SERVSET may crash the server.
Hi,
while experimenting with services the server (2.9.3b17) crashed,
because I omitted the optional SERVSET burst parameter.
#2 0x17ea8 in m_servset (cptr=0x40c00, sptr=0x40c00, parc=2, parv=0x2f848)
at ../ircd/s_service.c:446
446 burst = sptr->service->wants & atoi(parv[2]);
(gdb) print parc
$1 = 2
(gdb) print parv[2]
$2 = 0x0
Although this parameter is optional, there's no check if it is used. An
if (parc > 2)
{
...
}
around the last part of m_servset (lines 446 - 566 in s_service.c)
should fix this.
I could send a diff, but it's 278 lines just for 3 added lines
and indentation changes...
SERVICE_WANT_PREFIX crashes the server sometimes too...
#0 0x173a0 in check_services_butone (action=32,
server=0x3abe0 "Berlin.Wunder-Nett.org", cptr=0x0,
fmt=0x18767 "NICK %s :%d", p1=0x4082e, p2=0x0, p3=0x408d1, p4=0x408bb,
p5=0x408b5, p6=0x2f848, p7=0x5, p8=0x260ac) at ../ircd/s_service.c:135
s_service.c:
133 if ((acptr->service->wants & action)
134 && (!server || !match(acptr->service->dist, server)))
135 if ((acptr->service->wants & SERVICE_WANT_PREFIX) &&
136 IsRegisteredUser(cptr))
#1 0x18e16 in register_user (cptr=0x40800, sptr=0x40800, nick=0x4082e "test",
username=0x2e2e0 "") at ../ircd/s_user.c:585
s_user.c
585 check_services_butone(SERVICE_WANT_NICK, user->server, NULL,
586 "NICK %s :%d", nick, sptr->hopcount);
Here check_services_butone() is always called with cptr == NULL and as
IsRegisteredUser() does no checks -> Segmentation Fault.
I don't understand why this does not always crash the server...
This happened after I connected a second client. (Same user@host)
No time for further checking.
stelb
--
Stefan Le Breton''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''|
| Don't pretend that you don't know me stelb@xxxxxxxxxxxxxxx
|__Just pay me what you owe me... Pay the ghosts!__http://home.pages.de/~stelb/
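
Added example, not part of the original message and not ircd source: a minimal C model of the two guards the message asks for, the parc check before parv[2] is read and a NULL check on cptr before the registered-user test. The struct, the function names, the sample arrays and the WANT_PREFIX value are assumptions; 32 for the NICK action is the value shown in the backtrace.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins, not the ircd's real types or flag values. */
#define WANT_NICK   0x20    /* action=32 in the backtrace */
#define WANT_PREFIX 0x100   /* hypothetical value */

struct client { int registered; };

/* Constructed sample argument vectors; parv[parc] is NULL, as in the gdb session. */
static char *parv_short[] = { "svc", "288", NULL };        /* parc == 2 */
static char *parv_full[]  = { "svc", "288", "32", NULL };  /* parc == 3 */
static struct client registered_user = { 1 };

/* Guarded form of "burst = wants & atoi(parv[2])".
 * parv[2] is only read when parc > 2; an omitted parameter means
 * "no burst" (0) instead of a NULL dereference inside atoi(). */
int servset_burst(int wants, int parc, char *parv[])
{
    if (parc <= 2 || parv[2] == NULL)
        return 0;
    return wants & (int)strtol(parv[2], NULL, 10);
}

/* Guarded form of the test at s_service.c:135. The caller in
 * register_user() passes cptr == NULL, so the pointer is checked
 * before the client's state is looked at. */
int use_prefix(int wants, const struct client *cptr)
{
    return (wants & WANT_PREFIX) && cptr != NULL && cptr->registered;
}

int main(void)
{
    int wants = WANT_NICK | WANT_PREFIX;

    printf("burst, parameter omitted: %d\n", servset_burst(wants, 2, parv_short));
    printf("burst, parameter given:   %d\n", servset_burst(wants, 3, parv_full));
    printf("prefix, cptr == NULL:     %d\n", use_prefix(wants, NULL));
    printf("prefix, registered user:  %d\n", use_prefix(wants, &registered_user));
    return 0;
}
```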