pidgin: 784bc8bf: Fix CVE-2010-0277, a possible remote cra...

markdoliner at pidgin.im markdoliner at pidgin.im
Thu Feb 18 03:16:01 EST 2010


-----------------------------------------------------------------
Revision: 784bc8bff5affb83cee8a5a9353cb0a8220a72ce
Ancestor: fccbc2f40bb19bec8eccb9e88463e8f2a3484192
Author: markdoliner at pidgin.im
Date: 2010-02-16T08:54:07
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/784bc8bff5affb83cee8a5a9353cb0a8220a72ce

Modified files:
        ChangeLog libpurple/protocols/msn/slp.c
        libpurple/protocols/msn/slpcall.c
        libpurple/protocols/msn/slplink.c
        libpurple/protocols/msn/slpmsg.h

ChangeLog: 

Fix CVE-2010-0277, a possible remote crash when parsing an incoming
SLP message.  Discovered by Fabian Yamaguchi.

-------------- next part --------------
============================================================
--- ChangeLog	683ba7212db7938fa88010815e36368f53e02f21
+++ ChangeLog	9136e0d000cf003ec7199cbf801b6aa49141baa8
@@ -26,6 +26,8 @@ version 2.6.6 (02/18/2010):
 	  Previously only icons between 48x48 and 50x50 were allowed.
 
 	MSN:
+	* Fix CVE-2010-0277, a possible remote crash when parsing an incoming
+	  SLP message.  Discovered by Fabian Yamaguchi.
 	* File transfer requests will no longer cause a crash if you delete the
 	  file before the other side accepts.
 	* Received files will no longer hold an extra lock after completion,
============================================================
--- libpurple/protocols/msn/slp.c	3791d1f2ebc50ec51989809ba3548a65f9cacc84
+++ libpurple/protocols/msn/slp.c	d033671387f0b1b7be03a6b2d9ab0df77f87096c
@@ -741,11 +741,10 @@ msn_slp_sip_recv(MsnSlpLink *slplink, co
 	if (!strncmp(body, "INVITE", strlen("INVITE")))
 	{
 		char *branch;
+		char *call_id;
 		char *content;
 		char *content_type;
 
-		slpcall = msn_slpcall_new(slplink);
-
 		/* From: <msnmsgr:buddy at hotmail.com> */
 #if 0
 		slpcall->remote_user = get_token(body, "From: <msnmsgr:", ">\r\n");
@@ -753,7 +752,7 @@ msn_slp_sip_recv(MsnSlpLink *slplink, co
 
 		branch = get_token(body, ";branch={", "}");
 
-		slpcall->id = get_token(body, "Call-ID: {", "}");
+		call_id = get_token(body, "Call-ID: {", "}");
 
 #if 0
 		long content_len = -1;
@@ -767,13 +766,15 @@ msn_slp_sip_recv(MsnSlpLink *slplink, co
 
 		content = get_token(body, "\r\n\r\n", NULL);
 
-		if (branch && content_type && content)
+		if (branch && call_id && content_type && content)
 		{
+			slpcall = msn_slpcall_new(slplink);
+			slpcall->id = call_id;
 			got_invite(slpcall, branch, content_type, content);
 		}
 		else
 		{
-			msn_slpcall_destroy(slpcall);
+			g_free(call_id);
 			slpcall = NULL;
 		}
 
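Review bot: The line `slpcall->id = call_id;` silently transfers ownership of the Call-ID token to the call object, while the else branch frees it explicitly; nothing in the hunk records that, so a later maintainer adding a `g_free(call_id)` after `got_invite()` would introduce a double free. I would write it as `slpcall->id = call_id; /* slpcall now owns call_id; do not free it here */`. The else branch releases only `call_id`, and `branch`, `content_type` and `content` are not released inside the hunk — presumably they are freed further down, but that is outside the visible lines and worth confirming. The body of msn_slp_sip_recv continues past the end of the hunk.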
============================================================
--- libpurple/protocols/msn/slpcall.c	8e026624bfadbce92df43572f26207612b8db3b1
+++ libpurple/protocols/msn/slpcall.c	6bc12efafffec9f0cf74910ba6be61eb65167bbb
@@ -199,7 +199,7 @@ msn_slp_process_msg(MsnSlpLink *slplink,
 
 	slpcall = NULL;
 	body = slpmsg->buffer;
-	body_len = slpmsg->size;
+	body_len = slpmsg->offset;
 
 	if (slpmsg->flags == 0x0 || slpmsg->flags == 0x1000000)
 	{
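Review bot: `body_len = slpmsg->offset;` needs a comment, because a reader who sees `size` declared right next to `buffer` in the struct will not understand why the allocated length is the wrong bound here. I would write `body_len = slpmsg->offset; /* bytes actually received into buffer; size is only the allocation length */`. Whether the parsing that follows honours `body_len` everywhere or also relies on NUL termination cannot be judged from this hunk, since msn_slp_process_msg continues beyond it.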
============================================================
--- libpurple/protocols/msn/slplink.c	590f3cea0e7283cd23d5f8897e11d0630e9e56be
+++ libpurple/protocols/msn/slplink.c	c73150501a8bbf5457e799d7bf8b2d6b1ecfd5bf
@@ -585,15 +585,16 @@ msn_slplink_process_msg(MsnSlpLink *slpl
 	}
 	else if (slpmsg->size && slpmsg->buffer)
 	{
-		if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
+		if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size || slpmsg->offset != offset)
 		{
 			purple_debug_error("msn",
 				"Oversized slpmsg - msgsize=%lld offset=%" G_GUINT64_FORMAT " len=%" G_GSIZE_FORMAT "\n",
 				slpmsg->size, offset, len);
 			g_return_if_reached();
-		}
-		else
+		} else {
 			memcpy(slpmsg->buffer + offset, data, len);
+			slpmsg->offset += len;
+		}
 	}
 
 	if ((slpmsg->flags == 0x20 ||
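Review bot: The debug message still reads "Oversized slpmsg" although the added `slpmsg->offset != offset` test now also rejects out-of-order, duplicated or gapped chunks, and the message does not print the value the chunk was compared against, so a log from a peer sending malformed data cannot be told apart from a genuine size overflow. I would change the two lines to `"Bad slpmsg chunk - msgsize=%lld offset=%" G_GUINT64_FORMAT " expected=%lld len=%" G_GSIZE_FORMAT "\n",` and `slpmsg->size, offset, slpmsg->offset, len);` — `slpmsg->offset` is `long long` per the slpmsg.h hunk, so `%lld` is the right conversion. The comparison itself mixes the signed `slpmsg->offset` with what the format specifier suggests is an unsigned 64-bit `offset`; it is presumably harmless because `slpmsg->offset` is never negative, but an explicit cast would keep -Wsign-compare quiet. The enclosing function continues outside the hunk.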
============================================================
--- libpurple/protocols/msn/slpmsg.h	df0fac8e9b93c0c615387d73f2b950a10c8fa426
+++ libpurple/protocols/msn/slpmsg.h	279a011d89a98b0c85a8c37eeae1f11e6dc2ce10
@@ -57,7 +57,18 @@ struct _MsnSlpMessage
 	gboolean ft;
 	PurpleStoredImage *img;
 	guchar *buffer;
+
+	/**
+	 * For outgoing messages this is the number of bytes from buffer that
+	 * have already been sent out.  For incoming messages this is the
+	 * number of bytes that have been written to buffer.
+	 */
 	long long offset;
+
+	/**
+	 * This is the size of buffer, unless this is an outgoing file transfer,
+	 * in which case this is the size of the file.
+	 */
 	long long size;
 
 	GList *msgs; /**< The real messages. */
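Review bot: The new doc comment on `offset` describes what the field counts but not the invariant the receive path now relies on, which is the whole reason the field matters after this commit. I would append a sentence to that comment: "For incoming messages this never exceeds size, and msn_slplink_process_msg only accepts a chunk whose offset equals this value, so the data in buffer is always contiguous from the start." The comment on `size` could likewise say that for incoming messages it is the allocation length rather than the number of valid bytes, so callers must bound reads by `offset`.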

