Avoid calling IRC_KillClient with Client == NULL #276
Conversation
I'm not familiar enough with the ngircd codebase, so I am not entirely
sure if `Client` is the right variable to pass to `KillClient` or if
it should be `c` instead.
This crash (segfault) was found using American Fuzzy Lop.
Build flags:

```
./configure --without-syslog --with-iconv CC=afl-clang
```

Run mode:

```
ngircd -n -f src/testsuite/ngircd-test1.conf
```

Manually minimized input:

```
PASS pwd1 0210-IRC+ Cd|t0:CHLMSX P
SERVER ngircd.test.server3 :on
:ngi 376 ngircd.test.server
:ngircd.test.server3 NICK NickNa.e 1 ~ locst 1 + :e
:ngircd.test.server3 JOIN #Channel :e.eEN
:ngircd.test.server3 NICK NickName 1 ~ locst 1 + :e
:ngircd.test.server3 NJOIN #Channel :@Nickname,,,ngircd.test.server3!d
```

Stacktrace:

```
#0 Client_ID (Client=0x0) at client.c:707
#1 0x000000000042570c in IRC_KillClient (Client=0x0, From=0x0,
    Nick=0x7fffffffd00c "ngircd.test.server3!d", Reason=<optimized out>) at irc.c:379
#2 0x000000000044050a in IRC_NJOIN (Client=0x47d6b0, Req=0x7fffffffd260) at irc-server.c:291
#3 0x0000000000447eb7 in Handle_Request (Idx=<optimized out>, Req=0x7fffffffd260) at parse.c:544
#4 Parse_Request (Idx=7, Request=<optimized out>) at parse.c:267
#5 0x000000000041e788 in Handle_Buffer (Idx=7) at conn.c:1817
#6 0x00000000004206f9 in Read_Request (Idx=7) at conn.c:1650
#7 cb_clientserver (sock=7, what=<optimized out>) at conn.c:297
#8 0x0000000000424bd0 in io_docallback (fd=7, what=<optimized out>) at io.c:924
#9 io_dispatch_epoll (tv=<optimized out>) at io.c:497
#10 io_dispatch (tv=<optimized out>) at io.c:896
#11 0x000000000041defd in Conn_Handler () at conn.c:766
#12 0x0000000000405489 in main (argc=<optimized out>, argv=<optimized out>) at ngircd.c:317
```
I think this fix is wrong – as probably is the whole logic here … Calling So the bug is And here I'll have to look into that, but I think the bug is in So probably I’ll try to change the whole
To be honest, this is a big mess …
So what needs to be done?
Hm, this doesn’t fix this bug properly: Most probably it will prevent the crash by sending a bogus ERR_CANTKILLSERVER_MSG (see IRC_KillClient() ) to the peer, but the IRC network still gets out of sync …
BTW: even the „client not found, let’s just skip it“ logic is bogus: if we do this, the global IRC network state is out of sync, as this client is joined to that channel on some servers, but not on all! The only possible „solution“ is to enforce a net split, that is, disconnect the server from which we got commands that we weren’t able to handle …
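The "enforce a net split" handling described in the comment above, as an added example in C that is not ngIRCd's own code: the nick list of an NJOIN line is parsed and every entry looked up, and an unknown nick makes the handler report a desync to its caller (which would then drop the peer server link) instead of ever reaching a kill routine with a NULL client. The client table, `lookup_client()`, `handle_njoin_list()` and `NJOIN_DESYNC` are constructed stand-ins, not ngIRCd identifiers; the reproducer's NJOIN list from the description is used as sample input.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: IRC nicks compare case-insensitively */

typedef struct { const char *nick; } client_t;

/* Constructed client table standing in for the server's real client list;
 * "NickName" mirrors the NICK registered in the reproducer above. */
static const client_t known_clients[] = { { "NickName" }, { "Other" } };

/* Hypothetical case-insensitive nick lookup (stand-in for the real search). */
static const client_t *lookup_client(const char *nick)
{
    for (size_t i = 0; i < sizeof known_clients / sizeof known_clients[0]; i++)
        if (strcasecmp(known_clients[i].nick, nick) == 0)
            return &known_clients[i];
    return NULL;
}

enum { NJOIN_DESYNC = -1 };

/* Walk the member list of "NJOIN #chan :@nick1,+nick2,nick3" (hypothetical
 * helper). Channel status prefix characters are stripped before lookup.
 * Returns the number of resolved members, or NJOIN_DESYNC as soon as a nick
 * is unknown: the caller is expected to disconnect the peer server, and no
 * kill routine is ever called with a NULL client. */
int handle_njoin_list(const char *list)
{
    char buf[512];
    int joined = 0;

    if (strlen(list) >= sizeof buf)
        return NJOIN_DESYNC;          /* oversized line: treat as protocol error */
    strcpy(buf, list);

    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        while (*tok == '@' || *tok == '%' || *tok == '+' || *tok == '~')
            tok++;                    /* status prefix, not part of the nick */
        if (*tok == '\0')
            continue;                 /* prefix with no nick: nothing to join */
        if (lookup_client(tok) == NULL)
            return NJOIN_DESYNC;      /* unknown nick from a peer: state out of sync */
        joined++;
    }
    return joined;                    /* strtok already skips empty ",," entries */
}
```

With the reproducer's list, "Nickname" resolves case-insensitively but "ngircd.test.server3!d" does not, so the handler returns NJOIN_DESYNC rather than crashing.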
Will this be fixed anytime soon? I'm kind of worried about using ngIRCd when there's a known security bug in it.
Hi @DerDakon! As far as I know no one is working on this, at least I’m not. And I don’t see this as a security bug that much, as it only affects authenticated server-server connections: when you have a malicious but authenticated server in your network, all is lost anyway … the IRC server-server protocol is trusted by design, and this is especially true for ngIRCd. Regards
You probably meant @dkoao instead of me, no?
Ah nice, thank you for the elaboration.
Closing this pull request as "won't fix": this patch doesn't fix the issue, and the issue only affects the server-server protocol and can't happen during normal operation (without "faking" a buggy server). And the server-server protocol is "secure by definition". |