UnrealIRCd Bug Tracker
Mantis Bugtracker

ID: 0003913
Category: [unreal] ircd
Severity: crash
Reproducibility: have not tried
Date Submitted: 2010-06-19 20:43
Last Update: 2010-06-21 14:30
Reporter: Monk
View Status: public
Assigned To: syzop
Priority: normal
Resolution: fixed
Status: resolved
Product Version: 3.2.8
Summary: 0003913: Address out of bounds
Description: Crash that looks quite similar to 0003689

mindirc@srv1245 ~/lircd_drno > ./unreal backtrace
Core files available:
-rw------- 1 mindirc mindirc 7372800 2010-06-19 10:21 core.2991

=================== START HERE ======================
BACKTRACE:

warning: Can't read pathname for load map: Input/output error.
Core was generated by `/home/mindirc/lircd_drno/lircd_drno'.
Program terminated with signal 11, Segmentation fault.
[New process 2991]
#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 "tools.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {
#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 "tools.MindForge.org") at match.c:411
#1 0xb73c1695 in m_server_remote (cptr=0x8182308, sptr=0x81ac120, parc=5, parv=0x8129060) at m_server.c:520
#2 0xb73c1f01 in m_server (cptr=0x8182308, sptr=0x81ac120, parc=5, parv=0x8129060) at m_server.c:443
#3 0x0806c277 in parse (cptr=0x8182308, buffer=0x81823ec "@2M '", bufend=0x818241a "") at parse.c:440
#4 0x0806b458 in dopacket (cptr=0x8182308,
    buffer=0x80bc220 ":Ocean.MindForge.org SMO o :(\002link\002) Link Ocean.MindForge.org -> tools.MindForge.org[@127.0.0.1.60447] established\r\n@2M ' tools.MindForge.org 3 6 :MindForge Tools\r\n& eMuleChansDrop 3 !1C7E1T eMule Bot"..., length=328) at packet.c:138
#5 0x0805b47a in read_message (delay=1, listp=0x814c740) at s_bsd.c:1485
#6 0x0806640d in main (argc=0, argv=0xbfffebd4) at ircd.c:1793

#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 "tools.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {

0x81599e0 <backupbuf>: "@2M ' tools.MindForge.org 3 6 :MindForge Tools"

#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 "tools.MindForge.org") at match.c:411
No locals.
#1 0xb73c1695 in m_server_remote (cptr=0x8182308, sptr=0x81ac120, parc=5, parv=0x8129060) at m_server.c:520
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bcptr = <value optimized out>
        bconf = <value optimized out>
        hop = 3
        info = "MindForge Tools", '\0' <repeats 95 times>
        numeric = 6
        servername = 0x81823f2 "tools.MindForge.org"
        i = <value optimized out>
#2 0xb73c1f01 in m_server (cptr=0x8182308, sptr=0x81ac120, parc=5, parv=0x8129060) at m_server.c:443
        servername = 0x81823f2 "tools.MindForge.org"
        ch = <value optimized out>
        inpath = 0x8129c40 "Dr_Strangelove.MindForge.org[@127.0.0.1.0]"
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bconf = <value optimized out>
        hop = <value optimized out>
        numeric = <value optimized out>
        info = "H>· Á\032\b\b#\030\b8ßÿ¿\212;:·ÐYj\b\233´=·\211¿\024\bùYj\b\b$\030\b\001\000\000\000\030\037\030\b9\236¡\026¤\222\027\b\021\205\016\000\233´=·\211¿\024\b\b\220\027\b\032\000\000\0008ßÿ¿ä·\006\b\230\212\033\bð#\030\b\000\000\000\000&7\006\b\000\000\000\000'\000\000\000\213\034<·"
        aconf = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        deny = <value optimized out>
        flags = <value optimized out>
        protocol = <value optimized out>
        inf = <value optimized out>
        num = <value optimized out>
GCC: gcc version 4.3.2 (Debian 4.3.2-1.1)
UNAME: Linux srv1245.pingpipe.com 2.6.26-2-686 #1 SMP Wed May 12 21:56:10 UTC 2010 i686 GNU/Linux
UNREAL: Unreal3.2.8.1 build 1.1.1.1.2.26 2009/04/13 11:03:55
CORE: -rw------- 1 mindirc mindirc 7372800 2010-06-19 10:21 core.2991


Best regards,

Monk
Additional Information:
Tags: No tags attached.
3rd party modules:
QA: Not touched yet by developer
U4: Need for upstream patch: No need for upstream InspIRCd patch
U4: Upstream notification of bug: Not decided
U4: Contributor working on this: None
Attached Files:

Relationships

Notes
(0016118)
syzop (administrator)
2010-06-19 21:01

Seems like a server was trying to link in, and when checking the deny { } blocks it went wrong.
More specifically, it seems one deny item in memory was freed or overwritten.

Could you paste your deny {} blocks? Perhaps we can get some clue as to why this happened :)

Also, could you send me the following files (as .tar.gz, or upload them somewhere) to syzop@vulnscan.org:
1. core file (core.2991)
2. ircd binary (/home/mindirc/lircd_drno/lircd_drno)
3. the commands.so

I can't guarantee that we will find the real cause, but let's try...

Thanks.
(0016121)
Monk (reporter)
2010-06-21 06:29

Mail is sent. Here is a new one:

=================== START HERE ======================
BACKTRACE:

warning: Can't read pathname for load map: Input/output error.
Core was generated by `/home/mindirc/lircd_drno/lircd_drno'.
Program terminated with signal 11, Segmentation fault.
[New process 1955]
#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 "Ocean.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {
#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 "Ocean.MindForge.org") at match.c:411
#1 0xb742e695 in m_server_remote (cptr=0x81825d0, sptr=0x81825d0, parc=5, parv=0x8129060) at m_server.c:520
#2 0xb742ef01 in m_server (cptr=0x81825d0, sptr=0x81825d0, parc=5, parv=0x8129060) at m_server.c:443
#3 0x0806c277 in parse (cptr=0x81825d0, buffer=0x81826b4 "@3 '", bufend=0x81826e5 "") at parse.c:440
#4 0x0806b458 in dopacket (cptr=0x81825d0,
    buffer=0x80bc220 ":Dr_Strangelove.MindForge.org SMO o :(\002link\002) Secure link Dr_Strangelove.MindForge.org -> Ocean.MindForge.org[@80.82.209.67.0] established (SSLv3-AES256-SHA-256bits)\r\n@3 ' Ocean.MindForge.org 2 150 :i"..., length=685) at packet.c:138
#5 0x0805b47a in read_message (delay=1, listp=0x8147e20) at s_bsd.c:1485
#6 0x08066598 in main (argc=0, argv=0xbfffe3d4) at ircd.c:1812

#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 "Ocean.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {

0x81599e0 <backupbuf>: "@3 ' Ocean.MindForge.org 2 150 :irc.MindForge.org"

#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 "Ocean.MindForge.org") at match.c:411
No locals.
#1 0xb742e695 in m_server_remote (cptr=0x81825d0, sptr=0x81825d0, parc=5, parv=0x8129060) at m_server.c:520
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bcptr = <value optimized out>
        bconf = <value optimized out>
        hop = 2
        info = "irc.MindForge.org", '\0' <repeats 93 times>
        numeric = 150
        servername = 0x81826b9 "Ocean.MindForge.org"
        i = <value optimized out>
#2 0xb742ef01 in m_server (cptr=0x81825d0, sptr=0x81825d0, parc=5, parv=0x8129060) at m_server.c:443
        servername = 0x81826b9 "Ocean.MindForge.org"
        ch = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        inpath = 0x8129c40 "Dr_Strangelove.MindForge.org[@127.0.0.1.0]"
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bconf = <value optimized out>
        hop = <value optimized out>
        numeric = <value optimized out>
        info = "\030E·Ð%\030\bÐ%\030\b8×ÿ¿\212\vA·Øbk\b\233\204D·\211¿\024\b\001ck\bÙ&\030\b\001\000\000\000H+\030\bòС:¤\222\027\b\f\217\234\000\233\204D·\211¿\024\b\b\220\027\b\032\000\000\0008×ÿ¿ä·\006\bh\213\033\b·&\030\b\000\000\000\000&7\006\b\000\000\000\000'\000\000\000\213ìB·"
        aconf = <value optimized out>
        deny = <value optimized out>
        flags = <value optimized out>
        protocol = <value optimized out>
        inf = <value optimized out>
        num = <value optimized out>
GCC: gcc version 4.3.2 (Debian 4.3.2-1.1)
UNAME: Linux srv1245.pingpipe.com 2.6.26-2-686 #1 SMP Wed May 12 21:56:10 UTC 2010 i686 GNU/Linux
UNREAL: Unreal3.2.8.1 build 1.1.1.1.2.26 2009/04/13 11:03:55
CORE: -rw------- 1 mindirc mindirc 7286784 2010-06-20 15:41 core.1955
=================== STOP HERE ======================

Best regards,

Monk
(0016122)
syzop (administrator)
2010-06-21 10:28

It's indeed exactly the same as 0003689, and has nothing to do with deny link { } as I thought earlier (sorry was looking at the wrong spot).

That means the fix from back then for 3.2.8 didn't fix it as you are on 3.2.8.1.

I'm going to debug it further, really want to find this, thanks for the two tar.bz2's & info :)
(0016124)
syzop (administrator)
2010-06-21 14:30

Ok, that wasn't easy to trace, but it was a simple bug to fix once found.

Fixed in CVS .823, thanks for the report! :)

See this URL for the diff:
http://cvsweb.unrealircd.com/cgi-bin/cvsweb/unreal/src/modules/Attic/m_server.c.diff?r1=1.1.2.4.2.14;r2=1.1.2.4.2.15;f=h
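
An added triage example, not part of the original report or UnrealIRCd's code: it pulls every `<Address ... out of bounds>` argument out of a gdb backtrace and checks whether the pointer's in-memory bytes are printable ASCII, a common sign that string data overwrote the pointer. The function names are hypothetical, and the 4-byte little-endian layout is an assumption taken from the i686 UNAME line in the report.

```python
import re

# gdb prints an unreadable pointer argument as: mask=0x7265626d <Address 0x7265626d out of bounds>
BAD_PTR = re.compile(r"(\w+)=0x([0-9a-fA-F]+) <Address 0x\2 out of bounds>")

# Frame #0 of the two crashes, copied from the backtraces in this report.
SAMPLE = """\
#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 "tools.MindForge.org") at match.c:411
#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 "Ocean.MindForge.org") at match.c:411
"""


def pointer_as_text(value, width=4, byteorder="little"):
    """Return the pointer's in-memory bytes as text if all are printable ASCII, else None."""
    if value < 0 or value >= 1 << (8 * width):
        return None  # does not fit the assumed pointer size
    raw = value.to_bytes(width, byteorder)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(backtrace, width=4, byteorder="little"):
    """Map (argument name, pointer value) to decoded text for each out-of-bounds pointer."""
    findings = {}
    for name, hexval in BAD_PTR.findall(backtrace):
        value = int(hexval, 16)
        findings[(name, value)] = pointer_as_text(value, width, byteorder)
    return findings


if __name__ == "__main__":
    for (name, value), text in triage(SAMPLE).items():
        verdict = f"bytes spell {text!r}: pointer likely overwritten by string data" if text else "not ASCII"
        print(f"{name}=0x{value:08x}: {verdict}")
```

Both fault addresses in this report decode to text, while the valid `name` pointers in the same frames do not match at all because gdb could read them.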

Issue History
Date Modified Username Field Change
2010-06-19 20:43 Monk New Issue
2010-06-19 21:01 syzop Note Added: 0016118
2010-06-21 06:29 Monk Note Added: 0016121
2010-06-21 10:28 syzop Note Added: 0016122
2010-06-21 10:28 syzop Status new => assigned
2010-06-21 14:30 syzop QA => Not touched yet by developer
2010-06-21 14:30 syzop U4: Need for upstream patch => No need for upstream InspIRCd patch
2010-06-21 14:30 syzop Note Added: 0016124
2010-06-21 14:30 syzop Status assigned => resolved
2010-06-21 14:30 syzop Fixed in Version => 3.2.9
2010-06-21 14:30 syzop Resolution open => fixed
2010-06-21 14:30 syzop Assigned To => syzop

