000041defd in Conn_Handler () at conn.c:766
#18 0x0000000000405489 in main (argc=<optimized out>, argv=<optimized out>) at ngircd.c:317
@alexbarton alexbarton added the bug Issue affects current expected functionality label May 10, 2020
@alexbarton alexbarton added this to the ngIRCd-26 milestone May 25, 2020
@alexbarton alexbarton self-assigned this May 31, 2020
@alexbarton alexbarton added s2s-bug This bug affects the server-server protocol only and removed bug Issue affects current expected functionality labels May 31, 2020
@alexbarton
Member

Actually, the error happens way before iconv() comes into play at all:

You want to add the server „ngircd.test.server“ to a channel named „0“ – so both parameters to NJOIN are invalid: an invalid client type and an invalid channel name …

ngIRCd tries to join that server to the channel, fails, and wants to write an error to connection index -1 – which is the connection index signaling „no connection“ – in this case for the client structure of the local server „ngircd.test.server“.

This is closely related to #276 and #277: we trust the server-server protocol by design, and it is not an easy task to change this … so removing this bug from the ngIRCd 26 milestone.

Possible solution here: check channel name and nick to be valid, and disconnect peer if not.

@alexbarton alexbarton removed this from the ngIRCd-26 milestone May 31, 2020
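The checks proposed above (validate the NJOIN channel name and nick before acting on them, and never try to write a reply to connection index -1) as an added example; this is not ngIRCd code, and the function names, the RFC 2812 naming rules used here and the CONN_NONE constant are assumptions, with Idx == -1 taken from the stack trace in this issue.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define CHANNEL_MAX 50   /* RFC 2812 channel name length limit (assumption) */
#define NICK_MAX    9    /* RFC 2812 nick length limit; servers are often more lenient */
#define CONN_NONE   (-1) /* "no connection" index, as seen as Idx=-1 in the trace */

/* A channel name must start with '#', '&', '+' or '!' and may not contain
 * spaces, commas, BEL (0x07) or other control characters.
 * "0" is the JOIN "leave all channels" wildcard, not a channel name. */
bool njoin_channel_name_valid(const char *name)
{
    if (!name || !*name || !strchr("#&+!", name[0]))
        return false;
    size_t len = strlen(name);
    if (len < 2 || len > CHANNEL_MAX)
        return false;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == ' ' || c == ',' || c < 0x20)
            return false;
    }
    return true;
}

static bool nick_special(char c) { return strchr("[]\\`_^{|}", c) != NULL; }

/* RFC 2812 nickname: a letter or special first, then letters, digits,
 * specials or '-'. A dotted server name like "ngircd.test.server" fails
 * here, which is exactly the server-as-user case from this report. */
bool njoin_nick_valid(const char *nick)
{
    if (!nick || !*nick || strlen(nick) > NICK_MAX)
        return false;
    if (!isalpha((unsigned char)nick[0]) && !nick_special(nick[0]))
        return false;
    for (size_t i = 1; nick[i]; i++) {
        unsigned char c = (unsigned char)nick[i];
        if (!isalnum(c) && !nick_special((char)c) && c != '-')
            return false;
    }
    return true;
}

/* Decision for the peer: any invalid NJOIN parameter means "disconnect". */
bool njoin_should_disconnect_peer(const char *chan, const char *nick)
{
    return !njoin_channel_name_valid(chan) || !njoin_nick_valid(nick);
}

/* Guard for the write path: a client with no connection gets no reply
 * instead of handing Idx == -1 down to the encoding layer. */
bool conn_can_write_err(int idx) { return idx != CONN_NONE && idx >= 0; }
```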
@alexbarton
Member

Closing this bug report as "won't fix": this only affects the server-server protocol and can't happen during normal operation (without "faking" a buggy server). And the server-server protocol is "secure by definition".

@alexbarton alexbarton closed this as not planned Jan 2, 2023