
Re: mirc32 6.0x crash when resolving dns.

From: Roland Postle <mail(at)blazde.co.uk>
Date: Tue May 27 2003 - 21:41:25 EDT


On Mon, 26 May 2003 23:22:37 +0200, aT4r InsaN3 wrote:

>Every time I tried to resolve a few IPs mirc32 dies. The problem seems to be
>in the WSAAsyncGetHostByName() call.
>I have tested this feature in both mIRC 6.01 and 6.03 on different
>computers.

Interestingly the bug seems to be in WS2_32.DLL itself. mIRC does a WSAAsyncGetHostByAddr() call which causes a new thread to be spawned which performs the usual gethostbyaddr() call. The returned HOSTENT contains a NULL h_name field (as opposed to a pointer to an empty string). I can't tell if that's correct behaviour when there's no reverse lookup, but it's also interesting to note that reverse DNS lookups on the IP addresses you posted seem to fall into a loop. After performing the lookup CopyHostentToBuffer is called to copy the HOSTENT structure so it can notify the appropriate windows of the lookup's completion. BytesInHostent is called to count the number of bytes in the HOSTENT, but it trips on the NULL pointer as it tries to count how long the h_name field is.

My guess:
Vulnerable to NULL pointer dereference: Anything that calls WSAAsyncGetHostByAddr.

(Btw, the bug appears to be WSAAsyncGetHostByName in windbg because you only have the exported symbol names loaded)

Confirmed in WS2_32.DLL version 5.1.2600.0 (xpclient.010817-1148), XP SP1, mIRC 6.03.

  • Blazde
Received on Wed May 28 11:52:01 2003
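The reply above names the two steps where WS2_32.DLL fails: counting the bytes in a HOSTENT and copying it into one buffer, with h_name assumed to be a valid string. As an added example (not code from the thread, from mIRC or from Microsoft's WS2_32.DLL), here is a defensive version of those two steps in C that treats a NULL h_name, a NULL h_aliases or a NULL h_addr_list as empty, so a reverse lookup with no name flattens to an empty string instead of a crash. It uses the POSIX struct hostent from <netdb.h>, whose fields match Winsock's HOSTENT (Winsock declares h_addrtype and h_length as short); the 10.0.0.1 address in the demo is a constructed value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET */
#include <netdb.h>        /* struct hostent: h_name, h_aliases, h_addrtype, h_length, h_addr_list */

/* Length of a NULL-terminated pointer array; a NULL array counts as empty. */
static size_t ptr_array_len(char *const *arr)
{
    size_t n = 0;
    if (arr)
        while (arr[n])
            n++;
    return n;
}

/* Bytes needed to flatten *h into one contiguous buffer. A NULL h_name is
 * counted as the empty string (one terminating byte), which is exactly the
 * check the thread says BytesInHostent lacks. */
size_t bytes_in_hostent(const struct hostent *h)
{
    size_t naliases = ptr_array_len(h->h_aliases);
    size_t naddrs = ptr_array_len(h->h_addr_list);
    size_t alen = h->h_length > 0 ? (size_t)h->h_length : 0;
    size_t n = sizeof(struct hostent);
    size_t i;

    n += (naliases + 1) * sizeof(char *);          /* alias pointers + NULL */
    n += (naddrs + 1) * sizeof(char *);            /* address pointers + NULL */
    n += (h->h_name ? strlen(h->h_name) : 0) + 1;  /* name, or "" */
    for (i = 0; i < naliases; i++)
        n += strlen(h->h_aliases[i]) + 1;
    n += naddrs * alen;
    return n;
}

/* Copy *src into buf so that every pointer in the result points inside buf.
 * Layout: struct, alias pointer array, address pointer array, then the
 * variable-length bytes (the pointer arrays stay aligned because the struct
 * size is a multiple of the pointer size). Returns NULL if buf is too small. */
struct hostent *copy_hostent_to_buffer(const struct hostent *src, void *buf, size_t buflen)
{
    size_t naliases = ptr_array_len(src->h_aliases);
    size_t naddrs = ptr_array_len(src->h_addr_list);
    size_t alen = src->h_length > 0 ? (size_t)src->h_length : 0;
    char *p = (char *)buf;
    struct hostent *dst;
    char **aliases, **addrs;
    size_t i, len;

    if (buflen < bytes_in_hostent(src))
        return NULL;

    dst = (struct hostent *)p;
    p += sizeof(struct hostent);
    aliases = (char **)p;
    p += (naliases + 1) * sizeof(char *);
    addrs = (char **)p;
    p += (naddrs + 1) * sizeof(char *);

    dst->h_addrtype = src->h_addrtype;
    dst->h_length = src->h_length;
    dst->h_aliases = aliases;
    dst->h_addr_list = addrs;

    dst->h_name = p;
    if (src->h_name) {
        len = strlen(src->h_name) + 1;
        memcpy(p, src->h_name, len);
        p += len;
    } else {
        *p++ = '\0';                 /* no name: hand callers "" rather than NULL */
    }
    for (i = 0; i < naliases; i++) {
        len = strlen(src->h_aliases[i]) + 1;
        aliases[i] = p;
        memcpy(p, src->h_aliases[i], len);
        p += len;
    }
    aliases[naliases] = NULL;
    for (i = 0; i < naddrs; i++) {
        addrs[i] = p;
        memcpy(p, src->h_addr_list[i], alen);
        p += alen;
    }
    addrs[naddrs] = NULL;
    return dst;
}

/* Constructed input mirroring the thread's case: one IPv4 address, no name, no aliases. */
static struct hostent *demo_hostent(char **addrs_storage, char *addr_storage)
{
    static struct hostent h;
    addr_storage[0] = 10; addr_storage[1] = 0; addr_storage[2] = 0; addr_storage[3] = 1;
    addrs_storage[0] = addr_storage;
    addrs_storage[1] = NULL;
    memset(&h, 0, sizeof h);
    h.h_name = NULL;              /* the field the thread says BytesInHostent trips on */
    h.h_aliases = NULL;
    h.h_addrtype = AF_INET;
    h.h_length = 4;
    h.h_addr_list = addrs_storage;
    return &h;
}

size_t demo_null_name_size(void)
{
    char *addrs[2]; char addr[4];
    return bytes_in_hostent(demo_hostent(addrs, addr));
}

/* 1 if the NULL-name hostent flattens correctly, 0 otherwise. */
int demo_null_name_copy(void)
{
    char *addrs[2]; char addr[4]; char buf[256];
    struct hostent *c = copy_hostent_to_buffer(demo_hostent(addrs, addr), buf, sizeof buf);
    if (!c) return 0;
    return c->h_name[0] == '\0' && c->h_aliases[0] == NULL && c->h_length == 4
        && c->h_addr_list[1] == NULL && memcmp(c->h_addr_list[0], addr, 4) == 0;
}

/* 1 if an undersized buffer is rejected instead of overrun. */
int demo_small_buffer_rejected(void)
{
    char *addrs[2]; char addr[4]; char buf[8];
    return copy_hostent_to_buffer(demo_hostent(addrs, addr), buf, sizeof buf) == NULL;
}

int main(void)
{
    printf("bytes needed: %zu, copy ok: %d, small buffer rejected: %d\n",
           demo_null_name_size(), demo_null_name_copy(), demo_small_buffer_rejected());
    return 0;
}
```

The size function and the copy function share one layout, so a caller that allocates bytes_in_hostent() bytes can never be overrun by the copy, and the copy never dereferences a NULL h_name, h_aliases or h_addr_list.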

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

