/pidgin/main: 879db2a9a59c: Fix a bug where the MXit server or a...

Mark Doliner mark at kingant.net
Wed Feb 13 09:59:53 EST 2013


Changeset: 879db2a9a59c5f0bd1007fd89271092932315a65
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2013-02-11 01:09 -0800
Branch:	 release-2.x.y
URL: http://hg.pidgin.im/pidgin/main/rev/879db2a9a59c

Description:

Fix a bug where the MXit server or a man-in-the-middle could
potentially send specially crafted data that could overflow a buffer
and lead to a crash or remote code execution.

This is CVE-2013-0272.

The problem was detected by Coverity static analysis, and Daniel Atallah
brought it to everyone's attention and got us to fix it.

diffstat:

 ChangeLog                       |  3 +++
 libpurple/protocols/mxit/http.c |  9 +++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diffs (43 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,9 @@ version 2.10.7 (02/13/2013):
 	MXit:
 	* Fix a bug where a remote MXit user could possibly specify a local
 	  file path to be written to. (CVE-2013-0271)
+	* Fix a bug where the MXit server or a man-in-the-middle could
+	  potentially send specially crafted data that could overflow a buffer
+	  and lead to a crash or remote code execution. (CVE-2013-0272)
 	* Display farewell messages in a different colour to distinguish
 	  them from normal messages.
 	* Add support for typing notification.
diff --git a/libpurple/protocols/mxit/http.c b/libpurple/protocols/mxit/http.c
--- a/libpurple/protocols/mxit/http.c
+++ b/libpurple/protocols/mxit/http.c
@@ -116,11 +116,12 @@ static void mxit_cb_http_read( gpointer 
 		buflen = session->rx_i;
 
 		/* read bytes from the socket */
-		len = read( session->fd, buf + buflen, sizeof( buf ) - buflen );
+		len = read( session->fd, buf + buflen, sizeof( buf ) - ( buflen + 1 ) );
 		if ( len <= 0 ) {
 			/* connection has been terminated, or error occurred */
 			goto done;
 		}
+		buf[buflen+len] = '\0';
 
 //nextpacket:
 
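Review bot: the new size argument `sizeof( buf ) - ( buflen + 1 )` is an unsigned expression that wraps to a huge value if `buflen` ever equals `sizeof( buf ) - 1`, and the hunk does not show what bounds `session->rx_i` before it is copied into `buflen`. An explicit guard such as `if ( buflen >= sizeof( buf ) - 1 ) goto done;` ahead of the `read()` would make the invariant local and obvious. A one-line comment on why one byte is reserved (the `buf[buflen+len] = '\0';` terminator added below) would also help the next reader; the old `read()` could fill the whole array with no room for the NUL the string parsing relies on, which is the defect this change closes.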
@@ -181,7 +182,11 @@ static void mxit_cb_http_read( gpointer 
 		g_free( tmp );
 		tmp = NULL;
 
-		if ( buflen > ( ( body - buf ) + bodylen ) ) {
+		if ( buflen + bodylen >= CP_MAX_PACKET ) {
+			/* this packet is way to big */
+			goto done;
+		}
+		else if ( buflen > ( ( body - buf ) + bodylen ) ) {
 			/* we have a second packet here */
 			next = body + bodylen;
 			session->rx_res = 0;
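Review bot: the new bound tests `buflen + bodylen`, while the quantity the following branch actually compares against the buffer is `( body - buf ) + bodylen`. Since `body - buf` is at most `buflen`, the check is stricter than needed and can reject a response whose headers plus body would fit; the hunk also does not show how `CP_MAX_PACKET` relates to `sizeof( buf )`, so a comment tying the constant to the array size is worth adding. Minor: the comment reads "way to big" and should be "way too big".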


