View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005667 | unreal | ircd | public | 2020-05-06 08:42 | 2020-05-08 15:02 |
Reporter | moody | Assigned To | syzop | ||
Priority | normal | Severity | crash | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Fixed in Version | 5.0.5 | ||||
Summary | 0005667: Buffer overflow in crule parser | ||||
Description | Statically sized buffers are used in the parsing of crules; this can lead to crashes if the user-supplied rule is too long.

    [New Thread 0x7ffff73ad700 (LWP 27543)]
    [Thread 0x7ffff73ad700 (LWP 27543) exited]
    *** stack smashing detected ***: terminated

    Thread 1 "unrealircd" received signal SIGABRT, Aborted.
    0x00007ffff7908ea1 in raise () from /lib64/libc.so.6
    (gdb) bt
    #0  0x00007ffff7908ea1 in raise () from /lib64/libc.so.6
    #1  0x00007ffff78f253d in abort () from /lib64/libc.so.6
    #2  0x00007ffff794c48f in __libc_message () from /lib64/libc.so.6
    #3  0x00007ffff79dbe32 in __fortify_fail () from /lib64/libc.so.6
    #4  0x00007ffff79dbe02 in __stack_chk_fail () from /lib64/libc.so.6
    #5  0x0000555555575389 in crule_parsearglist (argrootp=0x555555a1db60, next_tokp=next_tokp@entry=0x7fffffffdc04, ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:625
    #6  0x00005555555754a2 in crule_parsefunction (funcrootp=0x7fffffffdb80, next_tokp=next_tokp@entry=0x7fffffffdc04, ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:576
    #7  0x000055555557567a in crule_parseprimary (primrootp=primrootp@entry=0x7fffffffdb80, next_tokp=next_tokp@entry=0x7fffffffdc04, ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:532
    #8  0x0000555555575701 in crule_parseandexpr (androotp=androotp@entry=0x7fffffffdbc0, next_tokp=next_tokp@entry=0x7fffffffdc04, ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:438
    #9  0x0000555555575811 in crule_parseorexpr (orrootp=orrootp@entry=0x7fffffffdc10, next_tokp=next_tokp@entry=0x7fffffffdc04, ruleptr=ruleptr@entry=0x7fffffffdc08) at crule.c:384
    #10 0x0000555555575b13 in crule_test (rule=<optimized out>) at crule.c:696
    #11 0x0000555555589cb5 in _test_deny (conf=<optimized out>, ce=0x5555559955a0) at conf.c:9863
    #12 0x0000555555596048 in config_test () at conf.c:2831
    #13 0x000055555559ddc9 in config_test_all () at conf.c:1965
    #14 0x000055555559df02 in init_conf (rootconf=0x555555972d00 "/home/moody/unrealircd/conf/unrealircd.conf", rehash=0) at conf.c:2057
    #15 0x000055555556fb3f in main (argc=<optimized out>, argv=<optimized out>) at ircd.c:1257
    (gdb) | ||||
Steps To Reproduce | Add a deny link block similar to the following:

    deny link {
        mask "irc.example.com";
        rule connected(zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz);
        type all;
    } | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
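The report above boils down to one pattern: a token from the rule text is copied into a fixed-size stack buffer without checking that it fits, so an oversized `connected(...)` argument overruns the buffer and the stack protector aborts the process during config test. The block below is an added illustration, not UnrealIRCd's crule.c: a minimal parser for a one-argument crule call that shows the unchecked copy beside a bounded copy which rejects an argument that does not fit. The `cr_*` names, the buffer sizes and the error codes are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not UnrealIRCd's crule.c. Buffer sizes and cr_* names are
 * assumptions chosen for illustration only. */

#define CR_MAXFUNCLEN 16   /* assumed: function name + NUL */
#define CR_MAXARGLEN  64   /* assumed: argument + NUL */

typedef enum {
    CR_OK = 0,
    CR_ERR_SYNTAX,   /* missing '(' or ')' */
    CR_ERR_TOOLONG   /* a token does not fit its fixed-size buffer */
} cr_status;

typedef struct {
    char func[CR_MAXFUNCLEN];
    char arg[CR_MAXARGLEN];
} cr_call;

/* The hazardous pattern behind the report: copy up to the delimiter with no
 * bound on the destination. An argument longer than the stack buffer overruns
 * it, which is what __stack_chk_fail aborted on in the backtrace. Kept only
 * for contrast; it is never given oversized input in this example. */
static void cr_copy_token_unchecked(char *dst, const char *start, const char *end)
{
    while (start < end)
        *dst++ = *start++;
    *dst = '\0';
}

/* Bounded copy of [start, end) into dst of dstlen bytes. Rejects rather than
 * truncating silently, so the config test reports an error instead of loading
 * a rule that differs from what the admin wrote. */
static cr_status cr_copy_token(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= dstlen)             /* n == dstlen would leave no room for NUL */
        return CR_ERR_TOOLONG;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return CR_OK;
}

/* Parse "func(arg)" into out. Every copy into a fixed buffer is length-checked. */
cr_status cr_parse_call(const char *rule, cr_call *out)
{
    const char *lp = strchr(rule, '(');
    if (lp == NULL)
        return CR_ERR_SYNTAX;
    const char *rp = strchr(lp + 1, ')');
    if (rp == NULL)
        return CR_ERR_SYNTAX;

    cr_status st = cr_copy_token(out->func, sizeof out->func, rule, lp);
    if (st != CR_OK)
        return st;
    return cr_copy_token(out->arg, sizeof out->arg, lp + 1, rp);
}

/* Parse status only, for callers that just want accept/reject. */
cr_status cr_parse_status(const char *rule)
{
    cr_call c;
    return cr_parse_call(rule, &c);
}

/* Build "connected(zzz...z)" with nz z's, as in the reproduction step, and
 * return how the checked parser handles it. */
cr_status cr_oversized_rule_status(size_t nz)
{
    const char *prefix = "connected(";
    size_t plen = strlen(prefix);
    char *rule = malloc(plen + nz + 2);        /* ')' and NUL */
    if (rule == NULL)
        return CR_ERR_SYNTAX;                  /* treat as unparseable */
    memcpy(rule, prefix, plen);
    memset(rule + plen, 'z', nz);
    rule[plen + nz] = ')';
    rule[plen + nz + 1] = '\0';
    cr_status st = cr_parse_status(rule);
    free(rule);
    return st;
}

int main(void)
{
    cr_call c;
    const char *ok_rule = "connected(irc.example.com)";
    const char *lp = strchr(ok_rule, '(');
    const char *rp = strchr(ok_rule, ')');

    /* The unchecked copy only survives here because the argument is short. */
    cr_copy_token_unchecked(c.arg, lp + 1, rp);
    printf("unchecked copy of short arg: %s\n", c.arg);

    printf("checked parse of short rule: %d (0 = CR_OK)\n", (int)cr_parse_call(ok_rule, &c));
    printf("checked parse of 120-byte arg: %d (2 = CR_ERR_TOOLONG)\n",
           (int)cr_oversized_rule_status(120));
    return 0;
}
```

The important design choice is that `cr_copy_token` refuses an oversized token instead of truncating it with `strncpy`: a silently truncated hostmask would make the rule match something other than what was configured, which is a quieter failure than the crash in the report.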
Right, that is silly indeed. I will have a look at it in the weekend or next week, after I have finished other coding. I am treating it as a crash bug due to a configuration fault, not as a security issue, by the way. Because you need to have access to the configuration to trigger it, in which case you can do just about anything anyway. |
Fixed, thanks for the report.

    commit 606a35bed00eb4e0f8d105e6eaaeaad7f25042b9 (HEAD -> unreal50)
    Author: Bram Matthys <[email protected]>
    Date:   Fri May 8 14:58:49 2020 +0200

        Fix crash when using deny link::rule with oversized argument.
        Reported by moody in https://bugs.unrealircd.org/view.php?id=5667

https://github.com/unrealircd/unrealircd/commit/606a35bed00eb4e0f8d105e6eaaeaad7f25042b9 |
Date Modified | Username | Field | Change |
---|---|---|---|
2020-05-06 08:42 | moody | New Issue | |
2020-05-06 09:11 | syzop | Assigned To | => syzop |
2020-05-06 09:11 | syzop | Status | new => acknowledged |
2020-05-06 09:11 | syzop | Note Added: 0021551 | |
2020-05-08 15:02 | syzop | Status | acknowledged => resolved |
2020-05-08 15:02 | syzop | Resolution | open => fixed |
2020-05-08 15:02 | syzop | Fixed in Version | => 5.0.5 |
2020-05-08 15:02 | syzop | Note Added: 0021558 |