From ph0x at freequest.net Mon Aug 18 08:00:47 2008
From: ph0x at freequest.net (ph0x)
Date: Mon, 18 Aug 2008 10:00:47 +0200
Subject: [services] Nasty services bugs found
Message-ID: <48A92C2F.4080706@freequest.net>

Hi,

We on FreeQuest noticed a bug yesterday. Someone had problems with their BNC, and triggered a bunch of rapid nick changes from guest to enforcer etc.

Another possible bug is that NickServ assumes that the Guest nick the user is being collided to is free, but it will not check it. Not sure how that will affect services internally when a user gets e.g. Guest1-24531 instead of Guest1.

We successfully managed to reproduce the bug.. several times. The user collides with the enforcer because of a rapid nick change, and triggers another timer. When you have multiple timers on the same nick, you will try to free the data two times..

[Aug 18 03:06:44 2008] timeout_release(): Ignoring NULL t->data
[Aug 18 03:07:10 2008] timeout_release for id 19073 triggered at 1219021628
[Aug 18 03:08:27 2008] timeout_collide for Cruise (id 19073) triggered at 1219021705
[Aug 18 03:08:54 2008] timeout_collide for Cruise (id 19073) triggered at 1219021733
[Aug 18 03:09:21 2008] timeout_collide for Cruise (id 19073) triggered at 1219021759
[Aug 18 03:09:46 2008] timeout_collide for Cruise (id 19073) triggered at 1219021786
[Aug 18 03:09:46 2008] timeout_release for id 19073 triggered at 1219021768
[Aug 18 03:09:54 2008] timeout_release(): Ignoring NULL t->data
[Aug 18 03:10:25 2008] timeout_release(): Ignoring NULL t->data
[Aug 18 03:10:48 2008] timeout_release for id 19073 triggered at 1219021846
[Aug 18 03:11:22 2008] timeout_collide for Cruise (id 19073) triggered at 1219021880
[Aug 18 03:11:46 2008] timeout_collide for Cruise (id 19073) triggered at 1219021903
[Aug 18 03:12:30 2008] timeout_release for id 19073 triggered at 1219021943
[Aug 18 03:12:36 2008] NickServ: Gluckon!~TEC at adsl-69-224-153-39.dsl.irvnca.pacbell.net identified for nick Gluckon
[Aug 18 03:12:50 2008] timeout_release(): Ignoring NULL t->data

Above errors were produced by using the mIRC script:

on 1:Notice:*i*will*change*:*:.timer -m 1 21000 { timer -m 8 200 raw nick Cruise }

All credits for fixing this bug should go to xargoon at freequest.net, he did a good job locating and verifying it!

To sum it up in the following order:

1) nickserv doesn't check for existing Guest nicks in collide();
2) There is no check that nick != NULL in the function release(), which causes services to split when releasing a nick already released (like the above scenario).

Regarding bug #2, we had not implemented the check for NULL in t->data on the timeout_release() function, so it will probably not occur on Blitzed.

Bug #1 is solved by sending a kill to the guestnick, but a better fix would be to randomize the guest nicks and then check for an existing nickname before sending SVSNICK.

I'm probably not making much sense, so please let me know if you need any further explaining :)

/ph0x
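The two defects described in the message (a Guest nick chosen without checking that it is free, and a release timer whose data can be freed twice when rapid nick changes queue several timers for the same nick) are illustrated below with a small self-contained C model. This is an added example, not code from Blitzed services or from the poster; the user table, timer queue, `pick_free_guest_nick`, `schedule_release` and `rapid_nick_change_scenario` are constructed for this example, and the "Guest1 already taken" and "Cruise changes nick three times" inputs are constructed too. The two mitigations it shows are the ones the message proposes: check the candidate Guest nick against the user list before assigning it, and make release idempotent so a second firing finds no data left to free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_USERS  16
#define MAX_TIMERS 16
#define NICKLEN    32

/* Constructed in-memory tables standing in for the services' user list and
 * timer queue (hypothetical; not Blitzed services' own data structures). */
typedef struct { char nick[NICKLEN]; int used; } user_t;
typedef struct { char nick[NICKLEN]; char *data; int active; } pending_t;

static user_t    users[MAX_USERS];
static pending_t timers[MAX_TIMERS];

static int nick_in_use(const char *nick) {
    for (int i = 0; i < MAX_USERS; i++)
        if (users[i].used && strcmp(users[i].nick, nick) == 0) return 1;
    return 0;
}

/* Add a user; refuses a nick that is already held (that would be a collision). */
int add_user(const char *nick) {
    if (nick_in_use(nick)) return 0;
    for (int i = 0; i < MAX_USERS; i++)
        if (!users[i].used) {
            snprintf(users[i].nick, NICKLEN, "%s", nick);
            users[i].used = 1;
            return 1;
        }
    return 0;
}

/* Bug #1 fix: choose a Guest nick only after confirming it is free, instead
 * of assuming Guest1 is available. Returns 0 if no free Guest nick exists. */
int pick_free_guest_nick(char *out, size_t outlen) {
    for (int n = 1; n < 100000; n++) {
        snprintf(out, outlen, "Guest%d", n);
        if (!nick_in_use(out)) return 1;
    }
    return 0;
}

static pending_t *find_timer(const char *nick) {
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].active && strcmp(timers[i].nick, nick) == 0) return &timers[i];
    return NULL;
}

/* Schedule a release timer for nick. A timer already pending for the same nick
 * is reused, so a burst of nick changes never queues the same data twice. */
pending_t *schedule_release(const char *nick) {
    pending_t *t = find_timer(nick);
    if (t) return t;                        /* already pending: keep the one timer */
    for (int i = 0; i < MAX_TIMERS; i++)
        if (!timers[i].active) {
            t = &timers[i];
            snprintf(t->nick, NICKLEN, "%s", nick);
            t->data = malloc(NICKLEN);      /* stands in for the enforcer state */
            if (!t->data) return NULL;
            snprintf(t->data, NICKLEN, "%s", nick);
            t->active = 1;
            return t;
        }
    return NULL;
}

/* Bug #2 fix: tolerate a timer whose data was already released. Returns 1 if
 * data was freed on this call, 0 if there was nothing left to free. */
int timeout_release(pending_t *t) {
    if (t == NULL || t->data == NULL) {
        fprintf(stderr, "timeout_release(): Ignoring NULL t->data\n");
        return 0;
    }
    free(t->data);
    t->data = NULL;          /* leave no dangling pointer for a second firing */
    t->active = 0;
    return 1;
}

int count_active_timers(void) {
    int n = 0;
    for (int i = 0; i < MAX_TIMERS; i++) n += timers[i].active;
    return n;
}

/* Replays the reported scenario with constructed input: Guest1 is already
 * taken, then "Cruise" changes nick rapidly so release is scheduled three
 * times and the one resulting timer fires twice. Returns how many times
 * data was actually freed (expected: exactly 1). */
int rapid_nick_change_scenario(char *guest, size_t guestlen) {
    memset(users, 0, sizeof users);
    memset(timers, 0, sizeof timers);
    add_user("Guest1");                      /* constructed: Guest1 is held */
    pick_free_guest_nick(guest, guestlen);   /* yields Guest2, not Guest1 */
    add_user(guest);

    for (int i = 0; i < 3; i++) schedule_release("Cruise");
    pending_t *t = find_timer("Cruise");
    int frees = timeout_release(t);
    frees += timeout_release(t);             /* second firing of the same timer */
    return frees;
}
```

The point of keying timers by nick rather than appending a new entry per event is that the double free in the report cannot arise in the first place; the NULL check in `timeout_release` is then a second line of defence rather than the only one.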