I have found an out-of-bounds error by fuzzing ngircd using AFL and libdislocate (a custom memory allocator). Conn_Write is called with Idx=-1 which leads to a crash when accessing My_Connections[Idx].sock.
The binary is built from rel-26-rc1 with patches to fix #275 and #276 and __AFL_INIT() patched into Conn_InitListeners in order to support afl-clang-fast.
#0 0x000000000041eb58 in Conn_Write (Idx=-1, Data=<optimized out>, Len=63) at conn.c:937
#1 Conn_WriteStr (Idx=-1, Format=<optimized out>) at conn.c:885
#2 0x00000000004404a0 in IRC_WriteStrClientPrefix (Client=<optimized out>, Prefix=0x7ffff7ce9e60, Format=<optimized out>) at irc-write.c:150
#3 0x0000000000440271 in IRC_WriteErrClient (Client=0x7ffff7ce9e60, Format=<optimized out>) at irc-write.c:73
#4 0x0000000000408966 in Channel_Join (Client=0x7ffff7ce9e60, Name=0x7ffff7cbdef2 "0") at channel.c:261
#5 0x000000000043f1dc in IRC_NJOIN (Client=0x7ffff7cbfe60, Req=0x7fffffffdff0) at irc-server.c:286
#6 0x00000000004471d7 in Handle_Request (Idx=<optimized out>, Req=0x7fffffffdff0) at parse.c:544
#7 Parse_Request (Idx=7, Request=<optimized out>) at parse.c:267
#8 0x000000000041e618 in Handle_Buffer (Idx=7) at conn.c:1820
#9 0x000000000041d949 in Conn_Handler () at conn.c:687
#10 0x00000000004053d9 in main (argc=<optimized out>, argv=<optimized out>) at ngircd.c:317
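The trace above ends in a writer that indexes a connection table with the sentinel value -1 ("no connection") passed straight through from a server client. The following is an added illustration, not ngircd's code: a constructed connection table with a writer that validates the index before touching the array, so a caller that resolves a server client to NONE gets a failed write instead of an out-of-bounds read. All names here (conn_write_checked, write_err_client, MAX_CONNS, the struct layouts) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NONE (-1)          /* sentinel: client has no local connection (assumed) */
#define MAX_CONNS 8        /* constructed table size for the example */

typedef int CONN_ID;

struct connection {
    int sock;              /* -1 while the slot is unused */
    char wbuf[256];        /* pending output for this connection */
    size_t wlen;
};

struct client {
    const char *id;
    CONN_ID conn;          /* NONE for a remote client or a server */
};

static struct connection my_connections[MAX_CONNS];

/* Reset the table and open three constructed slots (fds 10, 11, 12). */
void conn_table_init(void)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        my_connections[i].sock = -1;
        my_connections[i].wlen = 0;
        my_connections[i].wbuf[0] = '\0';
    }
    for (int i = 0; i < 3; i++)
        my_connections[i].sock = 10 + i;
}

/* Defensive writer: check the index before it is used as a subscript.
 * The report's Idx=-1 is exactly the case the first test rejects. */
bool conn_write_checked(CONN_ID idx, const char *data, size_t len)
{
    if (idx < 0 || idx >= MAX_CONNS)      /* rejects NONE and any overrun */
        return false;
    struct connection *c = &my_connections[idx];
    if (c->sock < 0)                      /* slot is not open */
        return false;
    if (len > sizeof(c->wbuf) - c->wlen)  /* no room for the pending data */
        return false;
    memcpy(c->wbuf + c->wlen, data, len);
    c->wlen += len;
    return true;
}

/* Caller layer, mirroring the error-reply path in the trace: resolve the
 * client to its connection id and hand it to the writer. For a server
 * client the id is NONE, which is how the writer ends up with -1. */
bool write_err_client(const struct client *cl, const char *msg)
{
    return conn_write_checked(cl->conn, msg, strlen(msg));
}

/* Bytes queued on a slot; 0 for an invalid index. */
size_t conn_pending(CONN_ID idx)
{
    if (idx < 0 || idx >= MAX_CONNS)
        return 0;
    return my_connections[idx].wlen;
}
```

The point of the guard is that the index check lives in the writer, the lowest layer that subscripts the table, rather than in each of the callers (IRC_WriteErrClient, Channel_Join, IRC_NJOIN) that may pass a client without a local connection.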
This is closely related to pull request #276, pointing out bugs in IRC_NJOIN() and functions called from there – which is the case here, too: Channel_Join() somewhat „correctly“ fails to add an IRC server to a channel (:ngircd.test.server3 NJOIN 0 :ngircd.test.server!).
This affects the server-server protocol only, so not sure how to proceed … see comments in #276!
alexbarton added the s2s-bug label (This bug affects the server-server protocol only) and removed the bug label (Issue affects current expected functionality) on May 31, 2020.
Closing this bug report as "won't fix": this only affects the server-server protocol and can't happen during normal operation (without "faking" a buggy server). And the server-server protocol is "secure by definition".
Build flags, run mode, the AFL input file (id:000000,sig:11,src:001568,time:131476447,op:ext_AO,pos:224-min.txt) and the stack trace were attached to the original report.