8000 Fix segfault caused by malformed nzb files without subject by throwaway481 · Pull Request #745 · nzbget/nzbget · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
This repository was archived by the owner on Nov 18, 2022. It is now read-only.

Fix segfault caused by malformed nzb files without subject #745

Closed
wants to merge 2 commits into from
Closed

Fix segfault caused by malformed nzb files without subject #745

wants to merge 2 commits into from

Conversation

throwaway481
Copy link
@throwaway481 throwaway481 commented Apr 14, 2021
edited
Loading

fixes #744 and probably #741

Adding NZB files without a proper subject leads to uninitialised memory access (read & write) on non-windows systems. This may segfault or just corrupt memory.

@hugbug please consider releasing this soon. I have not examined how exploitable this actually is, but worst case this may lead to remote code execution.

Example nzb:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nzb PUBLIC "-//newzBin//DTD NZB 1.1//EN" "http://www.newzbin.com/DTD/nzb/nzb-1.1.dtd">
<nzb xmlns="http://www.newzbin.com/DTD/2003/nzb">
<head>
 <meta type="name">Unimportant</meta>
 <meta type="category">Unimportant</meta>
</head>
<file poster="dummy" date="1234567890">
 <groups>
  <group>alt.binaries.unimportant</group>
 </groups>
 <segments>
  <segment bytes="1" number="1">unimportant</segment>
 </segments>
</file>
</nzb>

I haven't programmed C/C++ in 15 years, so feel free to replace the fix with something more idiomatic if you want :-)

@throwaway481 throwaway481 mentioned this pull request Apr 14, 2021
Closed
@throwaway481
Copy link
Author
throwaway481 commented Apr 14, 2021
edited
Loading

Also... I just fixed this single uninitialised memory access that led to a crash with real world nzb data. Other structures may be affected as well, because of uninitialised strings in the structures. Someone may want to check this.

This was referenced Apr 14, 2021
Closed
Open
Closed
Closed
@ohmybahgosh ohmybahgosh mentioned this pull request Apr 14, 2021
Closed
@hugbug
Copy link
Member
hugbug commented Apr 14, 2021

Thank you.
Can you please send me a couple of real files? nzbget@gmail.com.
I'd like to check how to process them best. Obviously the program shouldn't crash. The question is if the file-elements contain any useful data and should be kept. Filename can be automatically generated at this stage. The real filename is read later from the article anyway.

@hugbug hugbug added the bug label Apr 14, 2021
hugbug added a commit that referenced this pull request Apr 14, 2021
@hugbug
#745: fixed crash caused by malformed nzb files
1ee8e02 
: for file elements not having subject attribute a (somewhat) random
subject is generated and is used as file name; correct file names are
read from articles later anyway
@hugbug
Copy link
Member
hugbug commented Apr 14, 2021

I've fixed this as follows: for file elements not having subject attribute an (almost) random subject is generated and is used as file name; correct file names are read from articles later during downloading.

Tested with the example real nzb-files and they were downloaded successfully without issues.

Thank you for reporting this and for the pull request.

BTW there are no uninitialised memory or uninitialised strings. All strings are initialised with null. It's just that sometimes this special value isn't expected in certain contexts ;) The program will then always crash, which is good (for reproducing) and isn't exploitable (I hope so).

@hugbug hugbug closed this Apr 14, 2021
@hugbug hugbug added this to the v21.x milestone Apr 15, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
v21.x
Development

Successfully merging this pull request may close these issues.

Server Crash on potential bad NZB from sonarr/radarr
2 participants
@throwaway481 @hugbug
0