Vulnerability Development mailing list archives

Re: mirc32 6.0x crash when resolving dns.


From: "Roland Postle" <mail () blazde co uk>
Date: Wed, 28 May 2003 02:41:25 +0100

On Mon, 26 May 2003 23:22:37 +0200, aT4r InsaN3 wrote:

Every time I tried to resolve a few IPs mirc32 dies. The problem seems to be 
in the WSAAsyncGetHostByName() call.
I have tested this feature in both mIRC 6.01 and 6.03 on different 
computers.

Interestingly the bug seems to be in WS2_32.DLL itself. mIRC does a
WSAAsyncGetHostByAddr() call which causes a new thread to be spawned
which performs the usual gethostbyaddr() call. The returned
HOSTENT contains a NULL h_name field (as opposed to a pointer to an
empty string). I can't tell if that's correct behaviour when there's no
reverse lookup, but it's also interesting to note that reverse DNS
lookups on the IP addresses you posted seem to fall into a loop. After
performing the lookup CopyHostentToBuffer is called to copy the HOSTENT
structure so it can notify the appropriate windows of the lookup's
completion. BytesInHostent is called to count the number of bytes in
the HOSTENT, but it trips on the NULL pointer as it tries to count how
long the h_name field is.

My guess:
Vulnerable to NULL pointer dereference: Anything that calls
WSAAsyncGetHostByAddr.

(Btw, the bug appears to be WSAAsyncGetHostByName in windbg because you
only have the exported symbol names loaded)

Confirmed in WS2_32.DLL version 5.1.2600.0 (xpclient.010817-1148), XP
SP1, mIRC 6.03.

- Blazde
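As an added illustration (not code from the mail, from mIRC or from WS2_32.DLL), here is what a HOSTENT byte counter looks like when it treats a NULL h_name as an empty name instead of dereferencing it. The function names and the sample address are assumptions made for the example.

```c
#include <netdb.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Length of a string plus its terminating NUL; a NULL pointer counts as
 * nothing at all instead of being passed to strlen(), which is the case
 * the message describes BytesInHostent tripping on. */
static size_t safe_strlen(const char *s) {
    return s ? strlen(s) + 1 : 0;
}

/* Bytes needed to copy a hostent into one flat buffer: the struct itself,
 * the name, the NULL-terminated alias and address pointer arrays and the
 * data they point at. Every pointer is checked before it is followed. */
size_t bytes_in_hostent(const struct hostent *h) {
    if (!h) return 0;
    size_t n = sizeof(*h);
    n += safe_strlen(h->h_name);
    if (h->h_aliases) {
        char **p;
        for (p = h->h_aliases; *p; p++) n += safe_strlen(*p);
        n += (size_t)(p - h->h_aliases + 1) * sizeof(char *);
    }
    if (h->h_addr_list) {
        char **p;
        for (p = h->h_addr_list; *p; p++) n += (size_t)h->h_length;
        n += (size_t)(p - h->h_addr_list + 1) * sizeof(char *);
    }
    return n;
}

/* Constructed input: a reverse lookup that returned no name, modelled as a
 * hostent with h_name == NULL, one IPv4 address and no aliases. */
size_t demo_null_name(void) {
    static unsigned char addr[4] = {192, 0, 2, 1};  /* constructed, TEST-NET-1 */
    static char *aliases[] = { NULL };
    static char *addrs[] = { (char *)addr, NULL };
    struct hostent h;
    memset(&h, 0, sizeof h);
    h.h_name = NULL;               /* the field the crash hinges on */
    h.h_aliases = aliases;
    h.h_addrtype = AF_INET;
    h.h_length = 4;
    h.h_addr_list = addrs;
    return bytes_in_hostent(&h);   /* struct + 3 pointers + 4 address bytes */
}
```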

