pidgin.2.x.y: 757272a7: Fix remotely-triggerable crashes by vali...
markdoliner at pidgin.im
markdoliner at pidgin.im
Sat Dec 10 15:01:08 EST 2011
----------------------------------------------------------------------
Revision: 757272a78a8ca6027d518e614712c3399e34dda3
Parent: bc79b1bf09dcfa1d8edac86a06761fce7416e69c
Author: markdoliner at pidgin.im
Date: 12/06/11 01:40:23
Branch: im.pidgin.pidgin.2.x.y
URL: http://d.pidgin.im/viewmtn/revision/info/757272a78a8ca6027d518e614712c3399e34dda3
Changelog:
Fix remotely-triggerable crashes by validating strings in a few
messages related to buddy list management. Fixes #14682
I changed the four functions that parse incoming authorization-related
SNACs. The changes are:
- Make sure we have a buddy name and it is valid UTF-8. If not, we
drop the SNAC and log a debug message (we can't do much with an empty,
invalid or incorrect buddy name). This wasn't a part of the bug
report and I doubt it's actually a problem, but it seems like a good
idea regardless.
- If the incoming message is not valid UTF-8 then use
purple_utf8_salvage() to replace invalid bytes with question marks. I
believe this fixes the bug in question.
Changes against parent bc79b1bf09dcfa1d8edac86a06761fce7416e69c
patched ChangeLog
patched libpurple/protocols/oscar/family_feedbag.c
-------------- next part --------------
============================================================
--- ChangeLog 804f5180f40b46eaea728f6dd16905448739e354
+++ ChangeLog 17fbae9b5e9efd4d2874b9e0d9c9e87fb96a1fc6
@@ -4,6 +4,10 @@ version 2.10.1 (10/11/2011):
Finch:
* Fix compilation on OpenBSD.
+ AIM and ICQ:
+ * Fix remotely-triggerable crashes by validating strings in a few
+ messages related to buddy list management. (#14682)
+
Bonjour:
* IPv6 fixes (Linus L?ssing)
============================================================
--- libpurple/protocols/oscar/family_feedbag.c 8f80e2c5acd2b21acc88d54ba8e5ab43dbdaa3e2
+++ libpurple/protocols/oscar/family_feedbag.c ff8702078ba3a5c73ff1c86a206f09f7749c1314
@@ -1650,18 +1650,35 @@ static int receiveauthgrant(OscarData *o
int ret = 0;
aim_rxcallback_t userfunc;
guint16 tmp;
- char *bn, *msg;
+ char *bn, *msg, *tmpstr;
/* Read buddy name */
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
- else
- bn = NULL;
+ tmp = byte_stream_get8(bs);
+ if (!tmp) {
+ purple_debug_warning("oscar", "Dropping auth grant SNAC "
+ "because username was empty\n");
+ return 0;
+ }
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping auth grant SNAC "
+ "because the username was not valid UTF-8\n");
+ g_free(bn);
+ }
- /* Read message (null terminated) */
- if ((tmp = byte_stream_get16(bs)))
+ /* Read message */
+ tmp = byte_stream_get16(bs);
+ if (tmp) {
msg = byte_stream_getstr(bs, tmp);
- else
+ if (!g_utf8_validate(msg, -1, NULL)) {
+ /* Ugh, msg isn't UTF8. Let's salvage. */
+ purple_debug_warning("oscar", "Got non-UTF8 message in auth "
+ "grant from %s\n", bn);
+ tmpstr = purple_utf8_salvage(msg);
+ g_free(msg);
+ msg = tmpstr;
+ }
+ } else
msg = NULL;
/* Unknown */
@@ -1724,18 +1741,35 @@ static int receiveauthrequest(OscarData
int ret = 0;
aim_rxcallback_t userfunc;
guint16 tmp;
- char *bn, *msg;
+ char *bn, *msg, *tmpstr;
/* Read buddy name */
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
- else
- bn = NULL;
+ tmp = byte_stream_get8(bs);
+ if (!tmp) {
+ purple_debug_warning("oscar", "Dropping auth request SNAC "
+ "because username was empty\n");
+ return 0;
+ }
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping auth request SNAC "
+ "because the username was not valid UTF-8\n");
+ g_free(bn);
+ }
- /* Read message (null terminated) */
- if ((tmp = byte_stream_get16(bs)))
+ /* Read message */
+ tmp = byte_stream_get16(bs);
+ if (tmp) {
msg = byte_stream_getstr(bs, tmp);
- else
+ if (!g_utf8_validate(msg, -1, NULL)) {
+ /* Ugh, msg isn't UTF8. Let's salvage. */
+ purple_debug_warning("oscar", "Got non-UTF8 message in auth "
+ "request from %s\n", bn);
+ tmpstr = purple_utf8_salvage(msg);
+ g_free(msg);
+ msg = tmpstr;
+ }
+ } else
msg = NULL;
/* Unknown */
@@ -1808,21 +1842,38 @@ static int receiveauthreply(OscarData *o
aim_rxcallback_t userfunc;
guint16 tmp;
guint8 reply;
- char *bn, *msg;
+ char *bn, *msg, *tmpstr;
/* Read buddy name */
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
- else
- bn = NULL;
+ tmp = byte_stream_get8(bs);
+ if (!tmp) {
+ purple_debug_warning("oscar", "Dropping auth reply SNAC "
+ "because username was empty\n");
+ return 0;
+ }
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping auth reply SNAC "
+ "because the username was not valid UTF-8\n");
+ g_free(bn);
+ }
/* Read reply */
reply = byte_stream_get8(bs);
- /* Read message (null terminated) */
- if ((tmp = byte_stream_get16(bs)))
+ /* Read message */
+ tmp = byte_stream_get16(bs);
+ if (tmp) {
msg = byte_stream_getstr(bs, tmp);
- else
+ if (!g_utf8_validate(msg, -1, NULL)) {
+ /* Ugh, msg isn't UTF8. Let's salvage. */
+ purple_debug_warning("oscar", "Got non-UTF8 message in auth "
+ "reply from %s\n", bn);
+ tmpstr = purple_utf8_salvage(msg);
+ g_free(msg);
+ msg = tmpstr;
+ }
+ } else
msg = NULL;
/* Unknown */
@@ -1848,10 +1899,18 @@ static int receiveadded(OscarData *od, F
char *bn;
/* Read buddy name */
- if ((tmp = byte_stream_get8(bs)))
- bn = byte_stream_getstr(bs, tmp);
- else
- bn = NULL;
+ tmp = byte_stream_get8(bs);
+ if (!tmp) {
+ purple_debug_warning("oscar", "Dropping 'you were added' SNAC "
+ "because username was empty\n");
+ return 0;
+ }
+ bn = byte_stream_getstr(bs, tmp);
+ if (!g_utf8_validate(bn, -1, NULL)) {
+ purple_debug_warning("oscar", "Dropping 'you were added' SNAC "
+ "because the username was not valid UTF-8\n");
+ g_free(bn);
+ }
if ((userfunc = aim_callhandler(od, snac->family, snac->subtype)))
ret = userfunc(od, conn, frame, bn);
More information about the Commits
mailing list