View Issue Details

ID: 0002425
Project: unreal
Category: ircd
View Status: public
Last Update: 2005-03-14 12:01
Reporter: Dukat
Assigned To: syzop
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Linux
OS: Mandrake Linux
OS Version: 10.0
Product Version: 3.2.3
Target Version:
Fixed in Version: 3.2.4
Summary: 0002425: Segmentation fault on bad "badwords"
Description: The following entry in the config file will crash the IRCd on an exiting client:

badword quit { word "*[Firefox*"; replace "Client Exited"; };



It won't crash if you add it as a correct regexp:
badword quit { word ".*\[Firefox.*"; replace "Client Exited"; };


Additional Information: Mandrake running with security level "Paranoid".



Backtraces:
[..]
#0 0x080986a0 in tre_match ()
(gdb) bt
#0 0x080986a0 in tre_match ()
#1 0x080987cf in regnexec ()
(gdb) quit
[..more..]
Tags: No tags attached.
3rd party modules:

Activities

syzop

2005-03-14 11:04

administrator   ~0009594

Seems like a crash in TRE indeed.
Program received signal SIGSEGV, Segmentation fault.
0x080a82ed in tre_match (tnfa=0x0, string=0x80c13a0, len=4294967295, type=STR_BYTE, nmatch=1, pmatch=0xbffff718, eflags=0) at regexec.c:159
159       if (tnfa->num_tags > 0 && nmatch > 0)
(gdb) bt
#0  0x080a82ed in tre_match (tnfa=0x0, string=0x80c13a0, len=4294967295, type=STR_BYTE, nmatch=1, pmatch=0xbffff718, eflags=0) at regexec.c:159
#1  0x080a848f in regnexec (preg=0x81796e0, str=0x80c13a0 "kwit", len=4294967295, nmatch=1, pmatch=0xbffff718, eflags=0) at regexec.c:222
#2  0x080a84b3 in regexec (preg=0x81796e0, str=0x80c13a0 "kwit", nmatch=1, pmatch=0xbffff718, eflags=0) at regexec.c:229
#3  0x08054cdd in stripbadwords (str=0x816a682 "kwit", start_bw=0x81796c8, blocked=0xbffff784) at badwords.c:244
#4  0x08054ebb in stripbadwords_quit (str=0x816a682 "kwit", blocked=0xbffff784) at badwords.c:290
#5  0x002c571e in m_quit (cptr=0x816a598, sptr=0x816a598, parc=2, parv=0x812cee0) at m_quit.c:117
#6  0x08066a30 in parse (cptr=0x816a598, buffer=0x816a67c "QUIT", bufend=0x816a686 "") at parse.c:447
#7  0x08065646 in dopacket (cptr=0x816a598, buffer=0x812d8c0 "QUIT :kwit\n", length=0) at packet.c:138
#8  0x0806e6e0 in read_packet (cptr=0x816a598, rfd=0xbffff990) at s_bsd.c:1476
#9  0x0806f2cc in read_message (delay=1, listp=0x8146040) at s_bsd.c:1937
#10 0x0806045c in main (argc=0, argv=0xbffffb08) at ircd.c:1564
(gdb)

syzop

2005-03-14 11:07

administrator   ~0009595

Hm, I think I get it already.. unreal_checkregex() wasn't updated so it was (incorrectly) seen as a non-regex first, hence no error checking. fun.

syzop

2005-03-14 11:11

administrator   ~0009596

www.vulnscan.org/tmp/badregex_in_conf_crash.patch for a patch that fixes this.

Dukat

2005-03-14 11:18

reporter   ~0009597

Negative, that patch doesn't work.

syzop

2005-03-14 11:20

administrator   ~0009598

Last edited: 2005-03-14 11:21

works perfectly fine here :P.

[error] unrealircd.conf:360: badword::word contains an invalid regex: Missing ']'
[error] 1 errors encountered
[error] IRCd configuration failed to pass testing


Dukat

2005-03-14 11:22

reporter   ~0009599

Oh, sorry... I was only rehashing (doh)

It works, thanks :)
[error] unrealircd.conf:250: badword::word contains an invalid regex: Missing ']'

syzop

2005-03-14 11:25

administrator   ~0009600

ok, good :)

syzop

2005-03-14 12:01

administrator   ~0009601

Fixed in .346
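
Added example, not part of the original thread and not UnrealIRCd's code: a minimal sketch of the check this issue is about, using the POSIX regcomp()/regexec()/regerror() interface that appears in the backtrace. The pattern is compiled when the configuration is tested, a failure is reported as an error, and a rejected entry can never reach regexec(). The struct, the function names and the regcomp() flags are assumptions made for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical config entry; not UnrealIRCd's own structure. */
struct badword {
    regex_t re;
    int compiled;               /* 1 only after regcomp() succeeded */
};

/* Compile at config-test time. Returns 0 on success; otherwise the regcomp()
 * error code, with a readable message in errbuf for the config error line. */
int badword_load(struct badword *bw, const char *pattern,
                 char *errbuf, size_t errlen)
{
    int rc;
    memset(bw, 0, sizeof(*bw));
    if (errlen > 0) errbuf[0] = '\0';
    /* Flags are an assumption; the page does not show the ones the IRCd uses. */
    rc = regcomp(&bw->re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB);
    if (rc != 0) {
        regerror(rc, &bw->re, errbuf, errlen);
        return rc;
    }
    bw->compiled = 1;
    return 0;
}

/* 1 = match, 0 = no match, -1 = entry never compiled. The -1 path is what
 * keeps regexec() away from a regex_t that regcomp() rejected. */
int badword_match(const struct badword *bw, const char *text)
{
    if (!bw->compiled) return -1;
    return regexec(&bw->re, text, 0, NULL, 0) == 0 ? 1 : 0;
}

int main(void)
{
    /* The two patterns from the report: the broken one and the corrected one. */
    const char *patterns[] = { "*[Firefox*", ".*\\[Firefox.*" };
    char err[128];
    struct badword bw;
    for (int i = 0; i < 2; i++) {
        int rc = badword_load(&bw, patterns[i], err, sizeof(err));
        printf("%-16s load=%d match=%d %s\n", patterns[i], rc,
               badword_match(&bw, "Quit: [Firefox]"), err);
        if (bw.compiled) regfree(&bw.re);
    }
    return 0;
}
```

The exact error text for the broken pattern depends on the regex library and flags in use, so only the non-zero return code should be relied on.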

Issue History

Date Modified Username Field Change
2005-03-14 10:53 Dukat New Issue
2005-03-14 11:03 syzop View Status public => private
2005-03-14 11:04 syzop Note Added: 0009594
2005-03-14 11:07 syzop Note Added: 0009595
2005-03-14 11:11 syzop Note Added: 0009596
2005-03-14 11:18 Dukat Note Added: 0009597
2005-03-14 11:20 syzop Note Added: 0009598
2005-03-14 11:21 syzop Note Edited: 0009598
2005-03-14 11:22 Dukat Note Added: 0009599
2005-03-14 11:25 syzop Note Added: 0009600
2005-03-14 12:00 syzop View Status private => public
2005-03-14 12:01 syzop Additional Information Updated
2005-03-14 12:01 syzop Status new => resolved
2005-03-14 12:01 syzop Fixed in Version => 3.2.4
2005-03-14 12:01 syzop Resolution open => fixed
2005-03-14 12:01 syzop Assigned To => syzop
2005-03-14 12:01 syzop Note Added: 0009601