whois-parser: Crash Index out of range in prepareEDU

This line crashes in prepareEDU: https://github.com/likexian/whois-parser-go/blob/20abe6414445267b491a8b80279d7ed653baaeee/prepare.go#L169

Stack trace:

runtime error: index out of range [8] with length 8
goroutine 201198 [running]:
panic(0x115d640, 0xc0003da120)
	c:/go/src/runtime/panic.go:975 +0x499
github.com/likexian/whois-parser-go.prepareEDU(0xc003d46e00, 0x622, 0xc003d46e00, 0x622)
	C:/Temp/Go/src/github.com/likexian/whois-parser-go/prepare.go:169 +0xdba
github.com/likexian/whois-parser-go.Prepare(0xc003d46000, 0x623, 0xc003d2c02a, 0x3, 0xc003d2c02a, 0x3, 0x800)
	C:/Temp/Go/src/github.com/likexian/whois-parser-go/prepare.go:41 +0x17c
github.com/likexian/whois-parser-go.Parse(0xc003d46000, 0x623, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc003ef7180, 0x1)
	C:/Temp/Go/src/github.com/likexian/whois-parser-go/parser.go:76 +0x1ec

Don’t know exactly which EDU domain is causing it, but using tokens[token][index] without checking if index is within the array is obviously dangerous. index gets incremented for each NL in the arbitrary input (text variable), so it’s an obvious time bomb.

About this issue

Original URL
State: closed
Created 4 years ago
Comments: 23 (13 by maintainers)

Most upvoted comments

Hello @mnakama @skalniy This has been fixed, please try the latest version.

If you think this repository is helpful, please share it with friends, thanks.

likexian on Dec 29, 2020

@mnakama panic/recover make code more clear. please refer to error handing with go2.0, is just something like panic/recover.

func main() {
	handle err {
		log.Fatal(err)
	}

	hex := check ioutil.ReadAll(os.Stdin)
	data := check parseHexdump(string(hex))
	os.Stdout.Write(data)
}

likexian on Jan 8, 2021

I wrote this libary and share it without reservation, I paid a lot of time to it and ask for nothing. But that is not the reason that you can just thow a trouble and ask for fixing without having any willing to give me any help. If that, You are not welcome, please immediately stop importing this libary.

likexian on Dec 18, 2020

what domains are returning data that causes the panic

It’s not domains causing the panic it’s bad code that takes input without validation. If this was developed in C you’d have a potential RCE vulnerability at hand.

Never trust arbitrary input - in this case from a remote Whois server.

If you want to teach me how to validate the input, then I want to teach you how to reslove a problem:

step 1: catch a problem
step 2: find out the reason
step 3: fix the problem

We never do something like you:

step 1: catch a problem
step 2: skip the problem
step 3: there is no problem

Since you are loving C so much, PLEASE keep away from my go libary and write a parser using C youself!

likexian on Dec 18, 2020

@Kleissner thanks, that’s what I meant to say, but your wording is much better: “Never trust arbitrary input”.

The design of the current parsing engine puts way too much trust in whois servers. There are other domains that look like they could run past the array bounds if given strange input, but I haven’t had any panics once I implemented this small patch.

I don’t want to criticize the code too much, though, since I’m grateful that I didn’t have to write domain lookup parsing myself. Thanks to @likexian for making this library =)

mnakama on Dec 16, 2020

what domains are returning data that causes the panic

It’s not domains causing the panic it’s bad code that takes input without validation. If this was developed in C you’d have a potential RCE vulnerability at hand.

Never trust arbitrary input - in this case from a remote Whois server.

Kleissner on Dec 16, 2020

Of course you can! Just add a check if index >= len(tokens[token]) break. There fixed it for ya.

This way just skip the problem but not reslove the problem, the parsing result is wrong.

likexian on Dec 4, 2020

If I can not reproduce it, i can not fix it.

likexian on Dec 3, 2020