latest pidgin slplink.c patch
adc
adc at intruded.net
Sun May 24 16:50:59 EDT 2009
Thank you for the clarification
------
adc spake unto us the following wisdom:
> Hi, could someone help me understand CVE-2009-1376?
> """
> The previous fix to CVE-2008-2927 <http://pidgin.im/news/security/?id=25> was
> deemed incomplete. The size check improperly casted an uint64 to size_t
> which can cause an integer overflow, rendering the check useless.
> """
> original patch:
>
> - if ((offset + len) > slpmsg->size)
> + if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
>
>
> additional patch:
>
> +- gsize offset;
> ++ guint64 offset;
>
> + gsize len;
>
> Where is the problem exactly? I'm assuming that on a 32-bit machine
> G_MAXSIZE should be
> max unsigned int (2^32-1) and gsize is an unsigned integer.
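Review bot: The overflow guard in the first hunk, `G_MAXSIZE - len < offset`, only protects the addition if `offset` still holds the full value read from the header; when the 64-bit header offset is stored in a `gsize` variable on a 32-bit build, the high bits are dropped at the assignment, before the guard runs, so both it and `(offset + len) > slpmsg->size` are evaluated against a truncated value. The second hunk's change to `guint64 offset` is what addresses that; `len` can stay `gsize`, since once `offset` is 64 bits wide the comparisons are carried out at that width.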
On the line:
offset = msg->msnslp_header.offset;
(struct MsnSlpHeader *)->offset is declared as 64-bit. Assigning it
to a 32-bit offset field led to truncation. These checks themselves
weren't the problem.
Ethan
--
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor
determined to commit crimes.
-- Cesare Beccaria, "On Crimes and Punishments", 1764
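The truncation Ethan points to, as an added illustration that is not part of this thread or of Pidgin's code: a 32-bit build is modelled with a 32-bit stand-in for `gsize`, the header struct is a constructed stand-in for the SLP header, and `check_truncated` / `check_fixed` are hypothetical names for the bounds check before and after the `guint64 offset` change.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the glib types named in the thread, pinned to a 32-bit
 * target so the effect is visible on any host (assumption, not glib). */
typedef uint32_t gsize32;            /* gsize on a 32-bit build */
#define G_MAXSIZE32 UINT32_MAX        /* G_MAXSIZE on that build */

/* Constructed stand-in for the 64-bit offset field of the SLP header. */
typedef struct { uint64_t offset; } slp_header;

/* Before the additional patch: the 64-bit header offset is copied into a
 * 32-bit gsize, so its upper 32 bits are discarded before any check runs.
 * Returns true when the write would be accepted. */
bool check_truncated(uint64_t hdr_offset, gsize32 len, gsize32 msg_size)
{
    gsize32 offset = (gsize32)hdr_offset;   /* truncation happens here */
    if (G_MAXSIZE32 - len < offset || offset + len > msg_size)
        return false;
    return true;
}

/* After the patch: offset keeps its full 64-bit width, so the overflow
 * guard and the size comparison see the value actually in the header. */
bool check_fixed(uint64_t hdr_offset, gsize32 len, gsize32 msg_size)
{
    uint64_t offset = hdr_offset;
    if (G_MAXSIZE32 - len < offset || offset + len > msg_size)
        return false;
    return true;
}

int main(void)
{
    /* Constructed header whose offset only differs from a small value in
     * the upper 32 bits; a 32-bit gsize cannot tell the two apart. */
    slp_header hdr = { .offset = 0x100000010ULL };
    gsize32 len = 16, size = 1024;

    printf("header offset 0x%llx, len %u, message size %u\n",
           (unsigned long long)hdr.offset, len, size);
    printf("gsize offset  : %s\n", check_truncated(hdr.offset, len, size)
                                   ? "accepted" : "rejected");
    printf("guint64 offset: %s\n", check_fixed(hdr.offset, len, size)
                                   ? "accepted" : "rejected");
    return 0;
}
```

With the 32-bit `offset`, the guard and the size comparison both run on `0x10`, so the write passes; with `guint64 offset` the same header is rejected by `G_MAXSIZE - len < offset` before the addition is ever attempted. Neither variant of the check is wrong in itself, which is Ethan's point: the defect was in the width of the variable the check was applied to.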