/pidgin/main: 44fd89158777: In Novell Groupwise, fix potential r...
Mark Doliner
mark at kingant.net
Wed Oct 22 10:20:24 EDT 2014
Changeset: 44fd8915877754d378f859dae73b64b39d4e7cb0
Author: Mark Doliner <mark at kingant.net>
Date: 2014-04-08 00:31 -0700
Branch: release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/44fd89158777
Description:
In Novell Groupwise, fix potential remote crash parsing server message
that indicates that a large amount of memory should be allocated. I
added arbitrary max size checks that are hopefully larger than any real
expected value. It was kinda weird that the existing check only checked
MAXINT. We'll want to request a CVE ID for this.
Discovered by Yves Younan and Richard Johnson of Sourcefire VRT
diffstat:
ChangeLog | 5 +++++
libpurple/protocols/novell/nmevent.c | 29 ++++++++++++++++-------------
2 files changed, 21 insertions(+), 13 deletions(-)
diffs (138 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,11 @@ version 2.10.10 (?/?/?):
Gadu-Gadu:
* Updated internal libgadu to version 1.12.0-rc2.
+ Groupwise:
+ * Fix potential remote crash parsing server message that indicates that
+ a large amount of memory should be allocated. (Discovered by Yves Younan
+ and Richard Johnson of Sourcefire VRT) (CVE-2014-NNNN)
+
MXit:
* Fix potential remote crash parsing a malformed emoticon response.
(Discovered by Yves Younan and Richard Johnson of Sourcefire VRT)
diff --git a/libpurple/protocols/novell/nmevent.c b/libpurple/protocols/novell/nmevent.c
--- a/libpurple/protocols/novell/nmevent.c
+++ b/libpurple/protocols/novell/nmevent.c
@@ -149,7 +149,7 @@ handle_receive_message(NMUser * user, NM
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
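Review bot: The new bound on `size` is tested before `rc`, so when `nm_read_uint32()` fails the comparison runs on a value the read may not have written. The caller can then get `NMERR_PROTOCOL` in place of the real read error, or fall through with a stale size. Checking the result first keeps the two cases apart, e.g. `if (rc == NM_OK && size > 1000) rc = NMERR_PROTOCOL;`, which lets the existing `if (rc == NM_OK)` guard skip the allocation. The same ordering appears in every other `return NMERR_PROTOCOL` hunk of this file; only the `nm_process_event` hunk checks `rc` first. The function body continues outside the hunk, so how `size` is initialised is not visible here.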
@@ -164,7 +164,7 @@ handle_receive_message(NMUser * user, NM
/* Read the message text */
if (rc == NM_OK) {
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 100000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
msg = g_new0(char, size + 1);
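Review bot: The early `return NMERR_PROTOCOL` on the message-text size is reached only after the guid read succeeded, so the `guid` buffer allocated in the previous hunk appears to be still live and is not freed on this path. A server that repeatedly sends an oversized message length could then leak up to about 1000 bytes per event. Setting the error and falling through, `if (rc == NM_OK && size > 100000) rc = NMERR_PROTOCOL;`, would leave the cleanup to the end of the function, assuming it frees `guid` there; that code is outside the hunk. The second hunk of `handle_conference_invite` has the same shape.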
@@ -270,7 +270,7 @@ handle_conference_invite(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -280,7 +280,7 @@ handle_conference_invite(NMUser * user,
/* Read the the message */
if (rc == NM_OK) {
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 100000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
msg = g_new0(char, size + 1);
@@ -349,7 +349,7 @@ handle_conference_invite_notify(NMUser *
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -401,7 +401,7 @@ handle_conference_reject(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -440,7 +440,7 @@ handle_conference_left(NMUser * user, NM
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -490,7 +490,7 @@ handle_conference_closed(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -530,7 +530,7 @@ handle_conference_joined(NMUser * user,
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -589,7 +589,7 @@ handle_typing(NMUser * user, NMEvent * e
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -632,7 +632,7 @@ handle_status_change(NMUser * user, NMEv
/* Read the status text */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 10000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
text = g_new0(char, size + 1);
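Review bot: The limit here is a third bare literal (`10000`), alongside `1000` for guids and `100000` for message text in the other hunks, and nothing in the file records why each value was chosen. Named constants with a one-line comment each would keep the dozen checks consistent when a limit has to change, for example `#define NM_MAX_STATUS_TEXT_SIZE 10000` (suggested name, not an existing identifier). The description calls the values arbitrary, so the comment should say so and note that they are a sanity cap rather than a protocol limit.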
@@ -670,7 +670,7 @@ handle_undeliverable_status(NMUser * use
/* Read the conference guid */
rc = nm_read_uint32(conn, &size);
- if (size == MAX_UINT32) return NMERR_PROTOCOL;
+ if (size > 1000) return NMERR_PROTOCOL;
if (rc == NM_OK) {
guid = g_new0(char, size + 1);
@@ -833,7 +833,10 @@ nm_process_event(NMUser * user, int type
/* Read the event source */
rc = nm_read_uint32(conn, &size);
if (rc == NM_OK) {
- if (size > 0) {
+ if (size > 1000000) {
+ /* Size is larger than our 1MB sanity check. Ignore it. */
+ rc = NMERR_PROTOCOL;
+ } else {
source = g_new0(char, size);
rc = nm_read_all(conn, source, size);
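Review bot: The new `else` branch also runs when `size == 0`, a case the removed `if (size > 0)` guard used to skip. `g_new0(char, 0)` returns NULL in GLib, so `nm_read_all()` is now called with a NULL buffer and a zero length; how it treats that is not visible in this hunk. Keeping the old guard on the allocation path, `} else if (size > 0) {`, preserves the previous behaviour for an empty event source while still rejecting sizes above the 1MB cap.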