pidgin.2.x.y: d991ff6d: Fix a possible XMPP remote crash

markdoliner at pidgin.im markdoliner at pidgin.im
Mon May 7 00:08:19 EDT 2012


----------------------------------------------------------------------
Revision: d991ff6d558d185527a09eae0378edb3fc7057a5
Parent:   ff142855237badeceb6d61e1d96f0410f94d6eaf
Author:   markdoliner at pidgin.im
Date:     05/06/12 23:16:31
Branch:   im.pidgin.pidgin.2.x.y
URL: http://d.pidgin.im/viewmtn/revision/info/d991ff6d558d185527a09eae0378edb3fc7057a5

Changelog: 

Fix a possible XMPP remote crash

A series of specially crafted file transfer requests can cause clients
to reference invalid memory.  The user must have accepted one of the
file transfer requests.

The fix is to correctly cancel and free a SOCKS5 connection attempt so
that it does not trigger an attempt to access invalid memory later.

This was reported to us by José Valentín Gutiérrez and this patch is
written by Paul Aurich.

Changes against parent ff142855237badeceb6d61e1d96f0410f94d6eaf

  patched  libpurple/proxy.c

-------------- next part --------------
============================================================
--- libpurple/proxy.c	2a1922d6f3744bc61c81543909324d38d741948f
+++ libpurple/proxy.c	df78b061b3bc73de02f1a4ad29357497322aaf89
@@ -59,6 +59,8 @@ struct _PurpleProxyConnectData {
 	 */
 	GSList *hosts;
 
+	PurpleProxyConnectData *child;
+
 	/*
 	 * All of the following variables are used when establishing a
 	 * connection through a proxy.
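Review bot: The new `child` member has no comment, although the neighbouring fields visible in this hunk do and the fix depends on its lifetime rules. I would add `/* Nested attempt to reach the SOCKS5 proxy itself; cancelled in purple_proxy_connect_data_disconnect() and cleared once its callback runs. */` above it, so later changes keep the set/clear pairing intact. The struct definition starts and ends outside the hunk.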
@@ -559,6 +561,12 @@ purple_proxy_connect_data_disconnect(Pur
 static void
 purple_proxy_connect_data_disconnect(PurpleProxyConnectData *connect_data, const gchar *error_message)
 {
+	if (connect_data->child != NULL)
+	{
+		purple_proxy_connect_cancel(connect_data->child);
+		connect_data->child = NULL;
+	}
+
 	if (connect_data->inpa > 0)
 	{
 		purple_input_remove(connect_data->inpa);
@@ -2417,13 +2425,20 @@ static void socks5_connected_to_proxy(gp
 	/* This is the PurpleProxyConnectData for the overall SOCKS5 connection */
 	PurpleProxyConnectData *connect_data = data;
 
+	purple_debug_error("proxy", "Connect Data is %p\n", connect_data);
+
 	/* Check that the overall SOCKS5 connection wasn't cancelled while we were
 	 * connecting to it (we don't have a way of associating the process of
 	 * connecting to the SOCKS5 server to the overall PurpleProxyConnectData)
 	 */
-	if (!PURPLE_PROXY_CONNECT_DATA_IS_VALID(connect_data))
+	if (!PURPLE_PROXY_CONNECT_DATA_IS_VALID(connect_data)) {
+		purple_debug_error("proxy", "Data had gone out of scope :(\n");
 		return;
+	}
 
+	/* Break the link between the two PurpleProxyConnectDatas  */
+	connect_data->child = NULL;
+
 	if (error_message != NULL) {
 		purple_debug_error("proxy", "Unable to connect to SOCKS5 host.\n");
 		connect_data->connect_cb(connect_data->data, source, error_message);
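Review bot: The two added purple_debug_error() calls in socks5_connected_to_proxy read like leftover diagnostics. The first runs on every callback, before the validity check, and writes the heap address of connect_data to the debug log at error level. Debug logs are routinely attached to bug reports, so raw addresses there erode ASLR as a mitigation, and a cancelled attempt is an expected condition rather than an error. I would drop the `%p` line and report the cancellation as `purple_debug_info("proxy", "SOCKS5 connection was cancelled before the proxy connection completed.\n");`. The function body continues outside the hunk.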
@@ -2486,10 +2501,7 @@ purple_proxy_connect_socks5_account(void
 		return NULL;
 	}
 
-	/* The API doesn't really provide us with a way to cancel the specific
-	 * proxy connection attempt (account_proxy_conn_data) when the overall
-	 * SOCKS5 connection (connect_data) attempt is cancelled :(
-	 */
+	connect_data->child = account_proxy_conn_data;
 
 	handles = g_slist_prepend(handles, connect_data);
 
@@ -2499,6 +2511,8 @@ purple_proxy_connect_cancel(PurpleProxyC
 void
 purple_proxy_connect_cancel(PurpleProxyConnectData *connect_data)
 {
+	g_return_if_fail(connect_data != NULL);
+
 	purple_proxy_connect_data_disconnect(connect_data, NULL);
 	purple_proxy_connect_data_destroy(connect_data);
 }
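Review bot: The new guard in purple_proxy_connect_cancel rejects only NULL, so a stale handle that was already destroyed would still reach the disconnect and destroy calls. The callback hunk above relies on PURPLE_PROXY_CONNECT_DATA_IS_VALID for that case. If that macro tests membership in `handles` (its definition is not visible here), adding `g_return_if_fail(PURPLE_PROXY_CONNECT_DATA_IS_VALID(connect_data));` after the NULL check would also stop a double cancel from touching freed memory. A short doc comment stating that cancelling a connection now also cancels its child attempt would help callers.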

