We were playing around with message injections and noticed that forcing a soju user to change their nick to *
seems to crash the entire user on that soju instance.
```
2024/12/20 16:40:55 user "runxiyu": upstream "rx": received: @time=2024-12-20T16:40:55.133Z;account=runxiyu NICK *
2024/12/20 16:40:55 panic serving user "runxiyu": cacheUserInfo called with empty nickname
goroutine 20 [running]:
runtime/debug.Stack()
	runtime/debug/stack.go:24 +0x5e
codeberg.org/emersion/soju.(*Server).addUserLocked.func1.1()
	codeberg.org/emersion/soju/server.go:440 +0x58
panic({0x560f48101a60?, 0x560f481c2f70?})
	runtime/panic.go:770 +0x132
codeberg.org/emersion/soju.(*upstreamConn).cacheUserInfo(0x560f48148680?, {0xc0002648d0?, 0xc000031340?}, 0x4?)
	codeberg.org/emersion/soju/upstream.go:2430 +0x2d5
codeberg.org/emersion/soju.(*upstreamConn).handleMessage(0xc0000d9a00, {0x560f481c8e48, 0x560f4857ad40}, 0xc0007bd000)
	codeberg.org/emersion/soju/upstream.go:1112 +0x4a2e
codeberg.org/emersion/soju.(*user).run(0xc0000be380)
	codeberg.org/emersion/soju/user.go:701 +0x19ab
codeberg.org/emersion/soju.(*Server).addUserLocked.func1()
	codeberg.org/emersion/soju/server.go:451 +0x65
created by codeberg.org/emersion/soju.(*Server).addUserLocked in goroutine 1
	codeberg.org/emersion/soju/server.go:437 +0x170
```
According to funderscore, this causes strange behaviour on the rest of their bouncer. It seems to cause my other connections to time out too (apparently my entire user is unusable?).
```
2024/12/20 15:42:44 downstream "127.0.0.1:43480": registration complete for user "funderscore"
2024/12/20 15:42:44 downstream "127.0.0.1:43480": failed to get/create user: user "funderscore" exists in the DB but hasn't been loaded by the bouncer -- a restart may help
```
> According to funderscore, this causes strange behaviour on the rest of their bouncer. It seems to cause my other connections to time out too (apparently my entire user is unusable?).
Yes. All my connections time out, and I am disconnected from the bouncer. When trying to reconnect again, I get met with:
```
ERROR :Internal server error
```
Or something similar.
According to Simon in the IRC channel:
> a panic brings down the entire user - that's expected
After testing with doesnm a bit, it looks like soju panics when changing its nick to something like "!blah@blah" since it parses the nick and thinks that there's an empty nick. The NICK handler calls `uc.cacheUserInfo(msg.Prefix.Name, &upstreamUser...)`, and `cacheUserInfo` has `if nick == "" { panic(...) }`.
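The parsing behaviour described in the last comment, as an added example that is not soju's code or part of the original thread: a simplified prefix parser shows why "!blah@blah" yields an empty name, and a handler returns an error for that input instead of panicking. The names `parsePrefix`, `validNick`, `handleNick` and the map-based cache are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// prefix is a simplified IRC message source of the form name!user@host.
type prefix struct{ Name, User, Host string }

// parsePrefix splits on the first '@' and then on the first '!'.
// Simplified stand-in (assumption); this is not soju's parser.
func parsePrefix(s string) prefix {
	p := prefix{Name: s}
	if name, host, ok := strings.Cut(p.Name, "@"); ok {
		p.Name, p.Host = name, host
	}
	if name, user, ok := strings.Cut(p.Name, "!"); ok {
		p.Name, p.User = name, user
	}
	return p
}

var errBadNick = errors.New("rejecting NICK: empty or malformed nickname")

// validNick rejects nicknames that are empty or that parsePrefix would mis-split.
func validNick(n string) bool {
	return n != "" && !strings.ContainsAny(n, "!@ ")
}

// handleNick (hypothetical) applies a NICK change to a nick cache. Untrusted
// upstream input is validated and rejected with an error, not a panic.
func handleNick(cache map[string]bool, rawPrefix, newNick string) error {
	old := parsePrefix(rawPrefix).Name
	if !validNick(old) || !validNick(newNick) {
		return errBadNick
	}
	delete(cache, old)
	cache[newNick] = true
	return nil
}

func main() {
	cache := map[string]bool{"alice": true} // constructed sample state
	fmt.Printf("%+v\n", parsePrefix("!blah@blah"))
	fmt.Println(handleNick(cache, "alice!a@host", "!blah@blah"))
	fmt.Println(handleNick(cache, "!blah@blah", "bob"))
	fmt.Println(handleNick(cache, "alice!a@host", "bob"), cache)
}
```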