MLDonkey Forum Index
mldonkey 3.1.5 crash on startup (buffer overflow)

 
MLDonkey Forum Index -> Alternative platforms
fenugreek (neophyte, Joined: 26 Apr 2014, Posts: 3)
Posted: Sat Apr 26, 2014 1:40 pm    Post subject: mldonkey 3.1.5 crash on startup (buffer overflow)

Have this compiled for Ubuntu 12.04 LTS 64-bit with the following config flags:
./configure --enable-option-checking=fatal --prefix=/opt/mldonkey --enable-checks


Startup begins ok:
---
2014/04/26 08:31:39 [cO] Starting MLDonkey 3.1.5 ...
2014/04/26 08:31:39 [cO] Language EN, locale UTF-8, ulimit for open files 1024
2014/04/26 08:31:39 [cO] raised ulimit for open files from 1024 to 4096
2014/04/26 08:31:39 [cO] MLDonkey is working in /opt/mldonkey/.mldonkey
2014/04/26 08:31:39 [Gettext] Loading language resource mlnet_strings.en_US.UTF-8
2014/04/26 08:31:39 [cO] loaded language resource file
2014/04/26 08:31:39 [cO] PID file /opt/mldonkey/.mldonkey/mlnet.pid exists.
2014/04/26 08:31:39 [cO] Checking whether PID 29871 is still used...
2014/04/26 08:31:39 [cO] Removing stalled file mlnet.pid...
2014/04/26 08:31:39 [cO] Removing stalled file /opt/mldonkey/.mldonkey/config_files_space.tmp...
2014/04/26 08:31:39 [DNS] Resolving [loki] ...
2014/04/26 08:31:39 [DNS] Resolving [www.mldonkey.org] ...
2014/04/26 08:31:40 [dMain] Libmagic file-type recognition database present
2014/04/26 08:31:40 [cO] Logging in /opt/mldonkey/.mldonkey/mlnet.log
2014/04/26 08:31:40 [dMain] Core started
---

Then within a couple of seconds it crashes completely:
----------
*** buffer overflow detected ***: mlnet terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f01ba41bf47]
/lib/x86_64-linux-gnu/libc.so.6(+0x109e40)[0x7f01ba41ae40]
mlnet(ml_ip_job_start+0x28)[0x7c5d58]
mlnet[0x7df20c]
======= Memory map: ========
------------


The last items in the mlnet.log are:

----
2014/04/26 08:31:40 [dMain] Core started
2014/04/26 08:31:41 [cWeb] request contact.dat (http://download.overnet.org/contact.dat)
2014/04/26 08:31:41 [cWeb] request geoip.dat (http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz)
2014/04/26 08:31:41 [cWeb] request ocl (http://www.peerates.net/servers.php)
2014/04/26 08:31:41 [cWeb] request server.met (http://www.gruk.org/server.met.gz)
2014/04/26 08:31:41 [cWeb] request guarding.p2p (http://www.bluetack.co.uk/config/level1.gz)
2014/04/26 08:31:41 [cWeb] request hublist (http://dchublist.com/hublist.config.bz2)
2014/04/26 08:31:41 [cWeb] request nodes.gzip (http://update.kceasy.com/update/fasttrack/nodes.gzip)
2014/04/26 08:31:43 [bS] Pervasives.Exit : unexpected exn exec can_read
2014/04/26 08:31:50 [BT] Cannot share "torrents/seeded/System 7.5 Version 7.5.3.torrent" - exn open failed on incoming/directories/System 7.5 Version 7.5.3/System Install CD/System 7.5 Version 7.5.3.nrg: No such file or directory
2014/04/26 08:31:50 [DNS] could not resolve <META NAME=keywords CONTENT=telechargement, check URL
2014/04/26 08:31:50 [DNS] could not resolve .Style3 {font-family: Verdana, check URL
2014/04/26 08:31:51 [DNS] could not resolve .Style6 {font-family: Arial, check URL
2014/04/26 08:31:51 [DNS] could not resolve .Style51 {font-family: Verdana, check URL
2014/04/26 08:31:51 [DNS] could not resolve .Style78 {font-size: 10px; color: #000000; font-family: Verdana, check URL
2014/04/26 08:31:51 [DNS] could not resolve .Style114 { font-family: Courier New, check URL
2014/04/26 08:31:51 [DNS] could not resolve .Style123 { font-weight: bold; color: #333333; font-size: 9px; font-family: Arial, check URL
2014/04/26 08:31:52 [DNS] could not resolve .Style123r {font-weight: bold; color: #FF0000; font-size: 9px; font-family: Arial, check URL
2014/04/26 08:31:52 [DNS] could not resolve .Style125 {font-size: 12px; color: #333333; font-family: Courier New, check URL
2014/04/26 08:31:52 [DNS] could not resolve .Style154 {font-size: 14px; color: #333333; font-family: Courier New, check URL
2014/04/26 08:31:52 [DNS] could not resolve .Style189 { font-family: Georgia, check URL
2014/04/26 08:31:52 [DNS] could not resolve .StyleServerinject {font-size: 12px; color: #333333; font-family: Arial, check URL
2014/04/26 08:31:53 [DNS] could not resolve .Style191 {font-family: Geneva, check URL
2014/04/26 08:31:53 [DNS] could not resolve <td><span>324, check URL
2014/04/26 08:31:54 [DNS] could not resolve <td><span>62, check URL
2014/04/26 08:31:54 [DNS] could not resolve <a href=mapservers.php?lang=0&sel=205748455245205245463d3120204f524445522042592053434f5245204445534320 alt=carte des serveurs border=0 target=wmapserver onClick=window.open('mapservers.php', check URL
2014/04/26 08:31:54 [DNS] could not resolve <td><span>10, check URL
2014/04/26 08:31:55 [DNS] could not resolve <td><span>324, check URL
2014/04/26 08:31:55 [DNS] could not resolve <td><span>54, check URL
2014/04/26 08:31:55 [DNS] could not resolve <td><span>62, check URL
2014/04/26 08:31:55 [DNS] could not resolve <a href=buildlist.php?lang=0&sel=53454c454354202a2046524f4d207365727665727320205748455245205245463d3120204f524445522042592053434f5245204445534320204c494d495420302c3235alt=inject servers list border=0 target=wclose onClick=window.open('buildlist.php', check URL
---------


Any ideas?
Petroska (neophyte, Joined: 08 Apr 2014, Posts: 8)
Posted: Sun Apr 27, 2014 1:01 pm

hi,

I have built 2 Debian packages from mldonkey 3.1.5 64 bits.

Do you want to have them?
fenugreek (neophyte, Joined: 26 Apr 2014, Posts: 3)
Posted: Mon Apr 28, 2014 1:16 am

Thanks, but not needed. I can get them built; I was posting this to hopefully help determine where the bug is in the mldonkey code for checking the buffer/input data which is causing it to crash. This appears to be bad or no data-validation checking going on in whatever section of code this is dying in.

Using the same executables but allowing it to create new *.ini files, it works. Anything that can cause a crash like this might also be exploitable, which is why I brought it up.
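As an added illustration (not mldonkey's code; the `dns_job` struct, the field names and both `job_start_*` functions are hypothetical), the pattern a `__fortify_fail` inside a resolver entry point points at is a caller-supplied hostname copied into a fixed-size buffer with no length check. Beside it is a validating version that rejects inputs like the HTML fragments in the log above before they reach the resolver:

```c
/* Constructed example, not mldonkey's source. Shows the unchecked-copy
 * pattern that glibc's FORTIFY_SOURCE aborts on, and a hardened lookup
 * that validates the name before it touches the fixed-size buffer. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 253   /* RFC 1123 limit for a full name */
#define LABEL_MAX    63    /* RFC 1123 limit for one label */

/* Hypothetical resolver job with an inline fixed-size name buffer. */
struct dns_job { char name[256]; };

/* Unsafe pattern: copies whatever string the caller passed. A 300-byte
 * scraped HTML fragment used as a "hostname" overflows job->name. */
void job_start_unchecked(struct dns_job *job, const char *host) {
    strcpy(job->name, host);   /* no length check */
}

/* Defensive check: accept only syntactically plausible DNS names.
 * Rejects over-long input, empty or over-long labels, labels starting or
 * ending in '-', and characters a hostname never contains (' ', '<', '{',
 * '=', ...), so stray HTML never reaches the resolver or the buffer. */
bool valid_hostname(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > HOSTNAME_MAX) return false;
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-') return false;
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-') || (label == 0 && c == '-')) return false;
        if (++label > LABEL_MAX) return false;
    }
    return label > 0;   /* last label must be non-empty (no trailing dot) */
}

/* Hardened variant: validate first, then do a bounded copy. Returns
 * false and leaves the job untouched instead of overflowing. */
bool job_start_checked(struct dns_job *job, const char *host) {
    if (!valid_hostname(host)) return false;
    snprintf(job->name, sizeof job->name, "%s", host);
    return true;
}
```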
ygrek (professional, Joined: 20 Mar 2010, Posts: 594)
Posted: Mon Apr 28, 2014 3:06 pm

Thanks for bringing this up. DNS resolving code is definitely buggy wrt buffer overflows, please stand by for the patch.
spiralvoice (Sage, Joined: 06 Jan 2003, Posts: 3999, Location: Germany)
Posted: Mon Apr 28, 2014 4:22 pm    Post subject: Re: mldonkey 3.1.5 crash on startup (buffer overflow)

fenugreek wrote:
2014/04/26 08:31:50 [DNS] could not resolve <META NAME=keywords CONTENT=telechargement, check URL
2014/04/26 08:31:50 [DNS] could not resolve .Style3 {font-family: Verdana, check URL
2014/04/26 08:31:51 [DNS] could not resolve .Style6 {font-family: Arial, check URL

Another question is, why would the DNS module look for URLs which look like html code?
ygrek (professional, Joined: 20 Mar 2010, Posts: 594)
Posted: Mon Apr 28, 2014 4:38 pm

Please test https://github.com/ygrek/mldonkey/commit/1e7341ef879a0f42e304bdd24f3339245214b58a

Quote:
Another question is, why would the DNS module look for URLs which look like html code?

Yes, that's interesting; something is wrong on a higher level. Can you figure out a way to reproduce this? (Probably pasted an HTML page into the dl window?)
fenugreek (neophyte, Joined: 26 Apr 2014, Posts: 3)
Posted: Wed Apr 30, 2014 11:58 pm

@ygrek - Sorry for the delay, they had me locked up at work. I've tested your patch and it prevents the buffer overflow error that I was having, so that looks good.

Should probably be reviewed to get it into the main code base to help others.

I'll try and see where that overflow came from for the DNS module. No HTML pasting in that would have caused this from the period where it broke. I use sancho and only added some magnet links. I've tried going through the last ones added in reverse order but haven't found where the crap came from yet.