innd 2.2.1 and 2.2 crash on invalid Distribution: header

Tomasz R. Surmacz tsurmacz at ict.pwr.wroc.pl
Thu Nov 18 14:26:03 UTC 1999


server versions:

200 nntp-papaja.wroc.apk.net InterNetNews server INN 2.2.1 25-Aug-1999 ready
200 plonk.apk.net InterNetNews server INN 2.2 21-Jan-1999 ready

Problem:

If the newsfeeds file contains a list of distributions, i.e.:

	ME:*/world,pl,pl-news,wroc::

and an article arrives (using the IHAVE protocol from another peer) that has the
following header:

	Distribution: ,

then the server crashes in MaxLength (p=0x0, q=0x0) at innd.c:136, called from
ARTpost at art.c:2292, where distribution!=NULL, but (*distribution)==NULL, and
in the following code:

innd/art.c:
  2289      if (distributions) {
  2290          DISTparse(distributions, &Data);
  2291          if (ME.Distributions
  2292           && !DISTwantany(ME.Distributions, distributions)) {
  2293              (void)sprintf(buff, "%d Unwanted distribution \"%s\"",
  2294                      NNTP_REJECTIT_VAL,
  2295                      MaxLength(distributions[0], distributions[0]));
  2296              ARTlog(&Data, ART_REJECT, buff);

the check in line 2289 does not prevent passing a NULL pointer to MaxLength
in line 2295.

The patch is included at the end.  It seems that in such a case the
Distribution: header is invalid according to RFC1036, as a comma should
separate two distributions, but nevertheless it should not crash the
server.

Actually, the problem was spotted when UUNET servers tried to send article
<942925094.1792snx at wang.pc.my> to news.apk.net causing it to crash with a
segfault and a core dump.

I have successfully reproduced it on my home server running innd 2.2.1, as below:

papaja 4 ~> telnet localhost 119
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 nntp-papaja.wroc.apk.net InterNetNews server INN 2.2.1 25-Aug-1999 ready
ihave <1 at abc>
335
Message-ID: <1 at abc>
Path: local
From: <tester at local.host>
Subject: test 1
Date: Fri, 12 Nov 1999 12:18:24 GMT
Newsgroups: pl.test
Distribution: ,
Lines: 1
 
.
Connection closed by foreign host.

As you can see, it closed the connection, crashing, instead of accepting
the article.  Here is the patch:

--- art.c.orig	Mon May  3 19:58:11 1999
+++ art.c	Thu Nov 18 00:15:40 1999
@@ -2285,7 +2287,7 @@
     /* If we limit what distributions we get, see if we want this one. */
     p = HDR(_distribution);
     distributions = *p ? CommaSplit(p) : NULL;
-    if (distributions) {
+    if (distributions && distributions[0]) {
 	DISTparse(distributions, &Data);
 	if (ME.Distributions
 	 && !DISTwantany(ME.Distributions, distributions)) {
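Review bot: The new condition `if (distributions && distributions[0])` makes a non-NULL but empty list skip both DISTparse and the ME.Distributions check, so an article carrying `Distribution: ,` is now handled as if it had no Distribution header at all. Please say so in the comment above the test, since it is a policy decision and not only a crash fix. Also confirm that the vector returned by CommaSplit is still released on the skipped path if that release sits inside the guarded block, which is not visible in this hunk.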


Also, first attempts to solve the problem showed me that innd was crashing
on calling memcpy() with a NULL pointer and i=0 in the following code,
so it should also be patched.

--- art.c.orig	Mon May  3 19:58:11 1999
+++ art.c	Thu Nov 18 00:15:40 1999
@@ -850,8 +850,10 @@
 	return NULL;
     }
     hp->Length = i;
-    (void)memcpy((POINTER)hp->Value, (POINTER)p, (SIZE_T)i);
-    hp->Value[i] = '\0';
+    if (i>0 && hp->Value) {
+	(void)memcpy((POINTER)hp->Value, (POINTER)p, (SIZE_T)i);
+	hp->Value[i] = '\0';
+    }
 
     return in;
 }
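Review bot: Moving `hp->Value[i] = '\0';` inside `if (i>0 && hp->Value)` means that when i is 0 and hp->Value is a valid buffer the terminator is no longer written, so the field can keep whatever bytes were there before while hp->Length says 0. In the other direction, when i is positive and hp->Value is NULL, hp->Length is still set to i with nothing behind it. Suggest testing only `hp->Value` around both statements (a zero-length memcpy from a valid pointer is harmless) and resetting hp->Length or returning an error when hp->Value is NULL. Minor style point: `i>0` should be spaced as `i > 0` to match the surrounding code.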

Tomasz Surmacz

-- 
 _________
(_   _' __) Tomasz R. Surmacz *--* Work:(071)320-2752 tsurmacz at ict.pwr,wroc.pl
  |  (__  \ http://www.ict.pwr.wroc.pl/~tsurmacz/ *---* Home: ts @wroc,apk,net
  |__(____/ For PGP key finger tsurmacz at asic.ict,pwr,wroc.pl *---* irc: TomekS
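
Added example, not part of the original message and not INN code: a self-contained C program showing the condition the report describes, a comma-split vector that is non-NULL while its first element is NULL, together with the guard from the first patch. The names split_nonempty and check_distribution are hypothetical, the splitter is an assumed stand-in rather than INN's CommaSplit, and the sample header values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { DIST_NONE, DIST_WANTED, DIST_UNWANTED };
/* Distribution list from the newsfeeds line quoted in the report. */
static const char *const WANTED[] = { "world", "pl", "pl-news", "wroc", NULL };

/* Hypothetical splitter, NOT INN's CommaSplit: splits in place, drops empty
 * fields, returns a NULL-terminated vector.  For "," the vector is non-NULL
 * but vector[0] is NULL, which is the state the report describes. */
static char **split_nonempty(char *text)
{
    size_t n = 2, k = 0;                 /* one field plus the terminator */
    for (const char *c = text; *c; c++)
        if (*c == ',')
            n++;
    char **av = calloc(n, sizeof *av);   /* unused slots stay NULL */
    if (av == NULL)
        return NULL;
    for (char *t = strtok(text, ","); t; t = strtok(NULL, ","))
        av[k++] = t;
    return av;
}

/* Splits header in place; reply is written only when the article is rejected. */
static enum verdict check_distribution(char *header, char *reply, size_t len)
{
    char **d = split_nonempty(header);
    enum verdict v = DIST_NONE;
    if (d && d[0]) {                     /* guard added by the first patch */
        v = DIST_UNWANTED;
        for (size_t i = 0; d[i] && v == DIST_UNWANTED; i++)
            for (size_t j = 0; WANTED[j]; j++)
                if (strcmp(d[i], WANTED[j]) == 0)
                    v = DIST_WANTED;
        if (v == DIST_UNWANTED)          /* d[0] is known non-NULL here */
            snprintf(reply, len, "Unwanted distribution \"%s\"", d[0]);
    }
    free(d);
    return v;
}

int main(void)
{
    char in[3][8] = { ",", "pl,usa", "usa" }, r[128] = "";   /* constructed */
    for (int i = 0; i < 3; i++)
        printf("verdict=%d\n", check_distribution(in[i], r, sizeof r));
    return 0;
}
```

Testing only `d` in the guard would let the "," case reach the formatting call with a NULL `d[0]`, which is the dereference the report traces to MaxLength.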