View Issue Details

ID: 0003913
Project: unreal
Category: ircd
View Status: public
Last Update: 2010-06-21 14:30
Reporter: Monk
Assigned To: syzop
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform: Linux
OS: Debian
OS Version: 5
Product Version: 3.2.8
Target Version:
Fixed in Version: 3.2.9-RC1
Summary: 0003913: Address out of bounds
Description: Crash that looks quite similar to 0003689

mindirc@srv1245 ~/lircd_drno > ./unreal backtrace
Core files available:
-rw------- 1 mindirc mindirc 7372800 2010-06-19 10:21 core.2991

=================== START HERE ======================
BACKTRACE:

warning: Can't read pathname for load map: Input/output error.
Core was generated by `/home/mindirc/lircd_drno/lircd_drno'.
Program terminated with signal 11, Segmentation fault.
[New process 2991]
#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 "tools.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {
#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 "tools.MindForge.org") at match.c:411
#1 0xb73c1695 in m_server_remote (cptr=0x8182308, sptr=0x81ac120, parc=5, parv=0x8129060) at m_server.c:520
#2 0xb73c1f01 in m_server (cptr=0x8182308, sptr=0x81ac120, parc=5, parv=0x8129060) at m_server.c:443
#3 0x0806c277 in parse (cptr=0x8182308, buffer=0x81823ec "@2M '", bufend=0x818241a "") at parse.c:440
#4 0x0806b458 in dopacket (cptr=0x8182308,
    buffer=0x80bc220 ":Ocean.MindForge.org SMO o :(\002link\002) Link Ocean.MindForge.org -> tools.MindForge.org[@127.0.0.1.60447] established\r\n@2M ' tools.MindForge.org 3 6 :MindForge Tools\r\n& eMuleChansDrop 3 !1C7E1T eMule Bot"..., length=328) at packet.c:138
#5 0x0805b47a in read_message (delay=1, listp=0x814c740) at s_bsd.c:1485
#6 0x0806640d in main (argc=0, argv=0xbfffebd4) at ircd.c:1793

#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 "tools.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {

0x81599e0 <backupbuf>: "@2M ' tools.MindForge.org 3 6 :MindForge Tools"

#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 "tools.MindForge.org") at match.c:411
No locals.
#1 0xb73c1695 in m_server_remote (cptr=0x8182308, sptr=0x81ac120, parc=5, parv=0x8129060) at m_server.c:520
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bcptr = <value optimized out>
        bconf = <value optimized out>
        hop = 3
        info = "MindForge Tools", '\0' <repeats 95 times>
        numeric = 6
        servername = 0x81823f2 "tools.MindForge.org"
        i = <value optimized out>
#2 0xb73c1f01 in m_server (cptr=0x8182308, sptr=0x81ac120, parc=5, parv=0x8129060) at m_server.c:443
        servername = 0x81823f2 "tools.MindForge.org"
        ch = <value optimized out>
        inpath = 0x8129c40 "Dr_Strangelove.MindForge.org[@127.0.0.1.0]"
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bconf = <value optimized out>
        hop = <value optimized out>
        numeric = <value optimized out>
        info = "H>· Á\032\b\b#\030\b8ßÿ¿\212;:·ÐYj\b\233´=·\211¿\024\bùYj\b\b$\030\b\001\000\000\000\030\037\030\b9\236¡\026¤\222\027\b\021\205\016\000\233´=·\211¿\024\b\b\220\027\b\032\000\000\0008ßÿ¿ä·\006\b\230\212\033\bð#\030\b\000\000\000\000&7\006\b\000\000\000\000'\000\000\000\213\034<·"
        aconf = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        deny = <value optimized out>
        flags = <value optimized out>
        protocol = <value optimized out>
        inf = <value optimized out>
        num = <value optimized out>
GCC: gcc version 4.3.2 (Debian 4.3.2-1.1)
UNAME: Linux srv1245.pingpipe.com 2.6.26-2-686 #1 SMP Wed May 12 21:56:10 UTC 2010 i686 GNU/Linux
UNREAL: Unreal3.2.8.1 build 1.1.1.1.2.26 2009/04/13 11:03:55
CORE: -rw------- 1 mindirc mindirc 7372800 2010-06-19 10:21 core.2991


Best regards,

Monk
Tags: No tags attached.
3rd party modules:

Activities

syzop

2010-06-19 21:01

administrator   ~0016118

Seems like a server was trying to link in, and when checking the deny { } blocks it went wrong.
More specifically, it seems one deny item in memory was freed or overwritten.

Could you paste your deny {} blocks? Perhaps we can get some clue as to why this happened :)

Also, could you send me the following files (as .tar.gz, or upload them somewhere) to syzop@vulnscan.org:
1. core file (core.2991)
2. ircd binary (/home/mindirc/lircd_drno/lircd_drno)
3. the commands.so

I can't guarantee that we will find the real cause, but let's try...

Thanks.
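
A triage check that fits the "freed or overwritten" reading above, added here as an example and not part of the original thread or of UnrealIRCd: it extracts the address gdb flags as out of bounds and decodes it as little-endian bytes. Both faulting `mask` values in this report decode to printable ASCII ("mber" and "vent"), which is what a pointer field looks like after string data has been written over it. The function names are hypothetical, and a 32-bit little-endian host is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pull the address out of gdb's "<Address 0x... out of bounds>" annotation.
 * Returns 1 and stores it in *addr, or 0 if the frame line has none. */
int find_oob_address(const char *frame, uint32_t *addr)
{
    static const char tag[] = "<Address 0x";
    const char *p = strstr(frame, tag);
    char *end;
    unsigned long v;
    if (p == NULL)
        return 0;
    p += sizeof(tag) - 1;
    v = strtoul(p, &end, 16);
    if (end == p || v > 0xffffffffUL || strncmp(end, " out of bounds>", 15) != 0)
        return 0;
    *addr = (uint32_t)v;
    return 1;
}

/* View a 32-bit pointer value as the four bytes it occupied in memory on a
 * little-endian host (assumed: i686). Returns 1 if all are printable ASCII. */
int ptr_as_ascii_le(uint32_t addr, char out[5])
{
    int printable = 1;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(addr >> (8 * i));
        out[i] = (char)b;
        printable = printable && b >= 0x20 && b <= 0x7e;
    }
    out[4] = '\0';
    return printable;
}

int main(void)
{
    /* Frame #0 lines copied from the two backtraces in this report. */
    const char *frames[] = {
        "#0 match (mask=0x7265626d <Address 0x7265626d out of bounds>, name=0x81823f2 \"tools.MindForge.org\") at match.c:411",
        "#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 \"Ocean.MindForge.org\") at match.c:411",
    };
    for (size_t i = 0; i < sizeof(frames) / sizeof(frames[0]); i++) {
        uint32_t a; char s[5];
        if (find_oob_address(frames[i], &a))
            printf("0x%08x -> %s\n", (unsigned)a, ptr_as_ascii_le(a, s) ? s : "(not ASCII)");
    }
    return 0;
}
```

A valid heap pointer from the same traces, such as `name=0x81823f2`, fails the printable test, so the check separates overwritten fields from ordinary bad pointers.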

Monk

2010-06-21 06:29

reporter   ~0016121

Mail is sent. Here is a new one:

=================== START HERE ======================
BACKTRACE:

warning: Can't read pathname for load map: Input/output error.
Core was generated by `/home/mindirc/lircd_drno/lircd_drno'.
Program terminated with signal 11, Segmentation fault.
[New process 1955]
#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 "Ocean.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {
#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 "Ocean.MindForge.org") at match.c:411
#1 0xb742e695 in m_server_remote (cptr=0x81825d0, sptr=0x81825d0, parc=5, parv=0x8129060) at m_server.c:520
#2 0xb742ef01 in m_server (cptr=0x81825d0, sptr=0x81825d0, parc=5, parv=0x8129060) at m_server.c:443
#3 0x0806c277 in parse (cptr=0x81825d0, buffer=0x81826b4 "@3 '", bufend=0x81826e5 "") at parse.c:440
#4 0x0806b458 in dopacket (cptr=0x81825d0,
    buffer=0x80bc220 ":Dr_Strangelove.MindForge.org SMO o :(\002link\002) Secure link Dr_Strangelove.MindForge.org -> Ocean.MindForge.org[@80.82.209.67.0] established (SSLv3-AES256-SHA-256bits)\r\n@3 ' Ocean.MindForge.org 2 150 :i"..., length=685) at packet.c:138
#5 0x0805b47a in read_message (delay=1, listp=0x8147e20) at s_bsd.c:1485
#6 0x08066598 in main (argc=0, argv=0xbfffe3d4) at ircd.c:1812

#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 "Ocean.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {

0x81599e0 <backupbuf>: "@3 ' Ocean.MindForge.org 2 150 :irc.MindForge.org"

#0 match (mask=0x746e6576 <Address 0x746e6576 out of bounds>, name=0x81826b9 "Ocean.MindForge.org") at match.c:411
No locals.
#1 0xb742e695 in m_server_remote (cptr=0x81825d0, sptr=0x81825d0, parc=5, parv=0x8129060) at m_server.c:520
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bcptr = <value optimized out>
        bconf = <value optimized out>
        hop = 2
        info = "irc.MindForge.org", '\0' <repeats 93 times>
        numeric = 150
        servername = 0x81826b9 "Ocean.MindForge.org"
        i = <value optimized out>
#2 0xb742ef01 in m_server (cptr=0x81825d0, sptr=0x81825d0, parc=5, parv=0x8129060) at m_server.c:443
        servername = 0x81826b9 "Ocean.MindForge.org"
        ch = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        inpath = 0x8129c40 "Dr_Strangelove.MindForge.org[@127.0.0.1.0]"
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bconf = <value optimized out>
        hop = <value optimized out>
        numeric = <value optimized out>
        info = "\030E·Ð%\030\bÐ%\030\b8×ÿ¿\212\vA·Øbk\b\233\204D·\211¿\024\b\001ck\bÙ&\030\b\001\000\000\000H+\030\bòС:¤\222\027\b\f\217\234\000\233\204D·\211¿\024\b\b\220\027\b\032\000\000\0008×ÿ¿ä·\006\bh\213\033\b·&\030\b\000\000\000\000&7\006\b\000\000\000\000'\000\000\000\213ìB·"
        aconf = <value optimized out>
        deny = <value optimized out>
        flags = <value optimized out>
        protocol = <value optimized out>
        inf = <value optimized out>
        num = <value optimized out>
GCC: gcc version 4.3.2 (Debian 4.3.2-1.1)
UNAME: Linux srv1245.pingpipe.com 2.6.26-2-686 #1 SMP Wed May 12 21:56:10 UTC 2010 i686 GNU/Linux
UNREAL: Unreal3.2.8.1 build 1.1.1.1.2.26 2009/04/13 11:03:55
CORE: -rw------- 1 mindirc mindirc 7286784 2010-06-20 15:41 core.1955
=================== STOP HERE ======================

Best regards,

Monk

syzop

2010-06-21 10:28

administrator   ~0016122

It's indeed exactly the same as 0003689, and has nothing to do with deny link { } as I thought earlier (sorry was looking at the wrong spot).

That means the fix from back then for 3.2.8 didn't fix it as you are on 3.2.8.1.

I'm going to debug it further, really want to find this, thanks for the two tar.bz2's & info :)

syzop

2010-06-21 14:30

administrator   ~0016124

Ok, that wasn't easy to trace, but it was a simple bug to fix once found.

Fixed in CVS .823, thanks for the report! :)

See this URL for the diff:
http://cvsweb.unrealircd.com/cgi-bin/cvsweb/unreal/src/modules/Attic/m_server.c.diff?r1=1.1.2.4.2.14;r2=1.1.2.4.2.15;f=h

Issue History

Date Modified     Username  Field                         Change
2010-06-19 20:43  Monk      New Issue
2010-06-19 21:01  syzop     Note Added: 0016118
2010-06-21 06:29  Monk      Note Added: 0016121
2010-06-21 10:28  syzop     Note Added: 0016122
2010-06-21 10:28  syzop     Status                        new => assigned
2010-06-21 14:30  syzop     QA                            => Not touched yet by developer
2010-06-21 14:30  syzop     U4: Need for upstream patch   => No need for upstream InspIRCd patch
2010-06-21 14:30  syzop     Note Added: 0016124
2010-06-21 14:30  syzop     Status                        assigned => resolved
2010-06-21 14:30  syzop     Fixed in Version              => 3.2.9-RC1
2010-06-21 14:30  syzop     Resolution                    open => fixed
2010-06-21 14:30  syzop     Assigned To                   => syzop