fixing msn file transfer crash (CVE-2008-2955)

Michal Marek mmarek at
Thu Aug 7 08:40:22 EDT 2008


I'm trying to fix AKA , which is a crash in msn's
msn_slplink_process_msg() if the transfer is aborted. The problem is
that purple_xfer_start calls msn_slpmsg_destroy() in such a case, but
there is no way for msn_slplink_process_msg() to detect that. The proper
fix would be to rework the msn transfer code to call purple_xfer_start()
as the very last step and let the callbacks do the rest, just like the
other protocols do. But as a band-aid, I thought this approach could be
* add a flag to struct MsnSlpMessage which tells msn_slpmsg_destroy()
that this instance shouldn't be freed, but another flag should be set
* set the first flag in msn_slplink_process_msg() before calling
purple_xfer_start(), so that the slpmsg pointer is still valid after
returning from purple_xfer_start(), and check ourselves whether
msn_slpmsg_destroy() was called.

What do you think about such a solution? Attached is a patch implementing
the above; it's quite short, so distributions should be able to backport
it to older libpurples if they wish.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-msn-xfer-fail.patch
Type: text/x-patch
Size: 3151 bytes
Desc: not available
URL: <>
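As an added example, not the patch attached to this message and not libpurple code, the following self-contained C program models the two-flag band-aid described above: the owner marks the message as in use before making the call that may destroy it, the destroy routine refuses to free an in-use message and records a pending destroy instead, and the owner honours that request once the call returns. All names (SlpMessage, slpmsg_destroy, process_msg, the xfer_start stand-ins, the free counter) are hypothetical stand-ins for struct MsnSlpMessage, msn_slpmsg_destroy(), msn_slplink_process_msg() and purple_xfer_start(); the sample payloads are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the two-flag scheme; names are illustrative,
 * not libpurple's. */
typedef struct SlpMessage {
    int   id;
    bool  in_use;           /* owner is inside a reentrant call: do not free */
    bool  destroy_pending;  /* destroy() was requested while in_use */
    char *payload;
} SlpMessage;

static int g_freed;  /* number of real frees, so a test can observe them */

int slpmsg_freed_count(void) { return g_freed; }

SlpMessage *slpmsg_new(int id, const char *payload) {
    SlpMessage *msg = calloc(1, sizeof *msg);
    size_t len = strlen(payload) + 1;
    if (msg == NULL) return NULL;
    msg->id = id;
    msg->payload = malloc(len);
    if (msg->payload == NULL) { free(msg); return NULL; }
    memcpy(msg->payload, payload, len);
    return msg;
}

/* Stand-in for msn_slpmsg_destroy(): defers when the owner still uses it. */
void slpmsg_destroy(SlpMessage *msg) {
    if (msg == NULL) return;
    if (msg->in_use) {
        msg->destroy_pending = true;   /* owner will free after its call */
        return;
    }
    free(msg->payload);
    free(msg);
    g_freed++;
}

/* Stand-ins for purple_xfer_start(): the abort path destroys the message
 * behind the caller's back, which is the crash scenario in question. */
typedef void (*xfer_start_fn)(SlpMessage *msg);
void xfer_start_ok(SlpMessage *msg)    { (void)msg; }
void xfer_start_abort(SlpMessage *msg) { slpmsg_destroy(msg); }

/* Stand-in for msn_slplink_process_msg(): returns 1 if msg survived the
 * call and was used afterwards, 0 if it had to be destroyed on return. */
int process_msg(SlpMessage *msg, xfer_start_fn start) {
    msg->in_use = true;
    start(msg);                 /* may call slpmsg_destroy(msg) */
    msg->in_use = false;        /* msg is still valid here by construction */
    if (msg->destroy_pending) {
        slpmsg_destroy(msg);    /* honour the deferred request; really frees */
        return 0;
    }
    msg->payload[0] = 'X';      /* safe: nobody freed msg during the call */
    return 1;
}

int main(void) {
    SlpMessage *a = slpmsg_new(1, "abort me");   /* constructed sample */
    SlpMessage *b = slpmsg_new(2, "keep me");    /* constructed sample */
    printf("abort path:  survived=%d freed=%d\n",
           process_msg(a, xfer_start_abort), slpmsg_freed_count());
    printf("normal path: survived=%d payload=%s\n",
           process_msg(b, xfer_start_ok), b->payload);
    slpmsg_destroy(b);
    return 0;
}
```

The boolean in_use flag protects exactly one caller at a time; if the same message could be re-entered in nested calls, it would need to become a counter, and any other code that holds the pointer across the call without setting the flag remains unprotected, which is why the message above calls this a band-aid rather than the proper fix.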
