View Issue Details

IDProjectCategoryView StatusLast Update
0003738unrealircdpublic2009-05-13 06:36
ReporterDarth AndroidAssigned To 
PrioritynormalSeveritycrashReproducibilityalways
Status closedResolutionfixed 
Platformamd64OSUbuntuOS Version8.10
Product Version3.2.7-RC2 
Target VersionFixed in Version3.2.8 
Summary0003738: IRCd segfaults when linking to the network
DescriptionMy network contains the following servers:
1. Unreal 3.2.7 (ubuntu64)
2. Unreal 3.2.5 (openbsd32)
3. Unreal 3.2.7 (win32)

Server 2 is the hub server, and server 3 can link fine with server 2.
Server 1 segfaults when trying to connect to server 2, producing the attached backtrace.

server 1 also complains about an unknown server (the services server), so it seems that server 2 isn't sending server 1 a complete server list.

server 2 is in the middle of sending the list of active g-lines when server 1 segfaults.

Additional Informationdmesg contains the following regarding the segfault:
[2861628.081732] ircd[23816]: segfault at 0 rip 7f0cc19f8a01 rsp 7fffcad49b78 error 4
[2868922.336779] ircd[26606]: segfault at 0 rip 7fd707a6fa01 rsp 7fff10dc0be8 error 4
[2869074.114687] ircd[26654]: segfault at 0 rip 7f4f97cdfa01 rsp 7fffa1031e58 error 4

BACKTRACE:

warning: Can't read pathname for load map: Input/output error.
Core was generated by `/var/lib/ircd/Unreal3.2.7/src/ircd'.
Program terminated with signal 11, Segmentation fault.
[New process 26654]
#0 0x00007f4f97cdfa01 in strncpy () from /lib/libc.so.6
#0 0x00007f4f97cdfa01 in strncpy () from /lib/libc.so.6
#1 0x00007f4f97a14015 in _m_tkl (cptr=0x862180, sptr=0x862180, parc=9, parv=0x717aa0)
    at /usr/include/bits/string3.h:122
#2 0x0000000000425cdb in dopacket (cptr=0x862180, buffer=<value optimized out>, length=6307)
    at packet.c:138
#3 0x00000000004159cf in read_message (delay=1, listp=0x7493a0) at s_bsd.c:1475
#4 0x0000000000420d8b in main (argc=1225594408, argv=<value optimized out>) at ircd.c:1597

#0 0x00007f4f97cdfa01 in strncpy () from /lib/libc.so.6

0x74e3a0 <backupbuf>: ":zathur.dragon-fire.org BD + G * pool-70-104-245-88.ptldor.dsl-w.verizon.net Netham45!Netham45@Netham45.org 5565259448521326591 1222504225 :One Week ban"

#0 0x00007f4f97cdfa01 in strncpy () from /lib/libc.so.6
No symbol table info available.
#1 0x00007f4f97a14015 in _m_tkl (cptr=0x862180, sptr=0x862180, parc=9, parv=0x717aa0)
    at /usr/include/bits/string3.h:122
        tk = (aTKline *) 0x896950
        type = 5
        gmt = "Sat Sep 27 08:30:25 2008\n", '\0' <repeats 230 times>
        gmt2 = "0�y\000\000\000\000\000\224�y\000\000\000\000\000��y\000\000\000\000\000�y\000\000\000\000\000\217�\210\000\000\000\000\000`&\000\000\000\000\000\000`&\000\000f\002\000\000n&\000\000\000\000\000\000\000\203\036\230n�\000\000Pwr\000\000\000\000\000;\006\000\000\v\000\000\000Pwr\000\000\000\000\000�\025\000\000\000\000\000\000\006\000\f\000K\006\000\000��\006\000\000\000\000\000\032�\006\000\000\000\000\000<\v\000\000\000\000\000\000;�\000\000\000\000\000\000u�\002\000\000\000\000\000�\002\000\000\000\000\000\020qr\000\000\000\000\000�\033\000\000\000\000\000\000�e\206\000\000\000\000\000z\005\000\000\000\000\000\000 �y", '\0' <repeats 21 times>...
        txt = '\0' <repeats 16 times>, "\230\"\003��\177\000\000\236��\230O\177\000\000\000\000\000\000\000\000\000\000\a\000\000\000\000\000\000\000\000��\227O\177\000\000�\000\000\000\000\000\000\000\220e\211\000\000\000\000\000`f\211\000\000\000\000\000\200!\206\000\000\000\000\000`f\211\000\000\000\000\000\200!\206\000\000\000\000\000�\000\000\000\000\000\000\000\220e\211\000\000\000\000\000�\217�\227O\177\000\0000i\211\000\000\000\000\000�hHF\000\000\000\000`h\211\000\000\000\000\000\030\000\000\000\000\000\000\000\033", '\0' <repeats 15 times>, "�E\206\000\032\000\000\000��y\000\000\000\000\000\200!\206\000\000\000\000\000�m\036\230O\177\000\000�\"\206"...
        expiry_1 = 5565259448521326591
        setat_1 = 1222504225
        spamf_tklduration = 0
        reason = 0x862338 "One Week ban"
#2 0x0000000000425cdb in dopacket (cptr=0x862180, buffer=<value optimized out>, length=6307)
    at packet.c:138
        ch1 = 0x100 <Address 0x100 out of bounds>
        ch2 = 0x725eb8 "\n:zathur.dragon-fire.org BD + G * dante01.u.washington.edu Netham45!Netham45@Netham45.org 5565259446373842944 1217649843 :been warned enough times about that real-name. This is a perminant ban.\r\n:zath"...
        acpt = <value optimized out>
        zipped = 1
GCC: gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu10)
UNAME: Linux tinuvael 2.6.24-21-generic #1 SMP Mon Aug 25 16:57:51 UTC 2008 x86_64 GNU/Linux
UNREAL: Unreal3.2.7 build 1.1.1.1.2.1.2.1.2.2234.2.676 2007/07/13 10:43:04
CORE: -rw------- 1 irc irc 2703360 2008-11-01 21:54 core
TagsNo tags attached.
3rd party modules

Activities

syzop

2008-12-21 14:20

administrator   ~0015470

I think this is the cause:
:zathur.dragon-fire.org BD + G * pool-70-104-245-88.ptldor.dsl-w.verizon.net Netham45!Netham45@Netham45.org 5565259448521326591 1222504225 :One Week ban

The expiry time of that gline(?) is 5565259448521326591, which is quite out of range.. leading to asctime() returning NULL leading to a crash in strncpy.

syzop

2008-12-21 14:32

administrator   ~0015473

fixed in .722:
- Fix crash if settime/expirytime is out of range in TKL, set by another server.
  Should never happen except when using faulty services or when something else
  got horrible wrong (like a date which is 40 years ahead). Reported by
  Darth Android (0003738).
[unverified!]

can you confirm that this weird gline with that 5565259448521326591 expiry time got indeed set by services or something?

syzop

2009-05-13 06:36

administrator   ~0015848

assuming this is fixed...

Issue History

Date Modified Username Field Change
2008-11-02 18:01 Darth Android New Issue
2008-12-21 14:20 syzop Note Added: 0015470
2008-12-21 14:32 syzop Note Added: 0015473
2009-05-13 06:36 syzop QA => Not touched yet by developer
2009-05-13 06:36 syzop U4: Need for upstream patch => No need for upstream InspIRCd patch
2009-05-13 06:36 syzop Note Added: 0015848
2009-05-13 06:36 syzop Status new => closed
2009-05-13 06:36 syzop Resolution open => fixed
2009-05-13 06:36 syzop Fixed in Version => 3.2.8