fixing msn file transfer crash (CVE-2008-2955)

Michal Marek mmarek at suse.cz
Thu Aug 7 08:40:22 EDT 2008


Hi,

I'm trying to fix
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955 AKA
http://developer.pidgin.im/ticket/6246 , which is a crash in msn's
msn_slplink_process_msg() if the transfer is aborted. The problem is
that purple_xfer_start() calls msn_slpmsg_destroy() in such a case, but
there is no way for msn_slplink_process_msg() to detect that. The proper
fix would be to rework the msn transfer code to call purple_xfer_start()
as the very last step and let the callbacks do the rest, just like the
other protocols do. But as a band aid, I thought this approach could be
used:
* add a flag to struct MsnSlpMessage which tells msn_slpmsg_destroy()
that this instance shouldn't be freed, but another flag should be set
instead
* set the first flag in msn_slplink_process_msg() before calling
purple_xfer_start(), so that the slpmsg pointer is still valid after
returning from purple_xfer_start(), and check ourselves whether
msn_slpmsg_destroy() was called.

What do you think about such a solution? Attached is a patch implementing
the above; it's quite short, so distributions should be able to backport
it to older libpurples if they wish.

Michal
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-msn-xfer-fail.patch
Type: text/x-patch
Size: 3151 bytes
Desc: not available
URL: <http://pidgin.im/pipermail/devel/attachments/20080807/1c14c532/attachment-0002.bin>
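The defer-the-free guard proposed in the message above, as an added example in C that is not Pidgin's code and not the attached patch: SlpMessage, slpmsg_new(), slpmsg_destroy(), xfer_start() and process_msg() are hypothetical stand-ins for MsnSlpMessage, msn_slpmsg_destroy(), purple_xfer_start() and msn_slplink_process_msg(), and live_messages is a bookkeeping counter added only so the outcome can be checked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct MsnSlpMessage (not the Pidgin struct). */
typedef struct SlpMessage {
    char *payload;
    bool in_use;           /* a caller up the stack still holds this pointer */
    bool destroy_pending;  /* destroy was requested while in_use was set   */
} SlpMessage;

static int live_messages = 0;   /* allocations not yet freed (for checking) */

int slpmsg_live_count(void) { return live_messages; }

SlpMessage *slpmsg_new(const char *payload) {
    SlpMessage *msg = calloc(1, sizeof *msg);
    if (msg == NULL) return NULL;
    msg->payload = malloc(strlen(payload) + 1);
    if (msg->payload == NULL) { free(msg); return NULL; }
    strcpy(msg->payload, payload);
    live_messages++;
    return msg;
}

/* Destroy with the band-aid applied: while a caller has marked the object
 * in use, record the request instead of freeing, so that caller's pointer
 * stays valid until it checks the flag itself. */
void slpmsg_destroy(SlpMessage *msg) {
    if (msg == NULL) return;
    if (msg->in_use) {
        msg->destroy_pending = true;
        return;
    }
    free(msg->payload);
    free(msg);
    live_messages--;
}

/* Stand-in for purple_xfer_start(): on an aborted transfer it destroys the
 * message, which is the behaviour the report above describes. */
static void xfer_start(SlpMessage *msg, bool abort) {
    if (abort) {
        slpmsg_destroy(msg);
        return;
    }
    printf("transfer started for \"%s\"\n", msg->payload);
}

/* Stand-in for msn_slplink_process_msg(). Returns true if msg survived
 * xfer_start() and may still be used, false if it was destroyed. Without
 * the in_use guard, touching msg after an aborting xfer_start() would be a
 * use-after-free (the crash in the report). */
bool process_msg(SlpMessage *msg, bool abort) {
    msg->in_use = true;
    xfer_start(msg, abort);
    msg->in_use = false;
    if (msg->destroy_pending) {
        slpmsg_destroy(msg);   /* complete the deferred destroy; msg is gone */
        return false;
    }
    printf("post-start processing of \"%s\"\n", msg->payload);
    return true;
}

int main(void) {
    SlpMessage *ok = slpmsg_new("data.bin");
    if (process_msg(ok, false)) slpmsg_destroy(ok);

    SlpMessage *aborted = slpmsg_new("cancelled.bin");
    if (!process_msg(aborted, true))
        printf("transfer aborted, message released, live=%d\n",
               slpmsg_live_count());
    return slpmsg_live_count() == 0 ? 0 : 1;
}
```

The guard only protects the one caller that sets in_use and remembers to check destroy_pending afterwards; any other path that keeps a pointer across xfer_start() is still exposed, which is why the message calls this a band aid and points to reordering the transfer code (start the transfer as the last step) as the proper fix.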