/pidgin/main: 34d56e0586c4: Merged TALOS-CAN-0141

Gary Kramlich grim at reaperworld.com
Mon Jun 20 20:09:59 EDT 2016 

Changeset: 34d56e0586c4a545e60eb5477b39c1aacca2a803
Author:	 Gary Kramlich <grim at reaperworld.com>
Date:	 2016-06-12 22:26 -0500
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/34d56e0586c4

Description:

Merged TALOS-CAN-0141

diffstat:

 ChangeLog                           |   2 ++
 libpurple/protocols/mxit/protocol.c |  22 ++++++++++++++++++++--
 libpurple/protocols/mxit/roster.c   |   4 ----
 3 files changed, 22 insertions(+), 6 deletions(-)

diffs (72 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,8 @@ version 2.10.13 (MM/DD/YY):
 	  Cisco Talos (TALOS-CAN-0137)
 	* Fixed a remote code execution issue discovered by Yves Younan of Cisco
 	  Talos.  (TALOS-CAN-0142)
+	* Fixed a remote denial of service vulnerability in contact mood
+	  handling.  Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0141)
 
 version 2.10.12 (12/31/15):
 	General:
diff --git a/libpurple/protocols/mxit/protocol.c b/libpurple/protocols/mxit/protocol.c
--- a/libpurple/protocols/mxit/protocol.c
+++ b/libpurple/protocols/mxit/protocol.c
@@ -1694,6 +1694,24 @@ static short mxit_parse_presence( const 
 
 
 /*------------------------------------------------------------------------
+ * Parse the received mood value, and ensure that it is supported.
+ *
+ *  @param value		The received mood value.
+ *  @return				A valid mood value.
+ */
+static short mxit_parse_mood( const char* value )
+{
+	short mood = atoi( value );
+
+	/* ensure that the mood value is valid */
+	if ( ( mood >= MXIT_MOOD_NONE ) && ( mood <= MXIT_MOOD_STRESSED ) )
+		return mood;
+
+	return MXIT_MOOD_NONE;
+}
+
+
+/*------------------------------------------------------------------------
  * Process a received contact update packet.
  *
  *  @param session		The MXit session object
@@ -1726,7 +1744,7 @@ static void mxit_parse_cmd_contact( stru
 
 		contact->presence = mxit_parse_presence( rec->fields[3]->data );
 		contact->type = atoi( rec->fields[4]->data );
-		contact->mood = atoi( rec->fields[5]->data );
+		contact->mood = mxit_parse_mood( rec->fields[5]->data );
 
 		if ( rec->fcount > 6 ) {
 			/* added in protocol 5.9 - flags & subtype */
@@ -1783,7 +1801,7 @@ static void mxit_parse_cmd_presence( str
 		if ( rec->fcount >= 7 )		/* flags field is included */
 			flags = atoi( rec->fields[6]->data );
 
-		mxit_update_buddy_presence( session, rec->fields[0]->data, mxit_parse_presence( rec->fields[1]->data ), atoi( rec->fields[2]->data ),
+		mxit_update_buddy_presence( session, rec->fields[0]->data, mxit_parse_presence( rec->fields[1]->data ), mxit_parse_mood( rec->fields[2]->data ),
 				rec->fields[3]->data, rec->fields[4]->data, flags );
 		mxit_update_buddy_avatar( session, rec->fields[0]->data, rec->fields[5]->data );
 	}
diff --git a/libpurple/protocols/mxit/roster.c b/libpurple/protocols/mxit/roster.c
--- a/libpurple/protocols/mxit/roster.c
+++ b/libpurple/protocols/mxit/roster.c
@@ -473,10 +473,6 @@ void mxit_update_buddy_presence( struct 
 	contact->mood = mood;
 	contact->capabilities = flags;
 
-	/* validate mood */
-	if ( ( contact->mood < MXIT_MOOD_NONE ) || ( contact->mood > MXIT_MOOD_STRESSED ) )
-		contact->mood = MXIT_MOOD_NONE;
-
 	g_strlcpy( contact->customMood, customMood, sizeof( contact->customMood ) );
 	// TODO: Download custom mood frame.

More information about the Commits mailing list