ircd buffer overflow

Andy Church (achurch@DRAGONFIRE.NET)
Tue, 01 Jul 1997 02:20:47 -0400 (EDT)

There is a buffer overflow present in many IRC servers derived from
the irc2.x distribution, which has been reported as being actively
exploited on many networks. In short, insufficient bounds checking on the
parameters to the SERVER message will overflow a buffer, and you can do
more or less anything you could do with any other buffer overflow. (The
current spate of attacks is aimed at just crashing servers; this can be
accomplished with a single line of shell code.) This overflow is a bit
more interesting than the usual, because it's not a case of _missing_
bounds checking; rather, it's _incorrect_ bounds checking, leading to a
strncpy(s1, s2, -1) under certain circumstances.

This bug is known to be present in all versions of ircd.dal through
4.4.10, as well as the base irc2.8.21 distribution. The bug is believed to
NOT be present in ircu2.9.32, and is known to not be present in
ircd.dal4.4.11. The patch below was made against ircd.dal4.4.5, but should
apply more or less cleanly to other irc2.x derivations.

--Andy Church | If Bell Atlantic really is the heart
achurch@dragonfire.net | of communication, then it desperately
www.dragonfire.net/~achurch/ | needs a quadruple bypass.

---------------------------------------------------------------------------

--- src/s_serv.c.old Sun Dec 8 21:06:55 1996
+++ src/s_serv.c Tue Jul 1 00:42:16 1997
@@ -282,15 +282,17 @@
{
hop = atoi(parv[2]);
(void)strncpy(info, parv[3], REALLEN);
+ info[REALLEN] = 0;
}
else if (parc > 2)
{
- (void)strncpy(info, parv[2], REALLEN);
+ (void)strncpy(info, parv[2], REALLEN-2);
+ info[REALLEN-2] = 0;
if (parc > 3)
{
- i = strlen(info);
- (void)strncat(info, " ", REALLEN - i - 1);
- (void)strncat(info, parv[3], REALLEN - i - 2);
+ (void)strcat(info, " ");
+ (void)strncat(info, parv[3], REALLEN-strlen(info));
+ info[REALLEN] = 0;
}
}
/*