Closed Bug 338736 Opened 18 years ago Closed 18 years ago

hang with sprundels ircfuzzer

Categories

(Other Applications :: ChatZilla, defect)

Product:
Other Applications
Component:
ChatZilla
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: bernd_mozilla, Assigned: rginda)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: hang)

Attachments

(4 files)

original file
7.82 KB, text/plain
Details
winxp variant
9.90 KB, text/plain
Details
executable
28.84 KB, application/zip
Details
stacktrace
5.16 KB, text/plain
Details 
I was eager to get the fuzzer running under winXP and it does hang chatzilla after a few cycles, it seldom takes more than 15.
To test this:
1. start irc.exe from the command line 
2. start firefox
3. open chatzilla
4. /attach 127.0.0.1
5. wait till the console with irc.exe does not change anymore (it should produce every second one line) 


As I am not sure whats going on I file this security sensitive to protect the tool. Remove the security setting if you think thats over eager.
Attached file original file 

    
    

    
  

      
      
      
      

        Attached file
          
        winxp variant
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        executable
      

    


  

    
    

    
  
Does the program leave a log of what it sends?  Does it hang just chatzilla or the browser as well?

    
    

    
  
This is not a security-sensitive bug.  This program sends a huge line (up to 1KB) of binary data to the irc client every 10ms.  Any "hang" you see is the munger working on the long lines.  I did get the slow script dialog once at the beginning.  Unless anyone has any other comments, I'll mark this invalid in a few days.

    
    

    
  
(In reply to comment #5)
> This is not a security-sensitive bug.  This program sends a huge line (up to
> 1KB) of binary data to the irc client every 10ms.  Any "hang" you see is the
> munger working on the long lines.  I did get the slow script dialog once at the
> beginning.  Unless anyone has any other comments, I'll mark this invalid in a
> few days.

Can we, per the spec, truncate lines at 512 chars, and would that speed things up? If we do so, it might be worthwhile...

    
    

    
  
From http://www.faqs.org/rfcs/rfc1459.html
IRC messages are always lines of characters terminated with a CR-LF (Carriage Return - Line Feed) pair, and these messages shall not exceed 512 characters in length, counting all characters including the trailing CR-LF. Thus, there are 510 characters maximum allowed for the command and its parameters.


    
    

    
  
>This program sends a huge line (up to
>1KB) of binary data to the irc client every 10ms.

dump_sendbuffer(char* buf)
{
  SYSTEMTIME st;
  Sleep(1000); <==== this waits for 1000ms on every line it sends.

The original code did as you say send the information without any delay, the modified code however pauses just to avoid the impression that the hang is due to heavy load. Usually as I wrote when no new lines are printed one can easily kill irc.exe and chatzilla will keep the machine at 100% load for as long as you want.

When chatzilla hangs as I described why is this bug invalid?

    
    

    
  
I would be happy if you lift the security flag, but as the tool did hang for me rather soon so one can not test chatzilla decently. See http://www.donationcoder.com/Software/Mouser/mircryption/index.php for example why I am so cautious.

    
    

    
  
I used the attached "original file" which sends a line every 10ms.  ChatZilla of course used 100% CPU time, but it didn't hang.  After I killed the fuzzer program, ChatZilla ran for quite a while before hitting the end of its input queue.  I'll try again with a reasonable delay so it can run for a while.  Which version of ChatZilla did you try?

The reason this is unlikely to cause a problem is because ChatZilla is written in JavaScript, so the only way we can have a buffer overflow is if there's a bug in the JS interpreter.

    
    

    
  
>Which version of ChatZilla did you try?
CVS trunk

OK, if you feel good, lets make it open.

    
  

        Attachment #222799 -
        Attachment mime type: text/x-csrc → text/plain

    
    

    
  
I can pretty much guarantee that all the time is spent in Gecko (for displaying the crap data) and SpiderMonkey's RegExp engine (trying to parse the crap data).

The random data does not test anything in ChatZilla. Even the pretend commands doesn't really test anything of interest.

Hence, this bug not security sensitive, and INVALID.

    
    

    
  
removing flag
Group: security

    
    

    
  

      
      
      
      

        Attached file
          
        stacktrace
      

    


  
yeah the fuzzer has a weakness 

case 0:			// long string 
      end = (rand () % 12000) + 10;
      for (i = 0; i < end; i++)
	{
	  do
	    {
	      buf[i] = rand () % 256;
	    }
	  while (buf[i] == '\n' || buf[i] == '\r' || buf[i] == '\0');
	}
its missing a buf[i]= 0; here 
      break;
which is causing these very long strings.
Once this if fixed it takes a finite amount of time to exit via the shown stack trace.

    
    

    
  
So what are you actually saying? You're saying it 'exits' - do you mean crash, or what? If all the hanging is in Gecko, and the stack points at nspr, then why is this bug on file against *us* ? :-)

Crashes (as I think Silver pointed out on this bug already) are never our own fault - you'll want to find a better place for whatever it is you're seeing, and Silver would be right - this bug is now INVALID.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: