View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004431 | unreal | ircd | public | 2015-10-21 05:16 | 2015-10-26 08:18 |
| Reporter | dboyz | Assigned To | syzop | ||
| Priority | high | Severity | crash | Reproducibility | random |
| Status | resolved | Resolution | fixed | ||
| Product Version | 4.0.0-rc1 | ||||
| Fixed in Version | 4.0.0-rc2 | ||||
| Summary | 0004431: Crash due to invite-notify capability | ||||
| Description | Random characters appearing as a response to INVITE with invite-notify capability enabled, reported by PlasmaStar. May crash the ircd. | ||||
| Steps To Reproduce | You need three clients to reproduce. - (1) and (2) is on #Test, (1) has invite-notify on, (2) invites (3) to #Test - (1) Sees corrupt message. | ||||
| Additional Information | I suspect this is due to use of uninitialized string. See: https://github.com/unrealircd/unrealircd/blob/unreal40/src/send.c#L333 Example raw message: <- :Plas!Plasma@localhost PART #Test <- :Plasma!Plasma@localhostITE à³U`¤V :ð?\ <- :Plas!Plasma@localhost JOIN :#Test | ||||
| Tags | No tags attached. | ||||
| 3rd party modules | |||||
|
|
==00:00:01:50.551 4879== Conditional jump or move depends on uninitialised value(s) ==00:00:01:50.551 4879== at 0x465E65: vmakebuf_local_withprefix (send.c:1103) ==00:00:01:50.551 4879== by 0x46619A: vsendto_prefix_one (send.c:1143) ==00:00:01:50.551 4879== by 0x4632CA: sendto_channel_butone_with_capability (send.c:333) ==00:00:01:50.551 4879== by 0x1139DABF: cap_invitenotify_invite (cap_invitenotify.c:34) ==00:00:01:50.551 4879== by 0x421C7A: add_invite (channel.c:1118) ==00:00:01:50.551 4879== by 0xC327DD9: m_invite (m_invite.c:294) ==00:00:01:50.551 4879== by 0x433840: parse (parse.c:462) ==00:00:01:50.551 4879== by 0x43230A: dopacket (packet.c:65) ==00:00:01:50.551 4879== by 0x41C3FF: parse_client_queued (s_bsd.c:1270) ==00:00:01:50.551 4879== by 0x41C7DA: read_packet (s_bsd.c:1355) ==00:00:01:50.551 4879== by 0x4533D0: fd_select (s_dispatch.c:526) ==00:00:01:50.551 4879== by 0x42AD3B: main (ircd.c:1640) ==00:00:01:50.551 4879== ==00:00:01:50.551 4879== |
|
|
And fixed, https://github.com/unrealircd/unrealircd/commit/4d7e84b39aef73e067c8e67310e17836b569afd8 [unreal40 4d7e84b] Seems "someone" forgot to include the sender prefix in the format string. Fix crash reported by dboyz (0004431) & Erik (#4433) in invite notify. Thanks for the detailed report, I was able to reproduce it immediately and with the help of valgrind it was only a matter of minutes to get a fix :] |
|
|
This was an additional fix, incidently pointed out by DBoyZ earlier (yeah.. should have seen): https://github.com/unrealircd/unrealircd/commit/10f56911c445221650f5004fb2215099f120e712 |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2015-10-21 05:16 | dboyz | New Issue | |
| 2015-10-21 08:27 | syzop | View Status | public => private |
| 2015-10-23 18:39 | syzop | Note Added: 0018775 | |
| 2015-10-23 18:51 | syzop | Note Added: 0018776 | |
| 2015-10-23 18:51 | syzop | Status | new => resolved |
| 2015-10-23 18:51 | syzop | Fixed in Version | => 4.0.0-rc2 |
| 2015-10-23 18:51 | syzop | Resolution | open => fixed |
| 2015-10-23 18:51 | syzop | Assigned To | => syzop |
| 2015-10-25 18:37 | syzop | View Status | private => public |
| 2015-10-26 08:18 | syzop | Note Added: 0018784 |
