The OOB write did not happen on file-backed downloads, such as remote includes. It only happened for memory-backed requests, of which there are only four in standard UnrealIRCd: centralblocklist, central spam report, other spamreport blocks (e.g. to dronebl) and the log block with destination webhook. In all four cases the remote end is very likely to be a trusted web server, given the nature of the data you are sending to it.

The fix was to extend the size fields everywhere to 64 bits. It was applied to both URL backends: url_unreal.c and url_curl.c.

The new API feature is a 'max_size' in OutgoingWebRequest, which defaults to 1MB. It is only used for memory-backed responses, so not for real file downloads. This fixes not only the reported bug but also the case where a rogue web server could send back a response of unbounded size, potentially filling up gigabytes of server memory.

Reported by Link420.
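The two properties the fix describes (64-bit size accounting and a cap on memory-backed responses) can be shown in a small accumulator. This is an added example, not code from UnrealIRCd: the `MemResponse` struct and the `mem_response_*` functions are hypothetical names, and only the 1MB default and the name `max_size` come from the text above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_MAX_SIZE (1024u * 1024u) /* 1MB default stated in the release note */

/* Hypothetical memory-backed response buffer; not UnrealIRCd's own struct. */
typedef struct {
    char *data;
    uint64_t len;      /* bytes stored so far, tracked in 64 bits */
    uint64_t max_size; /* hard cap on the whole response */
} MemResponse;

void mem_response_init(MemResponse *r, uint64_t max_size)
{
    if (max_size == 0) max_size = DEFAULT_MAX_SIZE;
    if (max_size > (uint64_t)SIZE_MAX) max_size = SIZE_MAX; /* 32-bit builds */
    r->data = NULL; r->len = 0; r->max_size = max_size;
}

/* Append one chunk received from the web server. Returns 1 on success and
 * 0 when the chunk is rejected (cap exceeded or out of memory); the caller
 * should then abort the transfer. */
int mem_response_append(MemResponse *r, const char *chunk, uint64_t n)
{
    char *p;
    /* len <= max_size always holds, so this subtraction cannot wrap and
     * the check never has to compute len + n before validating it. */
    if (n > r->max_size - r->len) return 0;
    if (n == 0) return 1;
    p = realloc(r->data, (size_t)(r->len + n));
    if (!p) return 0;
    memcpy(p + r->len, chunk, (size_t)n);
    r->data = p;
    r->len += n;
    return 1;
}

void mem_response_free(MemResponse *r)
{
    free(r->data); r->data = NULL; r->len = 0;
}

int main(void)
{
    MemResponse r;
    mem_response_init(&r, 16); /* constructed sample: 16-byte cap */
    printf("chunk 1 accepted: %d\n", mem_response_append(&r, "0123456789", 10));
    printf("chunk 2 accepted: %d\n", mem_response_append(&r, "0123456789", 10));
    mem_response_free(&r);
    return 0;
}
```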
About UnrealIRCd
UnrealIRCd is an Open Source IRC Server, serving thousands of networks since 1999. It runs on Linux, OS X and Windows and is currently the most widely deployed IRCd with a market share of 37%. UnrealIRCd is a highly advanced IRCd with a strong focus on modularity and security. It uses an advanced and highly configurable configuration file. Other key features include: full IRCv3 support, SSL/TLS, cloaking, JSON-RPC, advanced anti-flood and anti-spam systems, GeoIP, remote includes, and lots of other features. We are also particularly proud of our extensive online documentation.
Versions
- UnrealIRCd 6 is the stable series since December 2021. It is the only supported version.
- For full details of release scheduling and EOL dates, see UnrealIRCd releases on the wiki
How to get started
Follow the installation guide on the wiki. See:
Documentation and Support
You can find all documentation online at: https://www.unrealircd.org/docs/
We also have a good FAQ: https://www.unrealircd.org/docs/FAQ
If you are in need of support, you can pop up on #unreal-support on irc.unrealircd.org
or ask your question on the forums.
Supported systems
We try to support all major *NIX systems: all Linux distros but also NetBSD, OpenBSD and macOS, provided the OS version was released within the past ~5 years.
We use a private BuildBot instance to test each commit. The tested systems are (others are likely to work too):
- Linux: Debian (10, 11, 12, 13), Ubuntu (18.04, 20.04, 22.04, 24.04, 26.04)
- FreeBSD: 15
- Windows: Visual Studio 2019
UnrealIRCd is architecture-agnostic. Most of the BuildBot workers run on x64 but we also have some on x86 and arm64 to ensure these work as well.
Other links
- https://www.unrealircd.org - Main website
- https://bugs.unrealircd.org - Bug tracker
- https://fosstodon.org/@unrealircd - Mastodon
- https://twitter.com/Unreal_IRCd - Twitter