latest pidgin slplink.c patch
Ethan Blanton
elb at pidgin.im
Sun May 24 13:45:58 EDT 2009
adc spake unto us the following wisdom:
> Hi, could someone help me understand CVE-2009-1376?
> """
> The previous fix to CVE-2008-2927 <http://pidgin.im/news/security/?id=25> was
> deemed incomplete. The size check improperly casted an uint64 to size_t
> which can cause an integer overflow, rendering the check useless.
> """
> original patch:
>
> - if ((offset + len) > slpmsg->size)
> + if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
>
>
> additional patch:
>
> +- gsize offset;
> ++ guint64 offset;
>
> + gsize len;
>
> Where is the problem exactly? I'm assuming that on a 32-bit machine
> G_MAXSIZE should be
> max unsigned int (2^32-1) and gsize is an unsigned integer.
On the line:
offset = msg->msnslp_header.offset;
(struct MsnSlpHeader *)->offset is declared as 64-bit. Assigning it
to a 32-bit offset field led to truncation. These checks themselves
weren't the problem.
Ethan
--
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor
determined to commit crimes.
-- Cesare Beccaria, "On Crimes and Punishments", 1764
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 481 bytes
Desc: Digital signature
URL: <http://pidgin.im/pipermail/devel/attachments/20090524/a5fbe49d/attachment.sig>
More information about the Devel
mailing list