oss-sec mailing list archives

ircd-hybrid: Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()


From: Henri Salo <henri () nerv fi>
Date: Tue, 29 Jan 2013 17:37:19 +0200

Mr. Bob Nomnomnom from Torland reported a denial of service security
vulnerability in ircd-hybrid. Function hostmask.c:try_parse_v4_netmask() is
using strtoul to parse masks. Documentation says strtoul can parse "-number" as
well. Validation of input does not catch evil bits. I can give proof of concept
if needed.

Fixed in commit: 
http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
Fixed in: ircd-hybrid 8.0.6

I have requested CVE identifier for this vulnerability in another email to Kurt.
Other ircds are using the same code. Consider this email as official advisory. I
tried to embargo this issue, but the commit is out already.

Program received signal SIGSEGV, Segmentation fault.
0x000000000041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
229     addb[bits / 8] &= ~((1 << (8 - bits % 8)) - 1);

--
Henri Salo
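
The advisory above says strtoul() accepts "-number" and shows the crash at the masking statement on hostmask.c:229. The following is an added example, not ircd-hybrid's code or its fix: a strict prefix-length parser that guards that same statement. The names parse_v4_prefix and apply_v4_prefix, the 4-byte address buffer and the sample address are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from ircd-hybrid): parse the "bits" part of an
 * IPv4 netmask. Returns the prefix length 0..32, or -1 if malformed. */
int parse_v4_prefix(const char *s)
{
    char *end;
    unsigned long v;
    /* strtoul() skips whitespace and accepts '+' or '-', so insist that
     * the first character is a digit before calling it. */
    if (!isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > 32)
        return -1;
    return (int)v;
}

/* Clear the host bits of a 4-byte address with the masking statement from
 * the backtrace above, only once the prefix is known to be in range. */
int apply_v4_prefix(unsigned char addb[4], const char *bits_text)
{
    int i, bits = parse_v4_prefix(bits_text);
    if (bits < 0)
        return -1;
    if (bits < 32) {            /* bits == 32 would index addb[4] */
        addb[bits / 8] &= ~((1 << (8 - bits % 8)) - 1);
        for (i = bits / 8 + 1; i < 4; i++)
            addb[i] = 0;
    }
    return bits;
}

int main(void)
{
    unsigned char a[4] = {192, 168, 77, 201};   /* constructed sample */
    /* The raw call negates in the unsigned type instead of failing. */
    printf("strtoul(\"-1\") wraps to ULONG_MAX: %d\n",
           strtoul("-1", NULL, 10) == ULONG_MAX);
    printf("/20 -> %d\n", apply_v4_prefix(a, "20"));
    printf("addr %u.%u.%u.%u\n", a[0], a[1], a[2], a[3]);
    printf("/-1 -> %d\n", apply_v4_prefix(a, "-1"));
    return 0;
}
```

The digit check runs before strtoul() because the function reports neither an error nor ERANGE for a signed string such as "-1".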

