Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFnet Paralyzed By Vulnerability

Posted by Unknown on from the blame-c dept.

An anonymous reader writes "EFnet member Fionn 'Fudge' Kelleher reported several vulnerabilities in the IRC daemons charybdis, ircd-ratbox, and other derivative IRCds. The vulnerability was subsequently used to bring down large portions of the EFnet IRC network." By crafting a particular message, you can cause the IRC daemon to call strlen(NULL) and game over, core dumped.

3 of 156 comments (clear)

  1. Re:C strings strike again! by ls671 · · Score: 2, Informative

    An uncaugh NullPointerException on a call to aString.length() in java would have the same effect and kill the running Thread, the program if it is the main Thread.

    http://stackoverflow.com/questions/5796103/strlen-not-checking-for-null

    --
    Everything I write is lies, read between the lines.
  2. Re:EFnet is already paralyzed by nenolod · · Score: 3, Informative

    There has been a lot of work in this area with a few projects now... Microsoft's IRCX, then IRCNEXT, IRCPLUS and now atheme.org's IRCv3. IRCv3 is becoming the defacto standard at this point, supplanting the traditional IRC protocol, as almost all vendors that are noteworthy have adopted support for revision 3.1 of the protocol already.

    Both Atheme and Anope can be interacted with via RPC from scripts allowing for web integrations. Also, there are immersive web clients which provide a lot of useful metadata to clients.

  3. Re:C strings strike again! by Lunix+Nutcase · · Score: 3, Informative

    Pitty intel didnt implement string functions in the CPU.

    They did. Welcome to decades ago.