Jinais IRC Server 0.1.8 NULL Pointer Vulnerability

Name              Jinais IRC Server
Vendor            http://jinais.sourceforge.net
Versions Affected 0.1.8
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-03-21

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
VI.  DISCLOSURE TIMELINE

I. ABOUT THE APPLICATION

Application description.

II. DESCRIPTION

An IRC server written in C from scratch. Well, it's not _yet_ a fully
featured IRC server. The goal is to make it multi-platformed, highly
configurable at compile and run times, to allow it to run on slow
machines, using the least amount of resources.

III. ANALYSIS

Summary:

 A) NULL Pointer

A) NULL Pointer

A NULL pointer dereference occurs when a client sends a TOPIC IRC command
without setting an IRC channel name. The function that causes the
vulnerability is the following:

commands.c:

    int command_user_topic(user_t *user, char *line)
    {
        char ch[1024];

        if (NEXTPARAM) {
            /* copy the channel name parameter into ch */
            chopstr(ch, MAX_CHANNEL_NAME);
            if (channel_name_valid(ch)) {
                /* channel_find() returns NULL when no such channel exists,
                 * but the result is used without being checked */
                channel_t *chan = channel_find(ch);
                if (NEXTPARAM)
                    channel_set_topic(user, chan, ch);
                else
                    channel_return_topic(user, chan);
                return 1;
            }
        } else
            respond_need_params(user, "TOPIC");

        return 0;
    }

chan is not properly checked. The function then calls channel_return_topic,
which tries to access a bad memory location since chan is equal to
0x00000000:

    channel_return_topic (user=0x100a20, chan=0x0) at channels.c:171
    171         if (!(chan->mode &

IV. SAMPLE CODE

http://www.salvatorefresta.net/files/poc/PoC-Jinais0.1.8.c

V. FIX

    int command_user_topic(user_t *user, char *line)
    {
        char ch[1024];

        if (NEXTPARAM) {
            chopstr(ch, MAX_CHANNEL_NAME);
            if (channel_name_valid(ch)) {
                channel_t *chan = channel_find(ch);
                /* reject the command when the channel does not exist
                 * instead of dereferencing a NULL pointer */
                if (!chan)
                    return 0;
                if (NEXTPARAM)
                    channel_set_topic(user, chan, ch);
                else
                    channel_return_topic(user, chan);
                return 1;
            }
        } else
            respond_need_params(user, "TOPIC");

        return 0;
    }

VI. DISCLOSURE TIMELINE

2010-03-21  Bug discovered
2010-03-22  Initial vendor contact
2010-03-22  Advisory Release
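The guard above returns 0 without telling the client why. As an added, self-contained model of the hardened handler (constructed for this advisory, not Jinais code; the channel table, MAX_CHANNEL_NAME value and handle_topic/channel_find names are assumptions), the following checks the channel_find() result before touching it and answers an unknown channel with the standard ERR_NOSUCHCHANNEL (403) numeric rather than crashing or going silent:

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a TOPIC handler: a tiny channel table, a
 * channel_find() that returns NULL for unknown names (the chan == 0x0
 * situation from the advisory), and a handler that checks that NULL. */
#define MAX_CHANNEL_NAME 50   /* assumed limit, not the project's value */

typedef struct { const char *name; char topic[256]; } channel_t;

/* Constructed channel table: only #test exists. */
static channel_t channels[] = { { "#test", "hello" } };

static channel_t *channel_find(const char *name) {
    for (size_t i = 0; i < sizeof channels / sizeof channels[0]; i++)
        if (strcmp(channels[i].name, name) == 0) return &channels[i];
    return NULL;              /* unknown channel: caller must check this */
}

/* Handles "TOPIC <chan> [:<text>]". Returns 1 when a topic was read or
 * set, 0 when the command is rejected. reply receives a simplified IRC
 * numeric (461 missing parameter, 403 no such channel, 332 topic). */
int handle_topic(const char *line, char *reply, size_t replylen) {
    char ch[MAX_CHANNEL_NAME + 1];
    const char *p = line + strlen("TOPIC");
    while (*p == ' ') p++;
    if (*p == '\0') {         /* no channel parameter at all */
        snprintf(reply, replylen, "461 TOPIC :Not enough parameters");
        return 0;
    }
    size_t n = strcspn(p, " ");
    if (n > MAX_CHANNEL_NAME) n = MAX_CHANNEL_NAME;
    memcpy(ch, p, n);
    ch[n] = '\0';
    channel_t *chan = channel_find(ch);
    if (!chan) {              /* the check missing from the vulnerable code */
        snprintf(reply, replylen, "403 %s :No such channel", ch);
        return 0;
    }
    p += strcspn(p, " ");     /* skip to the optional topic text */
    while (*p == ' ') p++;
    if (*p == ':') p++;
    if (*p != '\0')           /* text present: set the topic */
        snprintf(chan->topic, sizeof chan->topic, "%s", p);
    snprintf(reply, replylen, "332 %s :%s", chan->name, chan->topic);
    return 1;
}
```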