View Issue Details

IDProjectCategoryView StatusLast Update
0005708unrealircdpublic2020-09-27 12:24
Reporterk4be Assigned Tosyzop  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Product Version5.0.5.1 
Fixed in Version5.0.7-rc1 
Summary0005708: Multiple lines (\r\n) in single websocket frame with labeled-response
DescriptionThe first three replies are sent in a single frame when using websocket (this seems to happen on every BATCH, for example replies for HISTORY and WHOIS commands).

← @label=xxx history #testtest

In a single packet:
→ @label=xxx :test3.pirc.pl BATCH +PbZCD0QZGMMHQwa7KU5Y4V labeled-response
→ @batch=PbZCD0QZGMMHQwa7KU5Y4V :test3.pirc.pl BATCH +2CrEHYl23nQnHSS4KOolGT chathistory #testtest
→ @batch=PbZCD0QZGMMHQwa7KU5Y4V;batch=2CrEHYl23nQnHSS4KOolGT;time=2020-06-12T13:56:03.465Z;msgid=i5gz6M8Qw0hWThWnCyJQFa :k4be!testowy@127.0.0.1 PRIVMSG #testtest :7

Then the rest (every line in their own packet):
→ @batch=2CrEHYl23nQnHSS4KOolGT;time=2020-06-12T13:56:05.306Z;msgid=n9AFDtvL1QSpclJltL9WX9 :k4be!testowy@127.0.0.1 PRIVMSG #testtest :8
→ @batch=2CrEHYl23nQnHSS4KOolGT;time=2020-06-12T13:56:07.204Z;msgid=mvIN1kI7vzGbFSNhPFpsIU :k4be!testowy@127.0.0.1 PRIVMSG #testtest :9
...
Steps To ReproduceCreate a channel, set +H and store some history entries. Then do:
cap req :labeled-response batch server-time message-tags
@label=xxx history #testtest
TagsNo tags attached.
3rd party modules

Activities

syzop

2020-06-12 17:57

administrator   ~0021628

Thanks, probably not very easy to fix but we'll look into it (not very soon, though).

syzop

2020-07-14 18:59

administrator   ~0021663

websocket_create_frame() would need to be rewritten with some kind of loop. However, that needs to be done very carefully as it is very easy to make a small mistake there that lead to crashes and security issues. I don't have time for that at this very moment... and tbh I don't trust anyone else ;)

syzop

2020-09-27 12:24

administrator   ~0021759

Took a few hours of coding and testing/validating, but this is now fixed. More testing would be appreciated to make sure that it doesn't introduce new issues with websocket.

commit 61e8c8d8517209dcb143479a71e93ee84118da62 (HEAD -> unreal50, origin/unreal50)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Sun Sep 27 12:17:02 2020 +0200

    Fix labeled-response causing two lines in one websocket frame.
    This goes against our guarantee of 1 IRC line = 1 websocket frame.
    Reported by k4be in https://bugs.unrealircd.org/view.php?id=5708

https://github.com/unrealircd/unrealircd/commit/61e8c8d8517209dcb143479a71e93ee84118da62

Issue History

Date Modified Username Field Change
2020-06-12 17:38 k4be New Issue
2020-06-12 17:40 k4be Description Updated View Revisions
2020-06-12 17:40 k4be Steps to Reproduce Updated View Revisions
2020-06-12 17:45 syzop Summary Invalid BATCH behaviour when using labeled-response or websocket => Multiple lines (\r\n) in single websocket frame with labeled-response
2020-06-12 17:45 syzop Description Updated View Revisions
2020-06-12 17:48 k4be Description Updated View Revisions
2020-06-12 17:48 k4be Steps to Reproduce Updated View Revisions
2020-06-12 17:56 syzop Description Updated View Revisions
2020-06-12 17:57 syzop Status new => acknowledged
2020-06-12 17:57 syzop Note Added: 0021628
2020-07-14 18:59 syzop Note Added: 0021663
2020-09-27 12:24 syzop Assigned To => syzop
2020-09-27 12:24 syzop Status acknowledged => resolved
2020-09-27 12:24 syzop Resolution open => fixed
2020-09-27 12:24 syzop Fixed in Version => 5.0.7-rc1
2020-09-27 12:24 syzop Note Added: 0021759