I have been fuzzing ngircd using AFL a bit, based on inputs that are used in the testsuite. AFL has found input that can be used to crash a server that has been built with --with-iconv. My current hypothesis is that the crash happens because the iconv_t context that is passed into iconv is invalid (i.e. has not been initialized at all using iconv_open).
Build flags:
Run mode:
Input (id:000039,sig:11,src:002604,time:492868267,op:havoc,rep:8-min.txt):
Stacktrace:
#0 0x00007ffff7e0fadd in __gconv (cd=0x12591, inbuf=inbuf@entry=0x7fffffffc078,
inbufend=0x7fffffffc1bd "", outbuf=outbuf@entry=0x7fffffffc070,
outbufend=0x46a060 <Encoding_Buffer+512> "", irreversible=irreversible@entry=0x7fffffffc020)
at gconv.c:38
#1 0x00007ffff7e0f477 in iconv (cd=<optimized out>, inbuf=0x7fffffffc078,
inbytesleft=0x7fffffffc088, outbuf=0x7fffffffc070, outbytesleft=0x7fffffffc080) at iconv.c:52
#2 0x00000000004224a9 in Convert_Message (Handle=0x12591, Message=0x7fffffffc1ae "No such channel")
at conn-encoding.c:124
#3 Conn_EncodingTo (Conn=<optimized out>, Message=<optimized out>) at conn-encoding.c:186
#4 0x000000000041ecf0 in Conn_WriteStr (Idx=-1, Format=<optimized out>) at conn.c:870
#5 0x00000000004411d0 in IRC_WriteStrClientPrefix (Client=<optimized out>, Prefix=0x499120,
Format=<optimized out>) at irc-write.c:150
#6 0x0000000000440fa1 in IRC_WriteErrClient (Client=0x499120, Format=<optimized out>)
at irc-write.c:73
#7 0x0000000000408a16 in Channel_Join (Client=0x499120, Name=0x47d87b "0") at channel.c:261
#8 0x000000000043ff0c in IRC_NJOIN (Client=0x47d6b0, Req=0x7fffffffd270) at irc-server.c:286
#9 0x0000000000447f17 in Handle_Request (Idx=<optimized out>, Req=0x7fffffffd270) at parse.c:544
#10 Parse_Request (Idx=7, Request=<optimized out>) at parse.c:267
#11 0x000000000041e788 in Handle_Buffer (Idx=7) at conn.c:1817
#12 0x00000000004206f9 in Read_Request (Idx=7) at conn.c:1650
#13 cb_clientserver (sock=7, what=<optimized out>) at conn.c:297
#14 0x0000000000424c30 in io_docallback (fd=7, what=<optimized out>) at io.c:924
#15 io_dispatch_epoll (tv=<optimized out>) at io.c:497
#16 io_dispatch (tv=<optimized out>) at io.c:896
#17 0x000000000041defd in Conn_Handler () at conn.c:766
#18 0x0000000000405489 in main (argc=<optimized out>, argv=<optimized out>) at ngircd.c:317
alexbarton added the s2s-bug label (This bug affects the server-server protocol only) and removed the bug label (Issue affects current expected functionality) on May 31, 2020.
Actually, the error happens way before iconv() comes into play at all:
You want to add the server "ngircd.test.server" to a channel named "0" – so both parameters to NJOIN are invalid: an invalid client type and an invalid channel name …
ngIRCd tries to join that server to the channel, fails, and wants to write an error to connection index -1 – which is the connection index signaling "no connection" – in this case for the client structure of the local server "ngircd.test.server".
This is closely related to #276 and #277: we trust the server-server protocol by design, and it is not an easy task to change this … so removing this bug from the ngIRCd 26 milestone.
Possible solution here: check channel name and nick to be valid, and disconnect peer if not.
Closing this bug report as "won't fix": this only affects the server-server protocol and can't happen during normal operation (without "faking" a buggy server). And the server-server protocol is "secure by definition".
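The fix suggested above (check that the channel name and every nick in a server-to-server NJOIN are valid before acting on it, and disconnect the peer if they are not), written out as an added example in C. This is not ngIRCd's own code: the function names, the NONE sentinel standing in for the "no connection" index -1 seen in the backtrace, the return convention, the handling of "@"/"+" prefixes in the nick list, and the sample NJOIN parameters are all assumptions for the example. The name rules follow RFC 2812 (channel prefix characters and forbidden characters; nickname grammar with a 9-character limit) rather than ngIRCd's configurable limits. The second guard addresses the other half of the crash path: an error for a client that has no connection is dropped instead of being written to index -1.

```c
/* Added example, not ngIRCd code: validate NJOIN parameters up front and
 * refuse to write to the "no connection" index. Names, the NONE sentinel
 * and the sample inputs are assumptions modelled on the backtrace above. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NONE (-1)   /* hypothetical "no connection" index, like Idx=-1 in Conn_WriteStr */

/* RFC 2812 1.3: a channel name starts with '&', '#', '+' or '!', is at most
 * 50 characters long and contains no space, BEL (0x07), comma or control char.
 * The name "0" from the crashing input fails the prefix check. */
static bool is_valid_channel_name(const char *name)
{
    if (!name || !*name) return false;
    if (strchr("&#+!", name[0]) == NULL) return false;
    size_t len = strlen(name);
    if (len > 50) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == ' ' || c == 0x07 || c == ',' || c < 0x20) return false;
    }
    return true;
}

static bool is_special(unsigned char c)
{
    return strchr("[]\\`_^{|}", c) != NULL;
}

/* RFC 2812 2.3.1: nickname = ( letter / special ) *8( letter / digit / special / "-" ).
 * A server name such as "ngircd.test.server" is rejected (too long, contains '.'). */
static bool is_valid_nick(const char *nick)
{
    if (!nick || !*nick) return false;
    size_t len = strlen(nick);
    if (len > 9) return false;
    unsigned char c0 = (unsigned char)nick[0];
    if (!isalpha(c0) && !is_special(c0)) return false;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)nick[i];
        if (!isalnum(c) && !is_special(c) && c != '-') return false;
    }
    return true;
}

/* Handle "NJOIN <channel> :<nick>[,<nick>...]" the way the suggested fix would:
 * validate everything first and touch no channel state if anything is wrong.
 * Returns the number of validated nicks, or -1 meaning "disconnect the peer". */
static int handle_njoin(const char *channel, const char *nicklist)
{
    if (!is_valid_channel_name(channel)) return -1;
    if (!nicklist || !*nicklist) return -1;

    int count = 0;
    const char *p = nicklist;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        char nick[64];
        if (n == 0 || n >= sizeof nick) return -1;   /* empty or oversized entry */
        memcpy(nick, p, n);
        nick[n] = '\0';
        /* RFC 2813 NJOIN entries may carry "@" (op) / "+" (voice) prefixes. */
        const char *q = nick;
        while (*q == '@' || *q == '+') q++;
        if (!is_valid_nick(q)) return -1;
        count++;
        p = end ? end + 1 : p + n;
    }
    return count;
}

/* Guard for the write side of the crash: a client whose connection index is
 * NONE (e.g. the local server's own client structure) gets nothing sent.
 * Returns false when the message was dropped. */
static bool write_err_to_conn(int idx, const char *msg)
{
    if (idx == NONE) return false;
    printf("-> conn %d: %s\n", idx, msg);
    return true;
}

int main(void)
{
    /* Constructed inputs: the crashing shape from the report, then a sane one. */
    int r = handle_njoin("0", "ngircd.test.server");
    printf("NJOIN 0 :ngircd.test.server -> %s\n", r < 0 ? "disconnect peer" : "ok");
    r = handle_njoin("#test", "@alice,+bob,carol");
    printf("NJOIN #test :@alice,+bob,carol -> %d nicks\n", r);
    write_err_to_conn(NONE, "No such channel");   /* dropped, not a crash */
    return 0;
}
```

The validation deliberately runs over the whole nick list before any nick is joined, so a malformed entry in the middle never leaves the channel half-populated; the peer that sent it is the only thing that should be affected.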