
Conn_Write: out-of-bounds index access (AFL + libdislocate) #277

Closed
hillu opened this issue May 12, 2020 · 2 comments
Labels
s2s-bug This bug affects the server-server protocol only

Comments

@hillu (Contributor)

hillu commented May 12, 2020

I have found an out-of-bounds error by fuzzing ngircd using AFL and libdislocate (a custom memory allocator). Conn_Write is called with Idx=-1 which leads to a crash when accessing My_Connections[Idx].sock.

The binary is built from rel-26-rc1 with patches to fix #275 and #276 and __AFL_INIT() patched into Conn_InitListeners in order to support afl-clang-fast.

Build flags:

./configure --without-syslog CC=afl-clang-fast

Run mode:

ngircd -n -f src/testsuite/ngircd-test1.conf

Input (id:000000,sig:11,src:001568,time:131476447,op:ext_AO,pos:224-min.txt):

PASS pwd1 0000-IRC+ |:CHL 0
SERVER ngircd.test.server3 :
: 376 ngircd.test.server :
:ngircd.test.server3 NICK Nic0N00e 0 0 0 1 0 :
:ngircd.test.server3 NJOIN #00000 :@Nic0N00e
:ngircd.test.server3 NJOIN 0 :ngircd.test.server!

Stacktrace:

#0  0x000000000041eb58 in Conn_Write (Idx=-1, Data=<optimized out>, Len=63) at conn.c:937
#1  Conn_WriteStr (Idx=-1, Format=<optimized out>) at conn.c:885
#2  0x00000000004404a0 in IRC_WriteStrClientPrefix (Client=<optimized out>, Prefix=0x7ffff7ce9e60, Format=<optimized out>) at irc-write.c:150
#3  0x0000000000440271 in IRC_WriteErrClient (Client=0x7ffff7ce9e60, Format=<optimized out>) at irc-write.c:73
#4  0x0000000000408966 in Channel_Join (Client=0x7ffff7ce9e60, Name=0x7ffff7cbdef2 "0") at channel.c:261
#5  0x000000000043f1dc in IRC_NJOIN (Client=0x7ffff7cbfe60, Req=0x7fffffffdff0) at irc-server.c:286
#6  0x00000000004471d7 in Handle_Request (Idx=<optimized out>, Req=0x7fffffffdff0) at parse.c:544
#7  Parse_Request (Idx=7, Request=<optimized out>) at parse.c:267
#8  0x000000000041e618 in Handle_Buffer (Idx=7) at conn.c:1820
#9  0x000000000041d949 in Conn_Handler () at conn.c:687
#10 0x00000000004053d9 in main (argc=<optimized out>, argv=<optimized out>) at ngircd.c:317
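The crash above is an out-of-bounds read through an unchecked connection index: Conn_Write indexes My_Connections[] with Idx=-1, the value ngIRCd passes for a client that has no local connection. The following is an added example in plain C, not ngircd's code, that models a pool like My_Connections[] and shows the write path rejecting an out-of-range index before the array is touched; the names conn_index_valid, conn_write, conn_open, POOL_SIZE and the CONNECTION struct are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a connection pool indexed by a small integer,
 * shaped like the My_Connections[] array in the report. */
typedef int CONN_ID;
#define NONE (-1)        /* "no connection": the Idx=-1 seen in the trace */
#define POOL_SIZE 8

typedef struct {
    int sock;            /* <= 0 marks an unused slot */
    char wbuf[256];
    size_t wlen;
} CONNECTION;

static CONNECTION My_Connections[POOL_SIZE];

/* Range check that must run before any My_Connections[Idx] access. */
static bool conn_index_valid(CONN_ID Idx)
{
    return Idx >= 0 && Idx < POOL_SIZE;
}

/* Hardened write path. The reported Conn_Write read
 * My_Connections[Idx].sock directly, so Idx == -1 touched memory in
 * front of the array; here an out-of-range index is rejected first. */
static bool conn_write(CONN_ID Idx, const char *Data, size_t Len)
{
    if (!conn_index_valid(Idx))
        return false;    /* e.g. a server "client" with no local connection */
    CONNECTION *c = &My_Connections[Idx];
    if (c->sock <= 0)
        return false;    /* slot not in use */
    if (Len > sizeof(c->wbuf) - c->wlen)
        return false;    /* would overflow the write buffer */
    memcpy(c->wbuf + c->wlen, Data, Len);
    c->wlen += Len;
    return true;
}

/* Test helper: mark a slot as in use, applying the same range check. */
static bool conn_open(CONN_ID Idx, int sock)
{
    if (!conn_index_valid(Idx))
        return false;
    My_Connections[Idx].sock = sock;
    My_Connections[Idx].wlen = 0;
    return true;
}
```

With this guard the error-reply path from Channel_Join would simply drop the message for a client without a connection instead of reading My_Connections[-1].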
@alexbarton alexbarton added the bug Issue affects current expected functionality label May 13, 2020
@alexbarton alexbarton added this to the ngIRCd-26 milestone May 25, 2020
@alexbarton (Member)

This is closely related to pull request #276, pointing out bugs in IRC_NJOIN() and functions called from there – which is the case here, too: Channel_Join() somewhat "correctly" fails to add an IRC server to a channel (:ngircd.test.server3 NJOIN 0 :ngircd.test.server!).

This affects the server-server protocol only, so not sure how to proceed … see comments in #276!

Removing from the ngIRCd 26 milestone.

@alexbarton alexbarton removed this from the ngIRCd-26 milestone May 31, 2020
@alexbarton alexbarton self-assigned this May 31, 2020
@alexbarton alexbarton added s2s-bug This bug affects the server-server protocol only and removed bug Issue affects current expected functionality labels May 31, 2020
@alexbarton (Member)

Closing this bug report as "won't fix": this only affects the server-server protocol and can't happen during normal operation (without "faking" a buggy server). And the server-server protocol is "secure by definition".

@alexbarton alexbarton closed this as not planned (won't fix) Jan 2, 2023